
ISO 22301 Consulting

What is ISO 22301?

A Business Continuity Management System (BCMS) ensures an organization’s resiliency in recovering its infrastructure and operations after a disaster. ISO 22301 defines the requirements that an organization must apply to certify a BCMS. To comply with the ISO standard, an organization needs to document the development, implementation, operation, monitoring and review, maintenance, and continuous improvement of its BCMS. A complete BCMS requires documentation, just as an ISMS does. These documents include:

  • Risk Assessment (can be the same as from ISO 27001 or another management system).
  • Business Impact Analysis.
  • Recovery Strategy Analysis.
  • Recovery Plan(s).
  • Metrics.
  • Exercises and Results.
  • Audit results.

What does it provide to you?

A certified BCMS provides you with a clearly defined scope of the management system, so that management has a clear understanding of the activities (functions) that are performed, the existing infrastructure that supports or enables those activities, and the policies and procedures that allow for an effective and cost-efficient recovery in the event of an outage. The BCMS provides clearly defined recovery requirements, which include identifying and prioritizing all activities and their enabling resources. It ensures clearly defined and pre-approved policies and procedures for operational and infrastructure recovery, so that the organization can resume operations within acceptable time frames and at acceptable cost. In short, a certified BCMS provides clear recovery guidance so that an organization can continue providing services to its clients within an acceptable time after a disruptive event.

It’s true that, given unlimited time and unlimited funds, any organization can recover from any disaster. The key points for having a viable recovery capability are:

  • Knowing exactly all of the functions that are performed and how quickly or slowly they must be recovered before the loss of any given function becomes unacceptable.
  • Knowing all of the resources required for each function. Resources include personnel, IT systems, and data interdependencies.
  • Knowing the recovery strategies that will be used in the event of a disaster, to reduce and hopefully eliminate confusion. Also, if you know exactly where you’re going to relocate operations, you will get there first. Remember – a regional disaster will affect others in the area, and if you know when to declare a disaster and implement strategies that have been pre-approved, you come out of the starting blocks faster than the other guy.
  • Having a plan that includes pre-approved decisions, strategies and procedures allows for a smooth transition from normal operations to crisis response without confusion.
  • The other benefit of pre-approved decisions and strategies is that they allow for a delegation of authority should a disaster occur without the “normal” executives available to approve response and recovery activities.
  • Proving to clients that you are there for them, regardless of what happens.  It instills confidence in an organization’s ability to provide essential services.

How do we do it?

Unlike ISO 27001, which is driven by the information, ISO 22301 is driven by the activities that are performed. Project scope is determined through conversations with you to ascertain which facilities, departments or other sub-organizations are to be included in the BCMS.

Business Continuity Planning (BCP) provides the policies, assessments, requirements, priorities, strategies and procedures necessary for the effective and cost-efficient, time-phased recovery of an organization’s activities (functions). A complete BC management system (BCMS) also includes effectiveness measures, training, exercises, and continuous monitoring methods and metrics. An ISO 22301 engagement is broken down into three (3) phases, each with its own deliverables as listed below.

The first phase focuses on analyzing recovery requirements; the second phase is where we develop the plans themselves. The Analysis Phase assumes that the organization has a current Risk Assessment. If this is not the case, we will use Pivot Point’s ISO 27001 Risk Assessment Process.

There will always be at least two plans – a recovery plan and the exercise plan. A recovery plan comes in two flavors: one that focuses on the IT infrastructure and one that focuses on recovering business functions. An IT Business Continuity Plan (ITBCP), as used by Pivot Point Security, is often referred to as a Disaster Recovery Plan (DRP). This is an IT-centric/IT-specific recovery plan. An ITBCP only addresses the recovery of IT infrastructure and the functions conducted in a data center (e.g. help desk, system engineering). A functional BCP provides for the recovery of all functions within the project scope, which will almost always include the data center.

Once all plans in the project have been developed and approved, the third phase is where we write the documents required by the ISO standard for managing the BCMS. The training plan will be geared to the personnel competencies of the recovery-related roles. Roles will include: Executive Sponsor and Executive Response Team, Organization Recovery Coordinator, Departmental Recovery Representatives, and Recovery Team Members. BCMS metrics and audit plans will be based on a set of core requirements but will be tailored to each individual client.

ISO 22301 Roadmap