Throughout the history of BCM, there have been noticeable variances in terms of understanding, implementations, and requirements across the world. These were caused by a local and isolated approach towards BCM, neglecting the international and cross-border effects. As the world effectively moved closer together, the BCM industry needed a push towards standardization. In 2003, the British Standards Institute (BSI) took a major step forward and issued a publicly available specification (PAS), which was given the code 56, addressing the subject of business continuity management. PAS 56 remained in circulation until December 2006, when the BSI issued the first British, intended to be global, BCM Standard with the code BS25999.
The International Standards Organization (ISO) built heavily on the BS25999 to draft the first ISO Standard on BCM in 2012. With the release of this Standard, it is now possible to say that BCM has reached acceptable levels of standardization and acceptance across the world.
This Standard represents the first ISO Standard on BCM. Together with Standard ISO27031, ICT readiness for business continuity (IRBC), ISO are providing a complete package of integrated standardization to organizations and BCM practitioners.
The Standard is based on the widely adopted Plan-Do-Check-Act (PDCA) approach. Such features should enhance integration with other organizational standards, like the ISO9000 series and the ISO14000 series.
Although BS25999 represents a major foundation for the ISO22301 Standard, there are still some differences between the two Standards. The most considerable difference is that the ISO Standard does not recognize MTPD as a continuity specification. Rather, it emphasizes the RTO and RPO, as well as the minimum business continuity objective (MBCO), as two main criteria for setting the pain threshold for the organization.
The Standard is divided into 10 sections that cover the overall activities of the BCM programs, or the BCM systems (BCMSs), as the Standard refers to them. In the context of discussing this Standard, BCMS and BCM program are used interchangeably. The Standard’s sections are:
1 scope
2 normative references
3 terms and definitions
4 general requirements
5 leadership
6 planning
7 support
8 operation
9 performance evaluation
10 improvement.
Within this section, the Standard defines the uses of its specifications and requirements. These cases cover design and implementation as well as the internal and external certification, assessment, and compliance of BCMSs within organizations.
The Standard stresses the flexibility of the BCMSs to meet the various requirements of the various stakeholders.
ISO22301 uses a set of definitions similar to the ones used by the BS25999 Standard. Yet there are no references to MTPD. The Standard uses the RTO, RPO, and MBCO as continuity specifications. MBCO refers to the minimum acceptable level of services and operations to be recovered.
This section discusses the high-level, or general, requirements for the BCMSs, especially the scoping and needs.
This section discusses the management commitment and involvement in the BCMSs, or BCMS governance. In particular, the section discusses the main features of the BCM policy as well as organizational roles, responsibilities, and authorities.
The main features of the BCM policy are relevance, practicality, and reviewability. As for the organizational roles, responsibilities, and authorities, the main features are the establishment of effective roles and responsibilities as well as reporting related to BCMSs.
In this section, the Standard lists the specific and individual features of the BCMS goals and the plans that the implementing organization needs to devise in order to achieve such goals. The devised plans need to be equipped with clear timeframes as well as specific roles and responsibilities. These plans should also include the actions needed to manage external and internal threats in the context of BCMSs.
This section focuses on the requirements related to the supporting activities of the BCMSs. The right delivery of these activities would be a success factor for the implementation of the BCMSs. These activities are:
This section represents the core of the Standard as it contains the various detailed requirements of the BCMSs. The Standard divides the activities of the BCMSs as follows:
In this section, the Standard sets the main requirements for conducting effective audits of the BCMSs, especially internal audits.
Completing the logical sequence of requirements, the review and performance evaluation would trigger an improvement process to fill the identified gaps. In addition, the BCMSs should grow and mature in order to enhance readiness levels and capabilities. In this section, the Standard lists the main requirements for improvements, especially the ones required by audits and reviews.
This Standard is issued by the American National Standard Institute (ANSI) in coordination with ASIS International (ASIS), which is the leading organization for security professionals within the United States.
ASIS SPC.1-2009 integrates the areas of information security, BCM, and operational continuity within a unified view for the organization’s capabilities to manage and recover from crises and incidents resulting from various failures in such areas. In other words, it provides a road map to build organizational resilience (OR). It sounds logical and does not contradict any of the other standards since disasters and crises may be triggered from failures in information security measures as well as other areas within the focus of BCM.
The Standard suggests PDCA as a methodological approach for implementation and enhancement of OR.
This comprehensive Standard has two main parts:
There are other sections within the Standard as well:
This part forms the core of the Standard as it lists the various requirements for an effective OR management system. The requirements span a sequence of phases, similar to the BCM life cycle, of six stages:
1 Know your organization
2 Policy
3 Planning
4 Implementation and operation
5 Checking and corrective actions
6 Management review.
In this stage, the scope of the OR management system is defined as well as the boundaries of the organization. Also in this stage, an initial identification of likely threats and risks scenarios is conducted.
Similar to the BCM policy, the policy in the OR management system documents and displays the management’s commitment towards protecting the organization, the effective implementation of the OR management system and the allocation of sufficient resources required for such implementation. The policy needs to be reviewed and approved by top management and is communicated to the relevant stakeholders. The policy, as with any other policy, needs to be reviewed periodically or upon significant change within the environment or the scope of the program.
The planning stage in the OR flow matches the “understanding the organization” and “strategy” stages in the BCM life cycle where the activities of BIA, threat and risk assessment, and strategy take place. This stage gives special consideration to legal and other types of requirements. In this stage, the organization defines the required objectives and action programs to fulfill the requirements.
This stage is similar to “implementing BCM response” in BS25999. Here the Standard discusses the resources and framework for implementing an effective OR management system in terms of roles and responsibilities, authorities, financial and administrative support, competencies and training, and communication.
The Standard covers the required documentation for the OR management system. The documentation set includes:
The OR management system requirements extend to cover the areas of incident prevention, preparedness, and the required response in terms of planning, testing, and review. It lists the general features that should be present in the plans relevant to this area.
Within this section, the Standard lists the general requirements for the ongoing monitoring and measurement of threats and the performance of the overall OR management system.
The checking includes compliance checks as well as the exercising and testing activities. The Standard also suggests the main features of corrective and preventive post-checking actions.
Within the checking stage, the Standard discusses aspects of internally auditing the OR management system and the requirements in that area.
Management review is the stage through which the OR management system’s components and elements are kept updated and current. The Standard lists the inputs and outputs of the review process.
This forms the second main part of the Standard. If we want to create an analogy, the OR management system requirements part is analogous to “BS25999-2 (specifications)” and “Annex A: guidance on the use of the Standard” is analogous to “BS25999-1 (code of practice).” Understanding this analogy is essential in understanding the Standard and its relationship and integration with the other relevant BCM standards implemented in the world.
The guidance provides additional instructions, tools, and information that can help an organization through the implementation program of the OR management system. Therefore, its sections follow the same structure as those of the requirements section. The auditable and certifiable part of the Standard is the requirements part. Other parts, including Annex A, are not included within the certification and audit scopes.
In the following sections, we shall provide an overview of the information and tools included in Annex A.
This section outlines the general requirements and main activities included in the OR management system.
The policy section is entirely focused on the creation of the OR policy as a governing umbrella for the relevant programs and activities.
Planning includes the activities of risk assessment and impact analysis. The Standard’s main feature is that it gives heavier weights to risk assessment activities than other standards do. The idea behind this is that the more mature the organization gets in risk assessment, the lower the probability and impact of disasters become. This is a valid idea as long as there is focus on the reactive parts of the program.
This section lists the main features of the risk assessment and impact analysis processes and the factors to consider when performing such processes. The Standard also lists the term “maximum acceptable outage time,” which matches the “maximum tolerable period of disruption” in the BS25999 Standard.
Some consideration is also given to the requirements in the legal area as well as other relevant areas. The world is full of regulations, laws, and statutory requirements relevant to BCM, information security, risk management, and other areas. Therefore, the OR program should be compliant with such laws and regulations. That is why the Standard seems to focus on the legal requirements.
Setting objectives, targets, and programs is also included within this section. These represent the organizational requirements of the OR program and will be implemented across the organization.
This section covers the tactical implementation of the OR management system. The tactical implementation covers several main areas that are each translated into practical implementation programs.
The first is related to roles and responsibilities, resources, and authority. The OR management system needs an administrative and authoritative structure that can support its objectives and goals.
The second area is training and awareness, which aims to build the competencies and skills required by the OR management system.
The third is for the communications and alerts of the OR management system. It is of critical importance in times of crisis to establish proper and effective communication channels and programs as they help to reduce the impact and invoke resources as required by the recovery process.
The fourth area is the documentation requirements of the OR management system and the control process for these documents.
The fifth is operational control, which is similar to the activities of the BCM manager and the BCM team in addition to the BCM coordinators. The main objective of operational control is making sure that the implementation programs are being run as planned and that changes are being reflected and updated.
The sixth area is incident prevention and management. Similar to the incident management and CMPs, this area lists the requirements and features of the plans and preparations required to reduce and effectively manage incidents affecting OR.
Checking is the phase where the OR management system and its performance are benchmarked against its own objectives and targets to make sure that they are being met and achieved. It includes the activities of monitoring and measurement of different aspects to trigger corrective or preventive actions. It also includes the activities of testing and exercising, compliance checking, and internal audit.
Management review provides the OR management system with the process to maintain, update, and enhance resilience levels by reflecting changes to the system as well as leveraging ongoing enhancement in resilience preparations, skills, and capabilities.
5 International Organization for Standardization. ISO/IEC 22301 societal security – preparedness and continuity management systems – requirements (2010).
6 ASIS International. ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems Requirements with Guidance for Use. (2009).
7 ASIS International. ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems Requirements with Guidance for Use. (2009).
3.145.54.55