Business Continuity Management

BCM & BIA

The QSEC® BCM (Business Continuity Management) module implements the requirements of ISO 22301 and BSI Standard 100-4 (IT-Grundschutz). The process begins with an analysis of the business processes by means of a BIA (Business Impact Analysis), continues with a GAP analysis of the assigned assets and ends with the administration of the documents for emergency planning.

Impact Analysis – Determination of the risk acceptance level

An impact analysis can be carried out for each process recorded in QSEC according to impact category (financial, image, legal, etc.). The time period for the impact assessment (maximum tolerable process downtime in hours/days) is evaluated for all processes by the process owner. The evaluation covers not only the downtime of the processes but also the availability of employees (with workstation details) and of any required service providers. The scale depends on the typical damage patterns of the business processes in the industry of the company under consideration.

Based on the information provided by the process owner, the assets (infrastructure, IT systems etc.) can be subjected to a GAP analysis (actual vs. target RTO/RPO).

The QSEC BCM function is used to describe the specifications of the business processes and assets for emergency planning and emergency testing with the associated emergency documentation.

QSEC®: Business Continuity Management – BIA process evaluation

Features (excerpt)

  • Display of the processes for BIA evaluation
  • Entry of the specifications for MTPD, RTO, RPO etc.
  • Evaluation of the business processes regarding the time effects of RTO and RPO for the criteria financial, reputation, control, legal (individually adjustable)
  • Evaluation of business processes with regard to time effects for number of employees, workstation requirements, service providers
  • Calculation of the process criticality
  • Presentation of the GAP analysis (target/actual RTO; RPO) and creation of measures for each asset group
  • Definition of contingency planning and emergency tests for critical business processes
  • Review and evaluation of the documentation for critical asset groups (IT contingency plan, operating manual, restart plan) with all test results that have been carried out (individually adjustable)
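The GAP analysis described above, as an added example that is not part of QSEC or this page: each process carries its BIA specification (MTPD, target RTO, target RPO), each asset group carries its actual recovery capability, and the shortfall per asset group is computed against the most demanding process that depends on it. The data model, the "most demanding process wins" aggregation rule and the sample figures are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ProcessSpec:
    """BIA specification of one business process; all values in hours."""
    name: str
    mtpd: float  # maximum tolerable period of disruption
    rto: float   # target recovery time objective
    rpo: float   # target recovery point objective

@dataclass
class AssetGroup:
    """Asset group (IT system, infrastructure) with its measured recovery capability."""
    name: str
    actual_rto: float
    actual_rpo: float
    supports: list = field(default_factory=list)  # names of dependent processes

def validate_process(p):
    """A target RTO longer than the MTPD is inconsistent; return the issue or None."""
    if p.rto > p.mtpd:
        return f"{p.name}: RTO {p.rto}h exceeds MTPD {p.mtpd}h"
    return None

def gap_analysis(processes, assets):
    """One finding per asset group: target (assumed: strictest dependent process) vs actual."""
    by_name = {p.name: p for p in processes}
    findings = []
    for a in assets:
        deps = [by_name[n] for n in a.supports if n in by_name]
        if not deps:  # no dependent process recorded, so no requirement to miss
            findings.append({"asset": a.name, "rto_gap": 0.0, "rpo_gap": 0.0, "measure_needed": False})
            continue
        target_rto = min(p.rto for p in deps)
        target_rpo = min(p.rpo for p in deps)
        rto_gap = max(0.0, a.actual_rto - target_rto)  # hours the asset recovers too slowly
        rpo_gap = max(0.0, a.actual_rpo - target_rpo)  # hours of data loss beyond target
        findings.append({"asset": a.name, "target_rto": target_rto, "target_rpo": target_rpo,
                         "rto_gap": rto_gap, "rpo_gap": rpo_gap,
                         "measure_needed": rto_gap > 0 or rpo_gap > 0})
    return findings

# Constructed sample data (not from the page)
PROCESSES = [ProcessSpec("Order processing", mtpd=24, rto=8, rpo=1),
             ProcessSpec("Payroll", mtpd=120, rto=72, rpo=24)]
ASSETS = [AssetGroup("ERP cluster", 12, 4, ["Order processing", "Payroll"]),
          AssetGroup("HR database", 48, 24, ["Payroll"])]

if __name__ == "__main__":
    for f in gap_analysis(PROCESSES, ASSETS):
        print(f)
```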

QSEC® GRC can implement and manage compliance, IT risk, security incident and business continuity management in one single system.
