CHAPTER 12: CERTIFICATION

One could be forgiven for thinking that there is not much point in developing and implementing a BCMS unless certification is achieved. Certainly, a potential customer or client is more likely to be swayed by an organisation that has been awarded a certificate than by one that simply claims that its BCMS meets the requirements of ISO22301. In some organisations, the competitiveness and due diligence drivers may not be as important as in others, yet they may still have the assurance that they have developed and implemented a BCMS according to good, or even best, practice.

But for many, certification is worth the relatively small amount of additional effort and cost.

Essentially, the certification body will be assessing two things: that the BCMS is compliant with the Standard, and that it is being implemented and operated correctly; for example, that the management review process is happening, and that documents are being reviewed and updated.

It is very early days for certification under ISO22301; November 2012 marked the official cut-off for certification under BS25999 and, at the time of writing, the transition arrangements are unclear.

Like other management system standards, the certification process is essentially based upon the auditing of the system itself, and then of the organisation’s compliance with its own system.

System compliance

Typically, the first audit visit looks at how the BCMS meets the requirements of ISO22301:2012.

Sections 4-10 inclusive, the material parts of the Standard, comprise 38 substantive clauses, comprising something in the region of 270 individual compliance indicators, depending upon one’s reading of the Standard. Essentially, the business continuity manager or coordinator needs a thorough understanding of how the BCMS meets all of these requirements, and where the evidence is that supports this.

It is likely that the certification body will want to see at least three months of audit records for the documentation that has been put in place, though, as the Standard is so new, the requirement for evidence of the BCMS being audited may change.

Terms and definitions

ISO22301 differs in some respects from its predecessor, BS25999. ISO22301 has a significant number of terms listed in its section 3 that are not used in the main body of the Standard. Some certification bodies are more particular than others regarding the use of terminology, but there is ultimately no requirement to use all of the terms in section 3 within a BCMS. However, where terms are used that are also listed in section 3, it is important to ensure that their meaning is the same, and where an ‘in-house’ term is used, because it makes sense to keep calling a spade ‘a spade’ within an organisation, then it may be useful to include a terminology table in the BCMS that correlates in-house terminology with that of the Standard.

Section 4 – Context

Some management system standards are a little obsessive about things like context and ‘understanding the organisation’, almost as though people running business don’t really know what is going on and how everything fits together.

However, the logic of this section of the Standard is that the BC arrangements should be clearly based upon a comprehensive assessment of the organisation and how it works, as opposed to simple intuition.

Some organisations will already have documented all, or most, of their contextual issues in a business plan, or a similar document, and there is no reason why this couldn’t simply be referred to by the BCMS; in fact it is more logical and avoids duplication.

At the same time, there will be things that the Standard requires that are not within the business plan, such as a statement of risk appetite.

Essentially, this requirement is for an executive summary of the business and how BCM fits into it.

Some of the more specific, detailed, requirements are:

Risk factors

This information does actually have a useful purpose and should be satisfied by a statement, or list, of threats that are likely to give rise to operational disruption. The list is likely to include the usual suspects, such as:

  • Utility failures
  • Extremes of weather
  • Fire and explosion
  • Information system failures
  • Pandemic illness.

In addition, factors such as proximity to a sensitive installation, or heavy reliance on supply chains based in less stable regions, might be included.

Risk appetite

This is covered in Chapter 3.

The most obvious way of defining risk appetite is in setting the limit(s) of acceptable risk, easily characterised by the position of red, amber and green bands on a risk matrix.

There is no definitive standard for doing this; it is for each organisation to decide where these limits are, and very often they are modified in the light of experience.

Section 3 – Planning

The auditors will be looking for evidence that the BCMS has been developed, and continuously maintained, with the key elements below.

Scope and objectives

The scope should set out clearly which parts of the organisation, which products and services (remember, the Standard continually refers to products and services), and which activities are included, and what the BCMS is there to protect. Objectives should also be clearly stated, so that there is proper justification for implementing the programme, and also so that the programme can ultimately be evaluated against these objectives.

A sensible place to set out scope and objectives is in the Policy (see Chapter 1); they should also reflect statutory, regulatory and contractual duties, and any relevant interests of stakeholders.

In addition, the Standard requires that the acceptable level of risk be stated. This, too, should almost certainly be included in the policy, but it must also be remembered that it is not always possible to state the acceptable level of risk at the outset.

Policy

We have already seen what should go into the policy. The Standard also requires that it should:

  • Include scope and objectives
  • Be approved by top management
  • Be communicated to everyone working for the organisation
  • Be reviewed regularly, and also when changes occur to the organisation.

Resources

There should be some evidence that the organisation has determined what resources are likely to be needed. Remember that the full extent of resource requirement cannot usually be established at the outset. However, the resource statement should include roles and responsibilities for both the command structure and BCM programme management, including the BCM authority and the BCM programme manager.

The Standard does not set out any specifics about financial, and other operational resources, but it makes sense to be able to show that the programme is likely to be sustainable after certification.

Competencies

The principle here is that, if you have not got people with the skills to maintain it, the BCMS is likely to fall into disrepair. A schedule of competencies will be required (see Chapter 2 and Appendix 2), with evidence that there has been a training needs analysis for people who are taking on these roles, and that training is conducted, evaluated and documented.

BCM culture

Basically, if BCM does not become almost an every-day part of the organisation’s activities, it is much less likely to be effective. This is one of the harder parts of BCM to get right, not least because it depends, to some extent, on the will of everyone in the organisation. There will need to be evidence that there are activities aimed at raising awareness of BCM amongst everyone in the organisation, and educating those who are likely to have a greater level of involvement in developing the BCMS and, of course, in the BCM response to an incident.

Awareness activities should aim, not only to raise awareness, but to enhance and maintain it. The programme needs to be continuous or ongoing. There also needs to be evidence of a system for evaluating the effectiveness of awareness activities. This is yet another example of the management system trait of ‘closing the circle’.

Documentation

In addition to the five areas listed above, there are also clear requirements for all the analytical and executable documentation, which will include:

  • Business impact analysis
  • Risk assessment
  • Business continuity strategy
  • Incident response structure
  • Plans, associated procedures, and so on
  • Contact and other resource information.

There are further requirements for documented evidence of exercising, maintenance and review activities, including the preferred corrective and preventative actions. Not only will the existence of these documents be scrutinised, the document control system, or approach, will also be audited.

Section 4 – Implementation and operation

Still looking at how the BCMS meets the requirements of ISO22301, as opposed to how it is actually being implemented, the auditors will be looking for evidence of whether these parts of the Standard listed below have been reflected in the BCMS.

Business impact analysis (BIA)

The BIA will need to identify the activities that support key products and services (remembering that the organisation decides which products and services and, therefore, activities, are in scope), and the impacts arising from the interruption of those activities, over time.

The key elements that will be looked for in the BIA are:

  • A method statement – how the BIA has been, and will be, conducted
  • Activities
  • Time-based impacts
  • MTPD (full activity level) and RTO (minimum activity level)
  • Minimum activity level
  • Priority of activity recovery (recovery timeline)
  • Resources requirements, including outsource providers
  • BCM supplier assurance for outsourced critical activities.

Risk assessment

The existence of a risk register, as described in Chapter 3, should form a substantive part of the evidence for this section. In addition, evidence of the following should be made available:

  • A method statement – how the risk assessment has been, and will be, conducted
  • Impact assessment criteria
  • Risk controls or treatments.

Strategy

Much of this will be set out in recovery plans (see Chapter 5), though the response structure (command structure) and plans for managing relationships with stakeholders and recovery service providers, may well be set out in other planning components, such as the master plan, scenario plans or procedures.

Because of the structure of the Standard, it is a good idea to create a BCM strategy document outlining the major recovery strategies referred to in Chapter 5; so that the auditors can see that the approach to the recovery of activities was established before the response (recovery) plans were developed.

The BCM response

The auditors will look for evidence that executable components in the BCMS are based upon the outputs of the BIA, risk assessment and strategy.

Some of the certification requirements in this section are repeated elsewhere, but evidence will be required of the mechanism for confirming the nature of an incident, activating the response, accessing plans and resources, and communicating internally and externally.

All these requirements can be readily satisfied by well-written plan documents, and a capable, knowledgeable and rehearsed, command structure.

The Standard sets out a fair amount of detail in terms of plans, all of it good common sense and not requiring interpretation here. Suffice it to say that the auditors will need to be able to see that plans are based upon policy, strategy, BIA and risk assessment. These requirements also extend to procedural detail, which should be satisfied if the logical and contextual links between documents are correct.

Sections 5 and 6 – Monitoring, exercising, maintaining and reviewing

The Standard’s requirements in this area should be substantively satisfied by the existence of:

  • An oversight and review body (committee)
  • A documented management review process
  • A documented internal audit procedure and system
  • Maintenance arrangements – essentially the programmed review of documents and other resources
  • A system of raising and processing preventative and corrective actions
  • An exercise programme – documented records of any exercises conducted will be required for the implementation audit.

BCMS implementation

Having satisfied themselves during the first audit that the BCMS itself meets the requirements of ISO22301, auditors will look, in the second audit, to check how well the BCMS is being implemented and used.

It should also be remembered that there may be some non-conformances identified in the first audit, for which the assessor may allow corrective action to be taken, allowing the implementation audit to proceed. In this case, there may well be the need for a considerable amount of work between the two audits.

Section 3 – Planning

Some parts of this section are not truly implementable, but the auditors will look for evidence that, inter alia:

  • The governing body discusses BCM, and demonstrates a commitment to it
  • The BCM policy has been approved and promulgated
  • Roles have been filled
  • Competencies have been identified
  • Training needs have been analysed
  • Training has been arranged, with some having been delivered
  • BCM awareness and education activities are making an impact
  • The document management arrangements and controls are being implemented; and there are no non-conformities with these arrangements.

Section 4 – Implementation and operation

This should be straightforward, yet can be time-consuming.

The auditors will be looking to see how well the developed BCMS has been implemented, and, in theory at least, should not need to refer to the Standard at all.

So, to be successful in this final audit, it will be essential that all the parts of the system have been implemented, and are being operated as much as possible.

The vast majority of assessors really want the organisation to be successful. If experiences with other management systems are anything to go by, they will allow leeway in certain cases where they can see that there has not been enough time to operate every single facet of the system, and where corrective actions are, for example, possible overnight, for reassessment the next day.

Certification

When the certification audit process has been successfully carried out, the lead auditor will normally make a recommendation to the certification body’s certification team, who will make the award.

Naturally, the process does not stop there. There will then be further, continual assessment visits, usually annually, to make sure that the BCMS continues to meet the requirements of the Standard, and reflects any changes to the organisation, and that it continues to be implemented properly.

Keeping documents up to date, executing audits and reviews according to the forward plan, and formally reviewing the BCMS at management level, will all be scrutinised during surveillance visits. Whilst the majority of certification bodies are reluctant to remove certification status, remember that it is within their power to do so.

Any problems identified during these visits can usually be dealt with by corrective action, but, in some cases, this may require a return visit by the auditors to verify what has been done.

Certification bodies

In theory, it does not matter which certification body is used, providing they are UKAS (United Kingdom Accreditation Service) accredited. At the time of writing, the transition from certification under BS25999 to ISO22301 is a little unclear, and whilst certification appears to be available from some certification bodies, the UKAS website indicates that BS25999 remains available for certification until 31 May 2014.

UKAS has the right to decide who can provide certification because it operates under a memorandum of understanding (MoU) with the UK Government, through the Secretary of State for Innovation, Universities and Skills.

UKAS has also set out some requirements for the reassessment (at the end of an existing three year certification term) of organisations registered under BS25999-2, by way of transition to ISO22301.

Rogue traders

There are a considerable number of certification bodies which are not UKAS accredited. It is not illegal for anyone to offer, and provide, certification against standards, but it will be self-evident to most that non-accredited certification by ‘Tom, Dick or Harry’ is probably not worth a great deal, particularly if their consultants have also been responsible for designing and implementing the BCMS in the first place.

It is also theoretically possible that a certification body which is accredited by UKAS for certain other standards, but not for ISO22301, will nonetheless offer certification under ISO22301. This is most unlikely, but any organisation seeking certification under ISO22301 should satisfy itself that its certification body is, in fact, accredited by UKAS for this particular standard.
