Business Continuity Plan Exercise for Outsourced Services

eSBee15

Starting to get Involved
Hello everyone. Just want to check if a company can require their outsourced service providers, i.e. contractors and suppliers, to test their BCP and submit a report to us. Is this part of the ISO 22301 standard requirement or any other ISO standard, or just a good practice to implement?

Thank you.
 

DanBan

Registered
This is not necessarily an ISO requirement but could be part of their contractual obligations to you. Your certification body may audit how YOU are managing your suppliers and part of that will be the checking/DD of their management system.
 

eSBee15

Starting to get Involved
This is not necessarily an ISO requirement but could be part of their contractual obligations to you. Your certification body may audit how YOU are managing your suppliers and part of that will be the checking/DD of their management system.

Thanks @DanBan. Our CB has threatened to issue us an NC for not testing our supplier's BCP. I was surprised since this was the first time this was raised. We have tested our own BCP but I am trying to find out which clause in the standard requires testing of our supplier's BCP.
 

DanBan

Registered
To be clear - YOU do not need to test suppliers' BC plans, they (the CB) will be checking how you are checking on your supplier (think of yourself as acting like a CB). If however there is nothing in the contract between you and the supplier - you may find it difficult to get them to do things like BC exercise and testing. You can obviously support and guide them.

Contract renewal will be the obvious carrot to dangle! :)
 

malasuerte

What standard was being assessed when the CB determined this NC? This is a bogus NC.
 

dimitrz

Lets share Experience
This is a little late in the day, however your CB cannot give you an NC just because you have not tested your supplier's BCP.
They can however give you an NC if you were unable to show with reasonable confidence that your supplier has reasonable Business Continuity measures in place.
Here again note that to what extent you need to show that confidence depends completely upon
a) Nature of your supplier (you can't make demands to a supplier like Microsoft or your local power company)
b) What the dependence criticality is that your business has on your supplier. For example, you don't go asking for BCP & BCMS compliance from your local vendor who supplies you office stationery until and unless your business suffers drastically due to their non-delivery.
 