In May 2012, ISO 22301:2012 Societal security – Business continuity management systems – Requirements was finally released. This international standard will replace BS 25999-2:2007 Business Continuity Management Specifications in November 2012. On 26 July 2012, we became the first UK organisation to achieve certification to the new standard.
This article aims to provide some guidance to any organisation that is considering achieving certification based on the lessons learnt by us during the process. The article is broken into 3 parts: why we transferred our BCMS to ISO 22301; the process that we went through to achieve certification; and the challenges we faced in gaining certification.
Why transfer to ISO 22301?
There are numerous reasons to become certified to ISO 22301, but we felt there were two fundamental reasons for updating our BCMS to certify with ISO 22301:
Internationally recognised competitive advantage.
The revision of the standard has made it more meaningful, precise and relevant than BS 25999.
When putting together our BCMS for the ISO, we were in an enviable position. Within the organisation, we had three qualified lead auditors, which meant there was a sound understanding of the process of preparing for BS 25999 certification. Making full use of that knowledge base, the steps we took to prepare our BCMS were:
Conducted an internal audit of our old BCMS against the new ISO, thereby identifying potential non-conformities;
Re-ordered our BCMS so that it followed the ISO chapter headings, making it easier for the external certifying body to audit the system.
Took the opportunity to subject all our BC arrangements and documents to thorough review and update.
There were some changes required to the BCMS, although the process was surprisingly ‘labour un-intensive’ as there is significant cross-over between the two standards. The main changes that we found we needed to implement were:
What was previously the Corrective Action and Preventive Action Log needed to be split, as the ISO requires, under 8.3.3, a separate protection and mitigation log.
There was a requirement to create a Risk and Opportunity Log, which although similar to Preventive Actions, gives rise to a wider scope that addresses opportunities that could arise from the BCMS.
Whilst our top management has always maintained an active overview of the BCMS, our documentation, particularly in chapter 5, needed to reflect in writing a more enhanced role.
Ensured that the BCMS stated the links between business continuity and the business as a whole, with demonstrable evidence of how it is incorporated into the business processes.
To better demonstrate the accountability of 3rd party suppliers, we took the decision to conduct independent audits of all of our critical outsourced dependencies and incorporated these into Monitoring and Measurement. Part of this included planning to involve those suppliers in our exercise and testing regime.
Enhanced written documentation in relation to understanding the needs and expectations of external stakeholders as part of Context of the Organisation.
The certification process conducted by the accredited body was very similar in framework to a BS 25999 certification, with a two-stage audit process. For those who are unaware of the process:
Stage 1 of the audit is a review of the BCMS documentation.
Stage 2 of the audit is the confirmation of how the BCMS is enabled and implemented.
We found the biggest challenge to certification to ISO 22301 was the requirement to look at our BCMS from an independent position and critically assess the differences between ISO 22301 and BS 25999. Our experience suggests the best person for the job is not the usual business continuity manager or individual with business continuity responsibilities, as they will have owned (and probably authored) the documentation. An individual who possesses the required level of knowledge of business continuity but has not been involved in the day-to-day running of business continuity is the ideal choice, as they will have less preconceived attachment to the BCMS. That said, they too may have preconceived ideas about how documentation should be presented from an ingrained knowledge of BS 25999, and should be encouraged to fully immerse themselves in ISO 22301 in advance of the review.
As all those who have previously been audited can testify, the thought of an auditor arriving can leave some members of an organisation a little apprehensive. From our perspective, we had a new office manager who was nervous as she felt she didn’t have the intimate knowledge of business continuity shared by the rest of the organisation. Whilst there is little that can be done to stop nervousness amongst individual team members (we don’t condone the non-medicated use of beta-adrenergic blocking agents), what was clear from our audit was that the auditor was seeking proof of a depth of knowledge appropriate to the role of the individual in the organisation. This necessitates an imaginative and interactive ‘all staff BC awareness session’ in addition to ensuring that the Crisis Management Team (or its ilk) is familiar with the plans and processes and roles and responsibilities in the event of a disruption.
Our business continuity plan was designed to provide the structure to enable the Recovery Time Objectives (RTO) of critical activities identified in the Business Impact Analysis (BIA) to be met. We took the decision that specific plans for critical activities or events were not required, as our shortest RTO is 18 hours. We use the plan as the enabling structure and thought process on which to base our response to any disruption. This caused some issues with the auditor, who had expected specific contingency plans for all major risks. There is no requirement in the ISO for specific plans; what is stated is:
“The organization shall establish documented plans that detail how the organization will manage a disruptive event and how it will recover or maintain its activities to a predetermined level, based on management approved recovery objectives.”
However, there is a practical challenge in being able to prove to an auditor that the business continuity plan can achieve this. Our response was that specific plans would be required should any of our RTOs for critical activities be time sensitive, but that with 18 hours available a laid-down set of procedures was not essential. At what point something becomes time critical enough to require a specified plan is a matter for each individual organisation to determine and demonstrate.
Whilst discussing business continuity plans, we took the decision to store the plan in a number of locations so that it would always be available at the point of use, whatever the location. Interestingly, whilst this may be ‘best practice’, there is nowhere in the ISO where that is detailed as a requirement.
The final challenge that we faced was with regard to the BIA. During the stage 1 visit, the auditor was satisfied with the content of our BIA, in particular that it:
Identified activities that support the provision of products and services.
Assessed the impacts over time of not performing the activities.
Set prioritised timeframes for resuming the activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable.
Identified dependencies and supporting resources for the activities, including suppliers, outsource partners and other relevant interested parties.
The auditor did, however, feel that “the Operation Manual would benefit from being expanded to include the overall steps of the BIA process which is broadly embedded in the templates that implement the process”. Again, this was outside of the scope of the ISO, and could be perceived as ‘creeping excellence’. However, we took the decision to include a BIA methodology in our BCMS, as it was felt that it would bring operational benefit should the ownership of the BCMS ever be handed over.
The changes from BS 25999 to ISO 22301 were not a great leap into the unknown; rather, it was a process of evolving what was already a robust and workable BCMS. From our perspective, the initial internal audit was crucial to critically analyse the changes required to ensure our BCMS conformed to ISO 22301. The identification of an individual who possessed detailed knowledge of business continuity but had not been involved in the day-to-day running of business continuity was essential to enable the BCMS to be evaluated independently.
Once the independent assessment of the BCMS had been conducted, the changes required were minimal and for the most part procedural. A structured plan to ensure the changes were implemented (which can itself be included in the risks and opportunities log) was followed, which enabled the successful certification to ISO 22301 within 2 months of its release.
Authored by Needhams 1834 Consultants.