ISO 22301: Societal Security Terminology ISO 22313: BCMS Guidance ISO 22398: Exercises and Testing - Guidance



The Impact of ISO 22301: Moving Your BCM Program to a Management System

Implementing the Newly Approved International Business Continuity Management System Standard & Guidance Documents

We have all sat through presentations on "How to Get and Keep Management Support for Your BCM Program." That problem is now solved. The new question becomes, "How to Implement an Auditable and Internationally-Accepted Business Continuity Management System."

Moving your business continuity program to a management system requires management commitment. It involves embedding business continuity management into the culture of the organization. It is the endgame. It is what we have been seeking. We finally have a standard method for BCM program development and improvement. We no longer need to rely on "Consultant X's Patented Approach." We no longer have to discuss and argue about definitions. The vocabulary is defined.

So how do you begin?

1. Learn about the standards. Buy them. Read them. Study them. Take classes on how to implement them.
2. Benchmark your current program against the requirements of the standards. What's missing? In what areas can you improve your program?
3. Use the guidance documents to guide you through the process (it's why they're there!).
4. Demonstrate to management how the implementation of the standard will increase the resilience of your organization.

Learn About the Standards

ISO 22301: Societal Security - Business Continuity Management Systems - Requirements is one standard in a series of standards developed with the intention, as defined in ISO 22312: Technical Specifications, to "work towards international standardization that provides protection from and response to risks of unintentionally, intentionally, and naturally-caused crises and disasters that disrupt and have consequences on societal functions."

This series of standards addresses public-sector planning and response as well as private-sector planning and response. The intent of ISO 22301 is to provide the structure for an organization to design a BCMS that is appropriate to its needs and that meets its interested parties' requirements. Built upon the foundation of British Standard 25999-1:2007, it provides a framework for both BCM program development and improvement. If you are familiar with the requirements of BS 25999-1 you will note the following changes or modifications:

New! Understanding of the Organization and its Context
The cornerstone of the BCMS should be an understanding of which internal and external factors must be taken into consideration when evaluating risk management and the requirements of interested parties. Terminology has been changed from "key stakeholder" to "interested parties."

Determining the Scope of the System
Organizations must now document and explain exclusions from the scope of the BCMS.

Leadership & Support
The standard is very specific on how management demonstrates its commitment. ISO 22301 also includes the requirements for competency of personnel and for the required resources that were in BS 25999-1.

The Business Impact Analysis & Risk Assessment
New Term! Minimum Business Continuity Objective (MBCO): the minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption. Maximum Tolerable Period of Disruption (MTPD) and Maximum Acceptable Outage (MAO) have been redefined as the "time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable." The combination of Recovery Time Objective (RTO) and MBCO, and the setting of prioritized timeframes for recovery of activities at a minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable, is new language regarding the Business Impact Analysis. Regarding risk management, ISO 22301 specifically points to ISO 31000: Risk Management - Principles and Guidelines as a reference for how to manage risk. Just as in BS 25999, the scope of the risk assessment may be limited to the scope of the business continuity management system. It can also be enterprise risk management, but that is not a requirement of ISO 22301.

Business Continuity Strategy
What is interesting about how ISO 22301 has worded this section of the standard is that it requires the organization to differentiate between how it is going to mitigate identified risks that require treatment, and those activities and their dependencies that need to have strategies developed to stabilize, continue, resume, and recover their operation as well as to mitigate, respond to, and manage impacts. ISO 22313 (Guidance) offers these examples of what this might include.

Establishing Resource Requirements
ISO 22301 draws a direct connection between the outputs of the BIA and RA and the development of risk treatments, including strategies for continuity and recovery. Included in this step is the establishment of resource requirements, with the specific types of resources to be considered (at a minimum) as illustrated in the graphic.

Business Continuity Objectives & the Plans to Achieve Them, Implementing Business Continuity Procedures, and Communication
This section of the standard is where there have been significant changes in both organization and framework. In BS 25999-1, there was an incident response structure with incident management plan content as well as requirements for all types of plans. These requirements remain but have been expanded upon.

Expanded Focus on Communication
In ISO 22301 the focus is much larger in scope and in requirements. In addition to the required incident response structure, there is a focus on communication of business continuity requirements and objectives, as well as a warning and communication structure that is to be used to detect an incident, to monitor an incident, to document an incident, and to communicate during and after an incident. Also included is the need to document what will be communicated, when to communicate, and to whom to communicate. The organization must also establish procedures for receiving communications from interested parties. ISO 22301 has included requirements of ASIS.SPC.1:2009 and NFPA 1600:2010 in this section. As part of the planning stage, the organization must document the following resource requirements:

The following sections included in ISO 22301 do not vary significantly in intent or requirements from BS 25999-1, although they may be organized differently between the two standards:

- Legal and regulatory requirements
- Policy
- Documented information
- Awareness
- Exercising and Testing
- Performance Evaluation, Continuous Improvement, Audit (with the exception that ISO 22301 does not include the requirement for preventive actions)

Benchmark your current program against the requirements of the standards. What's missing? In what areas can you improve your program?
This is where the real work begins. Certifying Bodies often report that 90% of the time and resources required for a certification audit is spent in the preparation for the audit and not in the audit itself. Don't underestimate the time it will take to bring your organization into conformance with a standard. But the upside is that it gives you specific program improvement goals and objectives that should provide for an annual budget.

Use the guidance documents to guide you through the process (it's why they're there!)
Yes, each standard and the guidance documents cost money. You can find out the exact cost by visiting http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_tc_browse.htm?commid=295786

ISO 22300: Societal Security - Terminology: Use this as a reference for how the world is going to be using terms related to business continuity in the future. Consider the need to modify and update how your organization defines terms and the relevance of aligning to international standards (or not).

ISO 22313: Societal Security - Business Continuity Management Systems - Guidance: A great resource for how to interpret the requirements of ISO 22301. It is like having a teacher's guide for the standard. This document is also used by Certifying Bodies as a reference document for understanding the requirements.

ISO 22398: Societal Security - Exercises and Testing - Guidance: Learn how to manage your testing and exercise program. Why are tests pass/fail, while exercises demonstrate improvement of the system? Activities are organized as discussion-based or operations-based. It includes great annexes with examples of how to do everything from creating a scenario to evaluating the exercise itself.

Demonstrate to management how the implementation of the standard will increase the resilience of your organization
This is really where the rubber meets the road, or how you can gain traction. Sometimes program leadership is not interested in aligning their customized and internally created program to a management system. The argument is made that if they tell senior management that changes need to be made, senior management will question the quality of the current program.

Do you want management to believe that they have a state-of-the-art program, only to discover later that it didn't meet the requirements of an international standard? A management system requires continual improvement. A management system involves management. It requires management to demonstrate commitment. The standard provides a baseline for what that commitment looks like and for the requirements of the program leadership. A management system approach (versus the current, often siloed approach) is more efficient and ties to other management systems often already in place in the organization. It can eliminate waste and duplication of services. It embeds BCM into the culture of the organization instead of keeping ownership with a few individuals. A management system is a proven framework for managing and continually improving your organization's policies, procedures and processes. Business units work with a shared vision, with information sharing, benchmarking, and teamwork.

Seeking Third-Party Certification?
ISO 22301 is being considered for adoption by DHS/FEMA as an additional standard that can be used for PS-Prep certification. The addition of the international standard will allow organizations to concurrently fulfill U.S. national interests in preparedness and international trade interests. Show your support for the adoption of ISO 22301 as a PS-Prep standard by writing a letter to FEMA/DHS Administrator W. Craig Fugate. For more information, contact Lynnda Nelson by email at Lynnda@theicor.org.