BCM, Goodbye to an old friend

On 30th November 2006, the world was introduced to BS 25999-1:2006 Business Continuity Management – Code of practice, which was followed quickly, in standards terms, on 20th November 2007 by BS 25999-2:2007 Business Continuity Management Specification.

These documents formally established the process, principles and terminology of Business Continuity Management (BCM), and BS 25999-2 specified the requirements for setting up and managing an effective BCM System (BCMS). At that time the documents were the top purchases from the British Standards Institute Shop, proving at the very least a widespread understanding of the need for BCM and a desire to understand the requirements.

Since then many organisations have undertaken to certify to, or align with, BS 25999-2 to be able to provide evidence of their BCM capability. This has been for a variety of purposes, not least to satisfy internal risk management, or to comply with external contractual and supply chain requirements.

On 31st May, BS ISO 22301:2012 Business Continuity Management Systems Requirements, the world's first international standard for BCM, was published. This replaces BS 25999-2:2007, which will be withdrawn on 1st November 2012.

The most significant implication of the introduction of this standard is actually nothing to do with BCM! During 2011, the ISO was developing Guide 83 which specifies the following common structure and terminology for future management system based standards:

Context of the organisation: covering issues such as the scope and expectation for a management system;

Leadership: covering aspects such as management commitment, policy, responsibilities and authorities;

Planning: including the identification of risk and opportunities as well as objectives and plans to improve performance;

Support: covering issues such as the provision of resources, competence, awareness, communication and documentation requirements (management system and document control);

Operation: basically operational control;

Performance evaluation: including monitoring, evaluation of performance, internal audits and management review; and

Improvement: covering nonconformities, corrective action and continual improvement.

BS ISO 22301:2012 is the first standard to which Guide 83 has been applied. It is intended that all standards will either be introduced with, or revised over time to use, Guide 83 as the basis for the management system.

Allied to the above, different terminology has been introduced so the standard is more suited to the international audience it is intended for.

The major differences and what it means for your existing BCM programme are:

Greater focus on planning and preparing resources for BCM, including: understanding the context of the organization and the needs of interested parties, determining the risk appetite and using that as a basis for BC strategy and objectives. The impact of this will be that organisations will have to spend much more time on up-front planning and preparation to implement a BCM capability, rather than just diving in and starting to write BC Plan documents which might not necessarily fit in with the overall BC Strategy.

More emphasis on top management commitment, through greater leadership, enabling an environment of support and involvement in BCM. This will mean that management will need to commit more time and resources to ensuring they implement a BCM capability, rather than going through a tick-box exercise.

Greater emphasis on BCM system performance and metrics analysis and determining the effectiveness of your BCM System. This is reinforced by the requirement for permanent monitoring of the BCM System as well as periodic reviews to measure and improve its operation. This will mean that organisations will need to prove, on an on-going basis, the cyclical nature of the BCMS lifecycle, i.e. measuring the effectiveness of the BCMS against the BC Strategy and goals and providing proactive remediation where needed.

There is recognition of more modern working practices, particularly relating to third party arrangements, and the requirement for organisations to control and take responsibility for those activities which could affect their business. The standard requires that: “Organisations shall control processes that are contracted out or outsourced”. This will mean that organisations will have to be more proactive in their management of, and responsibility for, 3rd party service providers, ensuring that an appropriate level of due diligence and on-going audit and remediation takes place. You cannot pass responsibility to the 3rd parties.

MTPD (Maximum tolerable period of disruption) and RTO (Recovery time objective) have been replaced with the following: “Setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable”. In essence there is no change here, apart from wording (which is part of the rationale for introducing the revised Management System Model). Organisations will still need to identify minimum recovery time requirements prioritized across all critical systems in a proper top-down way.

BC Procedures (formerly 4.3 Developing and implementing a BCM Response) now has the following requirements: procedures need to be established to ensure interested parties are warned and communicated with; incident response must include a trigger point for invocation; and each plan must include information which might have been previously stated collectively, i.e. each plan must be capable of standing alone. Organisations must make sure they include all interested parties in their incident communications, and an invocation trigger point must be decided and adhered to, rather than making it an Incident Management Team responsibility. This reinforces the up-front planning and preparation noted in the first point. Additionally, each BC Plan must now contain enough information to be stand-alone, rather than having core elements aggregated into one central plan overlay.

So what are the practicalities if your organisation has already got certification to BS 25999-2? The first thing is that your accreditation body will need to transition to ISO 22301 and they have until May 2014 to do this. After that, you will have 1 year to transition to ISO 22301 using surveillance audits.

If your organisation decides to just let its BS 25999-2 certification lapse and go for ISO 22301 at a later date, you will have to go through the whole certification process from scratch.

If you are currently going through the BS 25999-2 certification process, this will still be valid, although no new certificates will be issued after 2013. No doubt your certification body will contact you to notify you of next steps.

So is this really goodbye to our old friend BS 25999? Well, no. BS 25999-1 Code of practice is staying, for the time being, as it is felt it still has a purpose. At least, that is, until BS ISO 22313 Business Continuity Management Systems guidance is published.