
BUSINESS CONTINUITY MANAGEMENT & ISO22301

FREQUENTLY ASKED QUESTIONS


July 2013

Protect

Comply

Thrive

IT Governance Green Paper



Business Continuity Management (BCM) is often described as a business-critical activity, but conversation on the subject is often confused by the parallel concept of Disaster Recovery Management (DRM). Understanding has not been improved by the existence of several different business continuity related standards. In May 2012, however, the publication of ISO/IEC 22301 provided a single standard that replaced the prior dominant standard, BS 25999, while offering greater clarity on the subject. So, what exactly is business continuity management, and how do the current standards relate to one another?

1. What is Business Continuity Management (BCM)?

A range of internal or external risks could negatively impact your organisation. These include a fuel crisis, pandemic, loss of business facilities due to fire, flooding, theft and vandalism, communications failure, industrial action, power failures: any event that interferes with the normal running of your business. Business Continuity Management is the planning process and activities used to identify those aspects of your business activities and resources that are essential or critical. Documented and tested plans are essential if your organisation is to continue with business as usual when there is a civil emergency or business interruption.

The formal definition from ISO/IEC 22301 is: "A holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities."

2. And what is Disaster Recovery Management (DRM)?

One definition is: "the ability of an organisation to respond to a disaster or an interruption in services by implementing a disaster recovery plan to stabilise and restore the organisation's critical functions." On the surface, then, it seems extremely similar to BCM.

3. So, how do the two concepts relate?

A simple way of approaching these two concepts is to view business continuity management as the overall process of identifying and planning to counteract business continuity risks; part of that planning should include recovering the business from a disaster scenario to get it back to normal working.

IT Governance Ltd 2013

BCM-DR-FAQ-v3-EU


In essence, BCM ensures that a business can continue to function while recovering from the disaster. DRM, meanwhile, is a broader process of returning a business or organisation to a state of normality after a disastrous event. This will ordinarily incorporate business continuity, but the focus is upon total recovery.

4. Does BCM really matter?

Statistics indicate that 80% of organisations that are faced with a significant business discontinuity, and do not have adequate and appropriate plans to ensure business continuity, do not survive the event. Sensible organisations take steps well in advance of possible disasters to ensure they will survive them; in today's climate, organisations want to be sure their suppliers and the companies in which they have invested are going to be able to cope. An ISO 22301 accredited certificate provides evidence of due diligence where BCM is concerned.

5. What is ISO22301?

ISO 22301 is an international standard that describes the function of a BCM system. It follows the work established by BS 25999, which was the first formal national (British) standard for Business Continuity Management, published in two parts to worldwide interest in 2007 and 2008.

6. What if we have BS25999 certification?

Although BS 25999 has been superseded by ISO 22301, the United Kingdom Accreditation Service (UKAS) has approved a transition period for certification bodies. From 31 May 2012 to 31 May 2014, all certification bodies are required to reassess organisations that have been certified for compliance with BS 25999. No new certificates or renewals for BS 25999 will be issued after 31 December 2013.[1]

7. How is ISO22301 related to ISO22313?

ISO 22301:2012, published in May 2012, is a specification for a BCM system.

ISO 22313:2012, published in January 2013, is guidance for the implementation of the BCM system described in ISO 22301.

8. What is the difference between the two and are they both equally important?

ISO 22301 provides a framework for an effective BCM system. It provides sufficient clarity that it is the basis for an accredited certification scheme. ISO 22313 provides guidance in implementing ISO 22301. It recognises that organisations have differing needs, and so the information can be followed by organisations anywhere, in whole or in part. The framework and guidance are complementary, but only ISO 22301 is audited for certification.

9. Where can I get copies of the two standards?

Both are available for purchase from ISO distributor, IT Governance:
- ISO/IEC 22301 (Specification)
- ISO/IEC 22313 (Guidance)

10. What are the benefits of BCM and ISO22301?

It is vital that organisations are able to withstand serious incidents such as fire and flooding, and quickly reopen for business as normal or, even better, switch to alternative facilities without losing any business. Even a relatively short interruption to normal activity can seriously damage customer relationships and your reputation. Implementing a best practice BCM system can help to:
- Safeguard your reputation and competitive edge.
- Preserve customer loyalty and trust.
- Protect financial income and key business activities.
- Protect business assets.
- Enhance business recovery following serious discontinuities.




- Support insurance claims.

11. What steps are required to achieve certification to ISO22301?

There is an ISO 22301 certification scheme, and organisations can have their BCM systems audited against the specification contained in the standard. Please contact us (servicecentre@itgovernance.eu) for more information about how you can have your ISO 22301 BCM system independently certified.

12. What other standards exist?

There are two other standards that are important to the business continuity professional, with particular reference to those concerned with IT service continuity and disaster recovery:
- ISO/IEC 24762, the international code of practice for information and communications technology disaster recovery services; and
- ISO/IEC 27031, the guidelines for ICT readiness for business continuity.

13. What is the relationship between ISO/IEC 22301 and ISO/IEC 27001?

ISO 22301 is not part of the framework established in ISO 27001, but there is a degree of overlap in requirements, particularly with reference to ISO 27001's risk management requirements. ISO27001 and ISO22301 certification are independent of one another, although many of the drivers for achieving one form of certification are likely to be common for the other.

14. Are there toolkits that can help me simplify the process of creating a BCM plan?

Yes, there are. One of the most popular is also the most comprehensive: the ISO22301 BCMS Implementation Toolkit. It contains all the templates and tools that will enable a Business Continuity manager to create a BCM plan and develop a Business Continuity Management System (BCMS) in line with ISO22301.




Useful Resources
IT Governance offers a unique range of products and services, including books, standards, pocket guides, training courses, staff awareness solutions and professional consultancy services.

Business Continuity Resources

ISO22301 BCMS Implementation Toolkit: ISO22301 is the international standard for a Business Continuity Management System. This toolkit contains all the templates and tools that enable a Business Continuity manager to quickly implement an effective BCMS in line with ISO22301.

The Route Map to Business Continuity Management: Meeting the Requirements for ISO22301: A guide to implementing an ISO 22301:2012 Business Continuity Management System (BCMS) and achieving certification against the standard. This guide will lead you through setting up, managing and improving a BCMS.

Disaster Recovery and Business Continuity (2nd Edition): Designed specifically for executives with limited time, this is a straightforward, no-nonsense guide to BCM and disaster recovery.

Business Continuity Planning: A Step-by-Step Guide: A consistently popular guide to BCM (but not to BS25999) which comes complete with planning forms on a CD-ROM.

Standards
- ISO/IEC 22301 (Specification)
- ISO/IEC 22313 (Guidance)




IT Governance Solutions
IT Governance source, create and deliver products and services to meet the evolving IT governance needs of today's organisations, directors, managers and practitioners. IT Governance is your one-stop-shop for corporate and IT governance information, books, tools and training. Our products and services are unique in that all elements are designed to work harmoniously together so you can benefit from them individually and also use different elements to build something bigger and better.

Books
Through our website, www.itgovernance.eu, we sell the most sought after publications covering all areas of corporate and IT governance. We also offer all appropriate standards documents. In addition, our publishing team develops a growing collection of titles written to provide practical advice for staff taking part in IT Governance projects, suitable for all levels of staff knowledge, responsibility and experience.

Toolkits
Our unique documentation toolkits are designed to help small and medium organisations adapt quickly and adopt best management practice using pre-written policies, forms and documents. Visit www.itgovernance.eu/t-free_trial.aspx to view and trial all of our available toolkits.

Training
We offer training courses from staff awareness and foundation courses, through to advanced programmes for IT Practitioners and Certified Lead Implementers and Auditors. Our training team organises and runs in-house and public training courses all year round, covering a growing number of IT governance topics. Visit www.itgovernance.eu/c-49-information-security-training.aspx for more information. Through our website, you can also browse and book training courses throughout the UK that are run by a number of different suppliers.

Contact us: www.itgovernance.eu

00 800 48 484 484 servicecentre@itgovernance.eu

[1] http://www.ukas.com/services/Technical_Bulletins/BCM_BS25999_to_ISO_22301_Transition.asp


