IT Examiner School eBook
• Enterprise-wide business continuity plan
• Business impact analysis
• Risk/threat assessment, including cyber risks/threats
• Testing program
• Testing results
• BCM responsibility and accountability
• BCM resource allocation
• Alignment of business strategy and risk appetite
• Business continuity risks and adopting policies and plans to manage events
• Business continuity exercise/test strategy
• Business continuity training strategy
• Business continuity operating/performance results, including exercise/test results
• Resolution plan(s) for identified weaknesses
Procedure 4 – Business Impact Analysis
Determine whether adequate business impact analyses and risk assessments have been completed. Consider the following:
• Input from all integral groups (e.g., business line management, risk management, IT, facilities management, and audit) and comprehensiveness of management’s review
• Analysis of reasonably foreseeable threats, including natural events, technical events, pandemics, malicious activity, and cyber threats
• Utilization of the business impact analysis to identify critical business assets and prioritize recovery of processes, systems, and applications
• Identification and reasonableness of key recovery metrics, such as allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), and costs associated with downtime
• Inclusion of IT services provided by third-party vendors or service providers in the business impact analyses/risk assessments
Control Test
Review a sample of business impact analyses and risk assessments.
Procedure 5 – Business Continuity Plan (BCP)
Evaluate the adequacy of the business continuity plan and of risk management over the business continuity process. Consider the following:
InTREx Mapping
Tandem, LLC | Copyright © 2024
Confidential - Internal Use Only