Thoughts on working together, and supporting organizations
With business continuity, disaster recovery, and related optics, there are a number of concepts and practice-docs that can ‘matrix’ into corporate and operational competencies. It’s worth understanding these, to give a sense of where Even will need to track toward, as it becomes a company of sufficient scale of partner value and operations.
While the points on can be staged out in several ways, the early-stage options below are the first we would think about.
A BC DR audit is different in scope and context than a SOC II.
Especially: no version of a SOC II is considered to be encompassing of a BC/DR review and preparation.
Generally these will document how to practice Governance, Capabilities, and Tools.
Generally these will define the range and semantics of Governance, Capabilities, and Tools.
Note that in a SOC II, 70% or so will focus on InfoSec, data, and Recovery, just as we’ve already practiced.
Some firms that can do the audit will be highly exposed to our cohort and partners, and can provide guidance that improves our competitiveness.
This is one of the major reasons to pay a premium for such companies.
The audit would focus on our existing docs. The review and feedback would pertain only to the stated and planned scope.
The costs for kind of audit does not seem to cost any less than audits of lesser scope (‘value’). It will take less time, though.
From an outside perspective, this audit conveys that we have insured the minimum feedback needed for comprehensive coverage of topics.
This level of audit adds a focus on functional areas of the business, in order to ensure that these operational areas are considered by management in the stability of the services. The firm doing so would audit in the form of:
Based on the these conversations, specific referential guidance would be tailored for our company, and our teams.
The costs for this kind of audit are only slightly more than without functional-area review. The time may be twice as long (up to 4wk / 80hr)
From an outside perspective this audit would convey that each part of the company has undergone reflective consideration of business continuity, and that executive leadership has more that the typical guidance from SME advisors.
This level of audit will look beyond functional areas, to the impacts that come with different forms of their change. Identifying these impacts, and how services and operations can change from them, also helps define the redundancies and failover mechanisms. Instead of imaging failover practices in a vacuum, they can be planned, sized correctly, and grown in sync with KPIs.
Some typical analyses:
The costs for this kind of preparation will be a multiple of the businesses operations. Good prior planning can minimize the discovery phase of the auditor’s engagement. Costs are also implicit with the overhead from knowing (doing business to) offer a stronger industry & cohort comparisons.
From the outside perspective, completing this form of audit is a strong signal of business service reliability, necessary with a relationships that are more critical to one’s operation.
Working with a firm in this capacity differentiates a “controls based audit” vs “practices and outcomes audit.” Outcomes is a kind of code for speaking about ‘exercises’ that help us ensure we are practicing what we think we are practicing, and that we know how to do that practice sustainably. Passing this audit more-easily will require we have a well-developed sense of programmes or operating frameworks that we conduct, reschedule, and self-audit (governance).
Some common patterns, which should in-effect via one means or another:
Costs will be additional to more-simple audits, with the addition of the time spent monitoring each exercise scenario, and any time that was needed for prepare to correctly execute it. Preparation and demonstration can save time and effort, to avoid discovery.
From the outside perspective, these audits are more commonplace with business partnerships where one group bears responsibility to act on another parties behalf. Activities that are ‘typed’ by policy likely are part of common operational parlance, and are incorporated into SLAs.
An example of ‘validating outcomes’ includes checks of the recoverability for backup data.