Business Continuity Management Audit Assurance Program Icq Eng 0911

Business Continuity Management Audit/Assurance Audit/Assura nce Program

Business Continuity Management Audit/Assurance Audit/Assurance Program Program ISACA® With 95,000 constituents in 160 countries, ISACA ( www.isaca.org ) is a leading global provider o !no"ledge, certiications, certiications, co##unit$, advocac$ and education on inor#ation s$ste#s (IS) assurance and securit$, securit$, enterprise governance and #anage#ent o I%, and I%&relate I%&related d ris! and co#pliance' ounded in 1969, the nonproit, independent ISACA hosts international conerences, publishes the ISACA the ISACA® Journal , and develops international IS auditing and control standards, "hich help its constituents ensure trust in, and value ro#, inor#ation s$ste#s' It also advances and attests I% s!ills and !no"ledge through the globall$ respected Certiied Inor#ation Inor#ation S$ste#s Auditor  (CISA), Certiied Inor#ation Securit$ *anager  (CIS*), Certiied in the +overnance o nterprise I%  (C+I% ) and Certiied in -is! and Inor#ation S$ste#s Control. (C-ISC.) designations' ISACA continuall$ updates C/I% , "hich helps I% proessionals and enterprise leaders ulil their I% governance and #anage#ent responsibilities, responsibilities, particularl$ in in the areas o assurance, assurance, securit$, securit$, ris! and control, control, and deliver value value to the business' business'

Disclaimer ISACA has designed and created the Business the Business Continuity Continuity Management Management Audit/Assurance Audit/Assurance Program Program (the Wor!2) pri#aril$ as an inor#ational inor#ational resource or audit audit and assurance assurance proessionals' ISACA #a!es no clai# clai# that use o an$ o the Wor! "ill assure a successul outco#e' %he Wor! should not be considered inclusive o all proper inor#ation, procedures procedures and tests or e3clusive o other inor#ation, procedures and tests that are reasonabl$ directed to obtaining the sa#e results' In deter#ining the propriet$ o an$ speciic inor#ation, procedure procedure or test, audit and assurance proessionals should appl$ their o"n proessional 4udg#ent to the speciic circu#stances presented b$ the particular s$ste#s s$ste#s or inor#ation inor#ation technolog$ environ#ent' environ#ent'

Reservation of Rights  011 ISACA' All rights reserved' 7o part o this publication #a$ be used, copied, reproduced, #odiied, distributed, displa$ed, displa$ed, stored in a retrieval s$ste# or trans#itted in an$ or# b$ an$ #eans (electronic, #echanical, photocop$ing, recording recording or other"ise) other"ise) "ithout the the prior "ritten "ritten authori8ation authori8ation o ISACA' ISACA' -eproduction and and use o all or portions o this publication are per#itted solel$ or acade#ic, internal and nonco##ercial use and or consultingadvisor$ consultingadvisor$ engage#ents, and #ust include ull attribution o the #aterial:s #aterial:s source' 7o other right or per#ission is granted "ith respect to this "or!'

ISACA ;<01 Algon=uin -oad, Suite 1010 -olling *eado"s, I> 6000? @SA honeB 1'?D<'5;'15D5

Business Continuity Management Audit/Assurance Program

ISACA wishes to recognize: Author 7or# Eelson, CISA, C+I%, CA, C Interactive Inc', @SA, Fe Eal"eris!$, CISA, CA (SA), C Interactive Inc', @SA Subject Matter Expert Garve$ etan, CC, -is!#asters Inc', @SA Expert Reviewers Sunil a!shi, CISA, CIS*, C+I%, C-ISC, A*CI, S5999>I, C, CISS, IS/ <001 >A, *CA, *, 7ational Stoc! 3change, India Hiane H' ili, @SCI, Canada o! Gai Suan, CIS*, C+I%, *, Singapore *ichael H' Gansen, CISA, C, ublic #plo$ees -etire#ent Association o 7e" *e3ico, @SA >e %hi *ai Guong, CISA, 7 aribas , rance +ar$ >angha#, CISA, CIS*, C+I%, CISS, CA, Australia >ucio Augusto *olina oca88io, CISA, CIS*, C-ISC, I%I>, Colo#bia ipin Sehgal, CISA, Sun >ie inancial, Canada %ari= Shai!h, C@ISA, %i# Gortons Inc', Canada SACA Board o! "irectors Eenneth >' ander Wal, CISA, CA, rnst J Koung >> (retired), @SA, International resident Christos E' Hi#itriadis, h'H', CISA, CIS*, I7%-A>/% S'A', +reece, ice resident +regor$ %' +rochols!i, CISA, %he Ho" Che#ical Co', @SA, ice resident %on$ Ga$es, C+I%, ACGS, CG, ACS, CA, IIA, Lueensland +overn#ent, Australia, ice resident 7ira4 Eapasi, CISA, Eapasi angad %ech Consulting vt' >td', India, ice resident Fe Spive$, C-ISC, C, S, Securit$ -is! *anage#ent, Inc', @SA, ice resident Fo Ste"art&-attra$, CISA, CIS*, C+I%, CSS, -S* ird Ca#eron, Australia, ice resident #il H:Angelo, CISA, CIS*, an! o %o!$o&*itsubishi @F >td', @SA, ast International resident >$nn C' >a"ton, CISA, CS CI%, CA, IIA, E*+ >td', -ussian ederation, ast International resident Allan 7eville oard#an, CISA, CIS*, C+I%, C-ISC, CA, CISS, F'' *organ Chase, @E, Hirector *arc ael, h'H', CISA, CIS*, C+I%, CISS, aluendo, elgiu#, Hirector

Business Continuity Management Audit/Assurance Program %he Center or Internet Securit$ Co##on"ealth Association or Corporate +overnance Inc' IHA Inor# Inor#ation Securit$ oru# Institute o *anage#ent Accountants Inc' ISACA chapters I%+I Fapan 7or"ich @niversit$ Solva$ russels School o cono#ics and *anage#ent Strategic %echnolog$ *anage#ent Institute (S%*I) o the 7ational @niversit$ o Singapore @niversit$ o Ant"erp *anage#ent School ASI S$ste# Integration Ge"lett&ac!ard I* S/Aro4ects Inc S$#antec Corp' %ruAr3 Inc'

Tale of Contents I' Introduction'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''D II' @sing %his Hocu#ent''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''5 III' Controls *aturit$ Anal$sis'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' ? I' Assurance and Control ra#e"or!''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''9 ' 3ecutive Su##ar$ o AuditAssurance ocus'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''10 I' AuditAssurance rogra#''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''1 1' lanning and Scoping the usiness Continuit$ Audit''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''1 ' usiness Continuit$ lan *anage#ent''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''1D ;' C* olic$, Standards and rocedures'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''16 D' usiness I#pact Assess#ent''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''19 5' -is! Assess#ent''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''0


Control %rame#or& %he auditassurance progra#s have been developed in align#ent "ith the ISACA C/I% ra#e"or!N speciicall$ C/I% D'1Nusing generall$ applicable and accepted good practices' %he$ relect I%A sections ;D00NI% *anage#ent rocesses, ;600NI% Audit and Assurance rocesses, and ;?00NI% Audit and Assurance *anage#ent' *an$ organi8ations have e#braced several ra#e"or!s at an enterprise level, including the Co##ittee o Sponsoring /rgani8ations o the %read"a$ Co##ission (C/S/) Internal Control ra#e"or!' %he i#portance o the control ra#e"or! has been enhanced due to regulator$ re=uire#ents b$ the @S Securities and 3change Co##ission (SC) as directed b$ the @S Sarbanes&/3le$ Act o 00 and si#ilar legislation in other countries' nterprises see! to integrate control ra#e"or! ele#ents used b$ the general auditassurance tea# into the I% audit and assurance ra#e"or!' Since C/S/ is "idel$ used, it has been selected or inclusion in this auditassurance progra#' %he revie"er #a$ delete or rena#e these colu#ns to align "ith the enterprise:s control ra#e"or!'

'overnance( Ris& and Control of IT +overnance, ris! and control o I% are critical in the peror#ance o an$ assurance #anage#ent process' +overnance o the process under revie" "ill be evaluated as part o the policies and #anage#ent oversight controls' -is! pla$s an i#portant role in evaluating "hat to audit and ho" #anage#ent approaches and #anages ris!' oth issues "ill be evaluated as steps in the auditassurance progra#' Controls are the pri#ar$ evaluation point in the process' %he auditassurance progra# "ill identi$ the control ob4ectives and the steps to deter#ine control design and eectiveness'

Res$onsiilities of IT Audit and Assurance Professionals I% audit and assurance proessionals are e3pected to custo#i8e this docu#ent to the environ#ent in "hich the$ are peror#ing an assurance process' %his docu#ent is to be used as a revie" tool and starting point' It #a$ be #odiied b$ the I% audit and assurance proessionalO it is not intended to be a chec!list or =uestionnaire' It is assu#ed that the I% audit and assurance proessional has the necessar$ sub4ect #atter e3pertise re=uired to conduct the "or! and is supervised b$ a proessional "ith the Certiied Inor#ation


eginning in step , the steps associated "ith the "or! progra# are ite#i8ed' %o si#pli$ the use o the progra#, the auditassurance ob4ectiveNthe reason or peror#ing the steps in the topic areaNis described' %he speciic controls ollo"' ach revie" step is listed belo" the control' %hese steps #a$ include assessing the control design b$ "al!ing through a process, intervie"ing, observing or other"ise veri$ing the process and the controls that address that process' In #an$ cases, once the control design has been veriied, speciic tests need to be peror#ed to provide assurance that the process associated "ith the control is being ollo"ed' %he ISACA auditassurance progra#s have adopted a #aturit$ assess#ent process as docu#ented in the IT Assurance $uide% &sing C'BIT ' %his auditassurance progra# is technical in scope and does not lend itsel to the #aturit$ assess#ent' Accordingl$, the #aturit$ assess#ent "ill not appear in this docu#ent' %he auditassurance plan "rap&upNthose processes associated "ith the co#pletion and revie" o "or! papers, preparation o issues and reco##endations, report "riting, and report clearingNhas been e3cluded ro# this docu#ent because it is standard or the auditassurance unction and should be identiied else"here in the enterprise:s standards'

C"BIT Cross+reference %he C/I% cross&reerence provides the audit and assurance proessional "ith the abilit$ to reer to the speciic C/I% control ob4ective that supports the auditassurance step' %he C/I% control ob4ective should be identiied or each auditassurance step in the section' *ultiple cross&reerences are not unco##on' rocesses at lo"er levels in the "or! progra# are too granular to be cross&reerenced to C/I%' %he auditassurance progra# is organi8ed in a #anner to acilitate an evaluation through a structure parallel to the develop#ent process' C/I% provides in&depth control ob4ectives and suggested control practices at each level' As proessionals revie" each control, the$ should reer to C/I% D'1 or the IT Assurance $uide% &sing C'BIT or good&practice control guidance'

C"S" Com$onents As noted in the introduction, C/S/ and si#ilar ra#e"or!s have beco#e increasingl$ popular a#ong

Business Continuity Management Audit/Assurance Program Figure 1—Comparison of COSO Internal Control and E! Integrated Framewor"s Internal Control Framewor" Control En#ironmentB %he control environ#ent sets the tone o an organi8ation, inluencing the control consciousness o its people' It is the oundation or all other co#ponents o internal control, providing discipline and structure' Control environ#ent actors include the integrit$, ethical values, #anage#ent:s operating st$le, delegation o authorit$ s$ste#s, as "ell as the processes or #anaging and developing people in the organi8ation'

is" AssessmentB ver$ entit$ aces a variet$ o ris!s ro# e3ternal and internal sources that #ust be assessed' A precondition to ris! assess#ent is establish#ent o ob4ectives, and, thus, ris! assess#ent is the identiication and anal$sis o relevant ris!s to achieve#ent o assigned ob4ectives' -is! assess#ent is a prere=uisite or deter#ining ho" the ris!s should be #anaged'

Control Acti#itiesB Control activities are the policies and procedures that help ensure #anage#ent directives are carried out' %he$ help ensure that necessar$ actions are ta!en to address ris!s to achieve#ent o the entit$Ps ob4ectives' Control activities occur throughout the organi8ation, at all levels and in all unctions' %he$ include a range o activities as diverse as approvals, authori8ations, veriications, reconciliations, revie"s o operating peror#ance, securit$ o assets and segregation o duties' Information and Communication B Inor#ation s$ste#s pla$ a !e$ role in internal control s$ste#s as the$ produce reports, including operational, inancial and co#pliance&related inor#ation that #a!e it possible to run and control the business' In a broader sense, eective

E! Integrated Framewor" Internal En#ironmentB %he internal environ#ent enco#passes the tone o an organi8ation, and sets the basis or ho" ris! is vie"ed and addressed b$ an entit$:s people, including ris! #anage#ent philosoph$ and ris! appetite, integrit$ and ethical values, and the environ#ent in "hich the$ operate'

Ob$ecti#e SettingB /b4ectives #ust e3ist beore #anage#ent can identi$ potential events aecting their achieve#ent' nterprise ris! #anage#ent ensures that #anage#ent has in place a process to set ob4ectives and that the chosen ob4ectives support and align "ith the entit$:s #ission and are consistent "ith its ris! appetite' E#ent IdentificationB Internal and e3ternal events aecting achieve#ent o an entit$:s ob4ectives #ust be identiie d, distinguishing bet"een ris!s and opportunities' /pportunities are channeled bac! to #anage#ent:s strateg$ or ob4ective&setting processes' is" AssessmentB -is!s are anal$8ed, considering the li!elihood and i#pact, as a basis or deter#ining ho" the$ could be #anaged' -is! areas are assessed on an inherent and residual basis'

is" esponseB *anage#ent selects ris! responsesNavoiding, accepting, reducing or sharing ris!Ndeveloping a set o a ctions to align ris!s "ith the entit$:s ris! tolerances and ris! appetite' Control Acti#itiesB olicies and procedures are established and i#ple#ented to help ensure the ris! responses are eectivel$ carried out'

Information and Communication B -elevant inor#ation is identiied, captured and co##unicated in a or# and ti#e ra#e that enable people to carr$ out their responsibilities' ective co##unication also occurs in a broader sense, lo"ing do"n, across

Business Continuity Management Audit/Assurance Program o this docu#ent provides a read$ nu#bering sche#e or the "or! papers' I desired, a lin! to the "or! paper can be pasted into this colu#n'

Issue Cross+reference %his colu#n can be used to lag a indingissue that the I% audit and assurance proessional "ants to urther investigate or establish as a potential inding' %he potential indings should be docu#ented in a "or! paper that indicates the disposition o the indings (or#all$ reported, reported as a #e#o or verbal inding, or "aived)'

Comments %he co##ents colu#n can be used to indicate the "aiving o a step or other notations' It is not to be used in place o a "or! paper describing the "or! peror#ed'

III! Controls Maturity Analysis /ne o the consistent re=uests o sta!eholders "ho have undergone I% auditassurance revie"s is a desire to understand ho" their peror#ance co#pares to good practices' Audit and assurance proessionals #ust provide an ob4ective basis or the revie" conclusions' *aturit$ #odeling or #anage#ent and control over I% processes is based on a #ethod o evaluating the enterprise, so that it can be rated ro# a #aturit$ level o none3istent (0) to opti#i8ed (5)' %his approach is derived ro# the #aturit$ #odel that the Sot"are ngineering Institute (SI) o Carnegie *ellon @niversit$ deined or the #aturit$ o sot"are develop#ent' %he IT Assurance $uide &sing C 'BI T, Appendi3 IIN*aturit$ *odel or Internal Control, in figure %, provides a generic #aturit$ #odel sho"ing the status o the internal control environ#ent and the establish#ent o internal controls in an enterprise' It sho"s ho" the #anage#ent o internal control, and an a"areness o the need to establish better internal controls, t$picall$ develops ro# an ad ,oc to an opti#i8ed level' %he #odel provides a high&level guide to help C /I% users appreciate "hat is re=uired or eective internal controls in I% and to help position their enterprise on the #aturit$ scale'


!aturit& 'e#el

Figure %—!aturit& !odel for Internal Control Status of the Internal Control En#ironment Establishment of Internal Controls occurs re=uentl$' *an$ controls are auto#ated a nd regularl$ revie"ed' *anage#ent is li!el$ to detect #ost control issues, but not all issues are routinel$ identiied' %here is consistent ollo"&up to address identiied control "ea!nesses' A li#ited, tactical use o technolog$ is applied to auto#ate controls'

5 /pti#i8ed

An enterprise"ide ris! and control progra# provides continuous and eective control and ris! issues resolution' Internal control and ris! #anage#ent are integrated "ith enterprise practices, supported "ith auto#ated real&ti#e #onitoring "ith ull accountabilit$ or control #onitoring, ris! #anage#ent and co#pliance enorce#ent' Control evaluation is continuous, based on sel&assess#ents and gap and root cause anal$ses' #plo$ees are proactivel$ involved in control i#prove#ents'

Assess#ent o control re=uire#ents is based on polic$ and the actual #aturit$ o these processes, ollo"ing a thorough and #easured anal$sis involving !e$ sta!eholders' Accountabilit$ or these assess#ents is clear and enorced' I#prove#ent strategies are supported b$ business cases' eror#ance in achieving the desired outco#es is consistentl$ #onitored' 3ternal control revie"s are organi8ed occasionall$' usiness changes consider the criticalit$ o I% processes and cover an$ need to reassess process control capabilit$' I% process o"ners regularl$ peror# sel&assess#ents to conir# that controls are at the right level o #aturit$ to #eet business needs and the$ consider #aturit$ attributes to ind "a$s to #a!e controls #ore eicient and eective' %he organi8ation bench#ar!s to e3ternal best practices and see!s e3ternal advice on internal control eectiveness' or critical processes, independent revie"s ta!e place to provide assurance that the controls are at the desired level o #aturit$ and "or!ing as planned'

%he #aturit$ #odel evaluation is one o the inal steps in the evaluation process' %he audit and assurance proessional can address the !e$ controls "ithin the scope o the "or! progra# and or#ulate an ob4ective assess#ent o the #aturit$ levels o the control practices' %he #aturit$ assess#ent can be a part o the auditassurance report and can be used as a #etric ro# $ear to $ear to docu#ent progression in the enhance#ent o controls' Go"ever, it #ust be noted that the perception as to the #aturit$ level #a$ var$ bet"een the process o"ner and the auditor' %hereore, an auditor should obtain the concerned sta!eholder:s concurrence beore sub#itting the inal report to #anage#ent' At the conclusion o the revie", once all indings and reco##endations are co#pleted, the proessional assesses the current state o the control ra#e"or!, using the #ain topics o the progra#, and assigns it a #aturit$ level using the si3&level scale' So#e practitioners utili8e deci#als (3'5, 3'5, 3'<5) to indicate gradations in the #aturit$ #odel' %o provide urther value to the clientcusto#er, the proessional can also obtain #aturit$ targets ro# the clientcusto#er' @sing the assessed and target #aturit$ levels, the


usiness Continuit$ *anage#ent aligns "ith HSD, nsure Continuous Service' Go"ever, the scope is "ider and does not lend itsel to a direct co#parison on a speciic control ob4ective level' %he C/I% cross&reerence is indicated "here applicable'

-! .ecutive Summary of Audit/Assurance %ocus A business continuit$ plan is an enterprise"ide group o processes and instructions to ensure the continuation o business processes Q including, but not li#ited to, Inor#ation %echnolog$ & in the event o an interruption' It provides the plans or the enterprise to recover ro# #inor incidents (e'g', locali8ed disruptions o business co#ponents) to #a4or disruptions (e'g', ire, natural disasters, e3tended po"er ailures, e=uip#ent andor teleco##unications ailure)' %he plan is usuall$ o"ned and #anaged b$ the business units and a disaster #anage#ent or ris! prevention unction in the enterprise' unctional continuit$ plans are subsets o the enterprise business continuit$ planning and support the deliver$ o essential business services %he business continuit$ plan #ust ensure thatB -is!s are appropriatel$ identiied and evaluated b$ ocusing on the i#pact o !no"n and potential • ris!s on business processes %he costs o i#ple#enting and #anaging continuit$ assurance are less than the e3pected losses and • "ithin #anage#ent:s ris! tolerance %he business priorities are addressedB critical applications, interi# processes, restoration activities and • #andated deadlines *anual interaces to auto#ated processes are identiied, personnel are trained and practice drills are • conducted 3pectations are #anaged "ith realistic goals •

Business Im$act and Ris& usiness reliance on auto#ated solutions, e#plo$ee !no"ledge and #anual process are tightl$ "oven

Business Continuity Management Audit/Assurance Program •

• •

Increased costs or continuit$ #anage#ent due to ineective ocus on ris!s and costs or  ailure to prioriti8e services recover$ based on business need >ac! o develop#ent o realistic threat scenarios that #a$ potentiall$ disrupt business processes >ac! o consideration o all possible threat scenarios based upon potential circu#stances and events

"0ective and Sco$e Ob$ecti#e— %he continuit$ planning auditassurance revie" "illB rovide #anage#ent "ith an evaluation o the enterprise:s preparedness in the event o a #a4or • business disruption Identi$ issues that #a$ li#it interi# business processing and restoration o sa#e • rovide #anage#ent "ith an independent assess#ent o the eectiveness o the business continuit$ • plan and its align#ent "ith subordinate continuit$ plans Scope— %he revie" "ill ocus on the enterprise business continuit$ plan, policies, standards, guidelines, procedures, la"s and regulations that address #aintaining continuous business services' %his "ill includeB Hevelop#ent, #aintenance and testing o the business continuit$ plan • Abilit$ to provide interi# business services and the eective and ti#el$ restoration o sa#e • -is! #anage#ent and costs related to the business continuit$ plan •

Minimum Audit S&ills %he audit and assurance proessional should have an understanding o good&practice s$ste#s business continuit$ #anage#ent ra#e"or! and processes' In addition, a solid understanding o the enterprise:s business unctions and industr$ ris!s is necessar$ to peror# the revie"' %he business continuit$ #anage#ent auditassurance revie" is best peror#ed as an integrated audit, b$ proessionals "ith business, operational, and technolog$ s!ill sets'


-I! Audit/Assurance Program COSO

CO*I+ Audit(Assurance )rogram Step

1! P2A33I3' A3D SC"PI3' T,. B)SI3.SS C"3TI3)IT4 A)DIT 1.1 /efine Audit(Assurance Ob$ecti#es %he auditassurance ob4ectives are high level and describe the overall audit goals' 1.1.1 -evie" the auditassurance ob4ectives in the introduction to this business continuit$ #anage#ent (C*) auditassurance progra#' 1.1.% *odi$ the auditassurance ob4ectives to align "ith the audit universe, annual plan and charter' 1.% /efine *oundaries of e#iew %he revie" #ust have a deined scope' %he revie"er should understand the operating environ#ent and prepare a proposed scope, sub4ect to a later ris! assess#ent' 1.%.1 /btain C* polic$ docu#entation' 1.%.% /btain and revie" the enterprise C* plans' 1.%.0 Heter#ine i the C* audit "ill include the enterprise or be li#ited to speciic business units' 1.%. Identi$ li#itations andor constraints aecting the abilit$ to audit speciic depart#ents, locations or entities' 1.0 Identif& and /ocument Audit is"s %he ris! assess#ent is necessar$ to evaluate "here audit resources should be ocused' In #ost enterprises, audit resources are not available or all processes' %he ris!&based approach assures the #ost eective utili8ation o audit resources' 1.0.1 Heter#ine i the ris! assess#ent rating assigned b$ the audit depart#ent is reasonable' 1.0.% valuate the overall ris! proile or peror#ing the revie"' 1.0.0 Heter#ine i C* audits have been peror#ed previousl$' I $es then deter#ine the ollo"ing' 1';';'1 Heter#ine the status o issues previousl$ identiied'

1';';' Heter#ine i the status o previousl$ identiied issues re=uires ad4ust#ent to the audit ris! rating and priorit$ o the audit' 1.0. ased on the audit ris! assess#ent, identi$ changes to the scope' 1.0.2 Hiscuss the ris!s "ith appropriate #anage#ent, and ad4ust the audit ris! as sess#ent as needed'  011 ISACA' All rights reserved' age 1

Cross, reference

t n e # s t n s e e s # s n A o r ! i s v i n , l o r t n o C

d n a n o eference i t s e a i t # i g -&per, r v n o i i  t c n r lin" o t A I n i l o n o t i o r t a * n i o c C n u # # o C

Issue Cross, Comments reference

Business Continuity Management Audit/Assurance Program COSO


1. /efine the Audit Change )rocess %he initial audit approach is based on the revie"er:s understanding o the operating environ#ent and associated ris!s' As urther research and anal$sis are peror#ed, c hanges to the scope and approach "ill result' 1..1 Identi$ the senior assurance resource responsible or the revie"' 1..% stablish the process or suggesting and i#ple#enting changes to the C* auditassurance progra# and the authori8ations re=uired' 1.2 /efine Assignment Success %he success actors need to be identiied' 1.2.1 Identi$ the drivers or a successul revie"' (%his should e3ist in the assurance unction:s standards and procedures') 1.2.% Co##unicate success attributes to the process o"ner or sta!eholder, and obtain agree#ent' 1.3 /efine Audit esources e4uired %he resources re=uired are deined in the introduction to this C* auditassurance progra#' 1.3.1 Heter#ine the audit s!ills necessar$ or the revie"' 1.3.% Consider ho" the auditassurance process "ill integrate internal audit resources based on sub4ect #atter e3pertise' 1.3.0 sti#ate the total audit resources (hours) and ti#e ra#e (start and end dates) re=uired or the revie"' 1.5 /efine /eli#erables %he deliverable is not li#ited to the inal report' C* is also not li#ited to a single sta!eholder' Co##unication bet"een the auditassurance tea# and the various sta!eholders is essential to assign#ent success' 1.5.1 Heter#ine the interi# deliverables, including initial indings, status reports, drat reports, due dates or responses or #eetings and the inal report' 1.5.% Heter#ine "ho are the !e$ representatives o each aected organi8ation and identi$ their participation in the status and inal reporting process' 1.6 Communications %he auditassurance process #ust be clearl$ co##unicated to the organi8ation' 1.6.1 Identi$ the recipients o status reports and other co##unications' 1.6.% Schedule status #eetings and status reporting procedures'  011 ISACA' All rights reserved' age 1;

Cross, reference

t n e # s t s n s e e s i e # s t n A i v o ! t i r s i i c v n - A l , o l r t o r n t o n C o C

d n a n o eference i t a # g -&per, r n o i  r n t lin" o I n i n o i o t a * c i n u # # o C

1

2

3

4

5

6

7

8

9

10

11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50

51 52 53 54 55

56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80




Cross, reference


5! B)SI3.SS C"3TI3)IT4 P2A3 MA3A'.M.3T %.1 *usiness Continuit& !anagement Organization AuditAssurance /b4ectiveB %he business continuit$ #anage#ent plan tea# #ust be organi8ed to represent all appropriate business unctions' *usiness Continuit& !anagement Organization ControlB %he C* tea# has a designated leader, reporting to a senior e3ecutive "ith cross& organi8ation responsibilities' *e#bership o the C* tea# includes the #a4or seg#ents o the enterprise:s business units, as "ell as critical support unctions such as legal, hu#an resources, public relations, suppl$ and logistics chain #anage#ent, #anuacturing, inor#ation securit$, I% operations, internal and e3ternal auditors' '1'1'1 /btain an organi8ation chart describing the C* 4ob descriptions, reporting relationships, level o authorit$, and incu#bent and bac!&up personnel assigned to each position and deter#ine "hether all personnel are active in the enterprise' '1'1' /btain the docu#ents relating to the processes and procedures to be ollo"ed b$ the C* group in the event o a contingenc$, the co#position o the group, re=uenc$ o #eetings, and co##unications re=uire#ents' '1'1'; Heter#ine i the ollo"ing unctions are represented on the C* tea#B %ea# #anage#ent • inance • Gu#an resources • acilities • >egal • ublic relations • %echnolog$ • /perations • Suppl$ and logistics chain #anage#ent • Co##unications • Critical third parties, e'g', contractors, technolog$ vendors • Internal and e3ternal audit • '1'1'D Heter#ine i the representatives regularl$ participate in or are consulted on strategic and operational issues aecting business continuit$'  011 ISACA' All rights reserved' age 1D

/D'6 HSD'1

R

R





Cross, reference



'1'1'5 /btain #inutes o #eetings, organi8ation charts and other docu#entation as evidence o participation' '1'1'6 Heter#ine i the tea# #anager reports to an appropriate senior level (C& suite) e3ecutive "ith cross&organi8ation responsibilities '1'1'< Identi$ the or# and process or the reporting relationship'

6!

R R R

BCM P"2IC4( STA3DARDS A3D PR"C.D)R.S 0.1 )olic& and Standards AuditAssurance /b4ectiveB olicies aecting business continuit$ are i#ple#ented to ensure co#pleteness and appropriate coverage or business ris!s' )olic& /efinition ControlB Heter#ine i the C* unction is activel$ involved in the establish#ent o business continuit$ polic$' ;'1'1'1 /btain corporate policies and standards' ;'1'1' Heter#ine i C* is based upon recogni8ed standards or ra#e"or!s, e'g', S 5999 +uideline or Incident reparedness and /perational Continuit$ *anage#ent or 7IS% S?00&;D Contingenc$ lanning +uide or ederal Inor#ation S$ste#s ;'1'1'; /btain #inutes o C* #eetings to veri$ involve#ent in, and a#iliarit$ "ith, corporate policies and standards' ;'1'1'D Heter#ine i the C* docu#entation relects appropriate reports, dashboards, etc', to ensure C* governance as per corporate policies ;'1'1'5 Heter#ine i the C* tea# is involved in the develop#ent o policies and standards' ;'1'1'6 -evie" polic$ approval procedures or inclusion o C* in the process' 0.% *C! )rocedures Audit(Assurance /b4ectiveB C* procedures are deined, i#ple#ented and #onitored' )rocedures ControlB %he C* procedures include a charter or scope and ob4ectives' ;''1'1 /btain the C* charter or scope and ob4ectives'

;''1' Heter#ine i the charter or scope and ob4ectives includes the business units "ithin the organi8ation either re=uiring or providing C* services'  011 ISACA' All rights reserved' age 15

/6'; HSD'1 HSD'

R

R

R




)ersonnel )olicies ControlB ersonnel policies are established and include s!ills assess#ent and training progra#s or the C* unction' ;''1'; Heter#ine i resources assigned to the C* unction have appropriate s!ills to peror# their duties' ;''1'D Heter#ine i resources assigned to the C* unction have re=uire#ents, training schedules and #onitoring o training co#pletion' ;''1'5 /btain training records or C* resources'

;''1'6 valuate training recordsO deter#ine i the$ address the identiied s!ills assess#ent deiciencies' Incident esponse ControlB Incident response responsibilities are clearl$ deined and e3ercises are routinel$ e3ecuted'

Cross, reference


/< HSD'; HS<

3

HSD'1 HS?'; HS?'D HS10

R

;''1'< /btain the incident response policies and procedures' ;''1'? Heter#ine i incident responsibilities are clearl$ identiied' ;''1'9 Heter#ine i alternate resources or !e$ responsibilities are deined' ;''1'10 Heter#ine i incident drills are regularl$ scheduled' ;''1'11 Heter#ine i incident drills ade=uatel$ consider oreseeable incidents and disaster scenarios' ;''1'1 Heter#ine i the policies and procedures are up to date and are regularl$ revie"ed *C! )rocedure !onitoring *1 ControlB C* processes are routinel$ #onitored, and results are reported to and evaluated b$ * responsible #anage#ent' *D ;''1'1; Heter#ine i C* policies and procedures are #onitored' ;''1'1D Heter#ine i the #onitoring reporting process includes the use o scorecards and sel&assess#ents' ;''1'15 /btain and revie" sel&assess#ents or eectiveness' ;''1'16 /btain and revie" scorecards' Heter#ine i issue&#onitoring procedures are in eect to ensure resolution o identiied issues'  011 ISACA' All rights reserved' age 16

R


R




;''1'1< Heter#ine ho" oten reports are generated and the appropriateness o the individual(s) "ho receives the reports' 0.0 *C! !aintenance AuditAssurance /b4ectiveB %he C* policies and procedures are sub4ect to routine revie" to ensure the$ address current business continuit$ issues' *C! !aintenance e#iews ControlB eriodic revie"s o the C* policies and procedures are regularl$ scheduled, peror#ed, and the results evaluated' ;';'1'1 /btain a list o all C* docu#entation'

Cross, reference


/? AID HSD'D

R R R

HSD'1 HSD'

R

;';'1' Heter#ine i the C* docu#entation has been updated regularl$ and changes or eective dates appear on each page o the docu#entation' ;';'1'; Heter#ine i revie"ers docu#ent co#pletion o the revie" process "ith their initials or signature' ;';'1'D Heter#ine i personnel revie"ing docu#ents are =ualiied' ;';'1'5 Heter#ine i a senior e3ecutive has or#all$ approved all recent #aterial changes to C* policies procedures, and docu#entation' ;';'1'6 Heter#ine i C* policies, procedures and docu#entation are available in appropriate or# independent o the internal inrastructure, e'g', hard cop$ or electronic #aintained o&site or in a cloud&based online version' ;';'1'< Heter#ine i !e$ business continuit$, line o business and supporting sta all have access to the docu#entation'

7!

B)SI3.SS IMPACT ASS.SSM.3T 8BIA9 .1 *IA /efines *usiness Continuit& 7eeds AuditAssurance /b4ectiveB A co#prehensive usiness I#pact Anal$sis is the basis or business continuit$ decisions' *IA !ethodolog& /efined ControlB A IA #ethodolog$ is deined and i#ple#ented' D'1'1'1 /btain the IA #ethodolog$'

D'1'1' -evie" the processes or i#ple#enting #odiications to relect changes in the business and processing environ#ents and incident histor$'

 011 ISACA' All rights reserved' age 1<





D'1'1'; Heter#ine that the organi8ation has deter#ined -%/s (-ecover$ %i#e /b4ectives) and -/s (-ecover$ oint /b4ectives) or each critical application' 1 D'1'1'D Assess that the -%/s and -/s are practical and reasonable or each application and line o business or unction' *IA Supports *C! ControlB IA 4ustiies C* alternatives' D'1'1'5 /btain #anage#ent reports, #inutes o #eetings, e#ails, etc', that or#all$ docu#ent IA co##unications and status reports' *IA Continuall& Assesses *usiness Continuit& 7eeds ControlB %he IA is updated, at least annuall$, b$ the business and support units' D'1'1'6 /btain #anage#ent reports, #inutes o #eetings, etc', that docu#ent periodic updates to the IA' D'1'1'< -evie" the #anage#ent reports to ensure all business and support units peror# the annual assess#ent' D'1'1'? Select speciic annual reports ro# high&ris! unctional unitsO deter#ine that the annual updates or the selected units "ere peror#ed as re=uired and include a resh assess#ent o the business continuit$ needs' D'1'1'9 Heter#ine that the business unit #anagers docu#ent the co#pletion o an annual (or #ore re=uent) IA revie"' D'1'1'10 Heter#ine i IAs are peror#ed in response to signiicant business process change and "hen business units are ac=uired or sold' Single )oints of Failure ControlB %he IA includes a detailed anal$sis o all single points o ailure in the business and support unctions' D'1'1'11 /btain anal$ses o single points o ailure "ithin the business and support units, e'g', suppl$ chain, logistics chain, inancial reporting, technolog$ stac!s (all levels o technolog$ supporting a business unction ro# hard"are through net"or!s to application la$ers, databases, Web interaces, etc') D'1'1'1 Heter#ine that all single points o ailure have either been ull$ re#ediated or the enterprise has or#all$ accepted the ris!s or the ris!s have been laid o (t$picall$ 1

Application is deined as a group o business processes, not an I% application'  011 ISACA' All rights reserved' age 1?

Cross, reference



HSD'1 HSD'

R

R

HSD'D

R

R

HSD'; HSD'D

R




Cross, reference


b$ purchasing suitable insurance cover')

:! RIS; ASS.SSM.3T 2.1 Integration 8ith Enterprise is" !anagement 9E! AuditAssurance /b4ectiveB C* is an integral co#ponent o the -* progra#' 2.1.1 -is! *anage#ent ControlB *anage#ent #ust participate in an active ris! #anage#ent progra#' 5'1'1'1 Heter#ine that the C* tea# (or other appropriate tea#) peror#s annual or #ore re=uent ris! assess#ents, based on current business conditions' 5'1'1' Heter#ine i ris! assess#ents included suppl$ chain and logistics chain issues as "ell as #ission&critical third part$ relationships' 5'1'1'; Heter#ine i identiied ha8ards are being #onitored'

/9

R R

/9

R R

5'1'1'D Heter#ine that C* tea# prepares a residual ris! proile identi$ing signiicant ris!s, and revie" the docu#ents to deter#ine #anage#ent ollo"&up' 5'1'1'5 /btain ris! #anage#ent #eeting #inutes and other docu#entation to deter#ine the involve#ent o the C* unction' 5'1'1'6 Heter#ine that the C* unction participates in the ris! #anage#ent unction' Enterprise is" !anagement 9E! ControlB usiness continuit$ #anage#ent is a process "ithin the -*' 5'1'1'< I the C* ris! assess#ents utili8e the enterprise ris! #anage#ent process, peror# the ollo"ingB 5'1'1'? /btain and inspect ris! assess#ent docu#entation'

5'1'1'9 Heter#ine that ris! assess#ent assigns reasonable probabilities to incidents aecting business continuit$' 5'1'1'10 -evie" the ris! assess#ent to deter#ine i the ris! assess#ent is peror#ed in an i#partial #anner and is supported b$ act or reasonable #anage#ent 4ustiication' 5'1'1'11 Heter#ine that the ris! #anage#ent process assigns residual ris! ratings 5'1'1'1 Heter#ine ho" the residual ris! ratings drive the decision o "hich processes are included in the business continuit$ plans' 5'1'1'1; Heter#ine i -* and residual ris! ratings are in align#ent "ith Internal AuditPs annual ris! assess#ent, identi$ an$ #aterial dierences and obtain e3planations  011 ISACA' All rights reserved' age 19





Cross, reference



5'1'1'1D Heter#ine i !e$ business units and support units are included in the -*' 5'1'1'15 I an -* s$ste# has not been established, peror# the ollo"ing' 5'1'1'16 Heter#ine "hether critical business units and support units re=uired or inclusion in a ris! assess#ent (i'e', ris! dependent units) have been considered' 5'1'1'1< Heter#ine "hether these ris! dependent units peror# their o"n ris! assess#ents' 5'1'1'1? Heter#ine the processes used or the independent ris! assess#ents' 5'1'1'19 Heter#ine "hether the individual unit residual ris! ratings are in align#ent "ith Internal AuditPs annual ris! assess#ent, identi$ an$ #aterial dierences, and obtain e3planations' is" !anagement Issue !onitoring ControlB Identiied ris!s are entered into an issue #onitoring s$ste# or inclusion in a business continuit$ plan' 5'1'1'0 -evie" the process or including ris!s into an issue #onitoring s$ste# or inclusion in the business continuit$ #anage#ent progra#' 5'1'1'1 /btain the #ost recent issue #onitoring report'

/9

R R

5'1'1' Heter#ine "hether identiied issues have been appropriatel$ addressed b$ C*' 5'1'1'; valuate open ite#s and assess ris! rating associated "ith eac h ite#' Heter#ine i the ratings are appropriate' 5'1'1'D Heter#ine the re=uenc$ o issue #onitoring ollo"&up and assess its appropriateness'

6'1'1'1 /btain business continuit$ plan docu#entation'  011 ISACA' All rights reserved' age 0

/? AID HSD'D HSD'<

R

R




Cross, reference


6'1'1' Heter#ine that the plan has been !ept current and relects changes in the business processes, environ#ent, technolog$, third&part$ relationships, relevant contracts and regulator$ and other co#pliance re=uire#ents' 3.% /ocumentation is Ade4uate to Support eco#er& eco#er& )lan /ocumentation ControlB %he entire business recover$ plan is docu#ented and available during a declared e#ergenc$' 6''1'1 Heter#ine "hether a recover$ plan is in place'

HSD'D HSD'<

R

6''1' /btain recover$ plan docu#entation' 6''1'; Heter#ine that the plan has been !ept current and relects relevant changes in the business processes, environ#ent, third&part$ relationships, relevant contracts and regulator$ and other co#pliance re=uire#ents' 6''1'D Heter#ine i contact inor#ation has been !ept current' 6''1'5 Heter#ine i it is available in an appropriate or# independent o internal inrastructure' 6''1'6 Heter#ine i !e$ recover$ personnel have access to the docu#entation'

R

=! P2A3 T.STI3' 5.1 )lan +esting AuditAssurance /b4ectiveB %he plan should be tested regularl$, and the tests should include a co#prehensive veriication o continuit$ processes and situational drills to test the assu#ptions and alternate procedures "ithin the plan' +esting )olicies ControlB %esting policies deine test re=uenc$, t$pes o tests, use o situational drills and other recogni8ed processes' <'1'1'1 /btain testing policies docu#ent'

<'1'1' Heter#ine that the ollo"ing policies are stated and docu#entedB • *ini#u# test re=uenc$ • Conditions re=uiring #ore re=uent testing • %$pes o scenarios to be tested

 011 ISACA' All rights reserved' age 1

HSD'5 HSD'6

R





Cross, reference



+esting !ethods ControlB %esting includes both "al!throughs and ull&scale drills o the interi# process and recover$ plans' <'1'1'; Heter#ine that "al!through tests are peror#ed regularl$ and include all acets o the plan' <'1'1'D Heter#ine that ull&scale tests are peror#ed regularl$ and include higher ris!s events' <'1'1'5 Heter#ine i an ater&hours call list e3ists and is current'

<'1'1'6 Heter#ine i a progra# o continuit$ a"areness e3ists and is e3ecuted regularl$' Anal&sis of +est esults ControlB %he results ro# the plan tests are anal$8ed to identi$ issues that re=uire C revision, additional training or additional resources' <'1'1'< eri$ that changes to recover$ plans have been #ade as a result o testing and lessons learned' <'1'1'? Heter#ine i the results have been co##unicated to # anage#ent'

<'1'1'9 Heter#ine that sta!eholders and assurance unctions #onitor and receive post&test anal$sis' +esting !anagement ControlB C* tests are docu#ented and provide the structure or identi$ing lapses and gaps'

HSD'10

R R R

HSD HS5 HS9

R

HSD'5 HSD'?

R

HSD'6 HSD'?

R

<'1'1'10 /btain docu#entation o e3ercise peror#ed' <'1'1'11 Heter#ine i the e3ercises had been eective in identi$ing possible shortco#ings in the C*' 5.% +esting of eco#er& Ser#ice 'e#els ControlB lan testing includes veriication that the tests "ere co#pleted "ithin the intervals established in the IA and C' 5.%.1 Heter#ine i test results are co#pared against test criteria (-%/s, -/s, etc')' 5.0 +est Fre4uenc& ControlB %he continuit$ plan is tested routinel$, according to the polic$' %he tests address the re=uire#ents "ithin the C and are docu#ented' 5.0.1 eri$ that the recover$ plans are tested periodicall$' 5.0.% -evie" the test criteria to deter#ine i it "ill appropriatel$ test the plan against the  011 ISACA' All rights reserved' age 




Cross, reference


re=uire#ents identiied in the IA' )lan Stress +esting ControlB %he business continuit$ tests utili8e situational drills "here anticipated resources are not available or the test, or the circu#stances o the test are #odiied unannounced to veri$ the recover$ tea#:s abilit$ to adapt to unplanned situations' 5.0.0 eri$ that the tests include unannounced situations to stress test the recover$ planPs assu#ptions and the sta:s abilit$ to react to unplanned events'

 011 ISACA' All rights reserved' age ;

HSD'5

R




-II! Maturity Assessment %he #aturit$ assess#ent is an opportunit$ or the revie"er to assess the #aturit$ o the processes revie"ed' ased on the results o auditassurance revie", and the revie"er:s observations, the revie"er assigns a #aturit$ level to each o the ollo"ing control practices'

Control )ractice

Assessed !aturit&

*usiness Continuit& )lan !anagement *C! )olic&; Standards; and )rocedures *usiness Impact Assessment is" Assessment /ocumentation )lan +esting

 011 ISACA' All rights reserved' age D

+arget !aturit&

eference -&per, lin"

Comments

-III! Assessment Maturity vs! Target Maturity %his spider graph is an e3a#ple o the assess#ent results and #aturit$ target or a speciic enterprise'

 011 ISACA' All rights reserved' age 5

Business Continuity Management Audit Assurance Program Icq Eng 0911

Recommend Documents