I normally shy away from long blog posts, but this one is
critical if you are considering getting your business continuity program
certified. BS ISO 22301 seems very hard
to implement at first, but if you understand the requirements of the standard,
it becomes very clear, almost too easy to implement across the organization.
There are only a handful of organization worldwide that
have been certified in BS ISO 22301.
Right now is a great time to get on the certification calendar be one of
those organizations who set the gold standard in Business Continuity.
Below are the 17 steps you will need to do reach program
certification.
Step 1: Management support
Business Continuity will not work if the leadership of
the organization or business does not support the effort. Therefore, it’s critical that leadership
understand and support the program continuously. Your job as a practitioner is to show them
why Continuity planning is necessary, not through scary stories and photos, but
through showing the value the program brings to the organization. Getting their support and commitment is the
first critical step in any Business Continuity effort, but especially in the
certification process.
Step 2: Identification of requirements
This is an easy one.
Identify the requirements of the Business Continuity Program. It’s similar to identifying the business
requirements for a large scale project.
If fact, it’s exactly like that.
But in all honesty, there is really only one requirement
for Business Continuity. If you own, run
or manage a business, you have a requirement. Business Continuity IS the requirement.
If you need a more detailed requirement, you can use BS
ISO 22103 as the requirement and make certification a goal of the program. This will cover everything.
Step 3: Business continuity policy & objectives
Developing clear Business Continuity Policy is critical
to getting the support and resources you will need. In fact, here is the one I use every time.
“[Organization name] will develop, implement and maintain
an actionable Business Continuity Program based on the BS IOS 22301 standard
with support for internal divisions and departments”.
Simple, to the point and it covers everything that
Business Continuity is and needs to be.
This will need to be signed off on by the leadership of the business or
organization and disseminated throughout.
Create goals and objectives that are in line with the BS
ISO 22301 standard. Make BS ISO 22301
certification a primary goal.
Step 4: Support documents for management system
This is a heavy lift.
You will need to get to writing documents that support the program. These support documents include incident
response plans, lifecycle management plans, measurement and continuous
improvement plans, concept of operations, and other documents that support the
overall management of the program.
Step 5: Risk assessment & treatment
Despite me wanting to leave risk management to the risk
management folks, you will have to conduct and annual risk assessment to meet
the IOS 20301 standard. This is not hard
to do, but getting everyone to agree on the risks and mitigations is another
story. Everyone has their own
perspective on what is risk and how it should be handled.
However, it has to be done and the best way to do it is
to use the ISO 27001 Risk Assessment and Treatment standard. It can be applied to both IT systems and BCP
Critical Services.
I have a very simple, but useful template you can
use. If you are interested in getting a
free copy, let me know.
Step 6: Business impact analysis
The Business Impact Analysis is a very useful tool if you
don’t use it the way you are supposed to.
Trying to assess impact before it has occurred is prediction and I leave
predictions to fortune tellers, weather people and economists. But, again it’s
part of the ISO standard, so it has to be done on an annual bases at the very least.
But I have modified it a bit to serve the Business
Continuity Program better. What I need
to know through the BIA are 4 critical elements for each division or department
in the organization.
By division or department:
- What Critical Services does it provide to the
organization?
- What are the Essential Functions that support those
Critical Services?
- Who are Critical Staff or what are the Critical Staff
Roles (internal and/or external) that support those Essential Functions?
- What is required to support the Critical Staff (IT
Systems, Alternate Facilities, Communications, etc.)?
Armed with this information, you can continue to the next
step.
I have a very simple, but useful template you can use for
this too. If you are interested in
getting a free copy, let me know.
Step 7: Business continuity strategy
This is the section where you determine the Continuity
Strategy you are going to use. The one I
have had the most success with I will share with you.
1) Have the
leadership assign (done during Step1 ) from within the organization a Business
Continuity Lead (BCL) and an IT Disaster Recovery Lead (IT DRL). These two roles are the program leads.
2) Have the
leadership assign (done during Step 1) someone from each division and/or
department the Department Recovery Coordinator (DRC) role to work with you
doing the program development process.
The DRCs are responsible for developing plans and recovery strategies
for their division or department. The
people in these roles need to have a clear and good understanding of the
products and services their division or department provides.
3) Have the IT
leadership assigned IT DR Recovery Teams to support the recovery of critical IT
systems
4) The BCL and
the DRCs are the Incident Response Team for divisions and department and the
DRL and DR Recovery Teams are the Incident Response Team for Critical IT
Systems
5) The
Organizational Leadership and the BCL and DRL make up the Crisis Management
Team
6) If you have a
communications department in the organization, they become the Crisis
Communications Team. If not, then the Crisis
Management Team is also the Crisis Communications Team.
The key is to: UTILIZE INTERNAL RESOURCES
The 8.4.2 section of BS ISO 22301 requires establishing
an Incident Response structure and framework.
I create one for Business Continuity and one for IT Disaster
Recovery. This is the process of
responding to incidents, tracking and managing them and it ties into post
incident reviews.
I have templates for incident response. If you are interested in receiving free
copies, let me know.
Step 8: Business continuity plan
This is another heavy lift, however it doesn’t have to be
time consuming. Once you have the
information from step six, you can begin populating plans. Each division and/or department needs to have
a unit plan, or Continuity of Operations Plan.
The combination of these plans along with the Crisis Management Plan,
the Crisis Communications Plan, and all of the support documentation that is
created in step 4 makes up the Business Continuity Plan. There are several templates that you can use
to make things easier. I prefer a
modified version the Continuity of Operations template developed and provided
free of charge from the Federal Emergency Management Agency (FEMA).
If you are interested in getting a free copy of the
modified version of the template, let me know.
Step 9: Training & awareness
Training and awareness is a key requirement for all of
this to function properly. FEMA offers
free awareness training. IS-546.A:
Continuity of Operations Awareness Course:
http://training.fema.gov/EMIWeb/IS/courseOverview.aspx?code=is-546.a
FEMA also offers Independent study courses here:
http://training.fema.gov/IS/crslist.aspx
This will get the organization part of the way. The remaining training must be tailored to the
organization. Here is a list of training
courses you will need.
- Crisis Management Training
- Crisis Communications Training
- Incident Response Training
Step 10: Documentation maintenance
The best way for meet this requirement is to follow the
ISO 9001:2008 standard of the section concerning document control. There is going to be quite a bit of
documentation generated by the program and the 9001:2008 standard will help
control it. I also use document
management systems like Microsoft SharePoint to manage documents and version
control.
Step 11: Exercising and testing
Exercising and testing is the cornerstone of Business
Continuity. A plan not tested and
exercised is not a plan. The Homeland
Security Exercise and Evaluation Program (HSEEP) is, by far, the most
comprehensive program out there. And
it’s free. But first, it would be wise
to take the free exercise training and development courses provided by FEMA
Step 12: Post-incident reviews
Post-incident reviews are necessary to review the
response to an incident and identify gaps.
An After Action/Corrective Action report needs to be developed,
corrective action tasks assigned and suspense dates for corrective actions
defined. You can modify the HSEEP AAR/IP template to meet this requirement.
Step 13: Communication with interested parties
This deals with communication as a whole. Communicating the program, statuses, incident
reporting and communications with external resources and 3rd party
vendors. Constantly communicate what you
are doing, how you are doing it and why is has to be done. You can do this in the form of status report,
newsletters, leadership reviews, awareness training, video information and
other forms of communicating during the Business Continuity Lifecycle (Plan,
Do, Check, Act model). Communicate up
and down the organizational structure often and clearly.
Step 14: Measurement and evaluation
You will have to establish a Lifecycle Management program
that includes performance metrics and evaluation criteria. This is much more simpler than it seems. Some people think you can only measure
Business Continuity when the plan is activated, but that is only a very small
portion of what can be measured. Instead
of going into the details of what can be measured (there are hundreds of
metrics), I can provide you two free templates that cover the most important
things in Business Continuity Measurement and Evaluation. Let me know if you would like the templates.
The Lifecycle Management Plan is part of the Continuous
Improvement Process.
Step 15: Internal audit
Internal auditing is necessary to ensure the program is
accurate and continues to meet the requirement of the BS ISO 22301
standard. Please note that this is an
“Internal’” audit team. This team and
their review criteria are established in the Business Continuity Lifecycle
Management Plan. I have a template for
this. If you are interest in a free
copy, let me know.
Step 16: Corrective actions
Corrective actions are part of the Plan, Do, Check, Act
model, however it needs to be integrated into every step in the BS ISO
standard. The Lifecycle Management Plan
takes on the role of evaluating and developing corrective actions across the
entire program, from development to implementation, activation and incident
response to review and internal audit. I
also have a template for this. If you
are interest in a free copy, leave a comment. This is also part of the
Continuous Improvement Process.
Step 17: Management review
This relates back to the very first step. Management
must have insight and continuous review ability. Invite them to exercises and plan review
sessions. Invite them to review all of
the Business Continuity documentation and strategies. Invite them to be a part of the working
groups. And as always, schedule
management review meetings regularly so they can gain better insight, ask
questions and offer suggestions before the documents and strategies become
active. A monthly In Process Review is
the best way to review the entire program with Management and Leadership. And
as always, generate an After Action Report of the corrective actions that need
to be taken and present the status of open action items results of closed
action items at the next In Process Review.
This is also part of the Continuous Improvement Process.
Another idea is to have management be members of the
Document Review Team for Lifecycle Management.
This way that will have detailed insight into the documents
themselves. I use this method for every
review team I have ever established and it is very effective.
Note: State and federal regulated industries and
governments have additional requirements that you will have to consider in
addition to the 17 steps above. The
federal government alone has many additional rules and requirements related to
Business Continuity in Federal Government and federal agencies, so be sure to
include those in your certification process.
Additional Information
2) If at all
possible, purchase copies of the ISO 27001 and the ISO 9001:2008 standards for
the same store.
3) If you intend
to submit the Business Continuity Program for certification (highly
recommended), be sure to visit the FEMA PS-Prep website
http://www.fema.gov/voluntary-private-sector-preparedness-program-ps-preptm-small-business-preparedness
for information, details and certification requirements.
I also have a BS ISO 22301 auditing template if your Business Continuity Program is already established and you want to evaluate it against the standard. If you would like a free copy, let me know.
Template requests should be sent to Mike Minzes at
info@inevolve.com
Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 years of experience in the Business Continuity and Disaster Recovery Industry.
For more information on INEVOLVE SB, please visit them at GOBCP.NET
.
______________________________________________________