Policy and Programme Management Flashcards
What are the 6 stages of the BCM lifecycle?
PP1 - Policy and Programme Management PP2 - Embedding PP3 - Analysis PP4 - Design PP5 - Implementation PP6 - Validation
What does the Business Continuity Policy do?
The policy “provides the intentions and direction of an organization as formally expressed by its top management.” (Source: ISO 22301:2012).
Sets the boundaries and requirements for the business continuity programme and states the reasons why it is being implemented.
Defines the guiding principles which the organization follows and measures its performance against.
Defines how the organization should build and maintain the programme to continue to deliver products and services in the event of an incident.
What general principles should be considered when creating or revising a business continuity policy?
The policy should provide the strategic direction from which the business continuity programme is delivered .
The policy should define the way in which the organization will approach business continuity and how the programme will be structured and resourced.
The policy should be supported, approved, and owned by top management to provide effective governance and leadership.
The policy should state how it supports the strategic objectives of the organization and other relevant policies.
The policy should be appropriate to the size, complexity, and type of organization and aligned to its culture and operating environment.
The policy should identify any standards or guidelines that are used as a benchmark for the business continuity programme.
The policy should be communicated, and made available to all interested parties.
What methods and techniques should be considered when establishing the business continuity policy?
Control the distribution of the policy using an appropriate version control system.
Use an existing template or policy (where one exists in the organization).
What should the business continuity policy include?
A definition of business continuity for use in the organization.
A statement of governance and leadership commitment to the policy.
Defined objectives and scope for the business continuity programme.
Roles and responsibilities for the business continuity programme including an incident response capability.
References to relevant policies, standards, and legal and regulatory requirements.
Identification of interested parties.
Agreed methods and frequency for measurement and review of all stages of the business continuity lifecycle.
Agree methods for sign-off and communication of the policy and all programme activities.
Other than regular review, when else should a BCP be reviewed?
A change in the organization’s approach to risk which can be prompted by an incident or change.
A change in market conditions.
An acquisition, merger, or disposal.
Changes to products or services (including those that are outsourced).
Changes to legal or regulatory requirements.
What should be demonstrated when reviewing or auditing a business continuity policy?
Top management has ensured that the policy is communicated throughout the organization.
The policy is effective.
The policy clearly states what the measurable deliverables of the business continuity programme are.
There is clear top management commitment to satisfy all applicable internal and external requirements within the scope of the programme.
There is clear and documented ongoing commitment to business continuity and continual improvement.
Opportunities for adapting to change can be identified.
