Business continuity certification

The Business Continuity Professional

It's a good idea for an organization serious about business continuity practices to have a certified business continuity professional in its ranks. Here's some information about the various certifications available. by Avinash Kadam

Information security ensures the confidentiality, integrity and availability of information. And availability is the assurance that a computer system is accessible by authorized users whenever needed.

While major disasters like fire, flood, and earthquake are obvious threats to the availability of information systems, minor annoyances like a blip in the power supply, though not so obvious, are equally potent. Non-availability could also be an outcome of a malicious virus attack or DoS attack on a website.

Occurrence of an incidence causing non-availability of information is a certainty in the life of an organization. It happens to all, sooner or later. What differentiates a well-prepared organization from an unprepared one is the time it takes to recover and restore normalcy. The increasing dependence on information systems and the need to recover within an acceptable time frame has given rise to the discipline of Business Continuity Planning.

Disaster Recovery Institute International (DRII) (www.drii.org) is a body with a mission to provide best practices for all business continuity and disaster recovery planners and organizations. Towards this mission, it has created a common body of knowledge called 'Professional Practices for Business Continuity Planners'.

Certifications

This is the basis of various certification exams conducted by DRII like Associated Business Continuity Professional (ABCP), Certified Business Continuity Professional (CBCP), and Master Business Continuity Professional (MBCP).

These certifications require you to pass the CBCP examination. The requirements for obtaining a particular certificate differ in terms of years of experience and the number of subject matter areas of professional practice in which the experience is obtained.

ABCP does not require any experience; CBCP requires two years experience in three subject matter areas and MBCP requires five years experience in seven subject matter areas. In addition, MBCP requires you to score 85 percent in the examination, and ABCP and CBCP need you to score 75 percent.

Subject areas for the BCP examination

The subject areas are divided among 10 topics, grouped in three stages of a business continuity project.

Pre-Planning

1. Project Initiation and Management

2. Risk Evaluation and Control

3. Business Impact Analysis

Planning

4. Developing Business Continuity Strategies

5. Emergency Response and Operations

6. Developing and Implementing Business Continuity Plans

Post-planning

7. Awareness and Training Programs

8. Maintaining and Exercising Business Continuity Plans

9. Public Relations and Crisis Communication

10. Coordination with Public Authorities

Subject area 1: Project Initiation and Management

The first logical step while starting any project is to establish the need for the project. So, the first subject area is to establish the need for Business Continuity Plan (BCP), including obtaining management support, organizing and managing the project to completion within the agreed time, and budget limits.

This subject area expects you to understand how to sell the concept to the management and staff, develop the project plan and budget, get approvals, and set up a project structure and management in place.

Subject area 2: Risk Evaluation and Control

In this subject area, you understand how to determine the events and environmental surroundings that can adversely affect the organization and its facilities. It talks about disruption and disaster, the damage such events can cause, and the controls needed to prevent or minimize the effects of potential loss.

You study how to identify potential risks to the organization, identify vulnerabilities, threats and exposures. You also study about the risk-reduction alternatives and provide a cost-benefit analysis to justify investment in controls to mitigate risks.

Subject area 3: Business Impact Analysis

The risks become tangible when we assess the impact these may have on the business. In this subject area you learn how to identify the impact resulting from disruptions and disaster scenarios that can affect the organization. You also look at the techniques that can be used to quantify and qualify such impact, establish critical functions, the recovery priorities, and interdependencies so that recovery time objective can be set.

This is by far the most critical subject area. Any error in judgment may lead to bad decisions.

Subject area 4: Developing Business Continuity Strategies

The next step after business impact analysis is to develop the strategy about how to continue being in business. There could be a number of alternatives. Each strategy will have different recovery time and cost. Shorter the recovery time, higher the cost.

You need to determine and guide the selection of alternative business recovery operating strategies for recovery of business and information technologies within the recovery time objective, while maintaining the organization's critical functions.

Subject area 5: Emergency Response and Operations

This part relates to handling of a disaster. You have to develop and implement procedures for response and stabilizing the situation following an incident or event, including establishing and managing an Emergency Operations Center to be used as a command center during the emergency.

Subject area 6: Developing and Implementing Business Continuity Plans

Under this subject area, you learn how to design, develop, and implement the Business Continuity Plan that provides recovery within the acceptable time frame.

You need to define various business continuity procedures like locating and cataloguing organization information, the protection and replication of information, information recovery processes, damage assessment and restoration process, human resources and personnel related procedures, information technology recovery plans, and various testing procedures.

Subject area 7: Awareness and Training Programs

Training is essential to create awareness and preparedness among the staff members. You have to prepare a program to create corporate awareness and enhance the skills required to develop, implement, maintain, and execute the Business Continuity Plan.

Subject area 8: Maintaining and Exercising Business Continuity Plans

The business continuity plan will not work if it is not kept up-to-date and tested frequently. In this subject area you learn how to pre-plan and coordinate exercises, evaluate and document plan exercise results, how to develop processes to maintain the currency of continuity capabilities, and the plan document in accordance with the organization's strategic direction.

You also need to verify that the plan will prove effective by comparison with a suitable standard, and report results in a clear and concise manner.

Subject area 9: Public Relations and Crisis Coordination

This is often neglected at the planning stage and handled more as a knee jerk reaction. This subject area explains how to develop, coordinate, evaluate, and exercise plans to handle media during crisis situations.

You learn how to communicate with and, as appropriate, provide trauma counseling for employees and their families, key customers, critical suppliers, owners/stockholders, and corporate management during a crisis. You have to ensure all stakeholders are kept informed on an 'as needed' basis.

Subject area 10: Coordination with Public Authorities

Finally, you will also be called upon to coordinate with public authorities. You will need to establish applicable procedures and policies for coordinating response, continuity, and restoration activities with local authorities while ensuring compliance with applicable statutes or regulations.

Mapping the subject areas with BS 7799

The entire CBCP common body of knowledge maps quite well with the Business Continuity Management domain of BS 7799. In fact, it covers a few areas more than required by BS7799.

Towards CBCP

The CBCP examination is usually held along with a DRI seminar. The seminar currently offered in India is the Business Continuity Planning Review DRP-501 seminar, which is held for two days, and on the third day the CBCP examination is conducted. The duration of the exam is three and half-hours.

After you pass the examination, a detailed application has to be prepared for submission to DRII. This application requires you to provide details of your work experience under the heading 'How my work experience qualifies me for professional certification?'

The next requirement is about your experience in professional practice areas. You need to have minimum two years experience in minimum three professional practice areas. You also have to get the experience confirmed by your supervisor/manager/client, who has to send a confidential report about your claims directly to DRII.

Apart from this, you have to provide your detailed bio-data, employment history, symposiums/courses/conferences on BCP attended by you and any articles published by you. Preparation of all this paperwork is tougher than the examination itself. When your claims are duly verified, the Certification Board approves your application and you become a CBCP.

Retain your CBCP certification

DRI follows the usual process of continued professional education and annual certification maintenance fees. More details about this are available on www.drii.org and the Asian wing www.driasia.org.

Avinash Kadam is Director of MIEL e-Security, Pvt. Ltd.

He can be reached at awkadam@mielesecurity.com