ISO 22301 - Implementing a Business Continuity Management System

JoLCS

Hi,

I'm getting ready to start creating a business continuity management system which would be at the ISO 22301 standard. I have to come up with a BC (business continuity) and a DR (disaster recovery) plan, create an internal BC&DR audit, have a BC exercise in place (logged in the internal audit), and so on. I'm fairly new with this particular standard, so I was hoping I could find someone who could provide me some templates, but most of all any advice on this topic. Any inputs about this would be very much appreciated.
Thank you
 

Marc

Anyone have any relevant templates to share? Thanks in advance!
 
pldey42

In my experience as a tutor and auditor of ISO 22301 BCM systems, it's vital to get the business impact analysis and risk assessment right. These activities identify and prioritize the key business processes that must be preserved through a disruptive incident, and risks that bear upon BC planning. It's important to understand that BC planning cannot be driven by risk assessment alone.

For example, electric power is an essential resource for most organizations. Whilst one could enumerate all the hazards that could interrupt power (power station runs out of coal, electric cables break, bill not paid, fuses blown by incompetent electrician, etc.) the impact of electric failure is that work stops. So we plan anyhow for electric failure, for example with supplies from two alternative power stations, uninterruptible power supplies, diesel generators and so forth. Risk analysis might tell us whether lightning is a significant threat and, if so, we might install lightning conductors - as well as the BC arrangements like backup generators. If you like, business continuity plans are for use when risk assessment and mitigation fail.

It's important also to understand that ISO 22301 doesn't talk of DR planning. Rather, it expects plans for (a) dealing with the immediate consequences of a disruptive incident, (b) plans for continuing vital processes while (c) longer term recovery plans restore things back to normal. Organizations differ in their understanding of what DR planning actually means, so the standard offers a common vocabulary - which avoids arguments by not using the DR term.

Another common error is to see BC planning as an IT issue. While IT is almost certainly involved, so too are people and operational processes. For example, if the call centre is essential, IT DR planning alone won't be enough. There must be plans for, e.g., firing up an alternative call centre location, for getting the right staff to it, and for providing them with food and drink.

While templates can be useful and are available from several vendors I think they have limited value because, as anyone with real experience of serious disruptive incidents knows, the key factors are the people on the ground dealing with the incident, its consequences, and maintaining service while recovery proceeds.

For example, while BP may have had templates in their BC plans for what executives should say in public, they didn't stop Tony Hayward making insensitive comments about his yachting vacation just after his company flooded the Gulf with oil.

And when the Costa Concordia sank off the coast of Italy having struck a rock its Captain reportedly said should not have been there, true leaders emerged such as the dancer who herded her allocated passengers together and timed the rate at which water was rising, watching the rescue boats, so she could tell her charges to swim if the boats didn't reach them in time - but they did, so her group survived. I think one learns that a critical element of BC planning is getting the right people leading aspects of incident management, and empowering them to make it up as they go along if necessary.

If an organization goes for formal certification to ISO 22301, the CB will expect a regular, planned exercise programme that demonstrates the system will likely work if called upon, and that leads to corrective actions and improvements in BC planning, including the BIA and risk assessment activities as appropriate. This is worth mentioning because many organizations find BC exercises expensive and disruptive and resist doing them properly. In my experience CBs may insist that some 66% of the system has been exercised by Stage 2 (and 33% by Stage 1) - and that the results are being acted upon.

How seriously one takes all this depends upon the impact upon life and death of one's activities. BC planning is clearly more vital for a hospital than a fish and chip shop - except, for the latter, the business is mom and pop's livelihood, so they plan as much as they need to, e.g. so that they have sufficient power for the lights and fryers to feed the local community through a power cut.

Which raises another aspect: BC isn't just about survival, it can also bring competitive edge. If mom and pop can feed people fish 'n chips through a power outage, and the burger joint next door has its lights and fryers out, who wins more long term customers when power returns?

Here's some UK Government guidance that might be helpful:

https://www.gov.uk/resilience-in-so...ommunities-and-businesses#business-continuity

http://www.cpni.gov.uk/Security-Planning/Business-continuity-plan/

It refers in some places to BS 25999 which was ISO 22301's predecessor. In concept the two are similar; ISO 22301 benefitted from practical experience gained with BS 25999.

It helps, perhaps, to understand that BS 25999 was introduced here in the UK after we were hit hard by some major incidents. For example, in the 7/7 bombing incidents in London, the emergency services learned that (a) they had not prepared for several similar incidents at the same time (so the response to the second bomb was delayed because incident managers thought that the people calling it in were referring to the first bomb) and that (b) police, fire and ambulance services could not properly co-ordinate because their different radio systems could not inter-communicate. Thus, BS 25999 and now ISO 22301 were designed, not just to help organizations survive disruptive incidents but, with common vocabulary, concepts and processes, to co-ordinate joint planning, amongst organizations, especially in critical national infrastructure, hence the rather clumsy "societal security" terminology.

Hope this helps,
Pat
 
kukani41

Hi

I have just created a similar business continuity management system. I have already carried out a business impact analysis and risk analysis. I have created the business continuity plan and am currently pulling together the IT recovery plan. However, I now have to come up with the testing exercises. So any help with pulling these together would be really helpful. Let me know what you need and I will try to help where I can.
 

Marc

It would be best to attach your related procedures if you want feedback on how to test them. Just a thought.
 

Richard Regalado

Hello. The first step, as with most ISO-based management system standards, is to define your scope. The standard provides guidance in this regard:

1. Determine interested parties
2. Determine needs and expectations of the interested parties
3. Determine the context of the organization in relation to business continuity

Do the above and come up with a scope for your BCMS.
 
feldspath

Is the beginning of an ISO 22301 project the right time to use such software (Business Continuity Planning Suite for instance) or must the business acquire a certain maturity in business continuity before moving towards the use of software? Also, since undertaking a certification is akin to a project, why not use project management software?
 
AndyN

Hi Feldspath, welcome!

The use of such software shouldn't really depend too much on the maturity of the BCMS. You can help it build what you have to have, for sure. You are correct, also, that the implementation IS like a project, so should be managed like one, too. Software for either is likely to be different, although the BCPS might have some PM aspects built in (I've not used it). PM software ISN'T going to be satisfactory for actually building an ISO 22301 BCMS, however.
 