ASIS Commissioner Dr. Marc H. Siegel responds to a recent Continuity Central article.
A recent article published in Continuity Central, authored by Paul Kirvan and entitled ‘PS-Prep and Business Continuity Standards’, has generated much confusion because it inaccurately describes the collaborative standards development by ASIS International (ASIS) and the British Standards Institution (BSI). What is utterly perplexing is that Mr. Kirvan is an active participant in the very ASIS and BSI BCM standards development committee he brings into question. We therefore appreciate this opportunity, offered by Continuity Central, to set the record straight.
The intent of the PS-Prep Program is to promote ‘voluntary private sector preparedness’. ASIS has been outspoken in its support of the recommendations of the Sloan Report ‘Framework for Voluntary Preparedness’ prepared by ASIS International (ASIS), Disaster Recovery Institute International (DRII), National Fire Protection Association (NFPA), and Risk and Insurance Management Society, Inc. (RIMS). The document states that:
“It is important for the DHS to recognize that multiple approaches comply with the spirit of Title IX of PL 110-53. Therefore, greater resiliency success will be achieved if businesses are given the freedom and flexibility to determine how they will improve preparedness in a way that best fits their respective business models.” and
“For the private sector to adequately and voluntarily establish preparedness programs, it should be given the flexibility to choose from various standards, guidelines and best practices that best meet the respective organization’s needs for preparedness.”
The three standards (ASIS SPC.1, BS 25999 and NFPA 1600) identified for adoption in the DHS PS-Prep Program represent three distinct approaches to preparedness, and each can improve preparedness. In addition to the three designated standards, the private sector has for quite some time been using other standards, guidelines and best practices to improve preparedness. ASIS has consistently stated that businesses are best served if they are empowered to select any standard (not just the three designated ones) developed by a voluntary consensus standards development organization that allows the organization to build a fit-for-purpose approach to improved preparedness performance.
The decades-tested and proven accreditation and certification process developed by the International Organization for Standardization (ISO) is quite adequate, having received market acceptance and credibility. The wide usage of the ANSI/ISO 9000 and ANSI/ISO 1400 document series in the United States shows that US organizations already use management systems. These standards are accepted as a means of demonstrating performance improvement, unfettered from government involvement in the certification process. ASIS has repeatedly called for use of the existing mechanisms for conformance validation, with all the checks and balances that have been proven in the marketplace.
Adoption or choice of a standard should not be based on pursuing certification, but rather on what best fits the organization’s business mission, objectives and management style to improve its preparedness performance. Certification should only enter into consideration if there is a compelling business case for it. For large organizations that have teams of RABQSA- and IRCA-certified Internal Lead Auditors, there is little incentive to certify under the PS-Prep program. They have an internal mechanism for continual improvement of preparedness and may not be able to justify the cost of third party certification, nor the risk introduced by sharing their risk assessment and impact analysis with an external body. Third party certification is frequently a barrier to small and medium sized businesses and may prove counterproductive in encouraging private sector preparedness. There is a concern that small businesses may fall prey to consultants, training organizations and certification bodies willing to pursue quick certification rather than continual improvement of business and preparedness. With no documented benefits of external third party certification at this time, there is no clear business case to justify the expense of obtaining certification, or the cost of maintaining it, for businesses of any size.
The development of the ASIS Organizational Resilience (OR) Standard was in response to an identified need for a standard that took a holistic perspective on managing disruptive events, using adaptive, proactive and reactive strategies in a balanced approach that reduces both the likelihood and the consequences of a disruption. ASIS members and non-members alike, worldwide, identified the need for a comprehensive standard for security, preparedness, crisis and continuity management to better prevent, avoid, prepare for, respond to and recover from disruptive incidents, building on an enterprise risk management perspective. By utilizing the ISO management system approach, the OR Standard not only can be readily implemented by organizations using other ISO standards, but can also be cost-effectively audited and certified to by an auditing process that is compatible and consistent with the clearly understood methodology of existing ISO standards. By building on the existing ISO model, organizations can leverage their existing management systems. ASIS has been involved in organizational resilience for many years and in several countries. This predates the PS-Prep Program and was not a response to it. The OR Standard has already been adopted as a national standard in several countries and is in the process of adoption in several more, as well as serving as a source document for standards development in ISO.
Regarding the US business continuity standard referred to in the article, ASIS and BSI have launched a joint standard development initiative for a proposed American National BCM Standard. The proposed BCM standard will use the ISO management systems approach and is based on BSI’s BS 25999 Standard (Part 1 – Code of Practice; Part 2 – Specification). It provides a unified approach to BCM on both sides of the Atlantic, effectively eliminating marketplace confusion, and is consistent with any future ISO BCM standard. With the planned reciprocity between the standards, US companies can begin building their business continuity plans immediately using the already mature BS 25999 framework. The close working relationship between business continuity subject matter experts from across the globe will provide the marketplace with a standard that is relevant to both domestic and international business and trade. The proposed American National BCM Standard will allow domestic as well as international certification for those wishing to pursue it. Given that the DHS has committed to consider additional standards in the future, we assume that the DHS will consider adoption of an American National BCM Standard, as well as any future ISO standard.
The proposed BCM Standard is currently in the early stages of development at the working group level, of which Mr. Kirvan is a member. The standards process is completely open, and there is no quiet collaboration taking place behind the scenes as the article implies. The ANSI/American National Standards process does not permit such practices. ASIS International, an ANSI-accredited Standards Development Organization (SDO), fully complies with ANSI’s requirements in the development of standards.
The OR Standard will not be replaced by the proposed Business Continuity Management (BCM) Standard, as they are two different standards. Additionally, neither the OR Standard nor the BCM Standard is based on or contains content from the 2005 ASIS Business Continuity Guideline, with the exception of a few definitions of terms and the guideline being listed as a bibliography reference.
Standards, like the processes they describe, use a continual improvement cycle. All standards evolve and change over time in response to market feedback. This is the true beauty of the private sector, non-regulatory, consensus-based standards development process. Mr. Kirvan asks if the government understands this. A better question is whether the parties that pushed for this legislation understand that standards are market-driven and not government-driven.
It is the view of ASIS International that the DHS PS-Prep Program should incentivize organizations to use what works best for them to improve preparedness. Free trade is supported by an open, transparent standards process, not by individual countries imposing artificial barriers that restrict business decisions. Both the OR Standard and the proposed BCM Standard are applicable in the DHS PS-Prep Program, in addition to many other standards. The market should be the deciding factor in what works best.
In the end, the intent of the PS-Prep program is improved private sector preparedness. It should not be about turf wars or about excluding standards, approaches and disciplines. It should not be about the government picking winners and losers. It should not be a stimulus package for consultants, trainers and certification bodies. The focus needs to return to how private sector organizations can become better prepared in the most cost-effective fashion.
Author: Dr. Marc H. Siegel, Commissioner, ASIS Global Standards Initiative, ASIS International, www.asisonline.org
It seems my recent op-ed piece stirred the ire of ASIS, particularly with my use of ‘disinformation’. So I spent a lot of research time (regrettably non-billable) to refute and split endless hairs on an issue that is really not on most business continuity professionals' radars. And it occurred to me that the real message here is not focusing on DHS, ASIS, BSI, NFPA or others. It should be focused on the consumer.
Standards are certainly a way to evaluate how something is being performed. In time they may even be something to discuss with senior management. However, my original intent in putting out my comments was to speak to the thousands of BC/DR practitioners regarding the Department of Homeland Security's recent decision to recommend three standards for its accreditation program. I've spoken with many practitioners over the past several years about standards, and the one question I get asked most often is: "Which one should I use?"
Practitioners are not concerned about whether ASIS has an organizational resilience standard or a business continuity standard. If anything the presence of the ASIS, NFPA and BSI options - and many others - makes the selection process more difficult. At the moment, users are not overwhelmingly concerned which standard is approved as an American National Standard.
Having been an end user practitioner myself, and having spoken to many users, I believe the issues most practitioners care about are the following:
1. Does the standard address the issue(s) that concern me and my company?
2. Is the standard recognized enough so that senior management may have heard of it (and thus may be more likely to approve my funding requests)?
3. Can the standard be adapted to fit my firm's existing and future requirements?
4. Is it necessary (and affordable) for the company to be compliant with one or more standards?
5. What is the business/operational/competitive/financial impact - if any - of not being compliant with a standard?
6. How will my job/career be affected if the company is not compliant?
The amount of work that goes into standards is significant. Taking a closer look at NFPA 1600 (2007), BS-25999:1/2 and ASIS SPC.1-2009, we can see overlap across the three documents. Just performing a ‘cross-walk’ on the tables of contents shows the overlaps. However, the devil is in the details, and that's where standards developers like to focus. Unless the practitioner analyzing a standard is looking for details, he/she can be equally successful with virtually any standard today.
I stand by my analysis (and it was just an analysis) on the DHS's selections. And I believe there will indeed be changes to the standards in play over the next 18-24 months. Sure, the joint ASIS/BSI standard will up the ante, and the ISO global BC standard ought to raise it even more. I'm not really sure what the ideal situation ought to be, so I support the ‘one standard for all’ philosophy. One standard should be all that's necessary for business continuity. And please, please keep it simple.
BC/DR plan accreditation (according to Title IX) is voluntary. The reality is that ‘voluntary’ will gradually disappear and an accredited BC/DR program will become a competitive necessity. Market forces will increase the focus on BC/DR standards. And I agree with ASIS that BS 25999 makes good sense when selecting a standard to adopt.
In all the noise regarding ‘standards’, we ought not to overlook the Resilience Management Model (RMM), developed by the Software Engineering Institute's CERT at Carnegie Mellon University. It's a very interesting and compelling framework that embraces and overlays BC/DR, security management, and IT operations and service delivery within the context of operational risk management. For once, the silos have been lowered. Where is this important framework amidst all the ‘standards’ hoopla?
To all BC/DR practitioners reading this: be patient. The stream will probably get quite muddy before it clears. Life should be much easier, however, when it finally clears.
Paul Kirvan, FBCI, CISA, CISSP, CBCP is an independent consultant and auditor and a board member of the Business Continuity Institute. The opinions expressed herein are his own and not necessarily those of the BCI.
•Date: 3rd November 2009• Region: US •Type: Article •Topic: BC general
UPDATED 6TH NOVEMBER