This tool is a high-level self-assessment checklist for use by an auditee prior to a review of the business continuity management (BCM) process. It gives the auditee an opportunity to inform internal audit about the controls and processes they employ, and it also gives the auditee ideas about other controls and processes that may be appropriate.
In addition, this questionnaire can be used as follows:

* During the audit-planning phase to guide the creation of internal audit work programs
* During reviews as a checklist that will help you to quickly assess the types of internal controls being employed within a particular process
* As a training tool to educate new internal auditors about processes and their relevant controls

1. Have you developed a formal business continuity and/or disaster recovery plan? Is a continuity management process in place?
   Yes / No
   Comment:

2. Are procedures of the business continuity management developed to update its relevant processes? Are these tested on a regular basis?
   Yes / No

3. Are the backup tapes stored in a secured location? Is there an offsite or hot-site agreement with a third party? Is the backup data periodically restored or tested to ensure that recovery is possible?
   Yes / No

4. Has an initial analysis to identify and assess business continuity risks and their likelihood of occurrence on an enterprise-wide basis been performed?
   Yes / No

5. Has a business impact analysis been performed (i.e., answered the question, "What happens to our business when our systems go down, and which systems should we focus on bringing up first?")? Are there any procedures to keep the business impact analysis current?
   Yes / No

6. Is there any process to perform threat/vulnerability analysis to identify the source and likelihood of occurrence of specific threats in order to plan recovery actions as well as risk mitigation steps?
   Yes / No

7. Are metrics for key business continuity tasks (e.g., acceptable outage time frames, acceptable service levels following an outage, etc.) identified? Do those metrics require further refinement?
   Yes / No

8. Have you conducted a formal risk assessment based on your industry and locations of operations?
   Yes / No

9. Are you comfortable your company is adequately prepared to handle unplanned

10. Have you performed a supply-chain continuity assessment?
   Yes / No

11. Who in your organization "owns" the BCM process?

12. How much does your organization budget toward the development and maintenance of the BCM process (do not include IT asset costs such as SAN implementations, etc.)?
   Comment:

13. Do you have an alternate facility to recover operations in the event that your main offices, production locations or distribution centers are inaccessible? If yes, how far away are these facilities from your primary operating site?
   Yes / No

14. Does your organization maintain a crisis communications plan, which includes having designated people who are trained to speak to the media?
   Yes / No

15. Does your organization offer a formal training and awareness program to familiarize employees with your business continuity plan?
   Yes / No

16. Has your business continuity plan ever been benchmarked against industry standards/codes or your competitors?