Emergency plans come before the emergency. Those who skimp on precautions will lose out, because without them a disaster can easily follow an incident.
Companies with good contingency planning have a clear advantage in an emergency: they can minimise failures significantly. The new German BSI Standard 200-4 helps with planning. It puts practicality in the foreground.
Security authorities see deficits in emergency planning: "Crisis response plans are still a major challenge," head of German Bundeskriminalamt (BKA), Holger Münch, recently said, as reported.
After cyber attacks, there are often striking differences in how the consequences are dealt with. While some organisations quickly resume operations, albeit with restrictions, others are offline or unproductive for weeks. The reason is usually the level of emergency preparedness. Those who have forgone it must first carry out costly analyses just to establish emergency operation at all. This can rarely be done on one's own; as a rule, external help from experts or service providers is needed, and these are rarely available at short notice.
No certification without an emergency concept
An emergency concept is also mandatory for certification, for example in accordance with ISO 27001, and for taking out cyber insurance policies. Emergency plans are one of the central components of emergency management. At the same time, they present companies with great difficulties, because they are usually created on the basis of an elaborate Business Impact Analysis (BIA), which must identify the core processes for which contingency plans must then be created.
The German BSI has now published the new Standard 200-4. It deals with business continuity management (BCM) and is a revision of Standard 100-4. While emergency management was still the central term in the old standard, it has become business continuity management (BCM) in the new one. The background to the renaming is, as reported, a broader orientation of the subject area: in essence, a reorientation from IT emergency management, the main focus of 100-4, towards all connected company areas. The BSI says: "BCM is understood to be a holistic process that is intended to minimise interruptions to IT operations".
Important BCM measures:
- Risk analysis and Business Impact Analysis (BIA): A thorough analysis of risks and potential impacts.
- Develop a business continuity strategy based on the results of the risk analysis and BIA.
- Create detailed emergency plans with clear instructions, responsibilities and step-by-step guidance.
- Continuous monitoring and updating of the plans developed.
- Regular exercises are the only way to ensure that the plans meet the requirements and work.
The BKA has published a plan of action for IT emergencies to help.
New BSI standard focuses on practical relevance
One of the aims of the revision of BSI Standard 200-4 was to make the standard practical, manageable and adaptable. "Thus, the new BSI Standard 200-4 is tailored to institutions of any type, industry and size," explains the BSI.
The standard also offers practical guidance on how to set up a Business Continuity Management System (BCMS) in one's own institution. Furthermore, it addresses possible "synergy potentials with the adjacent topics of information security and crisis management and thus represents a central component for organisational resilience", the Office explains on its website.
In particular, inexperienced persons should be given an easy introduction to the topic. For this purpose, tools and document templates are included to help with the implementation of processes and methods in BCM. They contain sample texts, tables and illustrations for customisation.
However, not everything is up to date yet: "Some of the tools are still based on the community draft and will be fully adapted to the final BSI Standard 200-4 in the course of the second half of 2023," the BSI admits. Before publication, the BSI standard went through two "community draft phases" in which all interested users could give their feedback. "This ensured that the approaches and methodology of the standard both meet the BSI's own requirements and the current, theoretical developments in the field of BCM, as well as passing the first practical test," the Federal Office explains.