365 days a year: solutions, knowledge and networking.
Find and offer innovative IT security solutions, take part in our diverse action program and make and maintain contacts.
Become part of the it-sa 365 community!
So that you can make an appointment, the calendar will open in a new tab on the personal profile of your contact person.
So that you can make an onsite appointment, the appointment request will open in a new tab.
Emergency plans come before the emergency. Those who skimp on precautions will lose out, because without precautions, disaster can easily strike after an emergency.
Companies with good contingency planning have a clear advantage in an emergency: they can minimise failures significantly. The new German BSI Standard 200-4 helps with planning. It puts practicality in the foreground.
Security authorities see deficits in emergency planning: "Crisis response plans are still a major challenge," head of German Bundeskriminalamt (BKA), Holger Münch, recently said, as reported.
After cyber attacks, there are often striking differences in how the consequences are dealt with. While some quickly resume operations - albeit with restrictions - others are offline or not productive for weeks. The reason for this is usually emergency preparedness. Those who have foregone this must first carry out costly analyses in order to at least be able to establish emergency operation. This can rarely be done on one's own; as a rule, external help from experts or service providers is needed. However, these are rarely available at short notice.
No certification without an emergency concept
An emergency concept is also mandatory for certification, for example in accordance with ISO 27001 or for the conclusion of cyber insurance policies. Emergency plans are one of the central components of emergency management. At the same time, they present companies with great difficulties. This is because they are usually created on the basis of an elaborate Business Impact Analysis (BIA), which must identify the core processes for which contingency plans must then be created.
The German BSI has finally published the new standard 200-4. It deals with the topic of business continuity management (BCM) and is a revision of the standard 100-4. While emergency management was still the central term in the old standard, it became business continuity management (BCM) in the new standard. The background to the renaming is, as reported, a broader orientation of the subject area: In essence, there was a reorientation from IT emergency management, which was the main focus of the 100-4, to a broader orientation towards all connected company areas. The BSI says: "BCM is understood to be a holistic process that is intended to minimise interruptions to IT operations".
The BKA has published a plan of action for IT emergencies to help.
One of the aims of the revision of BSI Standard 200-4 was to make the standard practical, manageable and adaptable. "Thus, the new BSI Standard 200-4 is tailored to institutions of any type, industry and size," explains the BSI.
The standard also offers practical guidance on how to set up a Business Continuity Management System (BCMS) in one's own institution. Furthermore, it addresses possible "synergy potentials with the adjacent topics of information security and crisis management and thus represents a central component for organisational resilience", the Office explains on its website.
In particular, inexperienced persons should be given an easy introduction to the topic. For this purpose, tools and document templates are included to help with the implementation of processes and methods in BCM. They contain sample texts, tables and illustrations for customisation.
However, not everything is up to date yet: "Some of the tools are still based on the community draft and will be fully adapted to the final BSI Standard 200-4 in the course of the second half of 2023," the BSI admits. Before publication, the BSI standard went through two "community draft phases" in which all interested users could give their feedback. "This ensured that the approaches and methodology of the standard both meet the BSI's own requirements and the current, theoretical developments in the field of BCM, as well as passing the first practical test," the Federal Office explains.
