Business Continuity / ISO22301 Consulting

Prepare for Disruptions & Disaster Recovery Management with ISO 22301 Consulting

Pivot Point Security provides ISO 22301 consulting services to help organizations develop and maintain a Business Continuity Management System (BCMS). Our team of experienced professionals will work together with your organization to:

  • Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
  • Identify, document, and implement strategies to recover critical business functions and processes.
  • Organize a business continuity team and compile a business continuity plan to manage a business disruption.
  • Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.

With Pivot Point Security’s expertise in Business Continuity, you can be confident of attaining and maintaining ISO 22301 certification.

What is ISO 22301?

A Business Continuity Management System (BCMS) ensures an organization’s resiliency in recovering its infrastructure and operations after a disaster. ISO 22301 defines the requirements that an organization must apply to certify a BCMS. To comply with the ISO standard, an organization needs to document the development, implementation, operation, monitoring and review, maintenance, and continuous improvement of its BCMS. A complete BCMS requires documentation, just as an ISMS does. These documents include:

  • Risk Assessment (can be the same as from ISO 27001 or another management system).
  • Business Impact Analysis.
  • Recovery Strategy Analysis.
  • Recovery Plan(s).
  • Metrics.
  • Exercises and Results.
  • Audit results.

What does it provide to you?

A certified BCMS provides you with a clearly defined scope of the management system so that management has a clear understanding of the activities (functions) that are performed, the existing infrastructure that supports or enables those activities and the policies and procedures that allow for an effective and cost efficient recovery in the event of an outage. The BCMS provides clearly defined recovery requirements which include identifying and prioritizing all activities and their enabling resources. It ensures clearly defined and pre-approved policies and procedures for operational and infrastructure recovery so that the organization can resume operations within acceptable time frames and within acceptable costs. In short, a certified BCMS provides clear recovery guidance so that an organization can continue providing services to their clients within an acceptable time subsequent to a disruptive event.

It’s true that with unlimited time and unlimited funds, any organization can recover from any disaster. The key points for having a viable recovery capability are:

  • Knowing exactly all of the functions that are performed and how quickly or slowly they must be recovered before the loss of any given function becomes unacceptable.
  • Knowing all of the resources required for each function. Resources include personnel, IT systems, and data interdependencies.
  • Knowing the recovery strategies that will be used in the event of a disaster, to reduce and hopefully eliminate confusion. Also, if you know exactly where you’re going to relocate operations, you will get there first. Remember – a regional disaster will affect others in the area, and if you know when to declare a disaster and implement strategies that have been pre-approved, you come out of the starting blocks faster than the other guy.
  • Having a plan that includes pre-approved decisions, strategies and procedures allows for a smooth transition from normal operations to crisis response without confusion.
  • The other benefit of pre-approved decisions and strategies is that they allow for a delegation of authority should a disaster occur without the “normal” executives there to approve response and recovery activities.
  • Proving to clients that you are there for them, regardless of what happens. It instills confidence in an organization’s ability to provide essential services.

How do we do it?

Unlike ISO 27001, which is driven by the information, ISO 22301 is driven by the activities that are performed. Project scope is determined through conversations with you to ascertain which facilities, departments or other sub-organizations are to be included in the BCMS.

Business Continuity Planning (BCP) provides the policies, assessments, requirements, priorities, strategies and procedures necessary for the effective and cost-efficient time-phased recovery of an organization’s activities (functions). A complete BC management system (BCMS) also includes effectiveness, training and exercises, and continuous monitoring methods and metrics. An ISO 22301 engagement is broken down into three (3) Phases, each with its own deliverables as listed below.

The first phase focuses on analyzing recovery requirements; the second phase is where we develop the plans themselves. The Analysis Phase assumes that the organization has a current Risk Assessment. If this is not the case, we will use Pivot Point’s ISO 27001 Risk Assessment Process.

There will always be at least two plans – a recovery plan and the exercise plan. A recovery plan comes in two flavors: a recovery plan that focuses on the IT infrastructure and one that focuses on recovering business functions. An IT Business Continuity Plan (ITBCP), as used by Pivot Point Security, is often referred to as a Disaster Recovery Plan (DRP). This is an IT-centric/IT-specific recovery plan. An ITBCP only addresses the recovery of IT infrastructure and the functions conducted in a data center (e.g. help desk, system engineering). A functional BCP provides for the recovery of all functions within the project scope, which will almost always include the data center.

Once all plans in the project have been developed and approved, we will write the documents required by the ISO standard for managing the BCMS. The training plan will be geared to the personnel competencies of the recovery-related roles. Roles will include: Executive Sponsor and Executive Response Team, Organization Recovery Coordinator, Departmental Recovery Representatives, and Recovery Team Members. BCMS metrics and audit plans will be based on a set of core requirements but will be tailored to each individual client.

What is ISO 22301 Certification?

ISO 22301 is the international standard for business continuity management (BCM). ISO 22301 helps organizations prevent, prepare for, respond to, and recover from disasters and other unplanned, disruptive events. Achieving ISO 22301 certification enables a company to prove that it meets the requirements of the ISO 22301 standard, while also demonstrating its commitment to business continuity. Strong business continuity practices reduce risk not only for the ISO 22301 certified company, but also for its customers, partners, investors, and other stakeholders.

What is ISO 22301 business continuity framework?

A business continuity management system (BCMS) that aligns with the ISO 22301 standard provides a policy and operational framework for efficient and effective disaster recovery and ongoing business continuity. ISO 22301 offers procedural guidance to help organizations develop plans that prevent, prepare for, respond to, and recover from disasters and other disruptions. An overarching business continuity plan (BCP) or framework is fundamental to ensuring business continuity as part of an overall risk management strategy.

What is the definition of business continuity management ISO 22301?

The purpose of business continuity management is to ensure organizational resiliency to recover infrastructure and operations following a disaster. ISO 22301 is an internationally recognized standard that defines the requirements an organization must meet to ensure a robust Business Continuity Management System (BCMS).

How to get ISO 22301 Certification?

One of the major advantages of aligning with the ISO 22301 standard versus other business continuity frameworks is that an accredited assessment body (a registrar) can certify you as compliant—the highest standard of proof for customers, investors, management, and other stakeholders.

Any organization of any size or industry can benefit from ISO 22301 certification and applying the standard to their operations. ISO 22301 certification could be considered mandatory for businesses that are legally required to perform contingency planning, such as energy, transportation, healthcare, and other critical infrastructure entities.

What is the ISO 22301 Certification process?

A formal ISO 22301 certification is performed by an accredited third-party assessor. The process consists of a review of business continuity management system (BCMS) processes against a checklist of ISO 22301 requirements. If all requirements are met, the second phase of the assessment evaluates whether the implementation and operation of the controls are effective as defined by ISO 22301. Firms that pass both audit steps are awarded an ISO 22301 certificate, which is valid for three years.