The purpose of Service Continuity is to ensure the continuity of essential operations of services and related assets if a disruption occurs as a result of an incident, disaster, or other disruptive event.
The continuity of an organization’s service delivery is a paramount concern in the organization’s operational resilience activities. The organization can invest considerable time and resources in attempting to prevent a range of potential disruptive events, but no organization can mitigate all risk. As a result, the organization must be prepared to deal with the consequences of a disruption to its operations at any time. Significant disruption can result in dire circumstances for the organization, even bankruptcy or termination.
Service Continuity describes the organizational processes responsible for developing, deploying, exercising, implementing, and managing plans for responding to and recovering from events and restoring operations to business as usual. This requires that the organization have a plan and program for service continuity, assign adequate and sufficient resources to the plan and program, and have the requisite infrastructure to carry out the plan and program. Based on risk appetite and tolerance, the organization must determine which service continuity plans it needs to establish, develop the plans, and exercise them on a regular and sufficient basis to ensure they remain viable as long as the service is vital to the organization.
The organization also must consider the range of service continuity activities. Business continuity or contingency plans are developed and implemented to sustain a high-value service, while recovery and restoration plans are focused on bringing services back to an acceptable level of business as usual. To ensure that all plans can be executed at will when called upon, the organization must also develop sufficient logistics and delivery capabilities.
Before the organization can develop, exercise, and position service continuity plans for implementation, several other organizational activities must occur. These include identification of
• the high-value services and associated assets for which service continuity plans must be developed (This is addressed in the Enterprise Focus and Asset Definition and Management process areas.)
• the potential hazards or risks to these high-value services and assets (This is addressed in the Vulnerability Analysis and Resolution and Risk Management process areas.)
• the consequences of these risks to the organization and its susceptibility to them (This is addressed in the Risk Management process area.)
In managing operational risk and resilience, the Service Continuity process area is complementary to Controls Management. Controls Management focuses on “condition management” to prevent risk, while Service Continuity directs the organization’s attention to “consequence management” or planning for managing the consequences of risks that are realized. Together, these process areas provide a comprehensive, coordinated, optimized, and holistic approach to managing asset and service resilience.
The development, implementation, and management of an internal control system to prevent risks and disruptive events are addressed in the Controls Management process area.
The identification and management of incidents that may require the execution of a service continuity plan are addressed in the Incident Management and Control process area.
Providing training for staff involved in service continuity plan testing and execution is addressed in the Organizational Training and Awareness process area.
The identification and prioritization of the organization’s high-value services as strategic planning activities are addressed in the Enterprise Focus process area.
The consideration of consequences as a foundational element for developing a service continuity plan is addressed in the Risk Management process area.
The association of assets to the high-value services they support is performed in the Asset Definition and Management process area.
The development, implementation, and management of strategies for technology asset availability and integrity are addressed in the Technology Management process area.
The identification of vital records and databases for service continuity is addressed in the Knowledge and Information Management process area.
The resilience considerations of the organization’s reliance on public services and public infrastructure are addressed in the Environmental Control process area.
The organizational processes for sustainability planning and execution are established.
Service continuity management requires both planning and execution. Planning involves establishing how the organization is going to address service continuity so that it is a consistent and pervasive organizational competency focused on operational resilience management. This involves developing a service continuity plan, establishing a service continuity program, assigning resources, and establishing service continuity standards and guidelines to ensure consistency.
Planning is performed for developing and implementing the organization’s service continuity process.
Service continuity management is a fundamental organizational process that ensures that high-value organizational services—both internally and externally focused—are able to continue to achieve their missions when disruptions occur. Service continuity cannot be effectively managed by reaction—the organization must plan its approach to service continuity, align this plan with strategic objectives, provide sponsorship and oversight to the plan to ensure that it is accepted by the organization as a strategic function, and obtain organizational commitments to the plan to ensure that service stakeholders understand and accept their responsibilities for service continuity.
The organization should develop and document its plan for service continuity and outline the specific objectives of the plan. The plan should reflect the organization’s philosophy on service continuity and be translatable into a program for service continuity that can be implemented and managed.
The development of a plan for service continuity should not be confused with the development of service continuity plans. Service continuity plans are service-specific plans for sustaining services and associated assets under degraded conditions. A plan for service continuity is an organizational construct from which a service continuity program is developed and implemented as part of an operational resilience management system.
Typical work products
Subpractices
The plan for managing service continuity should address at a minimum
• the organization’s philosophy on service continuity
• the structure of the service continuity program and process
• the requirements of the service continuity program relative to managing operational resilience
• the means and activities involved in identifying and prioritizing services and assets for continuity
• the roles and responsibilities necessary to carry out the plan and the program
• applicable training needs and requirements
• resources that will be required to meet the objectives of the plan
• relevant costs and budgets associated with service continuity
Documented commitments by those responsible for implementing and supporting the plan are essential for plan effectiveness.
The guidelines and standards for service continuity are established and communicated.
Guidelines and standards for service continuity ensure consistent plan documentation, distribution, testing, and execution enterprise-wide. They ensure that common, important elements of service continuity are considered by all organizational units and provide standards for consistent documentation, testing, and handling of plans. Guidelines and standards also provide the organization an ability to view service continuity at an enterprise level and to manage this function to meet organizational goals.
Typical work products
Subpractices
Guidelines and standards are organization-specific but may address areas such as the following:
• plan ownership and responsibility
• requirements for when a plan must be developed
• documentation requirements for plans
• the standard content of plans (i.e., what must be addressed at a minimum)
• testing requirements for plans, including testing intervals and reporting of results
• identification and involvement of stakeholders
• plan distribution and communication
• plan versioning, storage, archiving, and security
• training standards for service continuity and plan execution
The services that are required to meet the organization’s mission are identified and prioritized.
The high-value services of the organization must be identified as a baseline for identifying the extent and types of service continuity plans to be developed and implemented. Failure to identify and prioritize these services may result in the development of service continuity plans that are unnecessary or ineffective and may increase the operational resilience management costs for the organization.
Prior to building service continuity plans, the organization must prioritize services, analyze service dependencies and interdependencies, and identify associated information and knowledge that must be addressed in the plans.
The high-value services of the organization and their associated assets are identified.
The identification and prioritization of the organization’s high-value services as strategic planning activities are addressed in the Enterprise Focus process area. This practice is included here to emphasize the importance of prioritizing high-value services as a foundational activity in the identification and development of service continuity plans.
A fundamental risk management principle is to focus on activities to protect and sustain services and assets that most directly affect the organization’s ability to achieve its mission. Identifying high-value services, their associated assets, and the activities that support these services must be performed before the organization attempts to develop service continuity plans.
The association of assets to the high-value services they support is performed in the Asset Definition and Management process area.
Typical work products
Subpractices
Consideration of the consequences of the loss of high-value organizational services is typically performed as part of a business impact analysis. In addition, the consequences of risks to high-value services are identified and analyzed in risk assessment activities. The organization must consider this information when prioritizing high-value services.
The consideration of consequences as the result of risk is addressed in the Risk Management process area.
The identification and prioritization of the organization’s high-value services as strategic planning activities are addressed in the Enterprise Focus process area.
The internal and external relationships necessary to ensure service continuity are identified and analyzed.
The resilience considerations of the organization’s reliance on public services and public infrastructure are addressed in the Environmental Control process area. The association of internal and external assets to the services they support is addressed in the Asset Definition and Management process area. Managing relationships with external entities is addressed in the External Dependencies Management process area. This practice is included here to emphasize the need to determine the layers of support on which services depend in order to develop effective and comprehensive service continuity plans.
Services depend on organizational assets, both internal and external, to ensure continuity of operations. They also rely on external entities such as public agencies and infrastructure such as public utilities and telecommunications. These dependencies and interdependencies must be identified in order to ensure a robust consideration of the range of planning that must be incorporated into the service continuity plans.
Typical work products
Subpractices
This practice requires that the organization document the association between services and the internal and external assets—people, information, technology, and facilities—that support the services. (This practice is formally performed in the Asset Definition and Management process area.)
Vital information required for service continuity is identified.
The resilience of information is addressed in the Knowledge and Information Management process area. This practice is included here to emphasize the importance of information assets in the development of effective and comprehensive service continuity plans.
Vital records and databases constitute high-value information assets that are essential to the continued operation of services during and after a disruption. Thus, these assets must be considered in the development of service continuity plans. Because information in the form of vital records and databases tends to be distributed organization-wide, vital records and databases must be inventoried to ensure that they are properly included in the service continuity plans. (Developing and maintaining a comprehensive asset inventory are addressed in the Asset Definition and Management process area.)
Vital records are typically distinguished from other types of information. Vital records include those records that the organization relies upon to protect the legal and financial rights of the organization and of individuals directly affected by disruption. In contrast, files and databases are types of information that are most typically associated with the direct operation of a specific service. For example, the vendor database is a necessary component of paying invoices. Vital records may be more universal in that they can apply to many service continuity plans, while files and databases may be more applicable to specific services.
Typical work products
• organizational orders of succession
• delegations of authority
• contracts and service level agreements with external entities, including vendors and business partners
• organizational legal operating charters
• personnel records
Subpractices
This practice is formally performed in the Knowledge and Information Management process area.
This practice is formally performed in the People Management process area.
This practice is formally performed in the Knowledge and Information Management process area.
Service continuity plans for high-value organizational services are developed.
Service continuity plans are a proactively established description of the actions an organization will take if a service disruption occurs. They are generally focused on managing the organizational consequences of service disruption based on a range of potential events that can cause disruption, such as incidents and disasters. Service continuity plan development is in essence a risk management and control activity that seeks to limit or control the consequences of realized risk. Thus, the genesis for a service continuity plan may be risk assessment and mitigation activities or lessons learned from past disruptions.
Service continuity plans can take many forms, and often a service continuity plan is the aggregation of more than one type of plan.
Typically, continuity and recovery plans provide for immediate, response-driven activities, while restoration plans are longer-term activities that may extend for a considerable time after the immediate consequences of disruption have been experienced.
Service continuity plans are best developed when they are the result of a comprehensive and optimized consideration of the requirements for protecting and sustaining a service. In other words, as a foundation for operational resilience, the organization should develop service continuity plans as a part of implementing strategies for protecting and sustaining services and assets to meet resilience requirements.
Service continuity plans come at a cost to the organization. The development and maintenance of these plans are cost-intensive, as is the regular exercising of the plans to ensure they work as intended. Executing a service continuity plan is also costly to the organization. Thus, the cost of these plans must be evaluated and balanced with protective controls that have been implemented to prevent disruption and the value of the services and assets that would be disrupted.
The development of service continuity plans involves the identification of plans to be developed, the development of the plans, the assignment of resources to the plans, and the maintenance of the plans.
Required service continuity plans are identified.
The organization identifies the service continuity plans to be developed, tested, executed, and maintained. This can be done through several means:
• in the regular course of designing and implementing resilience requirements for services and assets
• as the result of security risk assessment and management activities (in the development of preventive controls and mitigation actions)
• as part of the business impact analysis process (a typically business-continuity–driven activity that seeks to identify the consequences of service disruption)
• as a result of legal, regulatory, compliance, and audit activities (where existing controls may not be deemed as effective across a range of potential disruptive events)
• in response to a major event or catastrophe (whether or not the organization was affected)
Typical work products
Subpractices
The required service continuity plans are developed and documented.
Required service continuity plans are developed by the organization or its assigned representatives. Plans are typically developed by the service owner, but this varies by organization and might include significant involvement of IT staff if the service is highly automated or has one or more application systems associated with it.
The contents of the plan and the documentation requirements are established by the organization as part of the organization’s service continuity standards and guidelines. This ensures consistency and enterprise-wide understandability and applicability.
The development of service continuity plans occurs as both a foundational and an ongoing activity. Plans are developed at the time of service development and implementation but also on an ongoing basis as new risks are encountered and the operational environment changes.
Subpractices
A service continuity plan typically includes the following information:
• identification of authority for initiating and executing the plan (plan ownership)
• identification of the communication mechanism to initiate execution of the plan
• alternative activities that would have to be performed (technical or manual)
• alternative resources and locations that would support the organization’s high-value services
• identification of
— vital staff roles and responsibilities
— high-value technology assets necessary to support the plan
— high-value information assets and vital records necessary to support the plan
— high-value facilities assets necessary to support the plan
— relevant stakeholders of the plan and method of communicating with them (See subpractice 3 below.)
• documentation of
— the recovery sequence for the service
— the restoration sequence for the service
— security- and access-related issues that are required to execute the plan
— any special handling of information or technology that is required
— the test plan for the service continuity plan (See SC:SG5.SP2.)
— the service continuity training plan
• coordination activities with other internal staff and external entities that must be performed to implement the strategy
• the levels of authority and access needed by responders to carry out the strategy and plan
• the cost of the plan and the activities necessary to carry out the plan
• the logistics of the plan
Documentation of the plan must be consistent with the standards and guidelines established by the organization to ensure plan consistency, accuracy, and ability to implement. (See SC:SG1.SP2.)
Consider also that the service continuity plan may in reality require the development of one or more subplans (such as a restoration plan or a recovery plan).
Service continuity plans may have many different stakeholders. In addition to those who must execute and participate in the plans, other organizational groups (both internal and external) may have a vested interest in understanding them. For example, plans may be provided to public emergency management staff, to suppliers and vendors, and to external entities to which the organization is a supplier. These organizations may even have a stated role in the plans. In addition, some regulatory and legal entities may require that the organization submit service continuity plans as evidence that they have taken appropriate actions to prepare for specific threats such as natural disasters or terrorism.
Because there are many stakeholders for service continuity plans, the organization must identify the relevant stakeholders and communicate the plans to these stakeholders as necessary.
Communicate the service continuity plans to stakeholders and review and adjust them as necessary.
Ensure that compliance obligations that require communication and submission of service continuity plans are identified and satisfied. (Meeting compliance obligations is addressed in the Compliance process area.)
Staff members are assigned to the service continuity plans to ensure effective execution.
The activities documented in the service continuity plans must be assigned to responsible and skilled individuals in the event that the plans must be executed. These staff members may be internal to the organization or external (through outsourcing arrangements and service contracts). The organization must define the staff requirements needed to meet the objectives of the plans, identify potential internal and external staff who will be needed to meet these requirements, and assign staff to activities in the plans.
When staff members do not have the necessary skill sets to meet the basic, minimum requirements of the plans, the organization must provide training and ascertain that the staff members are able to perform to the objectives stated in the plans as a result of this training. (Training for service continuity plans is addressed in SC:SG3.SP5.)
Typical work products
Subpractices
Ensure that those who are assigned tasks in the plans are aware of their assignments, have the authority to act as prescribed in the plans, and are held accountable for their activities. Ensure that these staff members commit to performing their roles as described in the plans.
Service continuity plans are stored and made accessible to those with a need to know.
The ability to execute service continuity plans during a disruption is related to their accessibility and viability. When service continuity plans are developed but then misplaced or allowed to be changed at will, they are not usable by those who are responsible for executing them. Given that many service continuity plans are executed under emergency or crisis circumstances, the ability to know where the current version of the plans is stored is invaluable. To achieve this, the organization must take steps to ensure that the plans are archived, that the most current versions of the plans are available, that the plans are secured and free from intentional or unintentional modification, and that those who need to access the plans can readily retrieve them when necessary.
An inventory of service continuity plans can be established through the development and maintenance of a service continuity database. This allows the organization to secure access, provides a one-stop place to archive plans, and allows for plan version control. It also provides a means from which to perform plan maintenance and change control. (Change control over service continuity plans is addressed in SC:SG7.)
Typical work products
Subpractices
Ensure that the service continuity plans are properly protected but accessible on demand to those who have proper authorization.
Training in the service continuity plans is developed and administered.
Training is an effective means for ensuring that participants in service continuity plans understand their roles and are capable of carrying out these roles in times of disruption and emergency. It is a means for communicating the contents of the service continuity plans to stakeholders and for ensuring that those responsible for carrying out the plans are qualified. Effective training increases the organization’s capability to execute the plans and to ensure that the plans’ objectives are met. Poor advance training in service continuity plans often is a major contributor to their failure, which is typically learned under undesirable and unstable organizational conditions.
Not all staff members who are assigned to plans may have the requisite skills to perform the tasks they have been assigned. Thus, the organization must determine any skill gaps and ensure that appropriate training is made available and completed before the service continuity plans are validated.
The provision of training for skill sets necessary to execute service continuity plans is addressed in the Organizational Training and Awareness process area.
Typical work products
Subpractices
The strategy should address how the training is delivered and the means by which the competency of the resources involved is ascertained. The strategy should also note the frequency of training offerings and how participation in the training is documented.
Service continuity plans are validated to ensure they satisfy requirements and standards and to resolve conflicts between plans.
Before plans can be executed, the organization must validate the plans to ensure that they meet the organization’s standards and guidelines, that they enable the satisfaction of resilience requirements, and that plans do not cause resource conflicts or other potential bottlenecks.
The identification, documentation, and analysis of operational resilience requirements for services and associated assets are addressed in the Resilience Requirements Development process area.
The management of requirements for services and associated assets is addressed in the Resilience Requirements Management process area.
Service continuity plans are examined to ensure they satisfy requirements and standards.
The service continuity plans are part of the organization’s overall operational resilience management strategy for services and assets. In essence, the plans are one of many functional controls that the organization implements to ensure that services and assets are resilient to disruption and interruption. Thus, service continuity plans are a means for satisfying the resilience requirements of services and assets. As a result, service continuity plans must be objectively reviewed to ensure that they are sufficient given the resilience requirements of related services and assets.
In addition, to ensure plan consistency, accuracy, completeness, and effectiveness, service continuity plans are examined against the organization’s standards and guidelines for plan development. This ensures consistent levels of documentation, the inclusion of required elements (such as stakeholders), and the ability of the plans to meet stated objectives. This also provides the organization an ability to review the logic of the plans and to make appropriate adjustments where inconsistencies or gaps are found.
Typical work products
Subpractices
The plan walk-through can identify issues that pose risk to the organization because of poor coverage, inability of a plan’s stated activities to meet objectives, poor documentation, etc. These issues must be identified and addressed as risks to meeting the related service or asset resilience requirements. As with all risks, proper risk disposition and mitigation actions should follow this practice.
Managing risks to high-value services and assets is addressed in the Risk Management process area.
Conflicts between service continuity plans are identified and resolved.
Because of the sheer volume of service continuity plans and the operational interconnection of many services and assets, service continuity plans often overlap or place reliance on the same set of organizational resources. For example, an organization may have an off-site facility that is named in more than one plan as a backup site, but if more than one plan is executed simultaneously, the facility may not be able to satisfy requirements as prescribed in any single plan. More commonly, some people are often named in multiple service continuity plans that may have to be executed simultaneously. These types of conflicts must be identified and resolved.
Typical work products
Subpractices
Conflicts that would impede successful plan execution pose operational risks that must be mitigated by the organization. Remember that the conflict may affect more than one plan, and therefore mitigation actions may have to be performed on more than one plan.
Service continuity plans are tested to ensure they meet their stated objectives.
In addition to validation, service continuity plans must be tested (typically called “exercised”) on a regular basis to ensure that they will achieve their stated objectives when executed as the result of a disruption. Testing provides information about the effectiveness of the plan in advance of its use and provides an opportunity to improve the plan based on the test results.
To perform plan exercises, the organization must develop a testing program and standards (to ensure consistent test objectives and results), document test plans, test the plans, and debrief the test results to identify potential improvements and revisions.
A program and standards for service continuity plan testing are established and implemented.
Having a test program and standards helps ensure regular and consistent testing of service continuity plans to ensure their viability during an event or emergency. Testing is conducted in a controlled and measured environment and is the only opportunity for the organization to know whether the plans it has developed will achieve the stated objectives and satisfy requirements.
The organization establishes the plan testing standards, structure, and reporting requirements. The testing program and standards are enforced for all plan owners and developers to ensure consistency, comparability, and ability to interpret results at the organizational level. In addition, a consistent schedule of plan testing is established based on factors such as risk, potential consequences to the organization, and other organizationally derived factors. A quality review capability is established to review the results of plan tests and to look for trends and other information that could be used in improving the general state of service continuity plans and the testing of plans.
Typical work products
Subpractices
Service continuity test plans are developed and documented.
Service continuity test plans must be documented to ensure that all involved in a test understand the test objectives, their roles in the test, and the manner in which the test will be conducted. Those with the most specific knowledge of the service continuity plan should be involved in developing and documenting the test plan.
One of the most important parts of the test documentation is the establishment of test objectives—what the test should be able to prove or disprove. Documenting a test plan also involves detailing specific information about the test environment and stakeholders involved in the test.
Typical work products
Subpractices
Service continuity plans are exercised on a regular basis and results are documented.
On a regular basis, service continuity plans are exercised (tested) according to their test plan. The test should establish the viability, accuracy, and completeness of the plan. It should also provide information about the organization’s level of preparedness to address the specific area(s) included in the plan. The test is performed under conditions established by the organization and the results of the test are recorded and documented.
Typical work products
Subpractices
Ensure that all staff involved in the testing understand their roles, are equipped and trained to participate in the test, and understand how to document results. Ensure that testing infrastructure has been obtained and established, that other conditions have been met, and that all stakeholders have been notified of the test.
Opportunities for improving service continuity plans are identified and implemented as a result of testing.
The objective for developing and executing service continuity plan tests is to ensure that the plans work as intended, but also to identify required improvements to the plans and the test plans.
The evaluation of test results involves comparing the documented test results against the established test objectives. Areas where objectives could not be met are recorded and strategies are developed to review and revise the plans. Improvements to the testing process and plans are also identified, documented, and incorporated into future tests.
Typical work products
Service continuity plans are executed and reviewed.
Service continuity plans may be executed for a variety of reasons. Plans may be implemented in response to a perceived or known threat, as the result of an incident, or as a means to address an immediate crisis. Organizations may also implement their service continuity plans for other, less urgent reasons such as during the cut-over from one application system to another, while an office location is being moved, or as part of an organizational merger or acquisition.
Whatever the catalyst for executing the plan, the organization must be able to determine when the plan must be executed and who is responsible for initiating action.
Service continuity plans may be executed in response to an incident. (The management of incidents and the organization’s response is addressed in the Incident Management and Control process area.)
Service continuity plans are executed as required.
The service continuity plans are executed as organizational conditions require.
Typical work products
Ensure that the owners of service continuity plans understand these conditions and have the authority and responsibility to execute the plans if necessary.
Post-execution review is performed to identify corrective actions.
The debriefing of the execution of service continuity plans is an invaluable means for identifying plan shortcomings and for improving the plans. Plan improvements are documented through this process and incorporated into future plan versions. In some cases, new plans are developed in addition to or as replacements for existing plans. Logistical considerations of the plans are reviewed and analyzed, and changes are recommended. Unforeseen circumstances that arise during the execution of the plans—due to either the incident or the execution of the plan activities—are documented and addressed.
Typical work products
Subpractices
Examples of areas of improvement that may result from plan execution are similar to those included in practice SC:SG5.SP4.
Changes to service continuity plans are identified and managed.
The testing and execution of service continuity plans are two sources of potential changes. However, the dynamic operating environment, sources of new threats and risks, and changes in other organizational entities such as staff, geographical locations, and relationships with external entities can require changes to service continuity plans and their corresponding test plans.
Because changes to plans may occur frequently, the organization must establish baseline criteria for changes and manage changes to the plans through regular review, updating, and version control.
Change criteria for service continuity plans are established.
Because of changing operational and organizational conditions, service continuity plans may have a short useful life. Identifying and understanding the types of organizational and operational triggers that may indicate a need to revisit and revise service continuity plans ensures that these plans remain viable.
Typical work products
Subpractices
Changes are made to service continuity plans as conditions dictate.
Changes to service continuity plans are made as conditions dictate based on the change criteria established by the organization in practice SC:SG7.SP1. The changes are made to existing service continuity plans (although new plans may result), and versions of existing plans are incremented according to the organization’s versioning protocol and standards.
Subpractices
Refer to the Generic Goals and Practices document in Appendix A for general guidance that applies to all process areas. This section provides elaborations relative to the application of the Generic Goals and Practices to the Service Continuity process area.
The operational resilience management system supports and enables achievement of the specific goals of the Service Continuity process area by transforming identifiable input work products to produce identifiable output work products.
Perform the specific practices of the Service Continuity process area to develop work products and provide services to achieve the specific goals of the process area.
Elaboration:
Specific practices SC:SG1.SP1 through SC:SG7.SP2 are performed to achieve the goals of the service continuity process.
Service continuity is institutionalized as a managed process.
Establish and maintain governance over the planning and performance of the service continuity process.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the service continuity process.
Elaboration:
Elaboration:
Establish and maintain the plan for performing the service continuity process.
Elaboration:
SC:SG1.SP1 requires the development of a plan for how the organization will carry out service continuity planning and execution. A plan for service continuity is an organizational construct from which a service continuity program is developed and implemented. In generic practice SC:GG2.GP2, the planning elements required in SC:SG1.SP1 and the plan for the service continuity process are formalized and structured and performed in a managed way. The plan for the service continuity process should be directly influenced by the strategic planning process of the organization and reflect strategic initiatives where appropriate.
The plan for the service continuity process should not be confused with a plan (and program) for service continuity or service-specific continuity plans (refer to SC:SG3). The plan for the service continuity process details how the organization will perform service continuity planning, including the development of service continuity plans. Service continuity plans are service-specific plans for sustaining services and associated assets under degraded conditions.
Subpractices
Provide adequate resources for performing the service continuity process, developing the work products, and providing the services of the process.
Elaboration:
SC:SG1.SP1 requires the assignment of resources to the plan for the service continuity process. SC:SG3.SP3 calls for the assignment of resources to service-specific continuity plans. In SC:GG2.GP3, resources are formally identified and assigned to process plan elements.
Subpractices
Refer to the Organizational Training and Awareness process area for information about training staff for resilience roles and responsibilities.
Refer to the Human Resource Management process area for information about acquiring staff to fulfill roles and responsibilities.
Refer to the Financial Resource Management process area for information about budgeting for, funding, and accounting for service continuity.
Elaboration:
Assign responsibility and authority for performing the service continuity process, developing the work products, and providing the services of the process.
Elaboration:
SC:SG1.SP1 requires that the plan for managing service continuity address the roles and responsibilities for carrying out the plan and the program. SC:SG1.SP2 establishes standards and guidelines, including plan ownership and responsibility. SC:SG6 calls for identifying who is responsible for initiating action in any service continuity plan. In generic practice SC:GG2.GP4, resources are formally identified and assigned to plan elements.
Refer to the Human Resource Management process area for more information about establishing resilience as a job responsibility, developing resilience performance goals and objectives, and measuring and assessing performance against these goals and objectives.
Elaboration:
Refer to the External Dependencies Management process area for additional details about managing relationships with external entities.
Train the people performing or supporting the service continuity process as needed.
Elaboration:
SC:SG3.SP5 describes the activities necessary to develop and conduct effective service continuity training that conveys the contents of plans to those responsible for their execution. This specific practice also calls for identifying and filling service continuity skill gaps and needs before service continuity plans are validated.
Refer to the Organizational Training and Awareness process area for more information about training the people performing or supporting the process.
Refer to the Human Resource Management process area for more information about inventorying skill sets, establishing a skill set baseline, identifying required skill sets, and measuring and addressing skill deficiencies.
Elaboration:
Elaboration:
Certification training is an effective way to improve service continuity skills and attain competency. Certifications such as the Business Continuity Certified Planner, Certified Specialist, and Certified Expert and the Certified Business Continuity Professional are available for staff who focus specifically on continuity planning and execution.
Place designated work products of the service continuity process under appropriate levels of control.
Elaboration:
SC:SG7.SP2 addresses the change control process over service continuity plans, including establishing criteria for making changes to plans. However, other work products of the service continuity process (such as the service continuity process plan and service continuity process policies) must also be managed and controlled. Tools, techniques, and methods should be employed to perform consistent and structured version control over service continuity plans to ensure that all who must rely on a plan have the most current and “official” version. The tools, techniques, and methods can also be used to securely store the service continuity plans, to provide access control over inquiry, modification, and deletion, and to track version changes and updates.
Identify and involve the relevant stakeholders of the service continuity process as planned.
Elaboration:
Several SC-specific practices address the involvement of stakeholders in the service continuity process. For example, SC:SG1.SP1 describes obtaining commitments to the plan for service continuity from service stakeholders. SC:SG1.SP2 requires that standards and guidelines address the identification and involvement of stakeholders. SC:SG3.SP2 calls for stakeholder identification for communication and review of service-specific continuity plans. Generic practice SC:GG2.GP7 generically covers the role of stakeholders throughout the service continuity process.
Subpractices
Elaboration:
SC:SG3.SP2 requires that stakeholders for service-specific continuity plans be identified and that plans be communicated to them. Subpractice 3 provides a list of examples of relevant stakeholders.
Monitor and control the service continuity process against the plan for performing the process and take appropriate corrective action.
Elaboration:
SC:SG5.SP4 requires that the results of service continuity plan testing be evaluated to determine if plans accomplished their objectives and met service continuity requirements, standards, and guidelines and produced test results as expected. SC:SG6.SP2 calls for post-execution review of service continuity plans that have been executed to ensure that plan objectives and expectations were met.
In generic practice SC:GG2.GP8, the service continuity process is formally monitored to ensure it is performing in accordance with the process plan.
Refer to the Monitoring process area for more information about the collection, organization, and distribution of data that may be useful for monitoring and controlling processes.
Refer to the Measurement and Analysis process area for more information about establishing process metrics and measurement.
Refer to the Enterprise Focus process area for more information about providing process information to managers, identifying issues, and determining appropriate corrective actions.
Subpractices
Elaboration:
Elaboration:
Objectively evaluate adherence of the service continuity process against its process description, standards, and procedures, and address non-compliance.
Elaboration:
Review the activities, status, and results of the service continuity process with higher-level managers and resolve issues.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the operational resilience management system.
Service continuity is institutionalized as a defined process.
Establish and maintain the description of a defined service continuity process.
Establishing and tailoring process assets, including standard processes, are addressed in the Organizational Process Definition process area.
Establishing process needs and objectives and selecting, improving, and deploying process assets, including standard processes, are addressed in the Organizational Process Focus process area.
Subpractices
Collect service continuity work products, measures, measurement results, and improvement information derived from planning and performing the process to support future use and improvement of the organization’s processes and process assets.
Elaboration:
SC:SG5.SP4 requires that the results of service continuity plan testing be evaluated to determine if plans accomplished their objectives, met service continuity requirements, standards, and guidelines, and produced test results as expected. SC:SG6.SP2 calls for post-execution review of service continuity plans that have been executed, to ensure that plan objectives and expectations were met. Both of these specific practices and their work products may provide useful improvement information.
Establishing the measurement repository and process asset library is addressed in the Organizational Process Definition process area. Updating the measurement repository and process asset library as part of process improvement and deployment is addressed in the Organizational Process Focus process area.
Subpractices