8 Maintaining a Business Continuity Plan
8.1 How to Maintain the Business Continuity Plan
Environmental changes, new products, policies, new procedures,
personnel forgetting or losing interest in critical parts
of the plan, or departing from the company—any of these
situations may make a BCP obsolete or in need of revisions.
Periodic testing of the BCP is required for verification and
validation purposes. This stage covers preplanning and coordinating
plan exercises, and evaluating and documenting the results of
those exercises. Develop processes to maintain the currency of
continuity capabilities and the plan document in accordance with
the organization's strategic direction. Verify that the plan will
prove effective by comparison with a suitable standard, and report
results in a clear and concise manner.
Tasks to perform:
Preplan the exercises
Coordinate the exercises
Evaluate the exercise plans
Exercise the plans
Document the results
Evaluate the results
Report results and/or evaluation to management
Understand strategic directions of the business
Attend strategic planning meetings
Coordinate plan maintenance
Assist in establishing audit program for the business continuity plan
A BCP is a “living” document, changing in concert with changes in the
business activities it supports. The plan should be reviewed by senior
management, the planning team or coordinator, team members, internal audit,
and the executive management team at least annually. As part of that review
process, the team or coordinator should contact business unit managers
throughout the institution at regular intervals to assess the nature and scope
of any changes to the institution's business, structure, systems, software,
hardware, personnel, or facilities. It is to be expected that some changes will
have occurred since the last plan update. Software applications are
commercially available to assist the BCP coordinator in identifying and tracking
these organizational changes so the BCP can be updated.
All such organizational changes should be analyzed to determine how
they may affect the existing continuity plan, and what revisions to the plan
may be necessary to accommodate these changes. The agencies expect that
BCP updates will be documented to show that the plan reflects the institution
as it currently exists. Lastly, the financial institution should ensure the
revised BCP is distributed throughout the organization.
The plan itself is always changing to reflect changing conditions in the
business, the environment, and the community itself. It is necessary for the
BCP updating process to be properly structured and controlled. As a living
document, the organization should implement a change control process for
managing the BCP. Periodic reviews should be conducted and the responsibilities
for maintenance of each part of the plan should be clearly delineated.
Whenever any change is made to the plan, it is important to test that
change to ensure it adequately satisfies all requirements. Also, when changes
are made, it is important to notify the training group of those changes so
they can be reflected in future training. Whenever changes are made to the
BCP, they should be fully tested. This will usually involve the use of formalized
change control procedures under the control of the BCP Team Leader.
Four areas need to be addressed in this process:
1. Use change control procedures for updating the plan
2. Assign responsibilities for maintenance of each part of the plan