Page 569 - ITGC_Audit Guides

GTAG —  Appendix




9. Appendix

9.1 Sample BCP Audit Guide

The Federal Financial Institutions Examination Council has an excellent Business Continuity Planning Booklet (March 2008). The guide can be found at the council's Web site, www.ffiec.gov. Below are the major objectives discussed within the booklet.

   • Determine examination scope and objectives for reviewing the BC planning program.
   • Determine the existence of an appropriate enterprise-wide BC plan.
   • Determine the quality of BC plan oversight and support provided by the board of directors and senior management.
   • Determine whether an adequate BIA and risk assessment have been completed.
   • Determine whether appropriate risk management over the BC process is in place.
   • Determine whether the BC plan(s) include(s) appropriate testing to ensure the business process(es) will be maintained, resumed, and/or recovered as intended.
   • Determine whether the IT environment has a properly documented BC plan that complements the enterprise-wide and other departmental BC plans.
   • Determine whether the BC plan(s) include(s) appropriate hardware backup and recovery.
   • Determine whether the BC process includes appropriate data and application software backup and recovery.
   • Determine whether the BC plan(s) include(s) appropriate preparation to ensure the data center recovery processes will work as intended.
   • Determine whether the BC plan(s) include(s) appropriate security procedures.
   • Determine whether the BC plan(s) address(es) critical outsourced activities.
   • Discuss corrective action and communicate findings.





9.2 BCM Standards and Guidelines

Organization/Governing Body                 Standard     Description of Standards
Business Continuity Institute (BCI)                      Business Continuity Institute's 10 Competencies
International Standards Organization (ISO)  ISO 9000     Quality Management
                                            ISO 14001    Environmental Management System
                                            ISO 25002    Code of Practices for Information Security Management — Business Continuity Management section
British Standards Institute (BSI); includes AS/NZ 4360   Risk Management — (AS/NZ: Australia / New Zealand Standards)
the United Kingdom, Australia, New Zealand  HB221        Guide to Business Continuity Management — handbook supplement to 4360
                                            AS/NZ 4390   Records Management
                                            AS/NZ 4444   Information Security with Business Continuity Management
Publicly Available Standard (PAS),          PAS 56       Guide to BCM — (PAS — UK)
UK and Commonwealth nations







