ISO 22301:2014 Business Continuity Management Systems #BCAW2016
News and information from the Advent IM team.
A look at the Business Continuity international standard by Del Brazil for Business Continuity Awareness Week
The worldwide-recognised standard for Business Continuity is ISO 22301:2014 – Business Continuity Management Systems, which was preceded by BS 25999 – Business Continuity Management. The ISO 22301 standard clearly provides direction to all businesses/organisations on how to plan, implement, test and improve business continuity plans. It is written in a manner that makes it applicable to almost all organisations, big or small, that are not governed by some other higher-level documentation.
Even though some organisations may be governed by a separate set of guidance documents, the underlying business continuity principles are very similar, if not the same.
The ISO 22301:2014 standard states that ‘The International Standard is applicable to all types and sizes of organizations that wish to:-
• establish, implement, maintain and improve a BCMS,
• ensure conformity with stated business continuity policy,
• demonstrate conformity to others,
• seek certification/registration of its BCMS by an accredited third party certification body, or
• make a self-determination and self-declaration of conformity with this International Standard.
This International Standard can be used to assess an organization’s ability to meet its own continuity needs and obligations.’
The standard sets out, in a logical sequence, the basic principles of Business Continuity, whilst also stressing its importance within organisations. It makes further reference to the standard being consistent with numerous other ISO standards, such as ISO 9001 – Quality Management Systems and ISO 27001 – Information Security Management Systems.
As with all the standards there is a simple but effective Plan, Do, Check & Act (PDCA) methodology, which facilitates the continual improvement of the Business Continuity Management System (BCMS). The following table explains how the PDCA model applies to a BCMS:-
Plan (Establish): Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity in order to deliver results that align with the organisation’s overall policies and objectives.
Do (Implement and operate): Implement and operate the business continuity policy, controls, processes and procedures.
Check (Monitor and review): Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.
Act (Maintain and improve): Maintain and improve the BCMS by taking corrective action, based on the results of management review and reappraising the scope of the BCMS and business continuity policy and objectives.
Table 1- Explanation of PDCA model from ISO 22301:2014 – Business Continuity Management Systems
The standard is not designed as an idiot’s guide or a toolkit for organisations to use, but it does attempt to put everything into plain, non-technical language so that it is more easily understood throughout every organisation.
It is split into a number of sections, each covering a specific area/topic:-
Section 4 looks at the Context of the Organisation which includes:-
• Understanding of the Organisation and its context
• Understanding the needs and expectations of interested parties
• Determine the scope of the BCMS
• Business Continuity Management System – implementation and management
Section 5 moves into the Leadership of the organisation:-
• Leadership and commitment
• Management commitment
• Policy
• Organisational Roles, Responsibility and authorities
Section 6 highlights the need and requirements associated with planning:-
• Actions to address risks and opportunities
• Business Continuity objectives and plans to achieve them
Section 7 raises the importance of Support:-
• Resources
• Competences
• Awareness
• Communication
• Documented Information
Section 8 discusses the Operation of the various elements of the BCMS:-
• Operational Planning and Control
• Business Impact Analysis and Risk Assessment
• Business Continuity Strategy
• Establish and Implement Business Continuity Procedures
• Exercising and testing
Section 9 highlights the importance of Performance Evaluation:-
• Monitoring, Measurement, Analysis and Evaluation
• Internal Audit
• Management Review
Section 10 recognises that there are always areas for Improvement:-
• Nonconformity and corrective action
• Continual improvement
It is fair to say that the above list is a straight lift from the standard, but then what would be the use of referencing a standard without actually quoting or using extracts from it?
On occasion, standards have been given a bad reputation for being too detailed and technical for organisations to fully embrace or adhere to. In the case of ISO 22301, however, this is not so, as everything is clearly articulated.
Normally when the topic of Business Continuity is raised in meetings, people’s heads drop and a general sigh can be heard from the participants. That’s not to say that Business Continuity is boring or tedious, but the general feeling amongst staff is that it’s a pointless exercise and a waste of time, money and resources. There is an old saying that is still quite relevant here: ‘Failure to Prepare generally leads to Prepare to Fail’. This is reinforced by the latest whitepaper released by the BCI, which clearly shows how Business Continuity can bring value to an organisation, not only in terms of assurance to partnering organisations or suppliers, but also because it is now seen as a cost-saving measure by insurance companies.