IT Business Continuity Management Audit Checklist

The Business Continuity Management Audit Checklist
Download the free IT Business Continuity Management Audit Checklist. This audit checklist is based on ISO27002, which requires the organization to have in place a managed process for developing and maintaining business continuity throughout the organization, and that process must address the information security requirements of continuity. The information security adviser could take the lead in setting up this process, which should be agreed by the information security management forum. ISO27002 recommends that the process should:

- Ensure that the risks faced by the organization, in terms of their likelihood and potential impact, are understood, and that critical business processes are identified by means of risk assessments and their protection prioritized.
- Identify all the assets involved in critical business processes.
- Understand the range of impacts that interruptions may have on the organization and recognize that small incidents (power failures, virus attacks) may be as significant in terms of data availability, integrity and confidentiality as larger, more dynamic events (fires, bombs, floods).
- Ensure that adequate financial, organizational, technical and environmental resources are available to address the identified requirements.
- Ensure the safety of staff and the protection of information systems and organizational assets.
- Consider the purchase of insurance that covers the risks identified and ensure that premiums are kept up to date.
- Formulate and agree with line managers, and everyone likely to be affected, a business continuity strategy that is consistent with the organization’s documented objectives and strategy. This needs to be no more than a single page that states clearly the overall approach to continuity, the prioritization of processes and the extent of training and review.
- Formulate and document detailed BCPs that are consistent with the strategy.
- Ensure that plans are regularly tested, lessons learned and plans updated.
- Ensure that the management of business continuity is as embedded into the organization’s processes and culture as is information security generally, and that specific responsibilities for business continuity, and its information security aspects, have been allocated at an adequately high level in the organization.

Attachment: BusinessContinuityManagementAuditChecklist.xls (16 KB)
