An IT Service Continuity Management program exists along a spectrum of maturity states. The questions below are largely adapted from those published by the itSMF in regards to ITILv2 assist in determining a maturity level.
1. Process Preconditions
1.1. Are at least some IT service continuity – aka disaster recovery (DR) or business continuity (BC) activities established within the organization, e.g. business impact assessment, recovery testing?
1.2. Have the minimum operational requirements been determined by the business?
1.3. Has the organization developed an overball business continuity strategy?
1.4. Has the purpose and benefits of IT service continuity planning been disseminated within the organization?
1.5. Is there senior management commitment for the implementation of IT service continuity measures?
1.6. Has the scope of IT service continuity activity been determined i.e. identifying, prioritizing and documenting all business critical processes?
1.7. Has a business impact analysis been completed?
1.8. Is there regular testing of the IT Service Continuity Management and Disaster Recovery procedures?
1.9. Are the necessary resources being made available for the complete business continuity life-cycle stages through a strategic directive?
2. Process Capability
2.1. Have responsibilities for IT service continuity activities been assigned?
2.2. Have the minimum business critical requirements been determined through business impact analysis?
2.3. Has a risk assessment been conducted?
2.4. Is there an overall co-ordination plan for implementation, including emergency response, damage assessment, salvage, identification of vital records etc?
2.5. Have the BC/DR components for business continuity been identified?
2.6. Is there a check-list covering the specific actions required during all stages of recovery of the system?
2.7. Is there a formal procedure for testing and reviewing contingency plans?
2.8. Is there an IT risk reduction or mitigation program to implement mechanisms in order to deliver the continuity requirements?
2.9. Is there a formal procedure for invoking recovery?
2.10. Is guidance on the invocation process readily available, including details of associated action and decision points?
2.11. Has a crisis management team been established?
2.12. Is BC/DR management responsible for the completeness of the IT contingency plans?
2.13. Do business continuity planners inform BC/DR management of the required service criticality / priority?
2.14. Are BC/DR plans regularly reviewed, and the procedures and processes tested and updated where necessary?
2.15. Is there an established planning structure clearly identifying responsibility for overall co-ordination of the recovery?
2.16. Are the technical activities necessary in order to invoke the contingency measures fully documented, so that IT personnel can undertake recovery actions?
2.17. Are reports concerning risk assessments and risk mitigation measures produced regularly?
2.18. Does BC/DR management produce reports on alternative IT contingency planning options that would provide potentially acceptable service levels for cost consideration?
2.19. Are formal Requests for Change issued in order to amend BC/DR arrangements?
3. Inter-Process Integration (i.e., in relationship to other service management processes)
3.1. Are regular meetings held with business continuity planners?
3.2. Does BC/DR management exchange information with Availability Management for risk mitigation?
3.3. Does BC/DR management exchange information with Availability Management for testing availability management components of the plan, including operating level agreements / support contracts?
3.4. Does BC/DR management exchange information with Change Management for consideration of changes which may affect the currency and accuracy of IT Continuity Plans?
3.5. Does BC/DR management exchange information with Change Management for assessment of proposed changes and actions necessary to avoid / reduce risks?
3.6. Does BC/DR management exchange information with Capacity Management for consideration of capacity / storage risks and implications?
3.7. Does BC/DR management exchange information with Capacity Management for specific capacity / storage requirements for recovery plan tests?
3.8. Does BC/DR exchange information with Service Level Management for cross-references between SLAs and IT contingency plans, and specific service levels during contingency or recovery situations?
3.9. Does BC/DR management exchange information with Configuration Management for contingency requirements and final configuration details, ensuring currency of configuration details used?
3.10. Does BC/DR management exchange information with Configuration Management for full relationship between components and services?
3.11. Does BC/DR management exchange information with Problem Management and Incident Management for reviewing major incidents?
3.12. Does BC/DR management exchange information with Problem Management and Incident Management for discussion of problems where cause / resolution is possibly within the domain of BC/DR management?
4. Quality Control
4.1. Are the standards and other quality criteria for BC/DR made explicit and applied?
4.2. Are the personnel responsible for BC/DR activities suitably trained?
4.3. Does the organization set and review either targets or objectives for BC/DR?
4.4. Does the organization use any tools or proprietary methods for conducting risk assessments and/or keeping the IT contingency plans up-to-date?
5.1. Does BC/DR management provide information concerning areas and nature of vulnerability to the continuation of business operations?
5.2. Does BC/DR management provide information concerning IT contingency planning options?
5.3. Does BC/DR management provide information concerning the IT contingency plans?
5.4. Does BC/DR management provide information concerning changes to the IT contingency plans?
5.5. Does BC/DR management provide information concerning verification tests of recovery plans?
5.6. Does BC/DR management provide information concerning risk mitigation (source and nature of risk, proportion avoided / reduced)?
5.7. Does BC/DR management provide information concerning effectiveness of business continuity strategy?