Many organizations experience a Catch 22 when it comes to Business Continuity Management (BCM). They know they need a plan that implements the procedures to fulfill the organization’s requirements within the critical timeframes when something bad happens. But they don’t fully understand what their requirements are, or really how to identify them.
Does that mean you need to make a plan to write the plan before you can write your plan? Not exactly… but some preliminary groundwork is essential.
Top 3 Business Continuity Management Planning Tips
Here are my top tips on BCM planning to get you started on the path to success.
Tip #1: Download a Free ISO 22301 Checklist and Roadmap
A great way to start off on the right foot with business continuity management planning is to download Pivot Point’s comprehensive (and free) ISO 22301 checklist to make sure you include all the key points in your Business Continuity Plan (BCP).
We’ve also created a free roadmap to guide your preliminary scoping efforts.
The Value of ISO 22301 Certification
These tools provide a high-level overview of what you need to do to prepare and develop an ISO 22301 compliant Business Continuity Management System (BCMS). As our checklist illustrates, developing a BCMS includes performing a Business Impact Analysis (BIA) and a Recovery Strategy Analysis (RSA), writing the BCP, training your people and then exercising the plan. It may or may not actually include achieving ISO 22301 certification, but becoming certified offers a number of valuable benefits:
- You’re plan gives you a competitive advantage. Prospects and current clients naturally have greater confidence in partners who demonstrate robust BCM in accordance with an international standard. This helps open new opportunities and win new business.
- You’re ready if a disruptive event occurs. ISO 22301 certification creates effective operational business continuity plans… period.
- You’re plan will work. This may seem obvious but there are plenty of horror stories of BCP’s failing when they are needed most. Aligning with ISO 22301 ensures your BCP aligns with strategic organizational objectives.
- You’re plan will adapt as your organization changes. ISO 22301 provides for continual improvement of your BCP as your organization continues to innovate and advance.
- You’re a quality partner to your clients. ISO 22301 certification reduces the time needed to respond to requests for proof of a viable recovery capability… AKA you are easier to work with.
Whether you ultimately pursue ISO 22301 certification or not, using the standard as a framework to develop your BCMS will ensure it covers all those little things that people tend to forget about… Like training.
Tip #2: Invest in Employee Training
Training will make or break your BCMS. People laugh when I quote Attila the Hun in this context, but he said it best: “The consequence of not adequately training your huns is their failure to accomplish that which is expected of them.” That says it all right there.
Even some organizations that recognize the criticality of BCM-related training fail to recognize one size of training does not fit all. BCM training must relate specifically to the audience and its role in recovery.
Executive management is probably not going to directly implement IT recovery procedures, for instance. Instead, they’re going to integrate the effectiveness, rapidity and efficiency of recovery with the company’s strategic vision, goals and marketing. Meanwhile, line managers are probably going to be responsible for managing functional recovery within their departments. Training for those two groups needs to reflect their differing responsibilities.
The rank-and-file employees are going to be implementing the associated procedures that enable functional recovery. These “worker bees” bear the brunt of recovery and need targeted training because they must regain functionality while dealing with backlogs in a stressful, confusing environment.
Tip #3: Discover Business Continuity Management Planning First-Hand
To discover BCM best practices first-hand, I recommend attending this year’s Certified InfoSec Conference, which takes place on October 9-11, 2017 in Washington, DC. The agenda will encompass all the leading certified enterprise security standards from an implementation perspective, including ISO 27001, ISO 22301, CSA STAR, FISMA/FedRAMP and SOC.
I’ll be speaking at the conference on Business Continuity Basics and Actionable Insights, as well as conducting a three-hour, pre-conference workshop on Understanding ISO 22301.
BCM is all about doing things smart, efficiently, cost-effective and in line with industry proven requirements. It’s not about blessing a generic “insurance policy” that you pray you never need.
Using the framework afforded by ISO 22301 ensures you cover all the bases, so you know your plan will work when you need it. Planning for BCM isn’t rocket science, but there are a lot of puzzle pieces to fit together. If your team has the time, know-how and patience to put them together, have at it.
If not, contact Pivot Point Security. We can help you put the pieces together to make you successful and create exactly the BCP you need.