ISO 22301 - The journey has begun
The Spanish and Greeks were rioting in the streets earlier this week due to the austerity measures imposed on them.
In this bulletin I am not going to write about riots, as they were last week’s topic! Although I have to say that just when I thought the Euro crisis had gone quiet, there are riots to remind us of it. We should also remember that if the Euro zone implodes and countries go back to their old national currencies, this will have a major impact on almost all our organisations, and I personally think that all organisations should have a plan in place for this.
This week I thought I might talk about something much less exciting: the new(ish) international standard for business continuity, ISO 22301. The standard came out in the summer and we have been eyeing each other for a while. The time has come when I have had to get to grips with the standard, as I have a number of clients who are taking the certification.
For three days this week I have been trying to get to grips with it and understand it. I can admit that for a while I was tempted by the people who will sell you a complete set of compliant documentation, but I have battled on and have started to decipher it.
I am familiar with BS 25999, having taken a number of organisations, including PlanB Consulting, through to certification, so I roughly understand how standards work. ISO 22301 is very different from BS 25999 in that it contains much more “standard” material and less about business continuity. In fact the pure business continuity element of the standard has shrunk, while at the same time the number of ‘shalls’ (items you need to comply with) within the new standard has doubled, and there is a lot more about the management system, which will be very familiar to those who know other standards such as ISO 9001 or ISO 14001.
My personal feeling, in the end, is that it is all worth it, and I believe that if you are going to do business continuity properly then you should be going for the standard. I just do not believe people who say, looking very pleased with themselves, “of course we are aligned to the standard”. What they do is look at part of the standard, such as the plan section, check their plans against the criteria and confirm that they comply. The documentation part is the easy bit; it is the management system that really adds the value and makes sure that your processes for developing business continuity are followed, that plans are up to date and that staff have been trained. I think it is too easy to let elements of business continuity slip, and only by adherence to the standard can we ensure that this oversight does not occur.
I can freely admit that the standard is not for everybody, and one of the limiting factors is the appetite of senior managers for implementation of the standard. The standard requires major and ongoing commitment at all levels within the organisation and cannot be carried out as an initiative by the Business Continuity Manager alone. It is often organisations which already have other standards that are happy to take the plunge and go for ISO 22301, as they are aware of the workload and also of the benefits of implementing the standard.
A few tips which I have learned from my past three days of study:
- If you have someone in your organisation who is familiar with standards and implementing them, they could be invaluable in helping you implement the standard.
- You can’t just reuse your BS 25999 documentation. There are lots of changes and tweaks to be made to cover off all the areas and ‘shalls’ in the standard.
- There are a number of good documents out there, which will tell you the difference between the BS and ISO standard.
- If you are using the standard as a checklist, which I encourage all my students to do on training, it helps to ensure all the parts of business continuity are covered. Use BS 25999 rather than ISO 22301 for this, as the business continuity content is better in BS 25999.
- It’s a long job, but you need to go through the standard line by line and decide how you will comply with it. I have an Excel spreadsheet and for each item I write down how we are going to comply and whether there is any relevant document associated with the action. This can double as your audit of the standard, so it is not wasted time! If you are the manager responsible, you have to get inside the standard and understand what each line means and how you are going to comply with it.
And finally (I have a couple of answers so far): can anyone explain to me what section 6.1 is all about? I am struggling!