IGIS Business Continuity Management Framework Development

Requirements

Following a recent Internal Audit of the Office of the Inspector-General of Intelligence and Security (IGIS) Business Continuity Framework, the IGIS is seeking a full review and refresh of the current Business Continuity Management Framework (BCMF).

The IGIS’s current BCMF was updated in February 2023 and was due to be reviewed in February 2025. The BCMF was chosen as an internal audit topic in light of this need for update, and a concern the current framework was not fit for purpose. The objective of the BCP is to provide IGIS management and staff with guidance and supporting information to manage a business disruption incident.

The IGIS is a small highly specialised agency providing oversight of Australia’s Intelligence Agencies. This requires access to significant amounts of sensitive information, gives rise to the need to protect this information and ensure our functions can continue in the case of a significant incident.

The need to update the BCMF was identified during the recent internal audit and agreed to by management personnel. The IGIS does not have the resources or expertise in house to conduct the full refresh as outlined within the internal audit recommendations.

The internal audit outlined a range of recommendations, with the main recommendation to undertake a full review and refresh of the BCP. IGIS do not have the resources or expertise to conduct the full refresh as outlined within the internal audit recommendation. Within this recommendation the actions highlighted were to:

• Conduct a business continuity focused risk assessment to identify threats and vulnerabilities that could cause business disruptions.
• Perform a Business Impact Analysis to ensure previously identified critical functions are still relevant.
• Update the Business Continuity Policy and Plan to ensure consistency and eliminate any discrepancies that currently exist within the framework and ensure all documents align with the Australian Government Protective Security Policy Framework (PSPF) requirements that have been updated since the previous BCMF was established.
• Determine appropriate frequency to review the BCMF and ensure this is consistently documented.
• Establish a business continuity exercise schedule appropriate to its size and operation. The suggested minimum requirement would be an annual tabletop exercise with all members of the incident response team involved.

The work to review the BCMF needs to have a particular focus on ensuring it is fit for purpose, straightforward to implement and appropriate in size and scale for the office.