I am often asked about SAS70 conformity in relation to the need for business continuity planning. Technically speaking, business continuity planning, or any variation thereof, is NOT a requirement of SAS70. When reviewing a client’s vendor management process from a business continuity perspective, I often hear that the client is not concerned about their third party provider’s business continuity plan “because they have provided proof of a SAS70 Type II audit”.
If you are truly interested (and you should be) in your critical third party provider’s business continuity planning process, you really need to dig deeper. Specifically, you will need to make further inquiries. First off, determine if your vendor’s SAS70 Type II has an existing control specifically written for their business continuity plan. Most don’t, and therefore the plan is not being audited as part of the SAS70 Type II audit process. You should determine if their plan meets professional best practices and guidelines, including process management, risk assessment and mitigation, business impact analysis, solutions planning and implementation, plan documentation, testing and exercising, and plan audit and certification.
Until you get more specific, you will NOT know whether your critical third party providers have a viable business continuity plan that will allow them to respond to a major business disruption, resume their critical business functions and recover their business over time.
It is paramount that your critical service providers have a working and documented business continuity management plan in place. It just makes good business sense, for them and for you.