Parent Framework: COBIT 2019
Establish and maintain a plan to enable the business and IT organizations to respond to incidents and quickly adapt to disruptions. This will enable continued operations of critical business processes and required I&T services and maintain availability of resources, assets and information at a level acceptable to the enterprise.
Adapt rapidly, continue business operations and maintain availability of resources and information at a level acceptable to the enterprise in the event of a significant disruption (e.g., threats, opportunities, demands).
DSS04.01 Define the business continuity policy, objectives and scope.
Define business continuity policy and scope, aligned with enterprise and stakeholder objectives, to improve business resilience.
DSS04.02 Maintain business resilience.
Evaluate business resilience options and choose a cost-effective and viable strategy that will ensure enterprise continuity, disaster recovery and incident response in the face of a disaster or other major incident or disruption.
DSS04.03 Develop and implement a business continuity response.
Develop a business continuity plan (BCP) and disaster recovery plan (DRP) based on the strategy. Document all procedures necessary for the enterprise to continue critical activities in the event of an incident.
DSS04.04 Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP).
Test continuity on a regular basis to exercise plans against predetermined outcomes, uphold business resilience and allow innovative solutions to be developed.
DSS04.05 Review, maintain and improve the continuity plans.
Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plans in accordance with the change control process to ensure that continuity plans are kept up to date and continually reflect actual business requirements.
DSS04.06 Conduct continuity plan training.
Provide all concerned internal and external parties with regular training sessions regarding procedures and their roles and responsibilities in case of disruption.
DSS04.07 Manage backup arrangements.
Maintain availability of business-critical information.
DSS04.08 Conduct post-resumption review.
Assess the adequacy of the business continuity plan (BCP) and disaster response plan (DRP) following successful resumption of business processes and services after a disruption.
Continuity management COPL
The provision of service continuity planning and support, as part of, or in close cooperation with, the function which plans business continuity for the whole organisation. The identification of information systems which support critical business processes. The assessment of risks to critical systems’ availability, integrity and confidentiality. The co-ordination of planning, designing, testing and maintenance procedures and contingency plans to address exposures and maintain agreed levels of continuity.