Business continuity planning (
BCP) is the creation and validation of a practiced logistical
planA plan is typically any procedure used to achieve an objective. It is a set of intended actions, through which one expects to achieve a goal.Plans can be formal or informal:...
for how an
organizationAn organization is a social arrangement which pursues collective goals, which controls its own performance, and which has a boundary separating it from its environment...
will recover and restore partially or completely interrupted
criticalCritical may denote:*pertaining to a critic*pertaining to a critique*pertaining to a crisisMore specifically:-Psychology and education:*critical pedagogy - helping students achieve critical consciousness...
(urgent) functions within a predetermined time after a
disasterA disaster is the tragedy of a natural or human-made hazard that negatively affects society or environment....
or extended disruption. The logistical plan is called a
business continuity plan.
In plain language, BCP is working out how to stay in business in the event of disaster. Incidents include local incidents like building fires, regional incidents like earthquakes, or national incidents like pandemic illnesses.
BCP may be a part of an
organizational learningOrganizational learning is an area of knowledge within organizational theory that studies models and theories about the way an organization learns and adapts....
effort that helps reduce
operational riskAn operational risk is a risk arising from execution of a company's business functions. As such, it is a very broad concept including e.g. fraud risks, legal risks, physical or environmental risks, etc. The term operational risk is most commonly found in risk management programs of financial...
associated with lax
information managementInformation management is the collection and management of information from one or more sources and the distribution of that information to one or more audiences. This sometimes involves those who have a stake in, or a right to that information...
controls. This process may be integrated with improving
information securityInformation security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.The terms information security, computer security and information assurance are...
and corporate reputation
risk managementRisk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events...
practices.
In December 2006, the
British Standards InstitutionBSI Group, also known in its home market as the British Standards Institution is a multinational business services provider whose principal activity is the production of standards and the supply of standards-related services.- History :...
(BSI) released a new independent standard for BCP — BS 25999-1. Prior to the introduction of
BS 25999BS 25999 is BSI's standard in the field of Business Continuity Management . This standard replaces PAS 56, a Publicly Available Specification, published in 2003 on the same subject.-Structure:...
, BCP professionals relied on BSI information security standard
BS 7799BS 7799 was a standard originally published by the British Standards Institute in 1995. It was written by the United Kingdom Government's Department of Trade and Industry , and after several revisions, was eventually adopted by ISO as ISO/IEC 17799, "Information Technology - Code of practice for...
, which only peripherally addressed BCP to improve an organization's information security compliance. BS 25999's applicability extends to organizations of all types, sizes, and missions whether governmental or private, profit or non-profit, large or small, or industry sector.
In 2007, the BSI published the second part, BS 25999-2 "Specification for Business Continuity Management", that specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS).
In 2004, the
United KingdomThe United Kingdom of Great Britain and Northern Ireland is a sovereign state located off the northwestern coast of continental Europe. It is an island country, spanning an archipelago including Great Britain, the northeastern part of Ireland, and many small islands...
enacted the
Civil Contingencies Act 2004The Civil Contingencies Act 2004 is a United Kingdom Act of Parliament that gives the British government wide-ranging powers in an emergency. It is designed to replace former Civil Defence and Emergency Powers legislation of the 20th century....
, a statute that instructs all emergency services and local authorities to actively prepare and plan for emergencies. Local authorities also have the legal obligation under this act to actively lead promotion of business continuity practices amongst its geographical area.
Introduction
A completed BCP cycle results in a formal printed manual available for reference before, during, and after disruptions have occurred. Its purpose is to reduce adverse stakeholder impacts determined by both the disruption's scope (who and what it affects) and duration (how bad, implications last for hours, months etc). Measureable business impact analysis (BIA) "zones" (areas in which hazards and threats reside)include civil, economic, natural, technical, secondary and subsequent.
For the purposes of this article, the term
disaster will be used to represent
natural disasterA natural disaster is the effect of a natural hazard that affects the environment, and leads to financial, environmental and/or human losses...
, human-made disaster, and disruptions.
Before January 1, 2000, governments anticipated computer failures, called the Y2k problem, in important public utility infrastructures like banking,
powerElectric power is defined as the rate at which electrical energy is transferred by an electric circuit. The SI unit of power is the watt.When electric current flows in a circuit, it can transfer energy to do mechanical or thermodynamic work...
,
telecommunicationTelecommunication is transmission over a distance for the purpose of communication. In earlier times, this may have involved the use of smoke signals, drums, semaphore, flags or heliograph. In modern times, telecommunication typically involves the use of electronic devices such as the telephone,...
,
healthAt the of the creation of the World Health Organization , in 1948, Health was defined as being "a state of complete physical, mental, and social well-being and not merely the absence of disease or infirmity"....
and
financialFINANCIAL is the weekly English-language newspaper with offices in Tbilisi, Georgia and Kiev, Ukraine. Published by Intelligence Group LLC, FINANCIAL is focused on opinion leaders and top business decision-makers; It's about world’s largest companies, investing, careers, and small business. It is...
industries. Since 1983, regulatory agencies like the
American Bankers AssociationThe American Bankers Association is the largest industry trade group and professional association representing the nation's banking industry...
and
Banking Administration InstituteBAI is the leading professional organization for the financial services industry, especially in the United States.-Organization:...
(BAI) required their supporting members to exercise operational continuity practices (later supported by more formal BCP manuals) that protect the public interest. Newer regulations were often based on formalized standards defined under ISO/IEC 17799 or BS 7799.
Both regulatory and global business focus on BCP arguably waned after the problem-free Y2K rollover. Some believe this lax attitude ended
September 11th 2001The September 11 attacks were a series of coordinated suicide attacks by Al-Qaeda upon the United States on September 11, 2001. On that morning, 19 Al-Qaeda terrorists hijacked four commercial passenger jet airliners...
, when simultaneous terrorist attacks devastated downtown
New York CityNew York is the most populous city in the United States, and the center of the New York metropolitan area, which is among the most populous urban areas in the world. A leading global city, New York exerts a powerful influence over worldwide commerce, finance, culture, fashion and entertainment...
and changed the 'worst case scenario'
paradigmThe word paradigm has been used in linguistics and science to describe distinct concepts....
for business continuity planning.
BCP methodology is scalable for an organization of any
sizeThe word size may refer to how big something is. In particular:* Measurement* Dimensions: length, width, height, diameter, perimeter, area, volume* Clothing sizes such as shoe size or dress size* Body dimensions**Human height**Human weight...
and
complexityIn general usage, complexity tends to be used to characterize something with many parts in intricate arrangement. The study of these complex linkages is the main goal of network theory and network science...
. Even though the methodology has roots in
regulated industriesCritical Infrastructure Protection or CIP is a concept that relates to the preparedness and response to serious incidents that involve the critical infrastructure of a region or nation....
, any type of organization may create a BCP manual, and arguably every organization
should have one in order to ensure the organization's
longevityThe word "longevity" is sometimes used as a synonym for "life expectancy" in demography. However, this is not the most popular or accepted definition...
. Evidence that firms do not invest enough time and resources into BCP preparations are evident in disaster survival statistics. Fires permanently close 44% of the business affected. In the 1993
World Trade CenterThe World Trade Center was a complex in Lower Manhattan in New York City whose seven buildings were destroyed in 2001 in the September 11 terrorist attacks...
bombing, 150 businesses out of 350 affected failed to survive the event. Conversely, the firms affected by the September 11 attacks with well-developed and tested BCP manuals were back in business within days.
A BCP manual for a small organization may be simply a printed manual stored safely away from the primary work location, containing the names, addresses, and phone numbers for crisis management staff, general staff members, clients, and vendors along with the location of the offsite
dataThe term data means groups of information that represent the qualitative or quantitative attributes of a variable or set of variables. Data are typically the results of measurements and can be the basis of graphs, images, or observations of a set of variables...
backupIn information technology, a backup or the process of backing up refer to making copies of data so that these additional copies may be used to restore the original after a data loss event...
storage media, copies of insurance contracts, and other critical materials necessary for organizational survival.
At its most complex, a BCP manual may outline a
secondarySecondary is an adjective meaning "second" or "second hand". It may refer to:* Secondary education* A secondary consumer in an ecological sense* Secondary dominant, in music...
work site, technical requirements and readiness, regulatory reporting requirements, work recovery measures, the means to reestablish physical records, the means to establish a new supply chain, or the means to establish new production centers.
Firms should ensure that their BCP manual is realistic and easy to use during a crisis. As such, BCP sits alongside
crisis managementCrisis management is the process by which an organization deals with a major unpredictable event that threatens to harm the organization, its stakeholders, or the general public. Three elements are common to most definitions of crisis: a threat to the organization, the element of surprise, and ...
and
disaster recovery planningDisaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster....
and is a part of an organization's overall
risk managementRisk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events...
.
The development of a BCP manual can have five main phases:
- Analysis
- Solution
In chemistry, a solution is a homogeneous mixture composed of two or more substances. In such a mixture, a solute is dissolved in another substance, known as a solvent. Gases may dissolve in liquids, for example, carbon dioxide or oxygen in water. Liquids may dissolve in other liquids. Gases can...
design
- Implementation
Implementation is the realization of an application, or execution of a plan, idea, model, design, specification, standard, algorithm, or policy....
- Testing and organization acceptance
UAT may refer to:* Universal Access Transceiver, a physical link proposed for the Automatic Dependent Surveillance-Broadcast aviation technology...
- Maintenance
Maintenance, repair and operations is fixing any sort of mechanical or electrical device should it become out of order or broken as well as performing the routine actions which keep the device in working order or prevent trouble from arising...
.
The above list is not exhaustive. There are a number of other considerations that could be included in your own plan / manual:
- Risk Identification Matrix
- Roles and Responsibilities (ensuring names are left out but titles are included, e.g. HR Manager)
- Identification of top risks and mitigating strategies.
- Considerations for resource reallocation e.g. skills matrix for larger organizations.
Much of the BCP material on the internet is sponsored by consultancies who offer fee-based services for BCP solution development, however basic tutorials are freely available on the Internet for properly motivated organizations.
Analysis
The analysis phase in the development of a BCP manual consists of an impact analysis, threat analysis, and impact scenarios with the resulting BCP plan requirement documentation.
Impact analysis (Business Impact Analysis, BIA)
An impact analysis results in the differentiation between
criticalCritical may denote:*pertaining to a critic*pertaining to a critique*pertaining to a crisisMore specifically:-Psychology and education:*critical pedagogy - helping students achieve critical consciousness...
(urgent) and non-critical (non-urgent) organization functions/ activities. A function may be considered critical if the implications for stakeholders of damage to the organization resulting are regarded as unacceptable. Perceptions of the acceptability of disruption may be modified by the cost of establishing and maintaining appropriate
businessA business is a legally recognized organization designed to provide goods and/or services to consumers. Businesses are predominant in capitalist economies, most being privately owned and formed to earn profit that will increase the wealth of its owners and grow the business itself...
or
technicalTechnical may refer to:*Technical , a fighting vehicle based on a pickup truck*Technical analysis, a discipline for forecasting the future direction of prices through the study of past market data...
recoveryRecovery or Recover can refer to:* Recovery of a missing or stolen item.-Economics:*Economic recovery, the end of a recession or depression, marked by renewed growth after the slump in the business cycle.-Electronics:...
solutions. A function may also be considered critical if dictated by
lawLaw is a system of rules, usually enforced through a set of institutions. It shapes politics, economics and society in numerous ways and serves as a primary social mediator of relations between people. Contract law regulates everything from buying a bus ticket to trading on derivatives markets...
. For each critical (in scope) function, two values are then assigned:
- Recovery Point Objective
Recovery Point Objective describes the acceptable amount of data loss measured in time.The Recovery Point Objective is the point in time to which you must recover data as defined by your organization. This is generally a definition of what an organization determines is an "acceptable loss" in a...
(RPO) - the acceptable latency of data that will be recovered
- Recovery Time Objective
The Recovery Time Objective is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in business continuity....
(RTO) - the acceptable amount of time to restore the function
The Recovery Point Objective must ensure that the Maximum Tolerable Data Loss for each activity is not exceeded.
The Recovery Time Objective must ensure that the
Maximum Tolerable Period of DisruptionMaximum Tolerable Period of Disruption MTPODThe standard BS 25999 requires the dependencies of critical activities to be identified .BS 25999-2, 20 Nov...
(MTPD) for each activity is not exceeded.
Next, the impact analysis results in the recovery requirements for each critical function. Recovery requirements consist of the following information:
- The business requirements for recovery of the critical function, and/or
- The technical requirements for recovery of the critical function
Threat analysis
After defining recovery requirements, documenting potential threats is recommended to detail a specific disaster’s unique recovery steps. Some common threats include the following:
- Disease
A disease or medical condition isan abnormal condition of an organism that impairs bodily functions, associated with specific symptoms and signs...
http://www.continuitycentral.com/feature0162.htm
- Earthquake
An earthquake is the result of a sudden release of energy in the Earth's crust that creates seismic waves. Earthquakes are recorded with a seismometer, also known as a seismograph...
http://www.theregister.co.uk/2002/04/02/taiwan_recovers_from_earthquake/
- Fire
Fire is the rapid oxidation of a combustible material releasing heat, light, and various reaction products such as carbon dioxide and water. If hot enough, the gases may become ionized to produce plasma. Depending on the substances alight, and any impurities outside, the color of the flame and the...
- Flood
A flood is an overflow or accumulation of an expanse of water that submerges land. In the sense of "flowing water", the word may also be applied to the inflow of the tide....
http://www.continuitycentral.com/news0797.htm
- Cyber attack
In common usage, a hacker is a person who breaks into computers, usually by gaining access to administrative controls. The subculture that has evolved around hackers is often referred to as the computer underground...
- Sabotage
Sabotage is a deliberate action aimed at weakening another entity through subversion, obstruction, disruption, or destruction. In a workplace setting, sabotage is the conscious withdrawal of efficiency generally directed at causing some change in workplace conditions...
- Hurricane http://www.continuitycentral.com/news01508.htm#
- Utility outage
A power outage is a short- or long-term loss of the electric power to an area.There are many causes of power failures in an electricity network...
http://www.continuitycentral.com/news0981.htm
- Terrorism
Terrorism is the systematic use of terror especially as a means of coercion.At present, there is no internationally agreed definition of terrorism...
http://www.protiviti.com/downloads/PRO/pro-us/articles/FeatureArticle_20040213.html
All threats in the examples above share a common impact: the potential of damage to organizational infrastructure - except one (disease).
The impact of diseases can be regarded as purely human, and may be alleviated with technical and business solutions. However, if the humans behind these recovery plans are also affected by the disease, then the process can fall down.
During the 2002-2003 SARS outbreak, some organizations grouped staff into separate teams, and rotated the teams between the primary and secondary work sites, with a rotation
frequencyFrequency is the number of occurrences of a repeating event per unit time. It is also referred to as temporal frequency.The period is the duration of one cycle in a repeating event, so the period is the reciprocal of the frequency....
equal to the
incubation periodIncubation period is the time elapsed between exposure to a pathogenic organism, a chemical or radiation, and when symptoms and signs are first apparent...
of the disease.
The organizations also banned face-to-face contact between opposing team members during business and non-business hours. With such a split, organizations increased their resiliency against the threat of government-ordered
quarantineQuarantine is voluntary or compulsory isolation, typically to contain the spread of something considered dangerous, often but not always disease...
measures if one person in a team contracted or was exposed to the disease. Damage from flooding also has a unique characteristic. If an office environment is flooded with non-salinated and contamination-free water (e.g., in the event of a pipe burst), equipment can be thoroughly dried and may still be functional.
Definition of impact scenarios
After defining potential threats, documenting the impact scenarios that form the basis of the business recovery plan is recommended. In general, planning for the most wide-reaching disaster or disturbance is preferable to planning for a smaller scale problem, as almost all smaller scale problems are partial elements of larger disasters. A typical impact scenario like 'Building Loss' will most likely encompass all critical business functions, and the worst potential outcome from any potential threat. A business continuity plan may also document additional impact scenarios if an organization has more than one building. Other more specific impact scenarios - for example a scenario for the temporary or permanent loss of a specific floor in a building - may also be documented.
Recovery requirement documentation
After the completion of the analysis phase, the business and technical plan requirements are documented in order to commence the implementation phase. A good asset management program can be of great assistance here and allow for quick identification of available and re-allocateable resources. For an
officeAn office is generally a room or other area in which people work, but may also denote a position within an organization with specific duties attached to it ; the latter is in fact an earlier usage, office as place originally referring to the location of one's duty...
-based,
ITInformation technology , as defined by the Information Technology Association of America , is "the study, design, development, implementation, support or management of computer-based information systems, particularly software applications and computer hardware." IT deals with the use of electronic...
intensive business, the plan requirements may cover the following elements which may be classed as ICE (In Case of Emergency) Data:
- The numbers and types of desks, whether dedicated or shared, required outside of the primary business location in the secondary location
- The individuals involved in the recovery effort along with their contact and technical details
- The applications and application data required from the secondary location desks for critical business functions
- The manual workaround solutions
- The maximum outage allowed for the applications
- The peripheral requirements like printers
In computing, a printer is a peripheral which produces a hard copy of documents stored in electronic form, usually on physical print media such as paper or transparencies. Many printers are primarily used as local peripherals, and are attached by a printer cable or, in most newer printers, a USB...
, copier, fax machine, calculators, paperPaper is thin material mainly used for writing upon, printing upon or for packaging. It is produced by pressing together moist fibers, typically cellulose pulp derived from wood, rags or grasses, and drying them into flexible sheets....
, penA pen is a long, thin rounded device used to apply ink to a surface for the purpose of writing, usually paper. There are several different types, including ballpoint, rollerball, fountain, felt-tip. Historically, reed pens, quill pens, and dip pens were used. Modern day pens come in a varity of...
s etc.
Other business environments, such as production, distribution, warehousing etc will need to cover these elements, but are likely to have additional issues to manage following a disruptive event.
Solution design
The goal of the solution design phase is to identify the most cost effective
disaster recoveryDisaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster....
solution that meets two main requirements from the impact analysis stage. For IT applications, this is commonly expressed as:
- The minimum application and application data requirements
- The time frame in which the minimum application and application data must be available
Disaster recovery plans may also be required outside the IT applications domain, for example in preservation of information in hard copy format, or restoration of embedded technology in process plant.
This BCP phase overlaps with
Disaster recovery planningDisaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster....
methodology. The solution phase determines:
- the crisis management command structure
- the location of a secondary work site (where necessary)
- telecommunication architecture between primary and secondary work sites
- data replication methodology between primary and secondary work sites
- the application and software required at the secondary work site, and
- the type of physical data requirements at the secondary work site.
Implementation
The implementation phase, quite simply, is the execution of the design elements identified in the solution design phase. Work package testing may take place during the implementation of the solution, however; work package testing does not take the place of organizational testing.
Testing and organizational acceptance
The purpose of testing is to achieve organizational acceptance that the business continuity solution satisfies the organization's recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws, or solution implementation errors. Testing may include:
- Crisis command team call-out testing
- Technical swing test from primary to secondary work locations
- Technical swing test from secondary to primary work locations
- Application test
- Business process test
At minimum, testing is generally conducted on a biannual or
annualA year is the amount of time it takes the Earth to make one revolution around the Sun...
schedule. Problems identified in the initial testing phase may be rolled up into the maintenance phase and retested during the next test cycle.
Maintenance
Maintenance of a BCP manual is broken down into three periodic activities.
The first activity is the confirmation of information in the manual, roll out to ALL staff for awareness and specific training for individuals whose roles are identified as critical in response and recovery.
The second activity is the testing and verification of technical solutions established for recovery operations.
The third activity is the testing and verification of documented organization recovery procedures. A biannual or annual maintenance cycle is typical.
Information update and testing
All organizations change over time, therefore a BCP manual must change to stay relevant to the organization. Once data accuracy is verified, normally a call tree test is conducted to evaluate the notification plan's efficiency as well as the accuracy of the contact data. Some types of changes that should be identified and updated in the manual include:
- Staffing changes
- Staffing persona
- Changes to important clients and their contact details
- Changes to important vendors/suppliers and their contact details
- Departmental changes like new, closed or fundamentally changed departments.
- Changes in company investment portfolio and mission statement
- Changes in upstream/downstream supplier routes
Testing and verification of technical solutions
As a part of ongoing maintenance, any specialized technical deployments must be checked for functionality. Some checks include:
- Virus
A computer virus is a computer program that can copy itself and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability...
definition distribution
- Application security and service patch distribution
- Hardware operability check
- Application operability check
- Data verification
Testing and verification of organization recovery procedures
As work processes change over time, the previously documented organizational recovery procedures may no longer be suitable. Some checks include:
- Are all work processes for critical functions documented?
- Have the systems used in the execution of critical functions changed?
- Are the documented work checklists meaningful and accurate for staff?
- Do the documented work process recovery tasks and supporting disaster recovery infrastructure allow staff to recover within the predetermined recovery time objective.
Treatment of test failures
As suggested by the diagram included in this article, there is a direct relationship between the test and maintenance phases and the impact phase. When establishing a BCP manual and recovery infrastructure from scratch, issues found during the testing phase often must be reintroduced to the analysis phase.
See also
- Business Continuity Institute
The Business Continuity Institute was established in 1994 to enable individual members to obtain guidance and support from fellow business continuity practitioners...
- Catastrophe
A catastrophe is an extremely large-scale disaster, a horrible event.It may also refer to:*Catastrophe bond, a risk-linked security used to share risks with bond investors...
- Disaster recovery
Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster....
- Disaster
A disaster is the tragedy of a natural or human-made hazard that negatively affects society or environment....
- Emergency management
Emergency management is the discipline of dealing with and avoiding risks. It is a discipline that involves preparing for disaster before it occurs, disaster response , as well as supporting, and rebuilding society after natural or human-made disasters have occurred...
- Natural hazards
- Man-made hazards
- Space accidents and incidents
- Risk management
Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events...
- Disaster recovery and business continuity auditing
Disaster recovery and business continuity refers to an organization’s ability to recover from a disaster and/or unexpected event and resume or continue operations. Organizations should have a plan in place that outlines how this will be accomplished...
- Systems engineering
Systems engineering is an interdisciplinary field of engineering that focuses on how complex engineering projects should be designed and managed. Issues such as logistics, the coordination of different teams, and automatic control of machinery become more difficult when dealing with large, complex...
- Systems engineering process
A systems engineering process is a process for applying systems engineering techniques to the development of all kinds of systems. Systems engineering processes are related to the stages in a system life cycle...
- System lifecycle
The system lifecycle in systems engineering is an examination of a system or proposed system that addresses all phases of its existence to include system design and development, production and/or construction, distribution, operation, maintenance and support, retirement, phase-out and...
- Systems thinking
Systems thinking is any process of estimating or inferring how local policies, actions, or changes influence the state of the neighboring universe...
- Resilience (organizational)
Resilience is defined as “the positive ability of a system or company to adapt itself to the consequences of a catastrophic failure caused by power outage, a fire, a bomb or similar” event....
Further reading
- ISO/IEC 27001:2005 (formerly BS 7799-2:2002) by the International Organization for Standardization
- ISO/IEC 17799:2005 by the International Organization for Standardization
- "A Guide to Business Continuity Planning" by James C. Barnes
- "Business Continuity Planning", A Step-by-Step Guide with Planning Forms on CDROM by Kenneth L Fulmer
- "Disaster Survival Planning: A Practical Guide for Businesses" by Judy Bell
- ICE Data Management (In Case of Emergency) made simple - by MyriadOptima.com
- BS 25999-1:2006 Business Continuity Management Part 1: Code of practice - British Standards Institution
- IWA 5:2006 Emergency Preparedness - International Organisation for Standardisation
- Harney, J.(2004). Business continuity and disaster recovery: Back up or shut down. AIIM
E-Doc Magazine, 18(4), 42-48.
- Dimattia, S. (November 15,2001).Planning for Continuity. Library Journal,32-34.
External links
BSI 17799 supplements
Competency certification ventures