• United States




Business Continuity Event Planning: Analysis and Remediation

Dec 24, 20083 mins
Business Continuity

In this post of the Business Continuity Event Management (BCEM) series, we continue event response and recovery planning with a transition from incident response to recovery operations. 

The first step in handling a business continuity event (BCE) is an effective response.  Once the situation is stabilized, analysis and remediation (recovery) can begin.

The core of the analysis and remediation phase is the Business Continuity Plan.  According to BS 25999-1:2006 (p. 33),

The purpose of a business continuity plan (BCP) is to enable an organization to recover or maintain its activities in the event of a disruption to normal business operations. 

BCPs are activated (invoked) to support the critical activities required to deliver the organization’s objectives.  They may be invoked in whole or in part and at any stage of the response to an incident.

The BCP must contain information sufficient to allow recovery of critical systems and implementation of failed process workarounds.  It should also include contact information for all stakeholders, recovery team members, and technology vendors.  All of this information should have been collected during understanding the business and BIA activities.

In many organizations, the BCP is seen as a disaster recovery plan, a plan to recover from catastrophic events.  Although it must contain DR documentation, it should also support less pervasive recovery operations.  The following is a descriptive list of required components for a basic BCP:

  • Event Management.   This section includes:

    • Team lead names and contact information
    • The conditions under which the plan may be invoked
    • Communication of recovery invocation and progress
    • Definition of roles and responsibilities 
    • Reporting and communication centers for recovery personnel
    • Information about when and how to move operations to one or more alternate sites
  • System Recovery.  A section should exist for each critical process, and should include:

    • Instructions for rebuilding technology
    • Technology vendor contacts for each externally supported component
    • List of dependent processes
    • List of affected internal and external stakeholders
    • Workarounds, both manual and technical
  • Templates.  Templates for documenting all BCP recovery activities.

The final component of an effective BCP is testing.  The first time a team member sees the BCP should not be at 2 P.M. the day of an event.  Not all testing requires a trip to an alternate site.  The type of test performed is dictated by the test objectives.

For example, if you want to simply ensure completeness of documentation or to strengthen team familiarity with a system’s recovery process, getting everyone into a conference room for a documentation-based walkthrough is an inexpensive what to check your work.  If, however, you want to know if following the documentation actually results in system recovery, you will want to send a team to the alternate site for the test.

All results should be documented during the test and used to modify the BCP, if necessary.


Tom Olzak is an information security researcher and an IT professional with more than 34 years of experience in programming, network engineering and security. He has an MBA and a CISSP certification. He is an online instructor for the University of Phoenix, facilitating 400-level security classes.

Tom has held positions as an IS director, director of infrastructure engineering, director of information security and programming manager at a variety of manufacturing, healthcare and distribution companies. Before entering the private sector, he served 10 years in the U.S. Army Military Police, with four years as a military police investigator.

Tom has written three books: Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide. He is also the author of various papers on security management and has been a blogger for, TechRepublic, and Tom Olzak on Security.

The opinions expressed in this blog are those of Tom Olzak and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.