Business continuity planning (BCP) is the process a company uses to ensure that its key operations and products/services continue to be delivered at an accepted level of availability during and after a disruption. For a vendor, that level is typically predetermined in a service level agreement (SLA) as part of your organization’s contract with them.
Your organization should be reviewing the vendor’s BCP during vendor vetting, but also annually as part of your ongoing monitoring after you’ve selected and contracted with them, to determine if there are any concerning changes. What would be considered a concern?
Things to Watch Out for in Your Vendor’s Business Continuity Plan
Here are 4 things to watch out for in a vendor’s BCP:
- BCPs that contain only IT disaster recovery information. Some vendors do not differentiate between business continuity (e.g., people, processes and facilities) and IT disaster recovery (e.g., information systems, data and networks). A plan that restores systems but says nothing about staff, workspace or key suppliers covers only part of the risk.
- BCPs that haven’t been updated or tested within the last 12 months, or within the time range defined by the vendor in their plans. BCPs that aren’t updated to reflect changes in the company won’t be of use when disaster strikes.
- BCPs that don’t address products/services that are applicable to your relationship with the vendor. Ensure that if your vendor has multiple BCPs, the plans you review are applicable to the products/services you’ve contracted for. This can sometimes be difficult when a vendor has a multitude of product lines.
- Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) that aren’t defined or aren’t in line with your recovery needs. An RTO is the maximum time the vendor commits to take to restore a service after a disruption; an RPO is the maximum amount of data loss, measured in time (e.g., the last four hours of transactions), that the vendor considers acceptable. If the vendor’s RTOs and RPOs are longer than the timeframe in which you must deliver products/services to your own customers, additional measures may be needed. Understanding what level of service to expect after a business-impacting event at your vendor ensures you’re prepared to handle any dip in service, availability or functionality.
Note: an RTO is the time to recover to an “established level of service,” which may be a degraded level rather than full operation. Confirm what that level actually is before relying on the number.
Keep in mind, any of the following findings from the vendor’s own testing are also cause for concern:
- Applicable RTOs weren’t met in testing and weren’t adjusted afterwards.
- Applicable RPOs weren’t met in testing and weren’t adjusted afterwards.
- No remediation plans were established for the issues identified.
- Plans haven’t been tested at all, meaning they can’t be trusted in times of distress.
2 Best Practices to Help You with These Issues
Now that we have some background on the issues to look out for, let’s look at best practices for locating them. To be frank, there is no universal format for writing a BCP, and every vendor’s plan will be slightly different. However, keep the following in mind:
- Before you begin reviewing a vendor’s BCPs, make sure you fully understand the vendor’s role in the services your organization provides. That tells you how much scrutiny the plan deserves: the more critical the vendor is to your operations, the more scrutiny its plan warrants.
- Not all plans are created equal, and not all are easy to understand. For that reason, an expert should review the plan, whether someone internal with a relevant credential such as a Certified Information Systems Security Professional (CISSP) or, if needed, an external specialist.
It Can Be Complex, But Fully Understood Plans Help Avoid Risk
Reviews won’t always go smoothly, but well-tested plans make the bumps in the road of business a lot easier to handle. Verifying that your critical vendors’ plans align with your organization’s strategic and operational goals greatly reduces the chance that you’ll hit an unforeseen hole on your road to recovery, though no review can rule it out entirely.