A short tour of business continuity management standards

By Werner Verlinden, CIRM, FBCI.

Put at its simplest, a standard is an agreed, repeatable way of doing something. It is a published document that contains a technical specification or other precise criteria designed to be used consistently as a rule, guideline, or definition (1).

Before a standard is elaborated, there are usually already a number of documents in circulation. Among these are professional practices (e.g. DRII PP), good practice guidelines (e.g. BCI GPG), guides, principles, circulars, regulatory requirements and others. Some research on the web and a visit to some of the popular business continuity sites helped me build a small database (which is obviously not exhaustive). Plotting the number of documents on a time axis (based on the date of first publication) led to the following diagram:


The above clearly shows that a considerable number of documents were produced over the timeframe 2004-2008. Looking at the details in the database, I came to the following conclusions:

• In the period 2000-2003, industry-specific bodies (such as BCI and DRII) published their initial good practices and guides, which acted as a catalyst for other organizations.

• In the period 2004-2008, the growth in the number of documents stems from the publication of sector-specific guidelines/requirements (with the finance sector clearly leading the way) and the publication of some initial national standards, some of which are standards against which third-party certification is possible.

• In the period 2007-2009, we witness the publication of national business continuity management standards and, towards the end of this period, the first auditable BCM standards make their appearance.

Although business continuity management finds its historical roots in disaster recovery, it is surprising to see that there are currently more auditable BCM standards than there are auditable disaster recovery standards. Might this be another opportunity for the BSI to develop a specification version of BS25777:2008?

Statistics about how many organizations are compliant with a given standard or, even better, have certified against an auditable business continuity management standard are fairly scarce. The first organizations to do so are clearly benefiting from what is known in marketing terms as the first-mover competitive advantage. In addition, these organizations can count on increased confidence and trust from their customers and partners, because an objective third party has confirmed that a business continuity management system (BCMS) has been appropriately implemented.

It goes without saying that BS25999 has received significant international attention and depending on the source, tens of organizations have already certified against it and apparently a few hundred are underway.

All of this may make people forget that there is yet another level of standards that needs to be considered: the international level. The International Organization for Standardization (ISO) has published the following standards:

• ISO 24762:2007 ‘Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services’ covers requirements for both IT disaster recovery solutions and IT DR providers (with obvious input from SS507:2004);

• ISO PAS 22399:2007 ‘Societal security - Guideline for incident preparedness and operational continuity management’, which follows the internationally accepted Plan-Do-Check-Act lifecycle approach.

Furthermore, work has started on:

• ISO 22301 - currently in stage 30.60 (according to the international harmonized stage codes: see http://www.iso.org/iso/catalogue_detail.htm?csnumber=50038). This addresses ‘Societal security - Preparedness and Continuity Management Systems – requirements’, and will be an auditable BCM standard. With an impressive bibliography (ten business continuity standards referred to, from seven countries), it looks like a lot of groundwork and research is being put into the elaboration of this new standard. I am looking forward to its release (sometime in 2010?) and am curious to see whether this could mean another boost for business continuity management certification!

Author: Werner Verlinden, CIRM, FBCI, is principal consultant BCM & director, Ascure; and a trainer with the BCM Academy.

About Ascure:
Ascure is a qualified and independent operation risk management services provider, specialized in consulting, training and staffing.



(1) http://www.bsi-global.com/en/Standards-and-Publications/About-standards/What-is-a-standard/

• Date: 22nd Jan 2010 • Region: World • Type: Article • Topic: BC general
