



Can You Demonstrate Business Continuity Readiness?

Feb 27, 2009
3 mins
Business Continuity

The traditional disaster recovery plan was often something that sat on a shelf, looked at periodically, and handed to an auditor or member of the board upon request.  Today, demonstrating a DR plan exists, that it is part of an overall business continuity plan, and that it is actually followed and works is often a requirement for establishing a business relationship.

Proof of active business continuity management is something many businesses request before signing a critical agreement.  In other words, does the supplier of critical goods and services take steps to continue delivery when something breaks?  If not, stepping away from the table to look for an organization which understands the importance of uninterrupted service and product delivery is increasingly common.

In a Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, 80 percent of respondents claimed they had to provide proof of business continuity readiness during the previous 12 months (Businesses Take BC Planning More Seriously, Stephanie Balaouras, Forrester, 26 Feb 2009).  The following graph from the survey results depicts sources of the requests.

Using information in the survey and my own experience over the past five years, I made a list of people, businesses, or agencies who might ask you to demonstrate the resiliency of your information infrastructure.

  • Business auditors: Internal and third-party auditors want more today than a DR manual.  They want to understand how you approach Business Continuity Event Management (BCEM), from a failed server or switch to unavailability of the data center.
  • Regulatory auditors or courts: HIPAA is just one of several government regulations, both in place and emerging, which include information availability requirements.  Further, requests for proof of effective BCEM might be part of a discovery request for events which caused financial damage or physical injury.
  • Recipients of your products and services: You’d like your customers to consider you their primary supplier of a critical service or product.  However, their BCEM plan might dictate proof that all critical suppliers can react quickly to internal interruptions or to interruptions by their suppliers.  This means not only do you have to demonstrate you can recover, you must also show you’ve asked the same of your suppliers. 

In addition to these situations, there is often a general expectation that certain services will be available.  For example, I don’t believe any business users of Google mail services asked the provider to demonstrate continuity capabilities—this includes me.  There was a general perception that a cloud services provider understands the need and ensures continuous delivery.  That doesn’t seem evident from the Google online services stoppage this week, but I’m sure we all learned something about expectation setting—including Google.  What unknown expectations do your customers have?

Creating and managing a BCEM program consists of a series of steps, steps which can take several months if you haven’t already started.  However, it will be a resource commitment with an ROI demonstrated by improved existing-customer satisfaction and new-customer confidence in your ability to support their operations.


Tom Olzak is an information security researcher and an IT professional with more than 34 years of experience in programming, network engineering and security. He has an MBA and a CISSP certification. He is an online instructor for the University of Phoenix, facilitating 400-level security classes.

Tom has held positions as an IS director, director of infrastructure engineering, director of information security and programming manager at a variety of manufacturing, healthcare and distribution companies. Before entering the private sector, he served 10 years in the U.S. Army Military Police, with four years as a military police investigator.

Tom has written three books: Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide. He is also the author of various papers on security management and has been a blogger for, TechRepublic, and Tom Olzak on Security.

The opinions expressed in this blog are those of Tom Olzak and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.