CHAPTER 4: BCM STANDARDS

Throughout the history of BCM, there have been noticeable variances in understanding, implementation, and requirements across the world. These were caused by a local and isolated approach to BCM that neglected international and cross-border effects. As the world effectively moved closer together, the BCM industry needed a push towards standardization. In 2003, the British Standards Institution (BSI) took a major step forward and issued a publicly available specification (PAS) addressing business continuity management, PAS 56. PAS 56 remained in circulation until late 2006, when the BSI issued BS25999, the first British BCM Standard, intended from the outset to be adopted globally.

The International Organization for Standardization (ISO) built heavily on BS25999 to draft the first ISO Standard on BCM, published in 2012. With the release of this Standard, it is fair to say that BCM has reached an acceptable level of standardization and acceptance across the world.

ISO22301 societal security – business continuity management systems – requirements5

This Standard is the first ISO Standard on BCM. Together with ISO/IEC 27031, Guidelines for information and communication technology readiness for business continuity (IRBC), ISO provides organizations and BCM practitioners with a complete, integrated package of standardization.

The Standard is based on the widely adopted Plan-Do-Check-Act (PDCA) model and follows the common high-level structure shared by the other ISO management system standards. These features should ease integration with standards such as the ISO9000 series and the ISO14000 series.

Although BS25999 is the major foundation for ISO22301, there are still some differences between the two Standards. The most considerable difference is that the ISO Standard does not treat MTPD as a continuity specification. Rather, it emphasizes the RTO, the RPO, and the minimum business continuity objective (MBCO) as the main criteria for setting the organization’s pain threshold.

The Standard is divided into 10 sections (clauses) that cover the overall activities of BCM programs, or business continuity management systems (BCMSs), as the Standard refers to them. In the context of discussing this Standard, BCMS and BCM program are used interchangeably. The Standard’s sections are:

1 scope

2 normative references

3 terms and definitions

4 context of the organization (general requirements)

5 leadership

6 planning

7 support

8 operation

9 performance evaluation

10 improvement.

Scope

Within this section, the Standard defines the intended uses of its specifications and requirements: the design and implementation of a BCMS, as well as its internal and external certification, assessment, and compliance.

The Standard stresses that a BCMS must be flexible enough to meet the requirements of the organization’s various stakeholders.

Terms and definitions

ISO22301 uses a set of definitions similar to those used by BS25999, yet there is no reference to MTPD. The Standard uses the RTO, RPO, and MBCO as continuity specifications. The RTO is the target time for resuming an activity after a disruption; the RPO is the point in time to which data must be recovered, and therefore the maximum acceptable data loss expressed as a period of time; the MBCO is the minimum acceptable level of services and operations to be recovered.

Context of the organization (general requirements)

This section discusses the high-level, or general, requirements for the BCMS: understanding the organization and its context, the needs and expectations of interested parties, and the scope of the BCMS.

Leadership

This section discusses the management commitment and involvement in the BCMSs, or BCMS governance. In particular, the section discusses the main features of the BCM policy as well as organizational roles, responsibilities, and authorities.

The main features of the BCM policy are relevance, practicality, and reviewability. As for the organizational roles, responsibilities, and authorities, the main features are the establishment of effective roles and responsibilities as well as reporting related to BCMSs.

Planning

In this section, the Standard lists the features of the BCMS objectives and of the plans that the implementing organization needs to devise in order to achieve them. The plans need clear timeframes as well as specific roles and responsibilities, and they should include the actions needed to manage the internal and external threats to the BCMS itself.

Support

This section sets out the requirements for the activities that support the BCMS; delivering them well is a success factor for the implementation. These activities are:

  • resources
  • competence
  • awareness
  • communication (external and internal)
  • documented information (documentation control and management).

Operation

This section represents the core of the Standard as it contains the various detailed requirements of the BCMSs. The Standard divides the activities of the BCMSs as follows:

  • Preparation: preparation is mainly focused towards requirement gathering, scoping, and goal setting.
  • Planning: the planning part includes the requirements for kicking off the BCMS activities, starting with the development of the BCM policy. As in BS25999, the primary activities that follow are the business impact analysis and the risk assessment. The next activity is the definition of the BCM options, known as the BCM strategy in BS25999. Alongside the BCM options come protection and mitigation, discussed above as risk treatment plans.
  • Performing: here the requirements center on the plans and structures that would be activated in the event of disasters or crises. The Standard sets the main features for establishing these plans and structures. The Standard pays special attention to the early detection of disasters and incidents. For the response, the Standard divides the plans into response procedures and business continuity plans. Response procedures concern the initial response to the incident and the management of the recovery activities. The business continuity plans concern the recovery and continuity of activities to minimal acceptable levels. The Standard also lists the requirements for returning to normal business conditions following the end of disasters.
  • Checking: after the development of the various plans, there should be verification of their contents through effective exercising, testing, and monitoring. Doing these activities properly would identify hidden, or forgotten, gaps as well as enhance the applicability and knowledge of such plans.
  • Reviewing: this part discusses the main requirements for the review of the BCMS by management. Through the listed requirements, management would know where the BCMS activities stand against the set objectives, legal and regulatory requirements, standards and best practices, and the BCM policy.

Performance evaluation

In this section, the Standard sets the main requirements for evaluating the BCMS: monitoring, measurement, analysis, and evaluation of its performance; effective audits, especially internal audits; and management review.

Improvement

Completing the logical sequence of requirements, the review and performance evaluation would trigger an improvement process to fill the identified gaps. In addition, the BCMSs should grow and mature in order to enhance readiness levels and capabilities. In this section, the Standard lists the main requirements for improvements, especially the ones required by audits and reviews.

ASIS SPC.1-2009 organizational resilience: security, preparedness, and continuity management systems requirements with guidance for use6

This Standard is issued by the American National Standards Institute (ANSI) in coordination with ASIS International (ASIS), the leading organization for security professionals within the United States.

ASIS SPC.1-2009 integrates the areas of information security, BCM, and operational continuity within a unified view of the organization’s capability to manage and recover from crises and incidents caused by failures in any of these areas. In other words, it provides a road map for building organizational resilience (OR). This combination is logical and does not contradict the other standards, since disasters and crises may be triggered by failures in information security measures as well as in the other areas within the focus of BCM.

The Standard suggests PDCA as a methodological approach for implementation and enhancement of OR.

This comprehensive Standard has two main parts:

  • OR management system requirements: This part lists the requirements in different areas that the organization should fulfill to build, maintain, and certify acceptable levels of OR.
  • Annex A: Guidance on the use of the Standard: Annex A provides additional information on implementing the Standard’s requirements to achieve acceptable levels of OR.

There are other sections within the Standard as well:

  • Scope: This section identifies the main applicable scenarios and objectives that the Standard supports. Its main use is to assure and demonstrate the conformity of OR implementations, internally or externally.
  • Normative references: Normative references are the documents referenced within the Standard and those that integrate with it. The Standard refers to ISO Guide 73:2002, Risk management – Vocabulary – Guidelines for use in standards. It also refers to ISO9001:2000, ISO14001:2004, ISO/IEC 27001:2005, and ISO28000:2007 as integrated standards.


OR management system requirements


Figure 25: OR management system flow diagram7

This part forms the core of the Standard as it lists the various requirements for an effective OR management system. The requirements span a sequence of phases, similar to the BCM life cycle, of six stages:

1 Know your organization

2 Policy

3 Planning

4 Implementation and operation

5 Checking and corrective actions

6 Management review.

Know your organization

In this stage, the scope of the OR management system and the boundaries of the organization are defined. An initial identification of likely threat and risk scenarios is also conducted.

Policy

Similar to the BCM policy, the policy in the OR management system documents and demonstrates management’s commitment to protecting the organization, to the effective implementation of the OR management system, and to the allocation of sufficient resources for that implementation. The policy needs to be reviewed and approved by top management and communicated to the relevant stakeholders. As with any other policy, it needs to be reviewed periodically or upon significant change within the environment or the scope of the program.

Planning

The planning stage in the OR flow matches the “understanding the organization” and “strategy” stages in the BCM life cycle where the activities of BIA, threat and risk assessment, and strategy take place. This stage gives special consideration to legal and other types of requirements. In this stage, the organization defines the required objectives and action programs to fulfill the requirements.

Implementation and operation

This stage is similar to “implementing BCM response” in BS25999. Here the Standard discusses the resources and framework for implementing an effective OR management system in terms of roles and responsibilities, authorities, financial and administrative support, competencies and training, and communication.

The Standard covers the required documentation for the OR management system. The documentation set includes:

  • OR policy and objectives
  • OR scope
  • description of OR program components
  • OR records
  • other necessary records required to support OR.

The OR management system requirements extend to cover the areas of incident prevention, preparedness, and the required response in terms of planning, testing, and review. It lists the general features that should be present in the plans relevant to this area.

Checking

Within this section, the Standard lists the general requirements for the ongoing monitoring and measurement of threats and the performance of the overall OR management system.

The checking includes compliance checks as well as the exercising and testing activities. The Standard also sets out the main features of the corrective and preventive actions that follow checking.

Within the checking stage, the Standard discusses aspects of internally auditing the OR management system and the requirements in that area.

Management review

Management review is the stage through which the OR management system’s components and elements are kept updated and current. The Standard lists the inputs and outputs of the review process.

Annex A: guidance on the use of the Standard

This forms the second main part of the Standard. If we want to create an analogy, the OR management system requirements part is analogous to “BS25999-2 (specifications)” and “Annex A: guidance on the use of the Standard” is analogous to “BS25999-1 (code of practice).” Understanding this analogy is essential in understanding the Standard and its relationship and integration with the other relevant BCM standards implemented in the world.

The guidance provides additional instructions, tools, and information that can help an organization through the implementation program of the OR management system; its sections therefore follow the same structure as those of the requirements part. The auditable and certifiable part of the Standard is the requirements part. Other parts, including Annex A, fall outside the certification and audit scope.

In the following sections, we shall provide an overview of the information and tools included in Annex A.

General requirements

This section outlines the general requirements and main activities included in the OR management system.

Policy

The policy section is entirely focused on the creation of the OR policy as a governing umbrella for the relevant programs and activities.

Planning

Planning includes the activities of risk assessment and impact analysis. A distinctive feature of this Standard is that it gives heavier weight to risk assessment than other standards do. The idea behind this is that the more mature the organization becomes in risk assessment, the lower the probability and impact of disasters become. This is a valid idea as long as the reactive parts of the program, response and recovery, are not neglected.

This section lists the main features of the risk assessment and impact analysis processes and the factors to consider when performing such processes. The Standard also lists the term “maximum acceptable outage time,” which matches the “maximum tolerable period of disruption” in the BS25999 Standard.

Some consideration is also given to legal requirements and to other relevant requirements. Many laws, regulations, and statutory requirements bear on BCM, information security, risk management, and related areas, and the OR program must comply with them; that is why the Standard focuses on legal requirements.

Setting objectives, targets, and programs is also included within this section. These represent the organizational requirements of the OR program and will be implemented across the organization.

Implementation and operation

This section covers the tactical implementation of the OR management system. The tactical implementation covers several main areas that are each translated into practical implementation programs.

The first is related to roles and responsibilities, resources, and authority. The OR management system needs an administrative and authoritative structure that can support its objectives and goals.

The second area is training and awareness, which aims to build the competencies and skills required by the OR management system.

The third is for the communications and alerts of the OR management system. It is of critical importance in times of crisis to establish proper and effective communication channels and programs as they help to reduce the impact and invoke resources as required by the recovery process.

The fourth area is the documentation requirements of the OR management system and the control process for these documents.

The fifth is operational control, which is similar to the activities of the BCM manager and the BCM team in addition to the BCM coordinators. The main objective of operational control is making sure that the implementation programs are being run as planned and that changes are being reflected and updated.

The sixth area is incident prevention and management. Similar to the incident management and CMPs, this area lists the requirements and features of the plans and preparations required to reduce and effectively manage incidents affecting OR.

Checking

Checking is the phase where the OR management system and its performance are benchmarked against its own objectives and targets to make sure that they are being met and achieved. It includes the activities of monitoring and measurement of different aspects to trigger corrective or preventive actions. It also includes the activities of testing and exercising, compliance checking, and internal audit.

Management review

Management review provides the OR management system with the process to maintain, update, and enhance resilience levels by reflecting changes to the system as well as leveraging ongoing enhancement in resilience preparations, skills, and capabilities.

5 International Organization for Standardization. ISO22301:2012 Societal security – Business continuity management systems – Requirements (2012).

6 ASIS International. ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems Requirements with Guidance for Use. (2009).

7 ASIS International. ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems Requirements with Guidance for Use. (2009).
