Business continuity certification
The Business Continuity Professional
It's a good idea for an organization serious about business continuity practices
to have a certified business continuity professional in its ranks. Here's some
information about the various certifications available.
by Avinash Kadam
Information security ensures the confidentiality, integrity and availability
of information. And availability is the assurance that a computer system is
accessible by authorized users whenever needed.
While major disasters like fire, flood, and earthquake are obvious threats to
the availability of information systems, minor annoyances like a blip in the
power supply, though not so obvious, are equally potent. Non-availability could
also be an outcome of a malicious virus attack or DoS attack on a website.
The occurrence of an incident causing non-availability of information is a certainty
in the life of an organization. It happens to all, sooner or later. What differentiates
a well-prepared organization from an unprepared one is the time it takes to
recover and restore normalcy. The increasing dependence on information systems
and the need to recover within an acceptable time frame have given rise to the
discipline of Business Continuity Planning.
Disaster Recovery Institute International (DRII) (www.drii.org) is a body with
a mission to provide best practices for all business continuity and disaster
recovery planners and organizations. Towards this mission, it has created a
common body of knowledge called 'Professional Practices for Business Continuity
This is the basis of various certification exams conducted by DRII like Associate
Business Continuity Professional (ABCP), Certified Business Continuity Professional
(CBCP), and Master Business Continuity Professional (MBCP).
These certifications require you to pass the CBCP examination. The requirements
for obtaining a particular certificate differ in terms of years of experience
and the number of subject matter areas of professional practice in which the
experience is obtained.
ABCP does not require any experience; CBCP requires two years' experience in
three subject matter areas and MBCP requires five years' experience in seven
subject matter areas. In addition, MBCP requires you to score 85 percent in
the examination, and ABCP and CBCP need you to score 75 percent.
Subject areas for the BCP examination
The subject areas are divided among 10 topics, grouped in three stages of a
business continuity project.
1. Project Initiation and Management
2. Risk Evaluation and Control
3. Business Impact Analysis
4. Developing Business Continuity Strategies
5. Emergency Response and Operations
6. Developing and Implementing Business Continuity Plans
7. Awareness and Training Programs
8. Maintaining and Exercising Business Continuity Plans
9. Public Relations and Crisis Communication
10. Coordination with Public Authorities
Subject area 1: Project Initiation and Management
The first logical step when starting any project is to establish the need for
the project. So, the first subject area is to establish the need for a Business
Continuity Plan (BCP), including obtaining management support, and organizing and
managing the project to completion within the agreed time and budget limits.
This subject area expects you to understand how to sell the concept to the management
and staff, develop the project plan and budget, get approvals, and put a
project structure and management in place.
Subject area 2: Risk Evaluation and Control
In this subject area, you understand how to determine the events and environmental
surroundings that can adversely affect the organization and its facilities.
It talks about disruption and disaster, the damage such events can cause, and
the controls needed to prevent or minimize the effects of potential loss.
You study how to identify potential risks to the organization, identify vulnerabilities,
threats and exposures. You also study about the risk-reduction alternatives
and provide a cost-benefit analysis to justify investment in controls to mitigate
Subject area 3: Business Impact Analysis
The risks become tangible when we assess the impact these may have on the business.
In this subject area you learn how to identify the impact resulting from disruptions
and disaster scenarios that can affect the organization. You also look at the
techniques that can be used to quantify and qualify such impact, establish critical
functions, the recovery priorities, and interdependencies so that the recovery time
objective can be set.
This is by far the most critical subject area. Any error in judgment may lead
to bad decisions.
Subject area 4: Developing Business Continuity Strategies
The next step after business impact analysis is to develop the strategy for
how to continue being in business. There could be a number of alternatives.
Each strategy will have a different recovery time and cost. The shorter the recovery
time, the higher the cost.
You need to determine and guide the selection of alternative business recovery
operating strategies for recovery of business and information technologies within
the recovery time objective, while maintaining the organization's critical functions.
Subject area 5: Emergency Response and Operations
This part relates to handling of a disaster. You have to develop and implement
procedures for response and stabilizing the situation following an incident
or event, including establishing and managing an Emergency Operations Center
to be used as a command center during the emergency.
Subject area 6: Developing and Implementing Business Continuity Plans
Under this subject area, you learn how to design, develop, and implement the
Business Continuity Plan that provides recovery within the acceptable time frame.
You need to define various business continuity procedures like locating and
cataloguing organization information, the protection and replication of information,
information recovery processes, damage assessment and restoration process, human
resources and personnel related procedures, information technology recovery
plans, and various testing procedures.
Subject area 7: Awareness and Training Programs
Training is essential to create awareness and preparedness among the staff members.
You have to prepare a program to create corporate awareness and enhance the
skills required to develop, implement, maintain, and execute the Business Continuity
Subject area 8: Maintaining and Exercising Business Continuity Plans
The business continuity plan will not work if it is not kept up to date and
tested frequently. In this subject area you learn how to pre-plan and coordinate
exercises, evaluate and document plan exercise results, how to develop processes
to maintain the currency of continuity capabilities, and the plan document in
accordance with the organization's strategic direction.
You also need to verify that the plan will prove effective by comparison with
a suitable standard, and report results in a clear and concise manner.
Subject area 9: Public Relations and Crisis Coordination
This is often neglected at the planning stage and handled more as a knee-jerk
reaction. This subject area explains how to develop, coordinate, evaluate, and
exercise plans to handle media during crisis situations.
You learn how to communicate with and, as appropriate, provide trauma counseling
for employees and their families, key customers, critical suppliers, owners/stockholders,
and corporate management during a crisis. You have to ensure all stakeholders
are kept informed on an 'as needed' basis.
Subject area 10: Coordination with Public Authorities
Finally, you will also be called upon to coordinate with public authorities.
You will need to establish applicable procedures and policies for coordinating
response, continuity, and restoration activities with local authorities while
ensuring compliance with applicable statutes or regulations.
Mapping the subject areas with BS 7799
The entire CBCP common body of knowledge maps quite well with the Business
Continuity Management domain of BS 7799. In fact, it covers a few areas more
than required by BS 7799.
The CBCP examination is usually held along with a DRI seminar. The seminar currently
offered in India is the Business Continuity Planning Review DRP-501 seminar,
which is held for two days, and on the third day the CBCP examination is conducted.
The duration of the exam is three and a half hours.
After you pass the examination, a detailed application has to be prepared for
submission to DRII. This application requires you to provide details of your
work experience under the heading 'How my work experience qualifies me for professional
The next requirement is about your experience in professional practice areas.
You need to have a minimum of two years' experience in a minimum of three professional
practice areas. You also have to get the experience confirmed by your supervisor/manager/client,
who has to send a confidential report about your claims directly to DRII.
Apart from this, you have to provide your detailed bio-data, employment history,
symposiums/courses/conferences on BCP attended by you and any articles published
by you. Preparation of all this paperwork is tougher than the examination itself.
When your claims are duly verified, the Certification Board approves your application
and you become a CBCP.
Retain your CBCP certification
DRI follows the usual process of continued professional education and annual
certification maintenance fees. More details about this are available on www.drii.org
and the Asian wing www.driasia.org.
Avinash Kadam is Director of MIEL e-Security, Pvt. Ltd.
He can be reached at firstname.lastname@example.org