São Paulo/SP – September 19, 2022. The Business Continuity Plan (PCN or BCP) has as its main purpose the creation of procedures to support essential business operations, during the recovery caused by a significant interruption.
*By Dylan Ribeiro
When we think of a Business Continuity Plan, the first thing that comes to our mind are major disasters such as earthquakes, floods and even terrorist attacks. In fact, this topic came into focus after one of these events, the 9/11 terrorist attack caused many companies to lose everything because they had their data centers main and that of backup in the two towers destroyed that day. However, a Business Continuity Plan is much more than that, the Disaster Recovery Plan is just one of many plans created to ensure that a business survives any incident.
According to Disaster Recovery Journal in 2020, the top triggers for a company to put a Disaster Recovery Plan into action were Hardware and Software (37%), Cyberattack (24%), Electrical Failure (18%), and Internet Service Failure (18%). This demonstrates that the triggers for this triggering are very varied and are not always those that come to our mind when we think of Business Continuity.
Because they are so varied, these risk factors have different ways of being addressed and mitigated. The Business Continuity Plan (PCN or BCP) has as its main purpose the creation of procedures to support essential business operations, during the recovery caused by a significant interruption. The BCP encompasses other elements such as the BIA (Business Impact Analysis), a detailed risk analysis of each of the company's main processes and other plans that are put into practice according to the triggering rules present in the BCP. Below we present these plans and a little more of what they do.
Disaster Recovery Plan (PRD or DRP)
This plan describes operational procedures for the recovery of computer systems in the organization's primary or secondary locations after a disaster has occurred. Unlike other plans, DRP is focused on the IT area and is limited to major disruptions with long-term effects.
He is also responsible for:
- Identify and classify threats and riches capable of causing a disaster;
- Define resources and processes that ensure business continuity during the disaster, such as alternative site and others;
- Define the mechanisms to carry out the restoration of services after the effects of the disaster are mitigated or extinguished.
Incident Response Plan (PRI)
In PRI, the objective is to create strategies to detect, respond and limit the consequences of an IT or information security incident. Its scope is limited to responses to information and/or network security incidents. Elements like the SOC (Security Operations Center or Security Operations Center) and the CSIRT (Computer Security Incident Response Team or Security Incident Response Group) are measures that can be created in implementing the PRI.
Among other aspects, this plan also seeks to:
- Prevent a disjointed response to an information security incident, thus minimizing the impact on operations;
- Create and establish controls for adequate recovery and treatment of evidence;
- Allow criminal or civil action against the authors;
- Serve as a reference for creating accurate reports and useful recommendations.
Operational Continuity Plan (PCO)
Its purpose is to create procedures to support the company's strategic operations during a failure. This failure can partially or totally affect the organization for a short period of time and the recovery is done by the IT area without the declaration of contingency.
This plan encompasses other aspects such as:
- Identify and map possible failures in the company's IT environment;
- Define alternative resources and processes;
- Implement backup policies for all critical application data;
- Test and adapt the plan, as well as training for the team;
- Establish rules for performing corrective and preventive maintenance.
It is worth noting that a failure will initially trigger the PCO, but can evolve and trigger the PRD or PRI depending on the problem or source and as its impact on the organization's business increases.
Crisis Communication Plan (CCP)
This plan proposes procedures for disseminating information on the progress of recovery processes to the organization's internal or external public. It also serves to plan and monitor how information is brought to the public, both by the company and the media. All these actions seek to ensure that the company's image is preserved in the face of a crisis scenario.
We can divide a crisis in four ways:
- Record with greater public knowledge;
- Record with less public knowledge;
- Take with greater public knowledge;
- Take with less public knowledge.
For each of these situations, the actions to be taken are defined, who should be informed first, who is responsible for carrying out this communication and other elements.
Occupational Emergency Plan (OCP)
These are coordinated procedures to minimize loss of life or injury and property damage in response to a physical threat. Disasters such as fire, flood, bomb threat or strikes are situations in which the PCO is triggered and used.
In this plan are defined, for example:
- Emergency Committee;
- Tree of responsibilities;
- External contact list;
- Better sequence of actions;
- Events that will be covered by the plan.
From this description we can see how the PCO is similar to the PRD and it is not uncommon for them to be confused. In fact, a fire for example will trigger both plans at the same time depending on the scale of the event. The main difference is that the PRD is focused on IT operations and the PCO is focused on the company's employees and facilities.
Final considerations
This article sought to briefly present some plans that make up the Business Continuity Plan. Each of them has a series of recommendations and best practices for structuring. A reference for this structuring is the ABNT NBR ISO/IEC 22301 standard, which specifies requirements for establishing and managing a business continuity management system. Some organizations may treat them as sections within the NCP or separate plans judging by the information contained in each and who should have access.
The important thing is to understand that we cannot limit business continuity to natural disasters alone. We must look for ways to meet any possible scenario. All these plans generally seek to create tools so that in times of crisis, employees can overcome them in the fastest, most organized way and with the least possible impact.
The actions taken by one organization do not always fit perfectly into another, so it is important to understand each scenario and how each of these plans can positively contribute to the company being able to overcome adversities.
— Dylan Ribeiro is a GRC Consultant at [SAFEWAY]
How can we help?
THE SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.
today through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in the process of structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.
In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services, the Cybersecurity Health Check whose objective is to carry out a diagnosis of the CyberSecurity, Information Security and Data Privacy implemented in your company, contemplating the pillars of Law Suit, People and Technology.
through the Cybersecurity Health Check, risks associated with information security and privacy of internal processes and activities are identified, existing controls and new controls evaluated according to the size of your organization to increase the level of maturity and compliance, in accordance with good information security practices. If you would like more information, contact one of our experts!
