BSI - The new standard 200-4 © pexels.com / Lex Photography
BSI experts explain the new Standard 200-4

Emergency management (BCM, business continuity management) is becoming increasingly important. We spoke with the BSI project managers about the new version of the BSI standard on emergency management (BSI Standard 200-4).

The complexity of a standard should not be underestimated. BSI specialists explain what matters and what IT security experts can expect.

Companies often do not address emergency management until an emergency has already occurred, and by then it is too late. To help organisations establish an emergency management system, also known as business continuity management (BCM), the German Federal Office for Information Security (BSI) developed Standard 100-4. This standard is now being revised and will be published as BSI Standard 200-4. A draft is already available (for details go to the document “BSI experts talk about the new BSI standard on emergency management”

The new version addresses current developments like cloud services, outsourcing or the handling of pandemics. “In addition, we took great care to ensure that the revised version is compatible with the relevant ISO standard 22301:2019 (Security and resilience – Business continuity management systems – Requirements),” emphasises Cäcilia Jung, the project manager responsible for the standard on emergency management at BSI. The revisions to the ISO standard in 2019 increased its stringency and incorporated numerous simplifications, which were well received by the professional community.

Phased model helps smaller companies

One of the key features of the revised BSI standard is a new phased model: “The phased model takes greater account of the differing needs of large and small companies,” says Jung of the rationale for this change. “The aim is to be able to react as quickly as possible,” she adds. The standard therefore offers various points of entry depending on requirements. The managers responsible can decide which level to start from. Three basic variants of BCM are available: responsive, advanced and standard. A business continuity management system, or BCMS for short, is based on an organisational system of processes and rules designed to ensure the continuation of critical business processes even in emergency situations.

First phase: responsive BCMS

The first phase, responsive BCMS, is a minimum version designed to achieve a basic capacity to act in emergency situations with relatively little time and effort. “To create a responsive BCMS you first need to establish responsive structures, for example emergency teams and a line and staff structure, develop an early warning system and determine a suitable room that is available even in emergencies,” explains Jung. But that is not all, she continues: “In addition, you need to look at the most urgent business processes and examine which of them can be protected using simple means that may already be on hand.” Generally, the individual business processes are evaluated by means of a business impact analysis. The objective is to find out which processes are time-critical and to what extent, i.e., how long they can be unavailable for.

Second and third phases: advanced BCMS and standard BCMS

Although a responsive BCMS uncovers potential gaps, these are not usually closed during this phase. This does not happen until the second phase, the advanced BCMS, which is considerably more elaborate and requires comprehensive precautions: “For an advanced BCMS a very accurate analysis is essential, for example to close the gaps identified. And this also costs a bit more,” explains the mathematician. The third and last phase then successively records and reviews other business processes until all processes to be covered by the BCMS have been included, she says. At this point a standard BCMS has been achieved.

Simpler and more easily scalable

The new standard offers other advantages: “It allows better scalability of the company’s own resource deployment,” which Jung describes as follows: “For example, you can start with the especially time-critical processes and protect everything that must not be allowed to fail for even a single day, and you then find your way forward from there, e.g. you then look at everything that shouldn’t be unavailable for more than three days, and so on.”

Another reason for revising the standard is to make it more accessible through simplifications. “The focus is on newcomers,” stresses her colleague Daniel Gilles, deputy project manager. “The standard is as easy as possible, so you can also just use it as a guide to get you started,” he adds. It therefore provides numerous document templates. “You can simply take these and fill them out,” says Gilles. The same applies to the other supplementary tools, including instructions on how to close any gaps you’ve identified and special considerations for IT emergencies.

Author: Uwe Sievers
