Experiences during certification to
By Andrew MacLeod, Needhams 1834.
Why transfer to ISO 22301
There are numerous reasons to become certified to ISO 22301, but we felt there were two fundamental reasons for updating our business continuity management system (BCMS) to certify with ISO 22301:
When putting together our BCMS for the ISO, we were in an enviable position. Within the organization, we had three qualified lead auditors, which meant there was a sound understanding of the process of preparing for certification. Making full use of that knowledge base, the steps we took to prepare our BCMS were:
There were some changes required to the BCMS, although the process was surprisingly ‘labour un-intensive’ as there is significant cross-over between the two standards. The main changes that we found we needed to implement were:
The certification process conducted by the accredited body was very similar in framework to a BS25999 certification with a two stage audit process. For those who are unaware of the process:
We found the biggest challenge to certification to ISO 22301 was the requirement to look at our BCMS from an independent position and critically assess the differences between ISO 22301 and BS 25999. Our experience suggests that the best person for the job is not the usual business continuity manager or individual with business continuity responsibilities, as they will have owned (and probably authored) the documentation. An individual who possesses the required level of knowledge of business continuity but has not been involved in the day-to-day running of business continuity is the ideal choice, as they will have less preconceived attachment to the BCMS. That said, they too may have preconceived ideas about how documentation should be presented, from an ingrained knowledge of BS 25999, and should be encouraged to fully immerse themselves in ISO 22301 in advance of the review.
As all those who have previously been audited can testify, the thought of an auditor arriving can leave some members of an organization a little apprehensive. From our perspective, we had a new office manager who was nervous as she felt she didn’t have the intimate knowledge of business continuity shared by the rest of the organization. Whilst there is little that can be done to stop nervousness amongst individual team members (we don’t condone the non-medicated use of beta-adrenergic blocking agents!), what was clear from our audit was that the auditor was seeking proof of a depth of knowledge appropriate to the role of the individual in the organization. This necessitates an imaginative and interactive ‘all staff BC awareness session’ in addition to ensuring that the crisis management team (or its ilk) is familiar with the plans and processes and roles and responsibilities in the event of a disruption.
Our business continuity plan was designed to provide the structure to enable the recovery time objectives (RTO) of critical activities identified in the business impact analysis (BIA) to be met. We took the decision that specific plans for critical activities or events were not required; our shortest RTO is 18 hours. We use the plan as the enabling structure and thought process on which to base our response to any disruption. This caused some issues with the auditor, who had expected specific contingency plans for all major risks. There is no requirement in the ISO for specific plans; what is stated is:
“The organization shall establish documented plans that detail how the organization will manage a disruptive event and how it will recover or maintain its activities to a predetermined level, based on management approved recovery objectives.”
However, there is a practical challenge in being able to prove to an auditor that the business continuity plan can achieve this. Our response was that specific plans would be required should any of our RTOs for critical activities be time-sensitive, but that with 18 hours available a laid-down set of procedures was not essential. At what point something becomes time-critical enough to require a specified plan is a matter for each individual organization to determine and demonstrate.
Whilst discussing business continuity plans, we took the decision to store the plan in a number of locations so that it would always be available at the point of use, whatever the location. Interestingly, whilst this may be ‘best practice’, there is nowhere in the ISO where it is detailed as a requirement.
The final challenge that we faced was with regard to the BIA. During the stage 1 visit, the auditor was satisfied with the content of our BIA, in particular that it:
The auditor did, however, feel that “the Operation Manual would benefit from being expanded to include the overall steps of the BIA process which is broadly embedded in the templates that implement the process”. Again, this was outside of the scope of the ISO, and could be perceived as ‘creeping excellence’. However, we took the decision to include a BIA methodology in our BCMS, as it was felt that it would bring operational benefit should the ownership of the BCMS ever be handed over.
The changes from BS 25999 to ISO 22301 were not a great leap into the unknown; rather, it was a process of evolving what was already a robust and workable BCMS. From our perspective, the initial internal audit was crucial to critically analyse the changes required to ensure our BCMS conformed to ISO 22301. The identification of an individual who possessed detailed knowledge of business continuity but had not been involved in the day-to-day running of business continuity was essential to enable the BCMS to be evaluated independently. Once the independent assessment of the BCMS had been conducted, the changes required were minimal and for the most part procedural. A structured plan to ensure the changes were implemented (which can be included in the risks and opportunities log) was followed, which enabled successful certification to ISO 22301 within two months of its release.
• Date: 3rd August 2012 • Region: UK/World • Type: Article • Topic: BC standards