Business continuity planning life cycle

Business continuity may be defined as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident",[1] and business continuity planning[2][3] (or business continuity and resiliency planning) is the process of creating systems of prevention and recovery to deal with potential threats to a company.[4] In addition to prevention, the goal is to enable ongoing operations before and during execution of disaster recovery.[5] Business continuity is the intended outcome of proper execution of both business continuity planning and disaster recovery.

Various standards bodies have published several business continuity standards to assist in checklisting ongoing planning tasks.[6]

An organization's resistance to failure is "the ability ... to withstand changes in its environment and still function".[7] Often called resilience, it is a capability that allows organizations either to withstand environmental changes without permanently adapting, or to be forced to adopt a new way of working that better suits the new environmental conditions.[7]

Overview

Any event that could negatively impact operations should be included in the plan, such as supply chain interruption or loss of or damage to critical infrastructure (major machinery or computing/network resources). As such, BCP is a subset of risk management.[8] In the U.S., government entities refer to the process as continuity of operations planning (COOP).[9] A business continuity plan[10] outlines a range of disaster scenarios and the steps the business will take in each particular scenario to return to regular trade. BCPs are written ahead of time and can also include precautions to be put in place. Usually created with the input of key staff and stakeholders, a BCP is a set of contingencies to minimize potential harm to the business during adverse scenarios.[11]

Resilience

A 2005 analysis of how disruptions can adversely affect the operations of corporations, and how investments in resilience can give a competitive advantage over entities not prepared for various contingencies,[12] extended then-common business continuity planning practices. Business organizations such as the Council on Competitiveness embraced this resilience goal.[13]

Adapting to change in an apparently slower, more evolutionary manner, sometimes over many years or decades, has been described as being more resilient,[14] and the term "strategic resilience" is now used to go beyond resisting a one-time crisis and to mean continuously anticipating and adjusting, "before the case for change becomes obvious".

This approach is sometimes summarized as: preparedness,[15] protection, response and recovery.[16]

Resilience theory can be related to the field of public relations. Resilience is a communicative process that is constructed by citizens, families, the media, organizations and governments through everyday talk and mediated conversation.[17]

The theory is based on the work of Patrice M. Buzzanell, a professor at the Brian Lamb School of Communication at Purdue University. In her 2010 article, "Resilience: Talking, Resisting, and Imagining New Normalcies Into Being",[18] Buzzanell discussed the ability of organizations to thrive after a crisis by building resistance. Buzzanell notes that there are five different processes that individuals use when trying to maintain resilience: crafting normalcy, affirming identity anchors, maintaining and using communication networks, putting alternative logics to work, and downplaying negative feelings while foregrounding positive emotions.

Viewed alongside resilience theory, crisis communication theory is similar, but not the same. Crisis communication theory is based on the reputation of the company, whereas resilience theory is based on the process of recovery of the company. There are five main components of resilience: crafting normalcy, affirming identity anchors, maintaining and using communication networks, putting alternative logics to work, and downplaying negative feelings while foregrounding negative emotions.[19] Each of these processes can be applied to businesses in times of crisis, making resilience an important factor for companies to focus on during training.

Three main groups are affected by a crisis. They are micro (individual), meso (group or organization) and macro (national or interorganizational). There are also two main types of resilience: proactive and post resilience. Proactive resilience is preparing for a crisis and creating a solid foundation for the company. Post resilience includes maintaining communication and checking in with employees.[20] Proactive resilience deals with issues before they cause a possible shift in the work environment, while post resilience maintains communication and accepts chances after an incident has happened. Resilience can be applied to any organization.

Continuity

Plans and procedures are used in business continuity planning to ensure that the critical organizational operations required to keep an organization running continue to operate during events in which key dependencies of operations are disrupted. Continuity does not need to apply to every activity that the organization undertakes. For example, under ISO 22301:2019, organizations are required to define their business continuity objectives, the minimum levels of product and service operations that will be considered acceptable, and the maximum tolerable period of disruption (MTPD) that can be allowed.[21]

A major cost in planning for this is the preparation of audit compliance management documents; automation tools are available to reduce the time and cost associated with manually producing this information.

Inventory

Planners must have information about:

  • Equipment
  • Supplies and suppliers
  • Locations, including other offices and backup/work area recovery (WAR) sites
  • Documents and documentation, including those with off-site backup copies:[10]
    • Business documents
    • Procedure documentation

Analysis

The analysis phase consists of

  • impact analysis
  • threat analysis and
  • impact scenarios.

Quantification of loss ratios must also include "dollars to defend a lawsuit."[22] It has been estimated that a dollar spent in loss prevention can prevent "seven dollars of disaster-related economic loss."[23]

Business impact analysis (BIA)

A business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-urgent) organization functions/activities. A function may be considered critical if dictated by law.

Each function/activity typically relies on a combination of constituent components in order to operate:

  • Human resources (full-time staff, part-time staff, or contractors)
  • IT systems
  • Physical assets (mobile phones, laptops/workstations etc.)
  • Documents (electronic or physical)

For each function, two values are assigned:

  • Recovery Point Objective (RPO) – the acceptable latency of data that will not be recovered. For example, is it acceptable for the company to lose 2 days of data?[24] The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded.
  • Recovery Time Objective (RTO) – the acceptable amount of time to restore the function.
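
The two values can be checked against operational evidence rather than against the backup schedule alone. The following is an added example, not part of the original article: it derives the worst-case data loss per function from a backup job log and the slowest restore from drill records, then compares them with the assigned RPO and RTO. The function names, log formats and all values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Objective:
    rpo: timedelta  # maximum tolerable data loss for the function
    rto: timedelta  # acceptable time to restore the function


# Everything below is constructed sample data, not taken from the article.
OBJECTIVES = {
    "payroll-db": Objective(rpo=timedelta(days=2), rto=timedelta(hours=8)),
    "crm": Objective(rpo=timedelta(hours=24), rto=timedelta(hours=4)),
    "file-share": Objective(rpo=timedelta(hours=24), rto=timedelta(hours=24)),
}

# Backup job log: <timestamp> <function> <status>
BACKUP_LOG = """\
2024-03-01T02:00:00 payroll-db OK
2024-03-02T02:00:00 payroll-db OK
2024-03-03T02:00:00 payroll-db FAILED
2024-03-04T02:00:00 payroll-db FAILED
2024-03-05T02:00:00 payroll-db OK
2024-03-04T00:00:00 crm OK
2024-03-04T12:00:00 crm OK
2024-03-05T00:00:00 crm OK
2024-03-05T12:00:00 crm OK
2024-03-05T03:00:00 file-share FAILED
"""

# Restore drill log: <function> <restore started> <service restored>
DRILL_LOG = """\
payroll-db 2024-03-06T09:00:00 2024-03-06T15:30:00
crm 2024-03-06T09:00:00 2024-03-06T14:15:00
"""

WINDOW_END = datetime(2024, 3, 6)  # end of the review period


def parse_backups(log):
    """Return {function: sorted timestamps of successful backups only}."""
    ok = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, function, status = line.split()
        ok.setdefault(function, [])
        if status == "OK":
            ok[function].append(datetime.fromisoformat(stamp))
    return {function: sorted(times) for function, times in ok.items()}


def worst_case_data_loss(successes, window_end):
    """Longest stretch without a usable backup; None means no backup at all."""
    if not successes:
        return None
    points = successes + [window_end]
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def slowest_restore(log):
    """Return {function: longest measured restore duration} from drills."""
    worst = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        function, started, restored = line.split()
        took = datetime.fromisoformat(restored) - datetime.fromisoformat(started)
        worst[function] = max(took, worst.get(function, took))
    return worst


def evaluate(objectives, backup_log, drill_log, window_end):
    """Compare observed data-loss exposure and restore time with RPO and RTO."""
    backups = parse_backups(backup_log)
    restores = slowest_restore(drill_log)
    report = {}
    for function, objective in objectives.items():
        loss = worst_case_data_loss(backups.get(function, []), window_end)
        restore = restores.get(function)
        report[function] = {
            "worst_data_loss": loss,
            # No successful backup, or no drill on record, counts as not met.
            "rpo_met": loss is not None and loss <= objective.rpo,
            "slowest_restore": restore,
            "rto_met": restore is not None and restore <= objective.rto,
        }
    return report


if __name__ == "__main__":
    for name, result in evaluate(OBJECTIVES, BACKUP_LOG, DRILL_LOG, WINDOW_END).items():
        print(name, result)
```

In the sample data the payroll database is backed up daily, yet two consecutive failed jobs stretch the exposure to three days, which exceeds its two-day RPO; a function with no successful backup or no restore drill is reported as not meeting its objective.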

Maximum RTO

Maximum time constraints for how long an enterprise's key products or services can be unavailable or undeliverable before stakeholders perceive unacceptable consequences have been named as:

  • Maximum Tolerable Period of Disruption (MTPoD)
  • Maximum Tolerable Downtime (MTD)
  • Maximum Tolerable Outage (MTO)
  • Maximum Allowable Outage (MAO)[25][26]

According to ISO 22301 the terms maximum acceptable outage and maximum tolerable period of disruption mean the same thing and are defined using exactly the same words.[27]

Consistency

When more than one system crashes, recovery plans must balance the need for data consistency with other objectives, such as RTO and RPO.[28] Recovery Consistency Objective (RCO) is the name of this goal. It applies data consistency objectives to define a measurement for the consistency of distributed business data within interlinked systems after a disaster incident. Similar terms used in this context are "Recovery Consistency Characteristics" (RCC) and "Recovery Object Granularity" (ROG).[29]

While RTO and RPO are absolute per-system values, RCO is expressed as a percentage that measures the deviation between actual and targeted state of business data across systems for process groups or individual business processes.

The following formula calculates RCO with "n" representing the number of business processes and "entities" representing an abstract value for business data:

100% RCO means that post recovery, no business data deviation occurs.[30]

Threat and risk analysis (TRA)

After defining recovery requirements, each potential threat may require unique recovery steps. Common threats include:

  • Epidemic/pandemic
  • Earthquake
  • Fire
  • Flood
  • Cyber attack
  • Sabotage (insider or external threat)
  • Hurricane or other major storm
  • Power outage
  • Water outage (supply interruption, contamination)
  • Telecomms outage
  • IT outage
  • Terrorism/Piracy
  • War/civil disorder
  • Theft (insider or external threat, vital information or material)
  • Random failure of mission-critical systems
  • Single point dependency
  • Supplier failure
  • Data corruption
  • Misconfiguration

The above areas can cascade: Responders can stumble. Supplies may become depleted. During the 2002-2003 SARS outbreak, some organizations compartmentalized and rotated teams to match the incubation period of the disease. They also banned in-person contact during both business and non-business hours. This increased resiliency against the threat.

Impact scenarios

Impact scenarios are identified and documented:

  • need for medical supplies[31]
  • need for transportation options[32]
  • civilian impact of nuclear disasters[33]
  • need for business and data processing supplies[34]

These should reflect the widest possible damage.

Tiers of preparedness

SHARE's seven tiers of disaster recovery,[35] released in 1992, were updated in 2012 by IBM as an eight-tier model:[36]

  • Tier 0 - No off-site data
    • Businesses with a Tier 0 Disaster Recovery solution have no Disaster Recovery Plan. There is no saved information, no documentation, no backup hardware, and no contingency plan. Typical recovery time: the length of recovery time in this instance is unpredictable. In fact, it may not be possible to recover at all.
  • Tier 1 - Data backup with no Hot Site
    • Businesses that use Tier 1 Disaster Recovery solutions back up their data at an off-site facility. Depending on how often backups are made, they are prepared to accept several days to weeks of data loss, but their backups are secure off-site. However, this Tier lacks the systems on which to restore data. Pickup Truck Access Method (PTAM).
  • Tier 2 - Data backup with Hot Site
    • Tier 2 Disaster Recovery solutions make regular backups on tape. This is combined with an off-site facility and infrastructure (known as a hot site) in which to restore systems from those tapes in the event of a disaster. This tier solution will still result in the need to recreate several hours to days worth of data, but it is less unpredictable in recovery time. Examples include: PTAM with Hot Site available, IBM Tivoli Storage Manager.
  • Tier 3 - Electronic vaulting
    • Tier 3 solutions utilize components of Tier 2. Additionally, some mission-critical data is electronically vaulted. This electronically vaulted data is typically more current than that which is shipped via PTAM. As a result there is less data recreation or loss after a disaster occurs.
  • Tier 4 - Point-in-time copies
    • Tier 4 solutions are used by businesses that require both greater data currency and faster recovery than users of lower tiers. Rather than relying largely on shipping tape, as is common in the lower tiers, Tier 4 solutions begin to incorporate more disk-based solutions. Several hours of data loss is still possible, but it is easier to make such point-in-time (PIT) copies with greater frequency than data that can be replicated through tape-based solutions.
  • Tier 5 - Transaction integrity
    • Tier 5 solutions are used by businesses with a requirement for consistency of data between production and recovery data centers. There is little to no data loss in such solutions; however, the presence of this functionality is entirely dependent on the application in use.
  • Tier 6 - Zero or little data loss
    • Tier 6 Disaster Recovery solutions maintain the highest levels of data currency. They are used by businesses with little or no tolerance for data loss and who need to restore data to applications rapidly. These solutions have no dependence on the applications to provide data consistency.
  • Tier 7 - Highly automated, business-integrated solution
    • Tier 7 solutions include all the major components being used for a Tier 6 solution with the additional integration of automation. This allows a Tier 7 solution to ensure consistency of data beyond that provided by Tier 6 solutions. Additionally, recovery of the applications is automated, allowing for restoration of systems and applications much faster and more reliably than would be possible through manual Disaster Recovery procedures.

Solution design

Two main requirements from the impact analysis stage are:

  • For IT: the minimum application and data requirements and the time in which they must be available.
  • Outside IT: preservation of hard copy (such as contracts). A process plan must consider skilled staff and embedded technology.

This phase overlaps with disaster recovery planning.

The solution phase determines:

  • crisis management command structure
  • telecommunication architecture between primary and secondary work sites
  • data replication methodology between primary and secondary work sites
  • Backup site - applications, data and work space required at the secondary work site

British standards

The British Standards Institution (BSI) released a series of standards:

  • 1995: BS 7799, peripherally addressed information security procedures. (withdrawn)
  • 2006: BCP — BS 25999-1 Business Continuity Management. Code of Practice (withdrawn)
  • 2007: BS 25999-2 Specification for Business Continuity Management, which specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS). (withdrawn)
  • 2008: BS 25777, specifically to align computer continuity with business continuity. (withdrawn March 2011)
  • 2011: ISO/IEC 27031 - Security techniques — Guidelines for information and communication technology readiness for business continuity.
  • BS EN ISO 22301:2019 Security and resilience – Business continuity management systems – Requirements, the current standard for business continuity planning.[37]
  • BS EN ISO 22313:2020 Security and resilience - Business continuity management systems - Guidance on the use of ISO 22301

ITIL has defined some of these terms.[38]

Within the UK, BS 25999-2:2007 and BS 25999-1:2006 were being used for business continuity management across all organizations, industries and sectors. These documents give a practical plan to deal with most eventualities—from extreme weather conditions to terrorism, IT system failure, and staff sickness.[39]

Civil Contingencies Act

In 2004, following crises in the preceding years, the UK government passed the Civil Contingencies Act of 2004: Businesses must have continuity planning measures to survive and continue to thrive whilst working towards keeping the incident as minimal as possible.[40]

The Act was separated into two parts:

  • Part 1: civil protection, covering roles & responsibilities for local responders
  • Part 2: emergency powers

Australia and New Zealand

The United Kingdom and Australia[41] have incorporated resilience into their continuity planning.[42][43] In the United Kingdom, resilience is implemented locally by the Local Resilience Forum.

In New Zealand, the Canterbury University Resilient Organisations programme developed an assessment tool for benchmarking the Resilience of Organisations.[44] It covers 11 categories, each having 5 to 7 questions. A Resilience Ratio summarizes this evaluation.[45]

Implementation and testing

The implementation phase involves policy changes, material acquisitions, staffing and testing.

Testing and organizational acceptance

The 2008 book Exercising for Excellence, published by The British Standards Institution, identified three types of exercises that can be employed when testing business continuity plans.

  • Tabletop exercises - a small number of people concentrate on a specific aspect of a BCP. Another form involves a single representative from each of several teams.
  • Medium exercises - Several departments, teams or disciplines concentrate on multiple BCP aspects; the scope can range from a few teams from one building to multiple teams operating across dispersed locations. Pre-scripted "surprises" are added.
  • Complex exercises - All aspects of a medium exercise remain, but for maximum realism no-notice activation, actual evacuation and actual invocation of a disaster recovery site are added.

While start and stop times are pre-agreed, the actual duration might be unknown if events are allowed to run their course.

Maintenance

The biannual or annual maintenance cycle of a BCP manual[41] is broken down into three periodic activities.

  • Confirmation of information in the manual, roll out to staff for awareness and specific training for critical individuals.
  • Testing and verification of technical solutions established for recovery operations.
  • Testing and verification of organization recovery procedures.

Issues found during the testing phase often must be reintroduced to the analysis phase.

Information/targets

The BCP manual must evolve with the organization, and maintain information about who has to know what:

  • a series of checklists
    • job descriptions, skillsets needed, training requirements
    • documentation and document management
  • definitions of terminology to facilitate timely communication during disaster recovery,[46]
  • distribution lists (staff, important clients, vendors/suppliers)
  • information about communication and transportation infrastructure (roads, bridges)[47]

Technical

Specialized technical resources must be maintained. Checks include:

  • Virus definition distribution
  • Application security and service patch distribution
  • Hardware operability
  • Application operability
  • Data verification
  • Data application

Testing and verification of recovery procedures

Software and work process changes must be documented and validated, including verification that documented work process recovery tasks and supporting disaster recovery infrastructure allow staff to recover within the predetermined recovery time objective.[48]

Standards

Many standards are available to support business continuity planning and management. ISO has, for example, developed a whole series of standards on business continuity management systems[49] under the responsibility of technical committee ISO/TC 292:

  • ISO 22300:2018 Security and resilience – Vocabulary[50]
  • ISO 22301:2019 Security and resilience – Business continuity management systems – Requirements[51]
  • ISO 22313:2020 Security and resilience – Business continuity management systems – Guidance on the use of ISO 22301[52]
  • ISO/TS 22317:2015 Societal security – Business continuity management systems – Guidelines for business impact analysis[53]
  • ISO/TS 22318:2015 Societal security – Business continuity management systems – Guidelines for supply chain continuity[54]
  • ISO/TS 22330:2018 Security and resilience – Business continuity management systems – Guidelines for people aspects on business continuity[55]
  • ISO/TS 22331:2018 Security and resilience – Business continuity management systems – Guidelines for business continuity strategy[55]
  • ISO/IEC/TS 17021-6:2015 Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 6: Competence requirements for auditing and certification of business continuity management systems[56]

See also

  • Catastrophe modeling
  • Crisis management
  • Cyber resilience
  • Digital continuity
  • Disaster
  • Disaster recovery
  • Disaster recovery and business continuity auditing
  • Disaster risk reduction
  • Emergency management
  • Man-made hazards
  • Natural hazards
  • Risk management
  • Scenario planning
  • Systems engineering
  • System lifecycle

References

  1. BCI Good Practice Guidelines 2013, quoted in Mid Sussex District Council, Business Continuity Policy Statement, published April 2018, accessed 19 February 2021
  2. "How to Build an Effective and Organized Business Continuity Plan". Forbes. June 26, 2015.
  3. "Surviving a Disaster" (PDF). American Bar.org (American Bar Association). 2011.
  4. Elliot, D.; Swartz, E.; Herbane, B. (1999) Just waiting for the next big bang: business continuity planning in the UK finance sector. Journal of Applied Management Studies, Vol. 8, No, pp. 43–60. Here: p. 48.
  5. Alan Berman (March 9, 2015). "Constructing a Successful Business Continuity Plan". Business Insurance Magazine.
  6. "Business Continuity Plan". United States Department of Homeland Security. Retrieved 4 October 2018.
  7. Ian McCarthy; Mark Collard; Michael Johnson (2017). "Adaptive organizational resilience: an evolutionary perspective". Current Opinion in Environmental Sustainability. 28: 33–40. doi:10.1016/j.cosust.2017.07.005.
  8. Intrieri, Charles (10 September 2013). "Business Continuity Planning". Flevy. Retrieved 29 September 2013.
  9. "Continuity Resources and Technical Assistance | FEMA.gov". www.fema.gov.
  10. "A Guide to the preparation of a Business Continuity Plan" (PDF).
  11. "Business Continuity Planning (BCP) for Businesses of all Sizes". 19 April 2017. Archived from the original on 24 April 2017. Retrieved 28 April 2017.
  12. Yossi Sheffi (October 2005). The Resilient Enterprise: Overcoming Vulnerability for Competitive Enterprise. MIT Press.
  13. "Transform. The Resilient Economy".
  14. "Newsday | Long Island's & NYC's News Source | Newsday".
  15. Tiffany Braun; Benjamin Martz (2007). "Business Continuity Preparedness and the Mindfulness State of Mind". S2CID 7698286. "An estimated 80 percent of companies without a well-conceived and tested business continuity plan, go out of business within two years of a major disaster" (Santangelo 2004)
  16. "Building A Resilient Nation: Enhancing Security, Ensuring a Strong Economy report" (PDF). Reform Institute. October 2008.
  17. "Communication and resilience: concluding thoughts and key issues for future research". www.researchgate.net.
  18. Buzzanell, Patrice M. (2010). "Resilience: Talking, Resisting, and Imagining New Normalcies Into Being". Journal of Communication. 60 (1): 1–14. doi:10.1111/j.1460-2466.2009.01469.x. ISSN 1460-2466.
  19. Buzzanell, Patrice M. (March 2010). "Resilience: Talking, Resisting, and Imagining New Normalcies Into Being". Journal of Communication. 60 (1): 1–14. doi:10.1111/j.1460-2466.2009.01469.x. ISSN 0021-9916.
  20. Buzzanell, Patrice M. (2018-01-02). "Organizing resilience as adaptive-transformational tensions". Journal of Applied Communication Research. 46 (1): 14–18. doi:10.1080/00909882.2018.1426711. ISSN 0090-9882. S2CID 149004681.
  21. ISO, ISO 22301 Business Continuity Management: Your implementation guide, published, accessed 20 February 2021
  22. "Emergency Planning" (PDF).
  23. Helen Clark (August 15, 2012). "Can your Organization survive a natural disaster?" (PDF). RI.gov.
  24. May, Richard. "Finding RPO and RTO". Archived from the original on 2016-03-03.
  25. "Maximum Acceptable Outage (Definition)". riskythinking.com. Albion Research Ltd. Retrieved 4 October 2018.
  26. "BIA Instructions, BUSINESS CONTINUITY MANAGEMENT - WORKSHOP" (PDF). driecentral.org. Disaster Recovery Information Exchange (DRIE) Central. Retrieved 4 October 2018.
  27. "Plain English ISO 22301 2012 Business Continuity Definitions". praxiom.com. Praxiom Research Group LTD. Retrieved 4 October 2018.
  28. "The Rise and Rise of the Recovery Consistency Objective". 2016-03-22. Retrieved September 9, 2019.
  29. "How to evaluate a recovery management solution." West World Productions, 2006
  30. Josh Krischer; Donna Scott; Roberta J. Witty. "Six Myths About Business Continuity Management and Disaster Recovery" (PDF). Gartner Research.
  31. "Medical supply location and distribution in disasters". doi:10.1016/j.ijpe.2009.10.004.
  32. "transportation planning in disaster recovery". SCHOLAR.google.com.
  33. "PLANNING SCENARIOS Executive Summaries" (PDF).
  34. Chloe Demrovsky (December 22, 2017). "Holding It All Together". Manufacturing Business Technology Magazine.
  35. developed by SHARE's Technical Steering Committee, working with IBM
  36. Ellis Holman (March 13, 2012). "A Business Continuity Solution Selection Methodology" (PDF). IBM Corp.
  37. "ISO 22301 Business Continuity Management". www.bsigroup.com.
  38. "Glossaries of Terms". AXELOS.
  39. British Standards Institution (2006). Business continuity management-Part 1: Code of practice :London
  40. Cabinet Office. (2004). overview of the Act. In: Civil Contingencies Secretariat Civil Contingencies Act 2004: a short. London: Civil Contingencies Secretariat
  41. "Business Continuity Plan Template".
  42. Resilient Nation Archived 2015-09-23 at the Wayback Machine. Demos. April 2009.
  43. Improving Disaster Resilience. Australian Government. May 12, 2009.
  44. "Resilient Organisations". March 22, 2011.
  45. "Resilience Diagnostic". November 28, 2017.
  46. "Glossary | DRI International". drii.org.
  47. "Disaster Recovery Plan Checklist" (PDF). CMS.gov.
  48. Othman. "Validation of a Disaster Management Metamodel (DMM)". SCHOLAR.google.com.
  49. "ISO - ISO/TC 292 - Security and resilience". www.iso.org.
  50. "ISO 22300:2018". ISO.
  51. "ISO 22301:2019". ISO.
  52. "ISO 22313:2020". ISO.
  53. "ISO/TS 22317:2015". ISO.
  54. "ISO/TS 22318:2015". ISO.
  55. "ISO/TS 22330:2018". ISO.
  56. "ISO/IEC TS 17021-6:2014". ISO.

Further reading

United States

Bibliography

  • Business Continuity Planning, FEMA, Retrieved: June 16, 2012
  • Continuity of Operations Planning (no date). U.S. Department of Homeland Security. Retrieved July 26, 2006.
  • Purpose of Standard Checklist Criteria For Business Recovery (no date). Federal Emergency Management Agency. Retrieved July 26, 2006.
  • NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (2010). National Fire Protection Association.
  • United States General Accounting Office Y2k BCP Guide (August 1998). United States Government Accountability Office.
  • SPC.1-2009, "Organizational Resilience: Security, Preparedness, and Continuity Management Systems—Requirements with Guidance for Use", approved by American National Standards Institute

International Organization for Standardization

  • ISO 22300:2018 Security and resilience - Vocabulary
  • ISO 22301:2019 Security and resilience – Business continuity management systems – Requirements
  • ISO 22313:2013 Security and resilience - Business continuity management systems - Guidance on the use of ISO 22301
  • ISO/TS 22315:2015 Societal security – Business continuity management systems – Guidelines for business impact analysis (BIA)
  • ISO/PAS 22399:2007 Guideline for incident preparedness and operational continuity management (withdrawn)
  • ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services
  • ISO/IEC 27001:2013 (formerly BS 7799-2:2002) Information technology — Security techniques — Information security management systems — Requirements
  • ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls
  • ISO/IEC 27031:2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity
  • IWA 5:2006 Emergency Preparedness (withdrawn)

British Standards Institution

  • BS 25999-1:2006 Business Continuity Management Part 1: Code of practice (superseded, withdrawn)
  • BS 25999-2:2007 Business Continuity Management Part 2: Specification (superseded, withdrawn)

Australia Standards

  • HB 292-2006, "A practitioners guide to business continuity management"
  • HB 293-2006, "Executive guide to business continuity management"

Others

  • James C. Barnes (2001-06-08). A Guide to Business Continuity Planning. ISBN 978-0471530152.
  • Kenneth L Fulmer (2004-10-04). Business Continuity Planning, A Step-by-Step Guide. ISBN 978-1931332217.
  • Richard Kepenach. Business Continuity Plan Design, 8 Steps for Getting Started Designing a Plan.
  • Judy Bell. Disaster Survival Planning: A Practical Guide for Businesses. ISBN 978-0963058003.
  • Dimattia, S. (November 15, 2001). "Planning for Continuity". Library Journal. 126 (19): 32–34.
  • Andrew Zolli; Ann Marie Healy (2013). Resilience: Why Things Bounce Back. Simon & Schuster. ISBN 978-1451683813.
  • International Glossary for Resilience, DRI International.

External links

  • The tiers of Disaster Recovery and TSM. Charlotte Brooks, Matthew Bedernjak, Igor Juran, and John Merryman. In, Disaster Recovery Strategies with Tivoli Storage Management. Chapter 2. Pages 21–36. Red Books Series. IBM. Tivoli Software. 2002.
  • SteelStore Cloud Storage Gateway: Disaster Recovery Best Practices Guide. Riverbed Technology, Inc. October 2011.
  • Disaster Recovery Levels. Robert Kern and Victor Peltz. IBM Systems Magazine. November 2003.
  • Business Continuity: The 7-tiers of Disaster Recovery. Archived 2018-09-26 at the Wayback Machine Recovery Specialties. 2007.
  • Continuous Operations: The Seven Tiers of Disaster Recovery. Mary Hall. The Storage Community (IBM). 18 July 2011. Retrieved 26 March 2013.