Maintenance of a BCP manual is broken down into three periodic activities. The first activity is the confirmation of information in the manual, roll out to ALL staff for awareness and specific training for individuals whose roles are identified as critical in response and recovery. The second activity is the testing and verification of technical solutions established for recovery operations. The third activity is the testing and verification of documented organization recovery procedures. A biannual or annual maintenance cycle is typical.
Information update and testing
All organizations change over time, therefore a BCP manual must change to stay relevant to the organization. Once data accuracy is verified, normally a call tree test is conducted to evaluate the notification plan’s efficiency as well as the accuracy of the contact data. Some types of changes that should be identified and updated in the manual include:
- Staffing changes
- Staffing persona
- Changes to important clients and their contact details
- Changes to important vendors/suppliers and their contact details
- Departmental changes like new, closed or fundamentally changed departments.
- Changes in company investment portfolio and mission statement
- Changes in upstream/downstream supplier routes
Testing and verification of technical solutions
As a part of ongoing maintenance, any specialized technical deployments must be checked for functionality. Some checks include:
- Virus definition distribution
- Application security and service patch distribution
- Hardware operability check
- Application operability check
- Data verification
Testing and verification of organization recovery procedures
As work processes change over time, the previously documented organizational recovery procedures may no longer be suitable. Some checks include:
- Are all work processes for critical functions documented?
- Have the systems used in the execution of critical functions changed?
- Are the documented work checklists meaningful and accurate for staff?
- Do the documented work process recovery tasks and supporting disaster recovery infrastructure allow staff to recover within the predetermined recovery time objective.
Treatment of test failures
As suggested by the diagram included in this article, there is a direct relationship between the test and maintenance phases and the impact phase. When establishing a BCP manual and recovery infrastructure from scratch, issues found during the testing phase often must be reintroduced to the analysis phase.
