Hilary Estall MBCI, IRCA BCMS Lead Auditor is a business continuity practitioner and seasoned management system Lead Auditor. Following the recent publication of ISO/TS 22332:2021 Hilary offers her opinion on its value.
I can almost hear the collective groans as readers learn there is another, new, ISO published document relating to business continuity. But do not dismiss this latest offering out of hand. It’s shorter than a lot of other documents published by ISO and manages to get to the point quickly and adeptly.
‘PD ISO/TS 22332:2021 Security and resilience – Business continuity management systems – Guidelines for developing business continuity plans and procedures’, to give it its full title, sits comfortably between the Requirements Standard ISO 22301:2019 and Guidance ISO 22313:2020, applying a consistent approach with these standards.
Guidelines, such as ISO 22332, are defined as ‘general rules, principles, or pieces of advice’ and with this document we are given clear and concise information and advice on the different types of plans, what they should contain, and how to maintain them.
Being guidelines (and not requirements), we see wording such as “plans can include…” and “plans should identify…” rather than “shall”.
ISO 22332 may be applied as standalone advice for developing business continuity plans and procedures rather than having to be part of a broader business continuity management system (BCMS). It draws on best practice and can therefore be followed even if you are looking to align with or certify to other BC standards.
A closer look…
Working through the clauses I shall highlight the key ‘takeaways’ that I consider worthy of specific comment. You should read the entire document for a comprehensive understanding of the Guidelines. I have emphasised some words in italics, where I consider extra attention should be paid.
A set of prerequisites to developing business continuity plans and procedures have been established which refer to:
- The importance of identifying the organizations’ interested parties, their needs and expectations
- The identification of approved business continuity strategies and solutions. It goes on to list some you would be expected to include. The ability to demonstrate that your BC strategies have been approved is important, not least because very often they just ‘appear’ in a BCMS/set of plans.
- Competencies (some), expected to enable the development of plans, have been listed and include the need for broad organizational awareness as well as project management and communication skills. We know such role holders are also expected to be authorised to undertake their role but here we see an expectation it may also include the authority to approve plans and procedures.
Clause 5: Response
There is an expectation that plans and procedures will be flexible in their approach and content so they can deal with evolving situations. This is also referred to in ISO 22301 (clause 8.4.1 b) but so often I come across business continuity plans which rigidly follow the path of a certain scenario, not allowing for ‘real life’ to get in the way. Remember, it’s about having a framework in place to support your response. More on scenarios later…
A hierarchical approach with multiple response teams is offered as a possible structure (Strategic, Tactical and Operational teams are stated) whilst acknowledging that smaller organizations may need or prefer to limit their response to one or two teams only. A suggestion as to whom and how the teams should be comprised is also included as well as a useful table outlining the competences for each team member.
Referring back to ISO 22301 for a moment, it is worth mentioning the 2019 version introduced a requirement for the relationships between the teams to be stated as well as their roles and responsibilities. Remember this when you are considering the interrelation of your teams and try to design your plans to take these relationships into account.
Clause 6: Types of business continuity team plans and procedures
For the purposes of clarity, the first statement in this clause is “Procedures are documented in plans”. ISO 22301 doesn’t make this basic statement and it’s open to interpretation as to whether there is an expectation that BC plans should be accompanied with (separate) supporting procedures. I’ve seen evidence of such confusion on my travels.
Following the three tier plan structure, clause 6 discusses each suggested level.
Strategic Team Plan
Focused on an organization’s response to an incident and primarily concerned with outward facing issues such as reputation management, continued legal and regulatory compliance, ongoing communications with interested parties, both internal and external, and generally keeping the ‘show on the road’.
The strategic team will be made up of top management but may decide to bring in additional expertise, if required. Specific attributes required for leading the strategic response are listed as decision making under pressure, possibly based on incomplete or incorrect information, and being able to manage those individuals operating under stress. I think this detail is hugely important because so often the strategic team ‘lead’ defaults to the most senior person on the team when, instead, a mature conversation is required to ensure that the best qualified person leads the team.
Administrative support for the strategic team is recommended and ownership of the plan should fall to a nominated member of the team. (Note: Not defaulting to the BC Manager!)
Tactical Team Plan
This team is interrelated with both the Strategic and Operational Teams and primarily acts as coordinator of resources, sites/business units’ activities/response. Membership consists of senior managers across the relevant business functions. Again, ownership (and maintenance) of the plan should sit with someone within the team who is responsible for decision making. (Again, note: Not defaulting to the BC Manager!)
Operational Team Plan
I like the use of the phrase “action orientated” information and guidance which this team provides in its emphasis on maintaining the delivery of products and services. It’s as if the other two teams don’t do much! The operational team is interrelated to both the strategic and tactical teams although in practice this sometimes only seems to extend up one level. The team ordinarily consists of the head of function and a nominated group of staff. The owner of the plan is likely to be the head of the respective function and they are responsible for the plan and its maintenance. (Once again, note: Not defaulting to the BC Manager!)
Remember, whilst the content of plans will differ, the structure applied should be consistent. This will help with understanding and application across the organization.
Clause 7: Content of business continuity plan and procedures
We know that BC plans should contain certain, core information. Individual plans then go on to contain specific details, pertinent to the plans’ scope and purpose.
ISO 22301 states in clause 188.8.131.52 a) “Each plan shall include the purpose, scope and objectives” and here in ISO 22332 we are given suggestions as to what those objectives may include. The list may seem obvious to readers but it makes you consider your plans in a little more detail.
Activation criteria are required but also the “assembly” of the team (i.e. meeting locations) and standing down the team should be based on “predefined criteria”.
The storing of contact information, the use of appendices for checklists, maps, event logs etc. and the basic protocols required around document control and distribution are also covered.
Specific procedures addressing emergency response, communications, recovery of ICT, alternative facilities and resources are all covered.
Clause 8: Plans for response to specific disruptions
Two examples of scenario specific plans are addressed. In general terms, opinion is split between whether your plans should be fluid enough to respond to the impacts of any disruption or having dedicated plans to respond to a given event. Leaving this aside, the two “disrupters” cited are pandemic/epidemic and cyber attack. The content is practical and reflective of current world events and our gained wisdom. The two lists are self-explanatory.
Clause 9: Guidance on documenting plans
I think the first paragraph sums up the entire premise of BC plans very well. It states:
“A business continuity plan is a document intended to be used in high pressure, time limited situations. Plans are not manuals or reports and should not contain unnecessary information which is not relevant during a disruption. To reduce the need to refer to external sources, keep the plan self- contained as possible. Where possible, team members should be involved in developing and maintaining the plan, so its content is clear to them.”
I have nothing to add to this statement other than to say I wish more organizations would try and follow this advice!
Clause 10: Plan controls, storage and availability
Distribution, access, retrieval, use, storage, preservation, control of changes, retention, and disposal of plans remain core requirements, whether you are maintaining a management system or not.
Storage of plans need to be considered, be this electronically or in hard copy, using hosted software or internal systems. Availability is critical.
Clause 11: Next steps after documenting business continuity plans and procedures
Maintaining staff awareness of plans and procedures is important. Methods and frequency will vary depending on the nature of change or new issue.The importance of exercising is stressed along with the need for “management endorsed objectives and success criteria”. No further information is offered in term of type and frequency but this area is more than adequately covered in ISO 22313.
Clause 12: Monitoring and reviewing business continuity plans and procedures
The need to review the performance of plans, including the adequacy of BC strategies and solutions is mentioned, as is the importance of identifying occasions where breaches of legislation and regulatory requirements occur. The need to maintain plans and procedures is well known, in particular following an incident and organizational changes.
The more formal “Management Review” of business continuity plan documentation and the maintenance process is also referred to, with specific reference to BCMS.
As always, the underlying aim of all reviews is to encourage the continual improvement of plans and procedures.
A helpful Annex (A) is included at the end of the document, detailing procedures for the maintenance of a business continuity capability.
In my opinion, ISO 22332 is a useful addition to the suite of standards and guidance available on this subject. If your organization is not seeking to implement a full business continuity management system but is looking for succinct advice, based on industry-wide knowledge, this document will provide you with an excellent reference point.
Hilary Estall is Director of Perpetual Solutions. Hilary is the author of Business Continuity Management Systems; Implementation and certification to ISO 22301. ISBN 9781780171463
Perpetual Solutions is an authorised affiliate of BSI Standards. Visit the BSI shop.