bc2013_day2_tareq-mahmoud-auditing

Auditing Business Continuity Management
Tariq Mahmood, Lead IT Auditor, Kuwait Petroleum Corporation
MBA (MIS, Finance, Marketing), CISA, CISM, CGEIT, CRISC, MBCI, ISO 27000, BS 25999


Who is your audience
1. How many of you have developed BCM involving critical divisions of your company?
2. How many of you have developed a BCP for IT only?
3. How many of you are using BS 25999 or ISO 22301?
4. How many of you have not started BCM?
5. Any auditors for BCM?


You must be aware by now
1. What is BCM? What are the components?
2. Why do we need BCM? Is it really needed?
3. What are the relevant standards & certifications?
4. What are the costs involved for implementation, maintenance and testing?
5. What are BIA, RA, RTO, RPO, etc.?
6. What are the major risks involved?
7. Therefore we are skipping the introduction.


How can you benefit from the next 30 min
1. I will NOT tell you how to audit a BCM.
2. I will try to tell you how to prepare a BCM that really works at the time of disaster.
3. I will try to tell you what an auditor looks for while auditing.
4. I was on the other side of the table as CISO.
5. I will ask questions during this presentation.


Contents of a BCM Audit
1. Planning and scoping the audit
2. Review how the BCM has been organized
3. BCM policy, standards and procedures
4. Review the Business Impact Assessment
5. Review the Risk Assessment
6. Review BCM documentation
7. Review how the plan is being tested
8. Comment on maturity assessment


Presentation based on
- ISACA Audit and Assurance Program 2011
- Only high level, a lot of details dropped
- Not intended to be a comprehensive checklist
- Needs to be tailored for every client: different for banks, retailers, manufacturing, location, small, large


Format of ISACA BCM Audit program – Free for ISACA Members

The program is a table with these columns:
- Audit/Assurance Program Step
- COBIT Cross-reference
- COSO Reference (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring)
- Hyperlink
- Issue Cross-reference
- Comments

Sample rows (the first section of the program):

1. PLANNING AND SCOPING THE BUSINESS CONTINUITY AUDIT
   Define Audit/Assurance Objectives – The audit/assurance objectives are high level and describe the overall audit goals.
   - Review the audit/assurance objectives in the introduction to this business continuity management (BCM) audit/assurance program.
   - Modify the audit/assurance objectives to align with the audit universe, annual plan and charter.


COSO References
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring


EVIDENCE


1. Planning & Scoping BCM Audit (1)
1. Define Audit/Assurance Objectives – The audit/assurance objectives are high level and describe the overall audit goals.
2. Define boundaries of the audit – The auditor understands the operating environment and prepares a proposed scope, subject to a later risk assessment.


Proposed objectives of a BCM Audit
1. Provide management with an evaluation of the enterprise's preparedness in the event of a major business disruption, through real-time testing
2. Identify issues that may limit interim business processing and restoration of the same
3. Provide management with an independent assessment of the effectiveness of the BCM and its alignment with subordinate continuity plans


Proposed scope of a BCM Audit
The audit focuses on the enterprise business continuity plan, policies, standards, guidelines, procedures, laws and regulations that address maintaining continuous business services. This includes:
1. Development, maintenance and testing of the BCM in real situations with uncertainties
2. Ability to provide interim business services and the effective and timely restoration of the same
3. Risk management and costs related to the BCM


1. Planning & Scoping BCM Audit (2)
3. Identify and document the audit risks – Risk assessment is necessary to evaluate where audit resources should be focused. A risk-based approach ensures the most effective utilization of audit resources across the audit universe.
4. Define the audit change process – The initial audit approach is based on the auditor's initial understanding of the operating environment and associated risks. As further research and analysis are performed, changes to the scope and approach will result.


1. Planning & Scoping BCM Audit (3)
5. Define assignment success factors and identify the drivers for a successful audit.
6. Define audit resources required
   - Determine the audit skills necessary
   - Estimate the total audit resources (hours) and time frame (start and end dates) required for the audit


1. Planning & Scoping BCM Audit (4)
7. Define deliverables
   - Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for responses or meetings and the final report.
   - Document who the key representatives are
8. Communication of process and reports – The audit/assurance process and agreed deliverables must be clearly communicated to the auditee on time


WHO AUDITS THE AUDITOR


2. Review BCM Organization (1)
Objective: The BCM plan team must be organized to represent all appropriate business functions.
BCM Organization
1. Ensure that the BCM team has a designated leader reporting to top management
2. Membership of the BCM team includes the major segments of the enterprise's business units, as well as critical support functions


2. Review BCM Organization (2)
1. Ensure the organization chart describes BCM job descriptions
2. Review documents related to the BCM
3. Ensure BCM management is conducting regular review / test meetings
4. Ensure BCM team members are participating; review minutes


2. Review BCM Organization (3)
Ensure the following functions are on the BCM team:
1. Team management
2. Finance
3. Human resources
4. Facilities and communications
5. Legal and public relations
6. Technology and operations
7. Supply and logistics chain management
8. Critical third parties, e.g., contractors, technology vendors
9. Internal and external auditors


WHAT IS THE VALUE OF A BCM PROJECT OF IT ONLY


3. BCM Policy, Standards & Procedures (1)
1. Policy and standards – Objective: Policies affecting business continuity are documented, approved and implemented to ensure completeness and appropriate coverage of business risks.
2. BCM maintenance
   - BCM maintenance reviews: Periodic reviews of the BCM policies and procedures are regularly scheduled and performed, and the results evaluated


3. BCM Policy, Standards & Procedures (2)
3. BCM procedures audit / assurance
   1. Procedures: review the BCM charter and objectives
   2. Ensure personnel policies have been established and include skills assessment and training programs for the BCM function.
   3. Incident response responsibilities are clearly defined and exercises are routinely executed.
4. BCM procedure monitoring – BCM processes are routinely monitored, and results are reported to and evaluated by responsible management


ENSURE MANAGEMENT COMMITMENT LANGUAGE OF $


4. Business Impact Assessment (BIA) (1)
BIA defines business continuity needs
Objective: A comprehensive BIA is the basis for business continuity decisions.
BIA methodology defined
- Ensure that a BIA methodology has been defined and implemented
- Review the processes for implementing modifications to reflect changes in business processes
- Ensure that the organization has determined RTOs and RPOs for each critical application
- Ensure that the RTOs and RPOs are practical and reasonable for each application


4. Business Impact Assessment (BIA) (2)
BIA supports BCM
- Ensure that the BIA justifies BCM alternatives.
- Review management reports, minutes of meetings, emails, etc., that formally document BIA communications and status reports

BIA continually assesses business continuity needs
- Ensure that the BIA is updated, at least annually, by the business and support units; review minutes of meetings and management reports


4. Business Impact Assessment (BIA) (3)
Single points of failure
- Ensure that the BIA includes a detailed identification and analysis of all single points of failure in the business and support functions
- Including all levels of technology supporting a business function, from hardware through networks to application layers, databases, Web interfaces, etc.
- Ensure that all single points of failure have either been fully remediated, or the enterprise has formally accepted the risks, or the risks have been laid off (typically by purchasing suitable insurance cover)


WHAT LEVEL OF BCM IS REQUIRED


5. Risk Assessment (1)
Integration with Enterprise Risk Management (ERM)
Objective: BCM is an integral component of the ERM.
Risk Management
1. Ensure management participates in an active risk management program.
2. Ensure the BCM team performs annual or more frequent risk assessments of all relevant processes
3. Ensure the BCM team has prepared a residual risk profile
4. Review risk management meeting minutes
5. You can get IT-related risks from ISACA's Risk IT


5. Risk Assessment (2)
Enterprise Risk Management (ERM)
1. Ensure BCM is a process within ERM
2. Review risk assessment documentation
3. Ensure the risk assessment assigns reasonable probabilities and impact to incidents affecting business continuity.
4. Ensure the risk assessment has been performed in an impartial manner


5. Risk Assessment (3)
Risk Management Issue Monitoring
1. Ensure identified risks have been input into an issue monitoring system for inclusion in a business continuity plan
2. Review the process for including risks in an issue monitoring system
3. Review the most recent issue monitoring report
4. Ensure issues have been appropriately addressed
5. Evaluate open items and assess the risk rating
6. Determine the frequency of issue monitoring follow-up and assess its appropriateness.


6. Documentation (1)
Appropriate documentation
- Objective: The business continuity plan is adequately documented to conduct effective interim business activities and recovery procedures after a declared business interruption.
Documentation is adequate to support business continuity
- Ensure that the entire business continuity plan is documented and available during a declared emergency.
- Ensure that the plan has been kept current and reflects changes in the business processes, environment, technology, third-party relationships, relevant contracts and regulatory and other compliance requirements.


6. Documentation (2)
Documentation is adequate to support recovery
Recovery plan documentation
Objective: The entire business recovery plan is documented and available during a declared emergency.
1. Ensure a recovery plan is in place – review a copy
2. Ensure that the plan has been kept current and reflects relevant changes
3. Ensure contact information is current
4. Ensure the plan is available in an appropriate form
5. Ensure the plan is accessible to relevant officers ONLY, 24x7x365


What is the best way to Audit a BCM Program


Measure up against ISO 22301 and practically test all sections


7. Testing the Plan (1)
Objective:
1. Test regularly,
2. Ensure that tests include a comprehensive verification of continuity processes, and
3. Situational drills to test the assumptions and alternate procedures within the plan.


7. Testing the Plan (2)
1. Plan testing
   - Ensure that the testing policies define test frequency, types of tests, use of situational drills and others
   - Testing methods include walkthroughs, part testing and full-scale drills of the interim process and recovery plans
   - Ensure an updated after-hours call list exists – call them
   - Analysis of test results – Ensure that the results from the plan tests are analyzed to identify issues that require BCP revision, additional training or additional resources
   - Testing management – BCM tests are documented and provide the structure for identifying lapses and gaps.


7. Testing the Plan (3)
2. Testing of recovery service levels includes verification that the tests were completed within the intervals established in the BIA and BCP
3. Test frequency – Verify that the recovery plans are tested periodically – review the test criteria
4. Plan stress testing – Verify that the tests include unannounced situations to stress test the recovery plan's assumptions and the staff's ability to react to unplanned events
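Two of the checks above are mechanical once the evidence is collected: the BIA slide asks whether each critical application's RTO and RPO are practical, and this slide asks whether recovery tests were completed within those intervals and run at the policy-defined frequency. The script below is an added example, not part of the presentation or the ISACA program: it takes a constructed BIA register (RTO, RPO, the backup interval the application actually has, and the required test interval) and constructed recovery-test records, and produces one finding list per application. Every application name and number in it is invented for illustration. An RPO that is shorter than the backup interval is flagged as unachievable, because no restore can recover data that was never captured.

```python
from datetime import date

# Constructed BIA register (hours / days). Invented values, not from any real BIA.
# backup_interval_hours is how often backups actually run; the RPO cannot be
# met if it is shorter than that interval.
BIA = {
    "payroll": {"rto_hours": 8,  "rpo_hours": 1,  "backup_interval_hours": 1,  "test_every_days": 365},
    "erp":     {"rto_hours": 24, "rpo_hours": 4,  "backup_interval_hours": 24, "test_every_days": 180},
    "email":   {"rto_hours": 4,  "rpo_hours": 2,  "backup_interval_hours": 1,  "test_every_days": 365},
    "crm":     {"rto_hours": 48, "rpo_hours": 24, "backup_interval_hours": 24, "test_every_days": 365},
}

# Constructed recovery-test records: the date of the test, the measured time to
# restore service, and the measured data-loss window. "crm" has no record at all.
TEST_RESULTS = [
    {"app": "payroll", "date": date(2013, 3, 10), "recovery_hours": 6.5, "data_loss_hours": 0.5},
    {"app": "erp",     "date": date(2012, 5, 2),  "recovery_hours": 30,  "data_loss_hours": 3},
    {"app": "email",   "date": date(2013, 1, 15), "recovery_hours": 3,   "data_loss_hours": 6},
]


def evaluate_recovery_tests(bia, results, as_of):
    """Return {app: [finding, ...]} comparing BIA targets with test evidence.

    An empty list means the application passed every check as of `as_of`.
    """
    findings = {}
    for app, target in bia.items():
        issues = []

        # BIA reasonableness: the RPO must be achievable with the backup schedule.
        if target["rpo_hours"] < target["backup_interval_hours"]:
            issues.append(
                f"RPO {target['rpo_hours']}h is unachievable: backups run every "
                f"{target['backup_interval_hours']}h"
            )

        tests = sorted((r for r in results if r["app"] == app), key=lambda r: r["date"])
        if not tests:
            issues.append("never tested")
        else:
            latest = tests[-1]

            # Test frequency against the testing policy.
            age_days = (as_of - latest["date"]).days
            if age_days > target["test_every_days"]:
                issues.append(
                    f"last test {age_days} days ago exceeds policy interval of "
                    f"{target['test_every_days']} days"
                )

            # Recovery service levels: actual results against RTO and RPO.
            if latest["recovery_hours"] > target["rto_hours"]:
                issues.append(
                    f"recovery took {latest['recovery_hours']}h, RTO is {target['rto_hours']}h"
                )
            if latest["data_loss_hours"] > target["rpo_hours"]:
                issues.append(
                    f"data loss window {latest['data_loss_hours']}h, RPO is {target['rpo_hours']}h"
                )

        findings[app] = issues
    return findings


def apps_needing_revision(findings):
    """Applications with at least one finding, sorted for the audit report."""
    return sorted(app for app, issues in findings.items() if issues)


if __name__ == "__main__":
    report = evaluate_recovery_tests(BIA, TEST_RESULTS, as_of=date(2013, 6, 1))
    for app in sorted(report):
        status = "OK" if not report[app] else "; ".join(report[app])
        print(f"{app:8s} {status}")
```

Run against the constructed data as of 1 June 2013, payroll passes, email exceeds its RPO, erp is overdue for testing, missed its RTO and has an RPO its backup schedule cannot deliver, and crm has never been tested. In a real engagement the two input tables would be populated from the BIA register and the documented test results that the audit program asks the auditor to review.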


Maturity Assessment of processes
Table columns: Control Practice | Ref. Hyperlink | Target Maturity | Assessed Maturity | Comments
Control practices assessed:
- Business Continuity Plan Management
- BCM Policy, Standards, and Procedures
- Business Impact Assessment
- Risk Assessment
- Documentation
- Plan Testing


Maturity Levels
- 0 Non-existent
- 1 Initial/ad hoc
- 2 Repeatable but intuitive
- 3 Defined
- 4 Managed and measurable
- 5 Optimized


Assessed maturity vs target maturity


Auditor's job requirement

WE TRUST IN ALLAH SWT and MOHAMMAD SAW OTHERS WE AUDIT


Have you understood everything, something or nothing?


Thank you very much

tareq.m@kpc.com.kw +965-6611-2545

