Monday, March 10, 2014

BS ISO 22301 in 17 Easy Steps

I normally shy away from long blog posts, but this one is critical if you are considering getting your business continuity program certified.  BS ISO 22301 seems very hard to implement at first, but if you understand the requirements of the standard, it becomes very clear, almost too easy to implement across the organization.

There are only a handful of organization worldwide that have been certified in BS ISO 22301.  Right now is a great time to get on the certification calendar be one of those organizations who set the gold standard in Business Continuity.

Below are the 17 steps you will need to do reach program certification.

Step 1: Management support

Business Continuity will not work if the leadership of the organization or business does not support the effort.  Therefore, it’s critical that leadership understand and support the program continuously.  Your job as a practitioner is to show them why Continuity planning is necessary, not through scary stories and photos, but through showing the value the program brings to the organization.  Getting their support and commitment is the first critical step in any Business Continuity effort, but especially in the certification process.

Step 2: Identification of requirements

This is an easy one.  Identify the requirements of the Business Continuity Program.  It’s similar to identifying the business requirements for a large scale project.  If fact, it’s exactly like that.

But in all honesty, there is really only one requirement for Business Continuity.  If you own, run or manage a business, you have a requirement.  Business Continuity IS the requirement.

If you need a more detailed requirement, you can use BS ISO 22103 as the requirement and make certification a goal of the program.  This will cover everything.

Step 3: Business continuity policy & objectives

Developing clear Business Continuity Policy is critical to getting the support and resources you will need.  In fact, here is the one I use every time.

“[Organization name] will develop, implement and maintain an actionable Business Continuity Program based on the BS IOS 22301 standard with support for internal divisions and departments”.

Simple, to the point and it covers everything that Business Continuity is and needs to be.  This will need to be signed off on by the leadership of the business or organization and disseminated throughout.

Create goals and objectives that are in line with the BS ISO 22301 standard.  Make BS ISO 22301 certification a primary goal.

Step 4: Support documents for management system

This is a heavy lift.  You will need to get to writing documents that support the program.  These support documents include incident response plans, lifecycle management plans, measurement and continuous improvement plans, concept of operations, and other documents that support the overall management of the program.

Step 5: Risk assessment & treatment

Despite me wanting to leave risk management to the risk management folks, you will have to conduct and annual risk assessment to meet the IOS 20301 standard.  This is not hard to do, but getting everyone to agree on the risks and mitigations is another story.  Everyone has their own perspective on what is risk and how it should be handled.

However, it has to be done and the best way to do it is to use the ISO 27001 Risk Assessment and Treatment standard.  It can be applied to both IT systems and BCP Critical Services.

I have a very simple, but useful template you can use.  If you are interested in getting a free copy, let me know.

Step 6: Business impact analysis

The Business Impact Analysis is a very useful tool if you don’t use it the way you are supposed to.  Trying to assess impact before it has occurred is prediction and I leave predictions to fortune tellers, weather people and economists. But, again it’s part of the ISO standard, so it has to be done on an annual bases at the very least.

But I have modified it a bit to serve the Business Continuity Program better.  What I need to know through the BIA are 4 critical elements for each division or department in the organization.

By division or department:
  1. What Critical Services does it provide to the organization?
  2. What are the Essential Functions that support those Critical Services?
  3. Who are Critical Staff or what are the Critical Staff Roles (internal and/or external) that support those Essential Functions?
  4. What is required to support the Critical Staff (IT Systems, Alternate Facilities, Communications, etc.)?
Armed with this information, you can continue to the next step.

I have a very simple, but useful template you can use for this too.  If you are interested in getting a free copy, let me know.

Step 7: Business continuity strategy

This is the section where you determine the Continuity Strategy you are going to use.  The one I have had the most success with I will share with you.

1)    Have the leadership assign (done during Step1 ) from within the organization a Business Continuity Lead (BCL) and an IT Disaster Recovery Lead (IT DRL).  These two roles are the program leads.

2)    Have the leadership assign (done during Step 1) someone from each division and/or department the Department Recovery Coordinator (DRC) role to work with you doing the program development process.  The DRCs are responsible for developing plans and recovery strategies for their division or department.  The people in these roles need to have a clear and good understanding of the products and services their division or department provides.

3)    Have the IT leadership assigned IT DR Recovery Teams to support the recovery of critical IT systems

4)    The BCL and the DRCs are the Incident Response Team for divisions and department and the DRL and DR Recovery Teams are the Incident Response Team for Critical IT Systems

5)    The Organizational Leadership and the BCL and DRL make up the Crisis Management Team

6)    If you have a communications department in the organization, they become the Crisis Communications Team.  If not, then the Crisis Management Team is also the Crisis Communications Team.

The key is to: UTILIZE INTERNAL RESOURCES

The 8.4.2 section of BS ISO 22301 requires establishing an Incident Response structure and framework.  I create one for Business Continuity and one for IT Disaster Recovery.  This is the process of responding to incidents, tracking and managing them and it ties into post incident reviews.

I have templates for incident response.  If you are interested in receiving free copies, let me know.

Step 8: Business continuity plan

This is another heavy lift, however it doesn’t have to be time consuming.  Once you have the information from step six, you can begin populating plans.  Each division and/or department needs to have a unit plan, or Continuity of Operations Plan.  The combination of these plans along with the Crisis Management Plan, the Crisis Communications Plan, and all of the support documentation that is created in step 4 makes up the Business Continuity Plan.  There are several templates that you can use to make things easier.  I prefer a modified version the Continuity of Operations template developed and provided free of charge from the Federal Emergency Management Agency (FEMA).

If you are interested in getting a free copy of the modified version of the template, let me know.

Step 9: Training & awareness

Training and awareness is a key requirement for all of this to function properly.  FEMA offers free awareness training.  IS-546.A: Continuity of Operations Awareness Course: http://training.fema.gov/EMIWeb/IS/courseOverview.aspx?code=is-546.a

FEMA also offers Independent study courses here: http://training.fema.gov/IS/crslist.aspx

This will get the organization part of the way.  The remaining training must be tailored to the organization.  Here is a list of training courses you will need.

  • Crisis Management Training
  • Crisis Communications Training
  • Incident Response Training

Step 10: Documentation maintenance

The best way for meet this requirement is to follow the ISO 9001:2008 standard of the section concerning document control.  There is going to be quite a bit of documentation generated by the program and the 9001:2008 standard will help control it.  I also use document management systems like Microsoft SharePoint to manage documents and version control.

Step 11: Exercising and testing

Exercising and testing is the cornerstone of Business Continuity.  A plan not tested and exercised is not a plan.  The Homeland Security Exercise and Evaluation Program (HSEEP) is, by far, the most comprehensive program out there.  And it’s free.  But first, it would be wise to take the free exercise training and development courses provided by FEMA


IS-130: Exercise Evaluation and Improvement Planning: http://training.fema.gov/EMIWeb/IS/courseOverview.aspx?code=IS-130


FEMA HSEEP: Website: https://www.llis.dhs.gov/hseep

Step 12: Post-incident reviews

Post-incident reviews are necessary to review the response to an incident and identify gaps.  An After Action/Corrective Action report needs to be developed, corrective action tasks assigned and suspense dates for corrective actions defined.  You can modify the HSEEP AAR/IP template to meet this requirement.

Step 13: Communication with interested parties

This deals with communication as a whole.  Communicating the program, statuses, incident reporting and communications with external resources and 3rd party vendors.  Constantly communicate what you are doing, how you are doing it and why is has to be done.  You can do this in the form of status report, newsletters, leadership reviews, awareness training, video information and other forms of communicating during the Business Continuity Lifecycle (Plan, Do, Check, Act model).  Communicate up and down the organizational structure often and clearly.

Step 14: Measurement and evaluation

You will have to establish a Lifecycle Management program that includes performance metrics and evaluation criteria.  This is much more simpler than it seems.  Some people think you can only measure Business Continuity when the plan is activated, but that is only a very small portion of what can be measured.  Instead of going into the details of what can be measured (there are hundreds of metrics), I can provide you two free templates that cover the most important things in Business Continuity Measurement and Evaluation.  Let me know if you would like the templates.

The Lifecycle Management Plan is part of the Continuous Improvement Process.

Step 15: Internal audit

Internal auditing is necessary to ensure the program is accurate and continues to meet the requirement of the BS ISO 22301 standard.  Please note that this is an “Internal’” audit team.  This team and their review criteria are established in the Business Continuity Lifecycle Management Plan.  I have a template for this.  If you are interest in a free copy, let me know.

Step 16: Corrective actions

Corrective actions are part of the Plan, Do, Check, Act model, however it needs to be integrated into every step in the BS ISO standard.  The Lifecycle Management Plan takes on the role of evaluating and developing corrective actions across the entire program, from development to implementation, activation and incident response to review and internal audit.  I also have a template for this.  If you are interest in a free copy, leave a comment. This is also part of the Continuous Improvement Process.

Step 17: Management review

This relates back to the very first step.  Management  must have insight and continuous review ability.  Invite them to exercises and plan review sessions.  Invite them to review all of the Business Continuity documentation and strategies.  Invite them to be a part of the working groups.  And as always, schedule management review meetings regularly so they can gain better insight, ask questions and offer suggestions before the documents and strategies become active.  A monthly In Process Review is the best way to review the entire program with Management and Leadership. And as always, generate an After Action Report of the corrective actions that need to be taken and present the status of open action items results of closed action items at the next In Process Review.  This is also part of the Continuous Improvement Process.

Another idea is to have management be members of the Document Review Team for Lifecycle Management.  This way that will have detailed insight into the documents themselves.  I use this method for every review team I have ever established and it is very effective.

Note: State and federal regulated industries and governments have additional requirements that you will have to consider in addition to the 17 steps above.  The federal government alone has many additional rules and requirements related to Business Continuity in Federal Government and federal agencies, so be sure to include those in your certification process.

Additional Information

1)    Purchase a copy of BS ISO 22301 from the BSI store: http://shop.bsigroup.com/ProductDetail/?pid=000000000030207716.

2)    If at all possible, purchase copies of the ISO 27001 and the ISO 9001:2008 standards for the same store.

3)    If you intend to submit the Business Continuity Program for certification (highly recommended), be sure to visit the FEMA PS-Prep website http://www.fema.gov/voluntary-private-sector-preparedness-program-ps-preptm-small-business-preparedness for information, details and certification requirements.

I also have a BS ISO 22301 auditing template if your Business Continuity Program is already established and you want to evaluate it against the standard.  If you would like a free copy, let me know.

Template requests should be sent to Mike Minzes at info@inevolve.com

Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 years of experience in the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET .
 ______________________________________________________

1 Comments:

This comment has been removed by the author.

Post a Comment