Emergency management and regular drills are not yet standard everywhere, according to a result of the BSI (German Federal Office for Information Security) cyber security survey. This is to be changed by the planned BSI standard 200-4. The step-by-step model for getting started with BCM (business continuity management) plays an important role here.
Further development of BSI standard 200-4
According to the BSI’s 2018 Cyber Security Survey, three quarters of respondents see cyber threats as a relevant hazard: For 76 percent, cyber attacks hold the potential to impair operational processes. Only 20 percent do not expect cyber incidents to cause disruptions and/or failures in operations.
Almost nine out of ten institutions expect digitalization to exacerbate the threat situation. Despite this, in 2018 the proportion of respondents operating an emergency management system, including regular drills, to enable them to act quickly in the event of a cyber incident was only 43 percent. At 49 percent, the proportion of operators of such a system was significantly higher among large companies than among small and medium-sized enterprises at 38 percent.
Many companies do not take care of their emergency management until an emergency has occurred. This is, of course, much too late for consequential damage to be reduced as much as possible. Companies also need to address the issue of emergency management and BCM (business continuity management) with a view to the necessary responses following a data breach, as required by the General Data Protection Regulation (GDPR).
Waiting for BSI Standard 200-4?
The BSI offers support for the introduction of emergency management, including the BSI standard “Emergency Management – BSI Standard 100-4 on Business Continuity” since November 2008, as well as an implementation framework for emergency management according to BSI Standard 100-4. However, this BSI standard is currently being revised, with the aim of publishing a BSI Standard 200-4.
The goal of the revision is to provide guidance with best practices for establishing, maintaining, and continuously improving an institution-wide BCM system. The new BSI standard is intended to be “practical, manageable and adaptable” and, similar to BSI Standard 200-2, will include a tiered model with an easy entry level (e.g., for micro-institutions).
This level model is intended to enable the following goals, according to the BSI:
A simplified entry-level lowers barriers to entry and makes it easier to get started. Institutions are empowered to “rudimentarily manage” emergencies or crises.
Practical guidance on how to establish a BCMS (Business Continuity Management System) that is as fully comprehensive as possible, examines all business processes and is ISO 22301 compliant
Definition of one or more intermediate levels that facilitate the transition from the entry-level to an established BCMS.
However, it will be some time before the new BSI Standard 200-4 is available: the BSI plans to create the new BSI Standard 200-4 with external support. To this end, a call for tenders was published on the e-tendering platform on June 10, 2019.
Currently, the glossary for the new BSI standard is being updated, there will be a BSI presentation at the BCM Summit 2019 with up-to-date information on BSI Standard 200-4, as well as the opportunity to exchange information on BCM topics at the BSI booth during it-sa 2019.
However, this is no reason not to already start preparing for your own emergency management and BCM. On the contrary, BSI Standard 200-4 will still be of help later on to further develop and maintain one’s own emergency management.