How to complete your governance & BC/DR controls
OVERVIEW
Risk Assessments: The risk assessment considers the identified risks, including new and existing. It populates, updates or confirms each risk into the risk register with the appropriate risk ratings based on the risk assessment criteria. Risk assessment activities should be governed by the Risk and Control Management Policy that sets a formal methodology for identifying, assessing, treating, monitoring and reporting the risks that threaten company objectives and the control activities that mitigate those risks.
The Board is responsible for setting the overall risk appetite and ensuring management takes appropriate actions to mitigate risks that could affect the organisation's objectives. They must also ensure adequate internal controls are in place to monitor and measure the effectiveness of the risk management system. To achieve this, the Board must clearly understand the organisation's risks and the controls in place to manage those risks. By doing so, they can make informed decisions and guide management to ensure the organisation's long-term sustainability.
Control Assessments: Business Continuity and Disaster Recovery (BC/DR) testing ensures that an organisation's plans and capabilities are effective and ready to respond to adverse events. These tests can be conducted separately or combined and typically involve assessing restoration capabilities and incident response plans. The testing can take different forms, such as live simulations, desk-based simulations, reviewing plans, and testing system and process components. The purpose is to evaluate the organisation's readiness to handle disruptive events and identify areas for improvement.
CONTROLS AND EVIDENCE
Board/Management: We will review your board charter (DCF-144). The board charter serves as a transparent communication tool for the roles and responsibilities of the board. It outlines the scope of their duties, including the meeting agenda, how meetings are conducted, and how decisions and actions are taken. The board charter ensures that the board is aligned with the organisation's objectives and goals.
As part of our review, we will assess a sample of board minutes (DCF-146), which are typically conducted at least once a year and record important board decisions and actions. This ensures that meeting minutes are properly maintained and can be referred to as needed.
For (DCF-143), we review the meeting minutes and board charter and should see a reference to your information security matters. This means that the board should clearly understand the organisation's information security risks and the controls in place to manage those risks. The board should be kept informed of and consulted on these security at least annually.
BC/DR: We inspect your disaster recovery plan (DCF-25) and business continuity plan (DCF-166). These prepare for major adverse events by designing a plan to respond and recover essential systems and data. We will review your BCP/DR tests (DCF-26) to ensure you have an effective response plan. They may be tested with a live simulation or through a desk-based run through that checks the plans make sense with the key stakeholders, or tested in parts. The parts may include testing a database restore is effective, that the emergency response team can mobilise effectively, that communication channels and distribution lists are available and effective, etc.
Restoration tests to confirm backup integrity and completeness (DCF-100). These tests are frequently performed as part of disaster recovery testing. However, they can also occur during the normal course of business or in response to an actual outage or failure to verify the effectiveness of backup recovery. Any lessons learned and actions to improve backup recovery should be identified.
Other resources