What happens in the event of a cyber attack and how can important processes be restarted as quickly as possible? These are questions that Business Continuity Management (BCM) deals with and that Martin Ennenbach also has to deal with on a daily basis. At TÜV TRUST IT GmbH, TÜV AUSTRIA Group, the ISMS Division Manager is responsible, among other things, for the establishment and further development of information security management systems (ISMS) and business continuity management systems (BCMS). In this interview, he explains what is important for efficient BCM and how TÜV TRUST IT can support companies in this regard.
BCM is a holistic area that is not limited to IT security. What are the most important tasks of Business Continuity Management?
Exactly, BCM is not IT-specific, but concerns practically all areas of the company and should enable it to maintain all important processes and services in the event of a crisis or emergency. Responsible for the implementation is a BCM officer, who does not necessarily have to be anchored in IT and acts as an interface between IT and the business units. Of course, IT must be brought on board when it comes to BCM, and it must also fulfil the IT-relevant requirements specified by the business units. However, IT is only a supplying unit and implements what the business units specify.
It makes sense to combine the individual disciplines of BCM in a BCMS. What advantages does this offer?
The BCMS supports companies in dealing comprehensively with all the topics covered by business continuity management, starting with the planning phase. It offers guidelines, so to speak, which companies can use to carry out a business impact analysis, for example. Among other things, this involves working out which units, services or processes are critical and how critical they are, as well as what interdependencies exist. A problem with the personnel system, for example, is certainly less critical at the beginning of the month than towards the end, when payroll is due. Following this analysis, it is a matter of creating preventive contingency plans that define what needs to be done when the emergency occurs, and also what needs to be in place beforehand. So: Which people do I need to contact in an emergency? Are there sufficient computing capacities and office space available elsewhere? And what needs to be done to restore critical processes as quickly as possible? These are the necessary steps and the entire structure for this comes from the BCMS.
Over the last few years, the number of companies using a BCMS has increased significantly. In your experience, what is the reason for this?
Legislation is certainly acting as a driving force here. Due to the IT Security Act, companies, especially CRITIS operators, are increasingly dealing with the topic of BCM and recognise the necessity of such a management system. After all, dealing with the topic must be proven in the CRITIS area anyway, and the use of a BCMS is simply obvious. And this really applies to all companies, especially with regard to the highly topical issue of ransomware, which affects small companies just as much as large enterprises.
How can TÜV TRUST IT support companies in the introduction of a BCMS and the entire topic of BCM?
We offer a wide range of services in this field. These range from gap analyses in accordance with the relevant standards ISO 22301 and BSI Standard 200-4, through support with the introduction of a BCMS, to the provision of an external BCM manager. Appropriate events and training courses are also regularly offered for companies, where employees can be trained as BCM managers or generally inform themselves about the introduction and further development of a BCMS.
Finally: What can and should companies themselves do for efficient and secure BCM?
It is very important to always remain on top of things, to promptly optimise any weaknesses that are discovered and, despite all prevention, not to forget about emergencies. We advise our clients to carry out regular exercises to test the procedures in an emergency. Ideally, different crisis scenarios should be run through several times a year to see, for example: Does the communication chain work in the event of an IT failure? How do employees react when information that is available in the daily work environment is suddenly no longer accessible? Here, training in emergency exercises is extremely important in order to be able to develop an effective BCM. By the way, training sessions are completely in line with the much-quoted continuous improvement process of a management system. Here, too, we at TÜV TRUST IT are of course happy to provide support and are always available to answer any questions.
Many thanks for the interview, Mr Ennenbach!