Charlie Maclean-Bristol provides some practical advice for business continuity managers who are preparing for an ISO 22301 certification audit.
Recently I was in Fremont, California, supporting a business through an ISO 22301 audit. My company had been working with the business in question for a year to get it ready for the audit and we had already taken part of the organization (the part based in Sweden) to ISO 22301 certification, so we were fairly confident that we would pass this audit. However, a different auditor is always an unknown entity. This meant that the audit was, as always, approached with a little apprehension.
The following are 15 points I learned from this particular audit:
1. If part of your organization is already certified to ISO 22301, you do not need to go through a part 1 audit (documentation) and a part 2 audit (interviews with staff); you can go for a single extension-of-certificate audit.
2. It is important to remember that, although the auditor is auditing you and your BCMS (business continuity management system), you have invited them into your company and are paying them to do the audit. An auditor should add value to your BCMS and should help the continual improvement process. In the end that is why we go for the standard: to improve business continuity within our organization. Too many auditors just treat it as a box-ticking exercise and want to slavishly go through the standard. Where they find issues they make a recommendation on how to meet the requirements of the standard, not how to help you understand what value that section has in improving your BCMS. The auditor, having seen other organizations address the section, could suggest how they approached the section and hence promote good practice. The audit, as the check part of the plan-do-check-act cycle, should add value to the BCMS and not be an end in itself. This is one item I am going to take up with our auditing body on return to the UK.
3. Auditors seem obsessed with scope and so may question your scope and spend a lot of time ensuring that the scope is correct on the certificate. If your scope covers less than the whole organization then you should have a think about how to define your scope.
4. Make sure you use the correct nation’s terminology or, better still, the terminology from the standard itself. I used ‘directors of the company’ when I should have used ‘vice presidents’. Better still is to use the phrase ‘top management’ and you can’t go far wrong!
5. Understand the difference between a nonconformity and an opportunity for improvement. A nonconformity means you have not met the requirements of the standard: either you have not complied with one of the clauses or you have not met your own requirements, e.g. you have not updated your plans every six months. An opportunity for improvement is just what it says, a recommendation on how to carry out an action better.
6. If you find a nonconformity it is not sufficient just to take steps to address the issue. You should carry out a root cause analysis (you could use the 5 whys), decide what you are going to do to remedy it, who is going to do it and when it will be done. Finally, determine what steps you are going to take in future to ensure that the remedy is effective.
7. You need to state who is going to report to top management on the state of business continuity within the organization. Just because you have a sponsor for business continuity doesn’t mean you have met this requirement: the role of briefing top management needs to be stated within their responsibilities.
8. If you use a third party to help you gain the standard, you need to make sure that you can convince the auditor that your organization is truly committed to the standard and that all the business continuity knowledge does not reside in the third party.
9. You are encouraged to do your internal audit 2-3 months before the external audit rather than the week before!
10. Never tell the auditor you don’t have something unless you really don’t have that item. During the audit of the Fremont business, a member of staff said that the organization didn’t have a written IT disaster recovery plan, and due to that answer we were heading towards a minor nonconformity. When a more senior manager was asked the same question, he was able to produce suitable documentation to prevent the minor nonconformity. If in doubt, produce something that exists within the organization and leave it up to the auditor to decide whether they will accept it as evidence.
11. During the development of your BCMS you will develop your own internal standards, for example that a plan should be updated every six months. It is a good idea to have a checklist of these internally determined standards and monitor them through your management review.
12. In section 9.3 of the ISO 22301 standard there is a list of items which should be considered as part of the management review of the BCMS. In the past I have put them within the management review and used them as a checklist to go through each time a management review was conducted. Recently I shortened them to make them a little less unwieldy to go through at a meeting. The auditor suggested that the list should not be shortened as this might result in one of the items being missed.
13. Make sure when you are carrying out awareness training for staff that the message is not too complex for them as they may forget the message. A few simple messages such as ‘Yes I have been briefed on business continuity in a disaster’, ‘My role is…’ and ‘I can find out further information from…’ are enough. Keep it simple. It is a pleasure when staff recount the simple messages to the auditor!
14. Decide how you will make all the documents available to the auditor. In the past I have given them a big stack of printed-out documents. You may want to consider giving the auditor all the documents on a memory stick rather than printing them all out. If in doubt, ask them in advance.
15. Finally, I still strongly suggest that if you want to do business continuity properly and want to truly embed it within your organization, you go for ISO 22301 certification.
The result of the audit was that the business was recommended for certification with no nonconformities!
Charlie Maclean-Bristol, MBCI, FEPS, is director of PlanB Consulting. PlanB Consulting is certified to BS 25999 and ISO 22301.