Small and medium-sized enterprises tend to get ignored when talking about business continuity planning. The planning is more prosaic. The challenges are fewer. And most importantly, their budgets are smaller.

But of course, the same principles that apply to large businesses also apply to the small ones. We at Oppello are an IT consultancy that specialises in looking after small to medium sized businesses. And business continuity planning is a must for companies of all sizes. A small firm that loses all its data will go out of business, just as surely as a larger one.

If anything smaller firms become more vulnerable to crises because larger companies are geographically more diverse – knocking out your operations in say Edinburgh is not as business critical when your offices in London can take some of the overload.

A few years ago business continuity planning was only regularly undertaken by the larger corporations, nowadays SMEs are more than likely to make some kind of preparation. Part of the problem, however, is that smaller companies are typically less aware of the correct procedures than larger firms where systems have been developed.

Initial IT audit

Frequently we’ll find small companies that have thought about continuity issues but not implemented them fully, On our initial audit we’ll find, for example, that IT back-ups have indeed been taken. But the tapes are sitting next to the computer and the coffee cups! It’s frightening too the number of times you find that checking the tapes has not gone on – the procedures have never been tested.

Increasing sophistication

But with the growing awareness of the need for business continuity, smaller firms are starting to get more sophisticated and this kind of situation should soon start to become less and less frequent. Also one encouraging trend for smaller firms looking for business continuity support is that there are a greater number of support firms operating in this space and charging a price that is affordable. And size can sometimes be an advantage too. Large companies are often entrenched in old technologies and methodologies. One advantage that smaller companies have over larger companies is that they are able to respond and embrace new technologies more quickly Depending on the size of a business, support for business continuity planning can be brought in-house. Typically, a company with around 30 computers and a couple of servers could keep an IT specialist – as a full member of staff – busy for most of a week.

Other potential weaknesses

However, that can cause problems too. IT specialists are valuable commodities and tend to move around considerably. Also there remains the constant questions over how the company ensures that the business runs as normal when the IT expert is on holiday or sick.

The great thing about business continuity is that – irrespective of the size of your business – you can go a long way to devising a plan simply by getting your senior staff to think through the issues.

Watch the video related to business continuity audit

Burton Asset Management CEO, Kevin Burton, reviews the BAM BC/DR Methodology, and discusses how the deliverables provided with the Methodology stand up to any audit to which a company might be subject. Mr. Burton has developed this methodology to help inform the thinking of businesses of all sizes that are struggling with Business Continuity / Disaster Recovery preparedness. This event was recorded live, February 29th, 2008, at Mastro’s Steak House in Costa Mesa, CA. The event was hosted and …

Help answer the question about business continuity audit

About Author

Oppello IT Support London – We Make IT Work

ISO IEC 27001 International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

Home

This ISO 27001 International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

NOTE 1: References to ‘business’ in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization’s existence.

NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.

The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4, 5, 6, 7, and 8 is not acceptable when an organization claims conformity to this International Standard.

Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization’s ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.

NOTE: If an organization already has an operative business process management system (e.g. in relation with ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this existing management system.

Delatprima mempersiapkan bagi Anda segala kebutuhan untuk jasa konsultan iso 27000 27001 27002, iso 27001 consultant, it security management consultant, konsultan isms, isms consultant, information security management consultant, it risk management, konsultan keamanan ti, konsultan manajemen keamanan ti, iso it security consultant, konsultan iso 17799, iso 17799 consultant, training iso 27000 27001, it audit, konsultan it bsc, manajemen risiko ti, tata kelola ti, it governance, it scorecard, iso 27000 27001 certification audit.

Hubungi segera NOVI – TEL. 021.7511984, 08161346764.

Watch the video related to business continuity audit

Help answer the question about business continuity audit

About Author

Any business faces minor down times and major unknowns. It is important therefore that contingencies are built into the business processes to ensure that important information is protected in the event of a planned or unplanned closure of the business. It has once been said that any investment into a Business Continuity Program (BCP) is a waste of valuable resources. And it is true that if a strict ROI calculation is attributed to such a program it is likely that it would not provide a sufficient justification for such an investment. However, anybody who has experienced a cessation of business activity will know that not having a BCP spells disaster and in fact it is a small cost to bear in relationship to the losses the business incurs during such an event.

Our recent history is filled with events that “were unthinkable” but that actually happened and which are all reminders that a BCP should not be disregarded. It is an accepted fact that following a major fire almost half of businesses fail to reopen and then close to a third of those that do reopen do not survive beyond three years. Those are everyday examples and the list could easily go on and on building up an unassailable argument for a BCP.

There are also smaller scale events where because of the temporary nature of the business interruption there is no life threatening effect on the business but the amount of time spent recovering lost information can be seriously distracting and in many instances where the information is permanently lost it can lead to severe problems for the people or organisations affected by such a loss. All distractions however small create a cost to the business as they take away resources from normal business activities and lead to increased overtime, more defects (which have to be fixed at a cost) or simply greater stress which means lower staff efficiency.

A BCP is ultimately a simple methodology for identifying areas of risk, creating contingencies, assigning responsibilities, communicating its benefits to the organisation and then following up with regular audits and live tests. But as in any aspect of a business’s activities it needs the commitment of senior management and staff for its processes and disciplines to be effectively embedded into the organisation.

While, this article does not go into the subject of how to construct a BCP, it does, as the title suggests, describe how a hosted software product can be used by an organisation as part of its business continuity contingency.

The definition of a hosted arrangement is one that is held as a guest by a third party. This means that the third party not only holds the hardware and software on behalf of the client but also takes care of maintaining both the hardware and software as well. In the specific case of a hosted software the product is owned, hosted and managed by the organisation that developed it and is then rented out from its hosted location for specific periods of time to a number of different companies. The hosting location is always remote from the business locations of the clients and the software product is accessible over an Internet connection. This provides a dual benefit of operating from a remote location that is protected from any event that could happen to a client’s business location while at the same time being able to be accessed from any PC and from any location, whether primary or alternative, with an Internet connection.

An example of a specific instance would be helpful at this stage. Company A operates from a single location with its offices, manufacturing and distribution in the same building. A small fire in the plant sets off the sprinkler system in the entire site and the fire’s spread is restricted and quickly put out. The damage is limited to the factory and it is quickly cleaned and is up and running again within a couple of hours. However, the damage from the sprinklers in the offices is substantial and all electronic equipment is permanently damaged and the storage disks are corrupted and it is not certain that anything can be recovered from them. However, the company used a hosted software to run its quality systems and its customer management with the data being held at the hosting location. So with the help of a new PC, an existing live broadband connection and a new printer, Company A was able to access its account and retrieve its orders, print out its latest production procedures from its quality system and have the factory starting production on outstanding customer orders as soon as it had been cleaned up from the fire. There obviously could have been some mitigating measures that should have been installed prior to the incident such as different sprinkler systems in the offices and the factory and a gas based extinguisher for the electronic equipment but the management was not willing to accept the extra expense at the time.

As an observation Company A was able to reduce its downtime because it had systems and procedures in place to enable it to recover key information far quicker than had it disregarded such contingencies and taken the attitude that “it would never happen to us”. Clearly, the hosted software product at a remote location with its standard back-up models combined with its Internet connectivity had an important role to play in Company A’s business interruption contingencies.

But let us not forget that a hosted application also provides a cost effective alternative to a standard client server application while at the same time having the structure for protecting against the unexpected.

Watch the video related to business continuity audit

Help answer the question about business continuity audit

About Author

Written by Christopher Stainow of Lennox Hill Ltd. Lennox Hill http://www.lennoxhill.co.uk is a provider of hosted quality management software for effective management of the ISO 9000, ISO 14000 and OHSAS 18001 standards.