SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx


SAMPLE REPORT
Business Continuity Gap Analysis Report
Prepared for XYZ Business by CSC Business Continuity Services
Date: xx/xx/xxxx

COMMERCIAL-IN-CONFIDENCE PAGE 1 OF 11

Contact Details

CSC Contacts
Contact Name | Title | Telephone | Email

Client Contacts/Interviewees
Contact Name | Title | Telephone | Email

Distribution
Additional Client Distribution
Name: | Title:
Name: | Title:

Document Classification
Commercial Caveat: COMMERCIAL-IN-CONFIDENCE
Privacy and/or Security Caveat: SECURITY-IN-CONFIDENCE
Overall Classification: COMMERCIAL-IN-CONFIDENCE

Release Authorisation
Task | Name | Title | Date

Disclaimer
This document has been prepared for XYZ Business by CSC Australia Pty Ltd and describes the findings of a Business Continuity Gap Analysis. This document has been prepared on the basis of information that was made available to CSC and is subject to change should new information become available.

Contents
Contact Details ... 2
CSC Contacts ... 2
Client Contacts/Interviewees ... 2
Distribution ... 2
Document Classification ... 2
Release Authorisation ... 2
Disclaimer ... 2
Contents ... 3
Executive Summary ... 4
Introduction ... 5
Background ... 5
Objective ... 5
Approach ... 5
Scope ... 5
Findings and Recommendations ... 6
Summary of Findings ... 6
Business Continuity Program Management ... 8
Business Continuity Policy ... 8
Business Impact Assessment (BIA) ... 8
Risk Assessment (RA) ... 9
Business Continuity Strategies (Corporate, Process and Resource level) ... 9
Business Continuity Plans (BCP) ... 9
Crisis Management Plan ... 9
Business Continuity Training and Awareness ... 9
Business Continuity Testing ... 10
Business Continuity Monitoring ... 10
Business Continuity Audit ... 10
CSC Australia Pty Limited ... 11

Executive Summary

As a result of a recent audit finding regarding the maturity of XYZ's Business Continuity Management (BCM), CSC Business Continuity Services was engaged by the CIO of XYZ to review their BCM framework. The work was undertaken by Mr John Smith of CSC at XYZ's Sydney head office from 12 January 2015 to 15 February 2015. The principal aims of the project were to:
- Assess the gaps in the Business Continuity Management (BCM) Program of XYZ with respect to the requirements of the ISO 22301/APRA standards.
- Provide recommendations to close the gaps and a roadmap to improve the BCM program to the desired level of maturity.

CSC found that while there is a basic Business Continuity Management Program, there are weaknesses in the links between recovery strategies and XYZ's business continuity plans. Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical services and key ICT systems need to be identified in order to put appropriate strategies in place.

We have raised 16 findings for the XYZ BCM program which we believe need to be prioritised as per the recommendations contained in the Findings and Recommendations section of the report. The key findings are summarised below:
- Third party agreements/arrangements, where XYZ relies on key suppliers and services, have not been included within the Business Continuity Plan framework.
- The Business Continuity Plan (BCP) does not have clear escalation procedures or details of the tasks that need to be carried out during the course of a disaster event.
- The Business Impact Analysis (BIA) does not properly prioritise the critical processes at the time of a disaster event.
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) have not been identified for the recovery of critical services and key IT systems. RTO and RPO assigned to critical activities allow management to recover key systems in a way that minimises the impact on the XYZ business and is in line with the expectations for the recovery of XYZ services.
- A complete Risk Analysis (RA) encompassing facilities, people, IT infrastructure and utilities has not been completed to address all the threats to, and controls over, the business.
- From a compliance point of view, the current BCP framework needs to be revised to meet the ISO 22301/APRA standard requirements.
- The role of IT in other business continuity plans needs to be further coordinated.
- The output of the business continuity and disaster recovery tests has not been formally presented to or accepted by management. Management should have the opportunity to comment or make recommendations based on test outcomes.
- There is no formal crisis communication plan in place to communicate with internal employees and external stakeholders, including customers and the media, during the course of a disaster event.

Full details of the gap analysis findings and recommendations are contained in the body of this report.

Introduction

Background
XYZ Business is a boutique industry service established in 2001-2002 and is a global leader in its industry domain, headquartered in Sydney, Australia. In its mission for growth, one of the key areas identified by XYZ Management is to ensure the continuance of critical business functions under all circumstances. There is therefore a need for a well-defined and structured Business Continuity Program to ensure the business is minimally impacted in the event of a disaster and can continue to operate.

As a result of a recent audit finding regarding the maturity of XYZ's Business Continuity Management (BCM), CSC Business Continuity Services was engaged by the CIO of XYZ to review their BCM framework. The work was undertaken by Mr Ashish Dahiya of CSC at XYZ's Sydney Head Office from 12 January 2015 to 15 February 2015.

This document, the BCM Gap Analysis Report, highlights the gaps observed in the Business Continuity Management structure and in the BCM documentation required to comply with the mandatory requirements of APRA/ISO 22301. The CIO will present the findings and recommendations contained in this report to the Risk Governance Steering Committee at its next meeting, scheduled for 13 April 2015.

Objective
The objective of the Gap Assessment was to understand the gap between what is required by the business continuity methodology ISO 22301/ISO 27001 and what is in place at XYZ. This report details these findings.

Approach
The project approach was to collect data via a CSC-developed gap analysis survey, completed by the identified BC stakeholders at XYZ. The aggregated survey data has been analysed and the results are contained in this report. This report contains findings, conclusions and recommendations based on the information supplied by the XYZ representatives who participated in the survey.

Scope
In accordance with the agreed terms of reference, CSC has undertaken the Business Continuity Management (BCM) Program assessment to cover the following BCM program components at the XYZ Sydney Head Office:
- Existing Business Continuity and Disaster Recovery plans framework
- Existing BIA (Business Impact Analysis) and RA (Risk Analysis) reports (if any)
- Recovery strategies in place
- Crisis and Emergency Management plan
- BC and Disaster Recovery (DR) testing approach and past outcomes
- Training and awareness materials and approach
- Continual improvement records

The overall objective of this gap analysis was to provide a high-level BCM program assessment report to XYZ Executive Management with all reasonable key findings and recommendations.

Findings and Recommendations

Summary of Findings
The following graph highlights the current perceived level of maturity against the primary domains of a Business Continuity Program, with 0 being the lowest and 5 the highest.

Figure 1: Business Continuity Domain Maturity

Figure 2 below maps the level of maturity against industry standard ranges for each of the domains, together with the maturity levels that XYZ requires or expects to attain. The expected level required will determine the level of activity in the recommendations that XYZ will need to undertake.

Figure 2: Business Continuity Industry Vertical Maturity

Business Continuity Management (BCM) Program Supporting Documentation
Findings:
1. BCM Program roles and responsibilities are not defined and documented in the BCM framework (Doc #).
2. BCM Program competencies should be clearly established and documented.
Recommendations:
A BCM Program organisation structure should be in place. The roles and responsibilities should also be clearly defined and documented in the BCM framework. The BCM Program steering committee should ensure that it has competent personnel in the BC team, and this should be documented in the Business Continuity framework. Training should be provided to these personnel on an ongoing basis to improve and maintain their competency.

Business Continuity Program Management
Findings:
1. The objective of the Business Continuity Management Program has to be further refined to incorporate the obligations, acceptable level of risk, statutory or regulatory requirements and interests of key stakeholders.
Recommendations:
The scope and objectives should be documented with regard to:
a) requirements of business continuity
b) organisational objectives and obligations
c) acceptable level of risk
d) statutory, regulatory and contractual duties
e) interests of key stakeholders
Further, this should form part of the policy section of the framework document (Doc#).

Business Continuity Policy
Findings:
1. The policy does not clearly document the scope of the Business Continuity Management Program, including any exclusions or limitations.
Recommendations:
The policy section should clearly incorporate the objectives and scope, including any limitations and/or exclusions. The scope should clearly identify the location of the organisation and the departments covered.

Business Impact Assessment (BIA)
Findings:
1. BIA working sheets are not available.
2. Due to the non-availability of BIA working sheets, the RTO and RPO calculation is not clear. Further, the Maximum Tolerable Period of Disruption (MTPD) value has also not been obtained.
Recommendations:
BIA working sheets should be made available to management, along with Recovery Time Objective (RTO), Recovery Point Objective (RPO) and Maximum Tolerable Period of Disruption (MTPD) values, for their approval. These sheets will assist them in determining the priority and order of recovery for critical business processes during any disaster event.
XYZ should conduct a fresh BIA to derive the relevant RTO and RPO calculations. These BIA working sheets should be made available to management and business unit heads for their approval. Further, the MTPD should also be established to comply with the ISO 27001/22301 standards. A BIA methodology should also be established for compliance purposes.

Risk Assessment (RA)
Findings:
1. A Risk Assessment has not been conducted.
Recommendations:
A Risk Assessment should be conducted for all assets and business enablers related to the identified critical processes and business. A risk treatment plan should also be in place for the same. An RA methodology should also be established for compliance purposes.

Business Continuity Strategies (Corporate, Process and Resource level)
Findings:
1. Recovery strategies are not developed for all critical processes (mentioned in doc # and doc # for the X and Y units respectively) identified by management.
2. Records related to the approval of recovery strategies have not been made available.
Recommendations:
Recovery strategies should be based on the RA and BIA outcomes. All recovery strategies should be duly approved by Executive Management, and the approval records should be retained in a centralised location. Records should be made available during any audit to fulfil the compliance requirement.

Business Continuity Plans (BCP)
Findings:
1. Business Continuity Plans do not reflect the most up-to-date BIA figures, recovery strategy and critical recovery resource requirements.
Recommendations:
Business Continuity Plans should be built upon the BIA and effective recovery strategies. They should be updated with all critical resources, including people and their contact details. The most up-to-date BC plans should be stored in a centralised location that is easily accessible to the Business Continuity Core Team of XYZ.

Crisis Management Plan
Findings:
1. A crisis communication plan has not been developed as part of the Business Continuity Management Program.
Recommendations:
A proper crisis communication plan should be developed and incorporated in the Business Continuity Framework document.

Business Continuity Training and Awareness
Findings:
1. Records of Business Continuity Management program training for employees, BC team members and evacuation teams are not available for XYZ staff.
Recommendations:
Records pertaining to BCM program training, such as training presentations, feedback, training material, training calendar, fire drill timings, etc., should be made available to all staff members via a centralised location or some other means that is easily accessible to all employees and auditors.

Business Continuity Testing
Findings:
1. Exercises and testing do not include full testing of the BCM organisation and infrastructure (including physical/facilities, IT and telecommunications).
Recommendations:
A proper testing calendar, along with scope and success criteria, should be developed to fully test the BCP and Disaster Recovery (DR) plans.

Business Continuity Monitoring
Findings:
1. Management review is not established as part of the BCM Program documentation.
2. Preventive and corrective actions are not part of the BCM Program documentation.
3. Continual improvement is not part of the BCM Program documentation.
4. Control of the BCM Program records is not established as part of the BCM Program policy.
5. Control of the BCM Program documentation is not established as part of the BCM Program policy.
Recommendations:
Management review should take place as part of the BCM Program. The BCM policy and framework should be updated with the management review process.
Once the BCM Program is implemented as per the ISO 27001/22301 standards, any changes arising from the implementation of preventive or corrective controls should be documented. A documented policy should also exist for the same.
Continual improvement shall exist as part of the BCM Program documentation. A policy needs to be established on the same. A BC effectiveness and measurement matrix can be further established to ensure that the BCM Program undergoes improvement on a continuous basis.
Controls over the BCM Program records should be established.
Control of the BCM Program documentation should be established as part of the BCM program policy to ensure that:
- documents are reviewed, updated and approved
- document version status is maintained
- distribution is controlled to the required personnel
- unintended use of obsolete documents is prevented.

Business Continuity Audit
Findings:
1. The Business Continuity Management (BCM) audit program, policy, scope and procedures are not defined.
Recommendations:
Business Continuity Management (BCM) audit programs, policies, scope and procedures should be defined in order to ensure that XYZ carries out internal and external certification audits for its BCM Program on a periodic basis.

CSC Australia Pty Limited
Global Security Solutions (GSS)
26 Talavera Road
Macquarie Park, NSW 2113
Australia
+61 (0)2 9034 3000

About CSC
Computer Sciences Corporation (CSC) is a global leader of next generation information technology (IT) services and solutions. The Company's mission is to enable superior returns on our clients' technology investments through best-in-class industry solutions, domain expertise and global scale. Globally, CSC has approximately 72,000 employees with a presence in over 70 countries. In Australia, CSC has offices in most capital cities and has over 2,500 employees. Australian clients number over 350 and include multi-million dollar corporations across the banking, insurance and health sectors, and key state and federal government departments. For more information, visit the company's website at www.csc.com