In the immortal words of Taylor Swift (and Benjamin Franklin), “If you fail to plan, you plan to fail.” With the recent CrowdStrike IT outage causing significant global disruption, the importance of effective business continuity management has once again been highlighted. In this article, we discuss how maintaining Business Continuity Plans (BCPs) can help organisations to continue operations under difficult conditions.
What caused the CrowdStrike global IT outage?
The CrowdStrike outage was caused by a faulty software update, resulting in Blue Screens of Death, sudden shutdowns, and other usability issues impacting many Windows operating systems across the globe. This outage affected organisations across many industries, including banking, airlines, and media. CrowdStrike clarified that the outage was not the result of a cybersecurity incident or malicious activity. They provided remediation guidance through their Customer Portal, urging affected customers to follow these instructions. Recovery times varied depending on the extent of the disruption to the organisation and the resources available for remediation. It generally took most organisations days to fully recover, with some reporting that it took nearly a week to restore normal operations.
As organisations tried to recover as quickly as possible from the outage, we unfortunately saw some affected organisations also fall victim to scams, as scammers impersonated Microsoft and IT service providers, claiming to be able to fix the issue and return businesses to normal operations.
Why Every Organisation Needs a Business Continuity Plan
This incident has shown that even the most reliable systems can face unforeseen disruptions. It underscores the importance of robust backup and recovery plans and highlights the potential cascading effects of IT failures in interconnected systems. It also highlights the need for organisations to prepare for unexpected events by identifying risks and developing plans to continue operations if key systems, personnel, or assets are interrupted. Contingency planning for how to operate during the disruption can also help to minimise the impact to an organisation’s operations and lessen their reliance on individual systems, reducing single points of failure. Organisations can protect themselves by developing a business continuity plan, backing up data, and ensuring robust cybersecurity measures are in place.
What is a BCP?
A BCP sets out an organisation’s plan for handling potential disruptions to its operations. It sets out the framework to ensure the continuation of essential functions during and after a disruption, serving as a roadmap to keep the business operational.
For cybersecurity incidents such as the one at CrowdStrike, a BCP should include:
- Incident Response Plan: Detailed steps for immediate action to contain and mitigate the impact of the outage.
- Communication Plan: Clear communication channels to inform all stakeholders, including employees, customers, and partners, about the situation and ongoing remediation efforts. This should also include planned communication channels with support providers to minimise the risk of scammers seeking to take advantage of large-scale outages.
- Backup and Recovery: Regular backups of critical systems and data to ensure swift recovery.
- Testing and Drills: Regular testing of the business continuity and incident response plans to ensure preparedness for actual incidents.
Why having a BCP is important
Having a BCP in place is important because it can:
- Protect data and assets by including strategies for data backup and recovery, ensuring vital information is safeguarded during disruptions.
- Reduce downtime and financial losses by outlining procedures that quickly restore critical business functions.
- Enhance resilience and support long-term success. Regular testing and updates of the BCP can help prepare an organisation for various disruptive scenarios.
- Demonstrate to stakeholders a proactive approach to risk management. It also demonstrates that the organisation is committed to customer satisfaction and providing consistent and reliable services.
- Help to ensure compliance and meet regulatory requirements, reducing the risk of legal and financial penalties.
- Improve operational efficiency through well-defined processes and resource optimisation.
What is ISO 22301?
ISO 22301 is an international standard for Business Continuity Management Systems (BCMS). It provides a framework for organisations to develop, implement, maintain, and improve a BCMS, ensuring they can effectively respond to and recover from disruptive incidents.
ISO 22301:2019 is the latest version of the standard and sets out the requirements for a BCMS. The key elements include:
- Policy and Objectives: Establishing business continuity policies and objectives tailored to the organisation’s needs.
- Risk Assessment and Business Impact Analysis (BIA): Identifying and evaluating risks and their potential impacts on critical business functions.
- Strategies and Solutions: Developing BCPs that contain strategies to mitigate risks and ensure the continuity of operations.
- Incident Response Structure: Establishing a structure for responding to incidents, including communication and recovery procedures, and leading the organisation during disruption.
- Performance Evaluation: Monitoring and evaluating the performance of the BCMS through audits, reviews, and testing.
- Continual Improvement: Continuously improving the BCMS based on lessons learned from exercises, real incidents, and audits.
How ISO 22301 Helps Develop a BCP
- Comprehensive Framework:
  - Provides a structured approach to developing a BCMS, ensuring all critical aspects are considered.
  - Helps organisations identify potential threats and their impacts systematically.
- Risk and Impact Assessment:
  - Guides the organisation through a thorough risk assessment process, identifying vulnerabilities and threats.
  - Conducts a Business Impact Analysis (BIA) to determine critical functions and their recovery priorities.
- Clear Objectives and Policies:
  - Assists in setting clear business continuity objectives and policies that align with the organisation’s strategic goals.
  - Ensures that all stakeholders understand the importance of business continuity and their roles in it.
- Resource Allocation:
  - Provides guidelines for allocating the resources necessary to implement and maintain an effective BCMS.
  - Ensures that appropriate personnel, technology, and financial resources are available.
- Developing and Testing Plans:
  - Helps in creating detailed response and recovery plans tailored to specific incidents and scenarios.
  - Emphasises the importance of regular testing and exercises to ensure plans are effective and up to date.
- Continuous Improvement:
  - Encourages a culture of continuous improvement through regular monitoring, review, and updates.
  - Uses feedback from exercises, audits, and actual incidents to refine and improve the BCMS.
- Compliance and Certification:
  - Provides a framework that is recognised globally, facilitating compliance with regulatory requirements.
  - Organisations can seek certification to demonstrate their commitment to business continuity to stakeholders.
- Enhanced Resilience:
  - Builds organisational resilience by preparing for, responding to, and recovering from disruptions efficiently.
  - Helps maintain critical operations and minimise downtime, protecting the organisation’s reputation and financial stability.
Additional Tips
- Documentation: Maintain comprehensive documentation to support all aspects of the BCMS, ensuring traceability and accountability. Ensure that this documentation is available to key personnel at the relevant points of use, and not only electronically, since the systems that hold it may themselves be unavailable during a disruption.
- Stakeholder Engagement: Engage with relevant stakeholders throughout the planning and implementation process to ensure buy-in and cooperation, and ensure the right people are involved in testing and exercising the BCPs. Remember, a test of the BCP cannot fail, but it can definitely highlight weaknesses in the BCP.
- Integration: Integrate the BCMS with other management systems in the organisation, such as information security management systems, for a more cohesive approach.
By following ISO 22301, organisations can systematically develop robust Business Continuity Plans, ensuring preparedness for potential disruptions and the ability to maintain critical operations under adverse conditions.
Want to learn more about ISO 22301? Join our upcoming Business Continuity course and get the knowledge and tools needed to navigate unexpected challenges and ensure continuity in any situation. Every organisation should have a Business Continuity Plan. No one is immune to the risks of disruption or disaster. Being prepared for such events is essential to the resilience of any organisation. Find out more and enrol here.