New Developments

In New Developments, internal auditors will find information about the most recent IT and audit research reports and survey results; new IT, security, and privacy legislation; and other news items of importance to auditors.

Report Summarizes Business Continuity Best Practices

The European Network and Information Security Agency (ENISA) recently issued a report that brings together business and IT service continuity best practices, methods, and tools to help organizations mitigate network and information security (NIS) risks to critical processes. More specifically, Business and IT Continuity: Overview and Implementation Principles (PDF, 2.21 MB) provides information that can help senior managers decide how to implement business continuity management (BCM) activities effectively, identify potential NIS threats, and put in place the infrastructure needed to restore and maintain critical operations after a disruption.

The report defines business continuity as a set of management processes and integrated plans established to prevent the interruption of critical business activities and the delivery of key services. To help managers establish an effective BCM program, the report provides detailed information on how to:

  • Assign BCM responsibilities and incident teams.
  • Define BCM policy.
  • Conduct a business impact analysis.
  • Design a BCM approach.
  • Deliver and test the organization's business continuity plan.
  • Sustain the BCM program.

In addition, the report shows the relationship between BCM and risk management: business continuity processes mitigate risks to an organization's ongoing activities through proactive or reactive controls. Proactive controls are put in place before a disruption, such as agreements with suppliers or alternative service providers and systems designed to absorb the effects of a disruption; reactive controls are the business continuity plans that set out the steps the organization must take once a disruption has occurred.

The report also identifies three key factors organizations need to understand in order to maintain the availability of their IT services: which processes are critical to day-to-day operations, how quickly each critical process must be restored, and which technology and information are required to keep each critical process running. By gathering as much information as possible on these factors, managers should be able to identify the IT requirements for keeping critical business processes running in the event of a disruption. Resulting actions may include ensuring that security and IT staff are available within the established recovery timeframes and identifying alternative sites from which to work, if necessary.

Finally, the report compiles the different standards, handbooks, and best practices related to BCM, IT service continuity, risk management, and information security, and provides an overview of the BCM practices and tools currently available. These sources include the British Standards Institution's BS 7799-3:2006, the IT Governance Institute's Control Objectives for Information and related Technology (COBIT) framework, the International Organization for Standardization's ISO/IEC 27001:2005, the U.S. National Institute of Standards and Technology's Contingency Planning Guide for Information Technology Systems (Special Publication 800-34), and the UK's IT Infrastructure Library (ITIL).

To download a full copy of Business and IT Continuity, visit the ENISA Web site.