Auditing Business Continuity - Copyright 2005 Information...

Information Systems Control Journal, Volume 1, 2005
Copyright © 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

The confidentiality, integrity and availability of information systems must be ensured to protect the business from the risks relating to information technology. An IS audit helps to identify areas where these are vulnerable or inadequately protected through systematic examination and evaluation.

The dependence of today's enterprises on IT is significant. For an organization that uses IT extensively for its operations, not just for recording transactions, the nonavailability of its information systems could mean the end of its existence. Even for other organizations, there would surely be varied negative impacts. Hence, availability is one of the major criteria for IS audit. Availability is ensured through various means, technologies and processes—all broadly covered under the umbrella of business continuity and disaster recovery.

Business Continuity Plan (BCP)

Every organization should have a business continuity plan that seeks to ensure that its information systems are available and running at all times to support and enable the business to function and grow. In spite of all precautions and preventive controls, disasters can occur. Some disasters cannot be controlled and/or prevented. In such cases, the business continuity plan should also enable recovery of information systems within an acceptable time frame to avoid any serious damage to the business.

An IS audit of business continuity is essentially an audit of this plan with reference to the adequacy, completeness and appropriateness of the plan; the availability of the processes and people to implement the plan; its testing; and the verification of the various day-to-day functions that need to be performed to make the plan effective and ready at all times.
Approach to Auditing Business Continuity

The audit of business continuity can be broken into three major components:

1. Validating the business continuity plan
2. Scrutinizing and verifying preventive and facilitating measures for ensuring continuity
3. Examining evidence about the performance of activities that can assure continuity and recovery

Validating the Business Continuity Plan

The IS auditor knows (or should know) the business, the information systems in use and the extent of the business' dependence on IT. The auditor's focus should be on validating the plan against this knowledge. The following points are written with this objective and are not meant to be a comprehensive description of everything that should be in the business continuity plan:

• The IS auditor should check whether the plan covers all mission-critical systems or is only for the ERP or other, selected systems. If the plan does not cover all systems, the auditor should evaluate the impact of its inability to recover some systems and notify management. For example, if one

This note was uploaded on 01/29/2012 for the course INTERNATIO 101 taught by Professor Mr.johnnash during the Spring '11 term at Symbiosis International University.
