Business continuity is the goal of remaining fully operational during an outage. ISO/IEC 27031 covers business continuity in detail (it provides a framework to build on, along with methods and processes covering the entire subject). Business continuity requires a lot of planning and preparation. The actual implementation of business continuity processes occurs quite infrequently. The primary facets of business continuity are resilience (within a data center and between sites or data centers), recovery (if a service becomes unavailable, you need to recover it as soon as possible), and contingency (a last resort in case resilience and recovery prove ineffective).
- Develop and document scope and plan. Developing the project scope and plan starts with gaining support of the management team, making a business case (cost/benefit analysis, regulatory or compliance reasons, etc.), and ultimately gaining approval to move forward. Next, you need to form a team with representatives from the business as well as IT. Then you are ready to begin developing the plan. Start with a business continuity policy statement, then conduct a business impact analysis (as explained in the next bullet), and then develop the remaining components: preventive controls, relocation, the actual continuity plan, testing, training and maintenance). Be familiar with the difference between business continuity (resuming critical functions without regard for the site) and disaster recovery (recovering critical functions at the primary site, when possible).
- Conduct a business impact analysis (BIA). Identify the systems and services that the business relies on and figure out the impacts that a disruption or outage would cause, including the impacts on business processes like accounts receivable and sales. You also need to figure out which systems and services you need to get things running again (think foundational IT services such as the network and directory, which many other systems rely on). Be sure to prioritize the order in which critical systems and services are recovered or brought back online. As part of the BIA, you will establish the recovery time objectives (RTOs) (how long it takes to recover), the recovery point objectives (RPOs) (the maximum tolerable data loss), and maximum tolerable downtime (MTD), along with the costs of downtime and recovery.