ISO 22301 Business Continuity Standard in IT

ISO 22301 is the Business Continuity Standard in IT. Continued operation in the event of a disruption, whether due to a major disaster or a minor incident, is a fundamental necessity for any organization. Without the ability to recover, countless organisations have gone out of business.

Business continuity management (BCM) is a process that helps organisations manage risks to the smooth running or delivery of a service, ensuring continuity of critical functions in the event of a disruption, and effective recovery afterwards.

The key objective of any business continuity/disaster recovery plan is the ability to duplicate, isolate and then (importantly) to be able to restore critical business data and functions in a way which will allow your business to continue to operate effectively if the worst happens.

Civil contingencies

Governments spearhead policies to protect the nation’s infrastructures, such as digital communications, energy supply and transport in the event of disaster. For example, in the UK the Civil Contingencies Act 2004 sets out the national procedures that are in place to deal with civil emergencies.

Business decision makers must have contingency plans in place to protect high-risk environments such as finance, telecommunications, transport and the public sector, where the ability to continue operating is paramount for the organization itself and for its customers and stakeholders. Keeping your business going during the most challenging and unexpected circumstances is crucial to continued growth and success: it protects your staff, preserves your reputation and retains the ability to operate and trade.

Imagine what might happen if your critical business systems and networks were water damaged due to flooding, power failed because of a terrorist attack, or IT staff were off work due to a flu epidemic. Good BCM helps organisations identify their key products and services and the threats to them, plan for disruption and resume service promptly, helping to protect market share, reputation and brand.


However, a business continuity/disaster recovery strategy is worthless unless it actually works in practice. We know of far too many instances where businesses have tried to restore their data from back-up files, only to find that their data is corrupted, only partly recorded or that there are unforeseen incompatibilities between their back-up devices and their network storage systems. In each case, a critical part of a sound disaster recovery strategy is having 100% certainty that your back-up data can actually be recovered and that your business systems can be fully restored.

Developing a disaster recovery plan – what should it look like?

A well-structured and fully tested disaster recovery plan will provide employees and managers with the confidence that if the worst happens, steps are already in place to ensure that business will continue, orders can be taken and staff will be paid. To that end, you should identify and take steps to protect areas of your business which would be critical to its continued survival.

These could include:

  • Customer data
  • Marketing/prospect data
  • Order book and/or resource planning system
  • HR/payroll system
  • Accounts/finance system
  • Email/correspondence archive
  • Operational/business process information

Much of this list will depend on the precise nature of the business concerned. However, you will also need to consider (if you haven’t already) the practical side of how you intend to keep your data safe so that it can be accessed quickly and restored efficiently in the event of an emergency.

Think about where your server is based and whether you can easily retrieve your information from another country, especially if you are using the cloud.

You should consider the following basic techniques for ensuring data is both adequately protected and readily available:

  • Business data copied to tape/removable disk and stored away from business premises (this should be a daily or weekly practice).
  • Backup data copied to an off-site location via a network link – this generally involves the use of ‘storage area network’ technology.
  • High availability systems which keep both the data and system replicated and ‘mirrored’ off-site, enabling continuous access to systems and data.
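The article's point that a backup is only worth what can be restored from it, and that corruption or a partial restore is often discovered too late, is easiest to act on with a scheduled restore test. The following added example (not code from the article or from any standard body) writes a SHA-256 manifest at backup time, restores the archive into a fresh directory, and checks every file against the manifest so that missing or altered data is reported before a real incident. The sample files, their names and contents are constructed for the demonstration; the backup is a tar.gz because that is a simple stand-in for the tape or off-site copy described above.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data: hypothetical file names standing in for the kinds
# of records the article lists (customer, finance and payroll data).
SAMPLE_FILES = {
    "customers/crm-export.csv": "id,name\n1,Example Customer\n",
    "finance/ledger.csv": "date,amount\n2024-01-01,100.00\n",
    "hr/payroll.json": '{"staff": 12}\n',
}


def sha256_of(path):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source, archive, manifest_path):
    """Write a tar.gz of source plus a JSON manifest. The manifest is the
    reference the restore is later checked against, so keep a copy of it
    with the off-site backup rather than only on the live system."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore_backup(archive, target):
    """Extract into an empty directory, refusing entries that would escape it
    (tarfile's 'data' filter; older Python versions lack the argument)."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")
        except TypeError:
            tar.extractall(target)


def verify_restore(restored, manifest):
    """Compare a restored tree with the manifest: anything missing or hashing
    differently means the backup cannot be relied on to bring the business back."""
    found = build_manifest(restored)
    missing = sorted(set(manifest) - set(found))
    extra = sorted(set(found) - set(manifest))
    corrupted = sorted(p for p in manifest if p in found and found[p] != manifest[p])
    return {
        "ok": not missing and not corrupted,
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
    }


def run_restore_test(corrupt=None, remove=None):
    """Full restore exercise in a temporary directory: write the sample data,
    back it up, restore to a fresh location, optionally simulate a corrupted
    or partially recorded restore, and return the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, restored = root / "live", root / "restored"
        for rel, content in SAMPLE_FILES.items():
            path = source / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
        manifest = create_backup(source, root / "backup.tar.gz", root / "backup.manifest.json")
        restore_backup(root / "backup.tar.gz", restored)
        if corrupt is not None:
            (restored / corrupt).write_text("GARBAGE")  # simulate silent corruption
        if remove is not None:
            (restored / remove).unlink()  # simulate a partially recorded backup
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print("clean restore:", run_restore_test())
    print("corrupted file:", run_restore_test(corrupt="finance/ledger.csv"))
    print("missing file:", run_restore_test(remove="hr/payroll.json"))
```

Run the script to see a clean restore pass and the two simulated failures reported by file name. In practice the same verification is run against a real restore onto spare hardware or a separate cloud account on a fixed schedule, with the manifest kept alongside the off-site copy so that a failure on the primary site does not also take the reference with it.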

Simple steps you can take to protect your business

  • Get board-level buy-in - top-level buy-in disseminates the importance of BCM throughout the organisation. Engaging senior staff is crucial to the success of any major programme because of the influence they have over resource allocation and the culture of an organisation.
  • Understanding the organisation - before writing plans, understand your business, including its products and services, and the impact any failure might have on their delivery, using Business Impact Analysis (BIA).
  • Developing plans - incident management plans allow the organisation to manage the initial impact of an event, for example staff evacuation or media response. The business continuity plan allows the organisation to maintain or recover the delivery of the key products and services that the BIA identified.
  • Exercising plans - plans cannot be considered reliable until they are exercised and have proved to be workable. Exercising should involve: validating plans; rehearsing key staff; and testing systems which are relied upon to deliver resilience (e.g. uninterruptible power supply). Review the plans regularly.
  • Training and awareness - make sure all relevant workers (employees, contractors and consultants) know what is going on.

The business continuity standards

There are two important business continuity management standards.

BS 25999 comprises two parts:

Being independently certified to BS 25999 Part 2 by BSI Group, an independent third party, provides the strongest assurance to your stakeholders that you comply with BCM best practice.

New international standards

ISO 22301:2012 specifies the requirements for a business continuity management system (BCMS). The requirements for a BCMS can be employed by any organisation, no matter their size, type or location.

Deploying a BCMS that is ISO 22301-compliant will allow your organisation to demonstrate to stakeholders - employees, customers, suppliers, shareholders - that it is prepared for disruptive incidents that might otherwise prevent it from achieving its organisational goals.

ISO 22301 is based on the Plan-Do-Check-Act model as found in other management system standards.

Organisations that don't employ a BCMS risk being unprepared should a disruptive incident occur. Organisations that suffer a disruptive incident without a BCMS in place face consequences such as:

  • Loss of customers
  • Reputational damage
  • Monetary loss
  • Potentially going out of business

The list of side-effects is endless. Do you really want to put your organisation at risk?

Key Features and Benefits:

  • A standard that specifies the requirements for a BCMS. Deploying a BCMS and achieving certification against the standard demonstrates that an organisation is prepared for a disruptive incident and should be able to continue operating if one occurs.
  • The requirements in the standard can be applied in any type or size of organisation, no matter the location, making it widely applicable.
  • Why risk damage to your organisation's turnover, profits and reputation by not being prepared should a disruptive incident occur?