The aftertaste

How COVID-19 Anticipated Part of Our Business Continuity Plan

Call To Sweets — Jul 2020 by Celfocus Information Security & Privacy Team

The COVID-19 pandemic has shown us, to exhaustion, how much organisations need to be prepared in order to deal with disruptive events that might affect their business.

Business Continuity Plans were already on the agendas of major organisations; more recently, however, we have witnessed our customers push us to demonstrate compliance with ISO 22301 (Security and resilience — Business continuity management systems — Requirements), which is the main standard in this area.

In the banking sector, Banco de Portugal had already established this obligation, back in 2008, through “Aviso 5” and the “Modelo de Avaliação de Riscos” (MAR) in which its supervisory practices are adjusted in order to comply with the guidelines issued by the Committee of European Banking Supervisors (CEBS) on this matter. This obligation has been passed on to customers in this sector.

In the telecommunications sector, customers have been questioning us more and more often, and more demandingly, about our compliance with this standard. The demand for infrastructure improvement, resulting from many organisations’ strategy to promote remote working where possible, has made Business Continuity in the telecommunications sector even more pressing. The latest Business Continuity questionnaires received from customers confirm that this concern is increasing.

But what is Business Continuity?

Business Continuity encompasses the activities of planning and preparing an organisation for situations where serious incidents or disasters may occur, ensuring that it can continue to operate and that it can recover to an operational state within a reasonably short period.

It is essential that organisations seek to ensure the continuity of their business in the event of an anomalous or unexpected situation. Measures must be implemented in order to:

  • Protect the organisation’s interests and business activities;
  • Protect the organisation’s assets and knowledge;
  • Minimise the impact caused to customers and to society in general;
  • Comply with the legal and contractual requirements;
  • Protect the organisation’s image and defend its reputation.

Business Continuity Management includes the Business Impact Analysis (BIA) and Risk Assessment, the Business Continuity Plans (BCP), the Disaster Recovery Plan (DRP) and Crisis Management.

How are we addressing this challenge?

The necessary activities to achieve this compliance began in 2018 with the first BIA. This work now continues with the updated version of the BIA, which will be the foundation for the Disaster Recovery Plan as per ISO/IEC 24762:2008 and the Business Continuity Plan, ISO 22301:2019. The Business Continuity Plan development will be completed by April 2021. The work related to this theme will be concluded later with the implementation of the Business Continuity Management System.

The Contingency Plan for COVID-19 is one of the pieces of the Business Continuity Plan regarding a pandemic scenario. Another part, already in place, relates to the Building Evacuation Plans, which address physical disaster scenarios such as fires and earthquakes.