Objective: A crisis situation occurs if exceptional situations (e.g. natural disasters, physical attacks, pandemics, exceptional social situations, cyber-attacks causing major infrastructure failures) severely disrupt key business operations. In such cases, the main priority of the organization is to handle the situation as gracefully as possible and recover as quickly as possible. Since time is of the essence, the usual approach is to switch to a crisis management mode that executes pre-planned procedures with a specific distribution of responsibilities and structures, enabling the organization to deal with the situation.
Requirements (must): Appropriate planning to react to and recover from crisis situations exists.
- The required resources are available.
Responsibilities and authority for crisis management within the organization are defined, documented, and assigned.
The responsible employees are defined and qualified for their task.
Requirements (should): Methods to detect crisis situations are established.
- General indications for the existence or imminence of a crisis situation and specific predictable crises are identified.
A procedure to invoke and/or escalate crisis management is in place.
Strategic goals and their priority in crisis situations are defined and known to relevant personnel. The following aspects are considered:
- Ethical priorities (e.g., protection of life and health)
- Core business processes (e.g., processes that ensure the survival of the organization)
- Appropriate information security
A crisis management team is defined and approved. The following aspects are considered:
- Management commitment
- Composition (e.g., participation of all major functions of the organization including organization leadership (management board), business operations (production), HR, information security, corporate security, corporate emergency services, IT/cyber security, communication, finance)
- Structure and roles
- Competences of members
- Expectation and authority
- Decision making procedures
Crisis policies and procedures are defined and approved. The following aspects are considered:
- Exceptional authorities and decision-making processes beyond the crisis management team
- Primary and backup means of communication
- Emergency operating procedures
- Exceptional organizational structures (e.g., reporting, information gathering, decision making)
- Exceptional functions, responsibilities, and authority (including reporting)
- Exceptional tools
Crisis planning is reviewed and updated regularly.
Sometimes an unexpected event, such as a fire, flood, or equipment failure, can cause downtime. In order to be able to continue operations as quickly and smoothly as possible, continuity planning is carried out, i.e. operations for these exceptional situations are planned in advance.
Each continuity plan shall contain at least the following information:
The organization has a clear process, according to which it identifies the most critical functions in terms of its operations (e.g. services offered to customers), which are subject to the highest continuity requirements.
Items in the IT environment that are necessary for these activities (such as information systems, data reserves, operating processes, partners, units, hardware) are classified as critical.
Critical functions are considered with the highest priority, e.g. in continuity planning, and stricter safety requirements can be applied to them than to other objects in the environment.
The organisation has identified the tasks that are critical for the continuity of its operations. Alternative courses of action for specific exceptional situations, staff availability, and contingency arrangements have been planned and prepared for the continuation of critical tasks.
To implement the continuity plans, the plan owners, their alternates, and other persons required to implement the plan have been identified. In addition, their ability to carry out their tasks under normal circumstances has been ensured.
The organization has to include disaster recovery in its continuity planning. Relevant disasters for the planning are natural disasters (e.g. floods, earthquakes, hurricanes) and human-caused disasters (e.g. terror attack, chemical attack/incident, insider attack).
In disaster recovery planning there is greater emphasis than in continuity planning on safely returning operations to normal levels. After this, the focus moves to resuming normal operations.
The continuity plans must be updated at least annually or after significant changes.
Relevant persons know the continuity plans related to their own activities and their detailed contents sufficiently well, and are able to act in accordance with them.
The organisation should establish and maintain a comprehensive crisis management framework. This involves implementing methods to detect potential crisis situations by identifying general indicators and specific predictable crises, along with clear procedures for invoking and escalating crisis management when necessary. Strategic goals and priorities must be defined, focusing, for example, on ethical considerations.
A dedicated crisis management team should be formed, including representatives from all major organizational functions, with defined structures, roles, competencies, expectations, authority, and decision-making procedures.
Crisis management policies and procedures need to be developed and approved, encompassing exceptional authorities and decision-making processes, communication methods, emergency operating procedures, and organizational structures for reporting, information gathering, and decision-making.
The entire crisis management plan should be reviewed and updated regularly to ensure its ongoing effectiveness and relevance.
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.