03/06/2023
by Mark Hobden

ISO22301 - Business Continuity Management System

Introduction:

The purpose of this report is to detail information relating to the ISO22301 Business Continuity Management System (BCMS). It gives an overview of the work involved in achieving certification and the benefits associated with the management system. Over the past decade I have been involved in numerous ISO22301 certification projects; these projects were for nationwide corporate security companies and commercial office properties within central London. One of the differences between company and property certification that I have noticed is that the company certification projects I have worked on focus on key services provided outwardly by the company to multiple locations, whereas with properties the focus is on the services provided inwardly by the wider property management team, including the sub-contracted elements (security, engineering, reception, cleaning, IT, lifts, etc.).

The ISO22301 standard has crossovers with the Good Practice Guidelines (GPG) produced by the Business Continuity Institute (BCI), and tying the GPG in with the standard greatly assists certification projects. ISO22301 is made up of clauses and the GPG contains professional practices, all listed below:


Benefits:

Unique Selling Point – When a security company I worked for became the first corporate security company in the UK to achieve certification, it was a unique selling point. Since then a handful of other security companies have also gained ISO22301; however, the vast majority of organisations (not just corporate security) do not have this certification, so it could still be considered a unique selling point.

Legal/Regulatory – Management systems in general (not just ISO22301) place emphasis on legal/regulatory risk. Whilst the vast majority of organisations will monitor relevant legislation, management systems require that a detailed, documented and regularly reviewed legal/regulatory risk register is in place, which can assist organisations in ensuring compliance with relevant legislation.

Dependency – The system assists in highlighting single points of failure. One common example I've noticed over the years is dependency on a single staff member conducting a key task (payroll, IT, invoicing, etc.): many key people know what to do in order to deliver their service, but on many occasions this information isn't documented.

Key Activities:

In order to achieve certification a number of activities need to be completed (and documented); these are:

Understanding the Context of the Organisation – When starting a project it is good to have a full understanding of what the company does: is it in the service sector, does it produce products, who is involved, and what geographical areas does it operate in?

Interested Parties – Who is involved, either directly or indirectly? This can include company stakeholders, staff, suppliers, banks, landlords, regulatory authorities, insurers and customers. To assist with this I produce a simple table containing the following criteria:

  • Interested party
  • Needs and expectations
  • How they are determined
  • Frequency of communication


Leadership – Leadership commitment is key; projects in organisations rarely succeed without leadership support.

Policy & Awareness – A policy is an essential requirement of the standard. I keep them to a simple two pages covering the following:

  • Introduction
  • Scope (who is involved)
  • Objectives (main aims of the project)
  • Purpose (why are we doing it)
  • Leadership commitment (I get the most senior person to sign off on the policy once the content has been drafted and agreed)


When the policy is made available I issue an awareness booklet to the relevant parties; it essentially covers the purpose of the project, who is involved and what needs to be done.

Roles & Responsibilities – Roles and responsibilities relating to business continuity need to be in place for relevant personnel; this usually includes reviewing job descriptions and training.

Risks & Opportunities – Risk management is a key component of the standard. I tend to split it into the following categories:

  • Operational/Service: what can stop us from providing our service? This ranges from lack of staff to major emergencies.
  • Legal/Regulatory: what legislation do we need to comply with, and what other certifications/accreditations do we need to comply with?
  • Strategic: my current favoured method for highlighting strategic risk is the PESTLE analysis; Political, Economic, Societal, Technological, Legal and Environmental.


Objectives – The objectives that are set should be realistic and measurable. We decide the objective, list who is responsible, state what will be done, look at the resources required to achieve the objective, set the timeframe and decide how we evaluate the results.

Communication – It goes without saying that comms are key. This covers escalation of incidents, how we inform people/organisations of relevant matters and ensuring that our communication records are up to date; communication should in theory be simple.

Business Impact Analysis (BIA) – This is a useful tool for highlighting the critical functions and key activities performed by the organisation; examples could include provision of staff, key resource requirements, IT/comms, main products/services, etc. In addition, certain timeframes need to be considered:

  • Recovery Time Objective (RTO): set timeframes for resuming disrupted activities within an acceptable time.
  • Maximum Tolerable Period of Disruption (MTPD): identify the timeframe beyond which not resuming activities would have a negative impact upon the organisation.


Business Continuity Plan (BCP) – A plan is required. My favoured method is to produce action cards listing what we should do should there be an incident that could impact anything we have highlighted during the BIA. A BCP should be readily available to relevant parties, simple to follow and adaptable.

Performance Evaluation – This ties in with the aforementioned objectives and how the business continuity management system is working for the organisation. I cover the following: the objective, the frequency with which we monitor the objective, how it is measured, how it is analysed, how the results are evaluated and the outputs.

Management Review – These need to be conducted at least annually. I tend to tie them in with management reviews of other standards as there are lots of similar criteria. The review needs to cover the following: actions, non-conformance, performance, testing, policy, awareness and risk management.

Non-Conformance & Corrective Actions – If any non-conformances are noted, it is important to register and track them. I record the following: date discovered, description of finding, corrective action, root cause and date closed.

Continual Improvement – All ISO management systems require continual improvement to be recorded. This can include slimming down processes, pushing BC out to the wider company, and testing and exercising; it will essentially be driven by the organisation.

Testing & Exercising – It is important to test the plans and the people who have to use them. Use scenarios based on the highlighted risks that can impact the service, and validate both the plan and the knowledge of the staff following it; it's better to highlight gaps in planning and knowledge during a test than to find them during a real incident.

Audits:

To achieve certification a series of audits need to be completed:

Internal – On at least an annual basis an internal audit of the system needs to be completed. This involves someone with detailed knowledge of the system auditing the project manager, and covers the criteria listed within the last section of this report.

External – An approved external auditing body has to assess the organisation's management system. This is conducted over a three-year period and covers the following:


Summary:

Most decent organisations already do this, but the management system process ensures that everything is documented. Not all organisations should get themselves certified for the sake of it; certification should only really be considered if it is a benefit to them.

I myself find the ISO22301 standard and the GPGs to be very useful, and have used elements of both on other work-related projects including contract mobilisations, producing emergency procedures and conducting security reviews.