Standards

How often should a BIA be conducted?

Generally: Every 2-3 years unless there are significant reorganizations, divestitures or acquisitions.

~ Patrick Ridder, MBCP, MBCI, CHPCP ISO 22301 Lead Auditor

Culture and Legal/regulatory environment: Every organization is different, and requirements for BIA frequency are often dictated by an organization's culture as well as its associated regulatory guidelines.

Program Maintenance: Many organizations review BIAs yearly, and some even quarterly. The review is often baked into a plan review process where the process-level RTO and associated impacts are confirmed to ensure they still apply.

~ Laura Mosley, MBCI MBCP CBCLA SCRA

How do I rate / evaluate / audit my data center?

I would recommend you partner with your internal audit department. They can help you understand what they would be looking for.

~ Beth Epstein, MA, CBCP, MBCI

The Uptime Institute established the criteria for Data Center ranking. I'd start by reviewing their tier levels and develop an understanding of what the various rankings require. Measure your facility against that criteria and build a gap report from the results. It's also helpful to have an idea of what type of performance you require from your Data Center.

~ Patrick Ridder, MBCP, MBCI, CHPCP ISO 22301 Lead Auditor

I have been hearing about a variety of business continuity standards. A.) Which are the most recognized? B.) What should I be looking at? C.) What is this certification process?

There are many to choose from:

ISO 22301

National Fire Protection Association: NFPA 1600:2010

ASIS International: ASIS SPC.1-2009

Australia/New Zealand Standard AS/NZS 5050

British Standards Institute: BS 25999, Part

Canadian Standard: CSA Z1600

Government of Japan BCP Guideline

Japanese Corporate Code – BCP

ISO 24762 (IT Disaster Recovery)

National Association of Stock Dealers: NASD 3510/3520

National Institute of Standards and Technology: NIST SP 800-34

New York Stock Exchange: NYSE Rule 446

~ Beth Epstein, MA, CBCP, MBCI

I work in risk management at my firm, and we now have responsibility for making sure we have plans in place to protect our people and assets. We like standards and best practices here. Which standards do you recommend we review as a starting point?

Your best bet is to start by researching your organization's management and how they feel about standards. There are many standards to choose from. This link can provide you with a side-by-side comparison of a few: http://www.isaca.org/Journal/Past-Issues/2003/Volume-2/Pages/Business-Continuity-Management-Standards-A-Side-by-side-Comparison.aspx All of the business continuity standards are not the same, but they all address the established issues for business continuity management. It then becomes a matter of corporate preference, or perhaps the ultimate standard will be dictated by industry regulations. Keep in mind, however, that the standards address Business Continuity Management, but very few provide any real instructions as to how to plan and implement a Business Continuity program.

~ Beth Epstein, MA, CBCP, MBCI
