ISO 22301:2019 and business continuity management - Alan Calder - E-Book

Alan Calder

Description

This book offers an in-depth exploration of ISO 22301:2019 and its role in business continuity management. It begins by explaining the standards and their importance for building resilience against disruptions. Readers will learn the core principles of ISO 22301, including the PDCA (Plan-Do-Check-Act) cycle, leadership responsibilities, and the integration with other management systems.

As the book progresses, readers will delve into key aspects of creating an effective business continuity plan, such as context analysis, identifying stakeholders, conducting risk assessments, and establishing support systems. Practical strategies are provided to help readers optimize business continuity solutions and incorporate them into their operations, ensuring preparedness for unforeseen risks.

The book also examines methods for evaluating and continuously improving continuity plans. In the final chapters, readers are guided through the process of ISO 22301 certification, offering a clear path to securing certification and enhancing organizational resilience.

Number of pages: 166

Year of publication: 2025




ISO 22301:2019 and Business Continuity Management

Understand how to plan, implement and enhance a business continuity management system (BCMS)

ALAN CALDER

Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the reader’s own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at the following address:

IT Governance Publishing Ltd

Unit 3, Clive Court

Bartholomew’s Walk

Cambridgeshire Business Park

Ely, Cambridgeshire

CB7 4EA

United Kingdom

www.itgovernancepublishing.co.uk

© Alan Calder 2021

The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.

First edition published in the United Kingdom in 2021 by IT Governance Publishing

ISBN 978-1-78778-301-0

ABOUT THE AUTHOR

Alan Calder founded IT Governance Limited in 2002 and began working full time for the company in 2007. He is now Group CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Prior to this, Alan had a number of roles including CEO of Business Link London City Partners from 1995 to 1998 (a government agency focused on helping growing businesses to develop), CEO of Focus Central London from 1998 to 2001 (a training and enterprise council), CEO of Wide Learning from 2001 to 2003 (a supplier of e-learning) and the Outsourced Training Company (2005). Alan was also chairman of CEME (a public private sector skills partnership) from 2006 to 2011.

Alan is an acknowledged international cyber security guru and a leading author on information security and IT governance issues. He has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). Alan has consulted for clients in the UK and abroad, and is a regular media commentator and speaker.

CONTENTS

Introduction

The road to business continuity

A note on business interruption insurance

Chapter 1: Using ISO 22301

The PDCA cycle

Companion standards

Integrated management systems

‘Shall’ and ‘should’

‘Top management’

Chapter 2: Context, interested parties and scope

Chapter 3: Leadership, policy and responsibilities

Chapter 4: Planning

Chapter 5: Support

Chapter 6: Operation

Chapter 7: Business continuity strategies and solutions

Chapter 8: BCPs and procedures

Chapter 9: Performance evaluation

Chapter 10: Improvement

Chapter 11: Addenda

Certification

Business continuity manuals

Further reading

INTRODUCTION

In an increasingly volatile world – exemplified by the COVID-19 pandemic – organisations are looking at business continuity with new eyes. The illusion of business as a rampart against which the waves of the world break harmlessly has been shattered; it is no longer possible to pretend that an organisation can weather all storms equally, or that the limited contingencies organisations develop are sufficient to protect them against the rapidly changing face of modern risk.

Business continuity – the discipline of planning for, protecting against and ensuring recovery from disruptive events – is more important than it has ever been. As a result, more and more organisations are looking to ISO 22301 – the international standard that defines the requirements for a business continuity management system (BCMS) – to safeguard their future.

This book walks you through the requirements of ISO 22301:2019, explaining what they mean and how your organisation can achieve compliance in a practical manner. Whether you are seeking certification against the Standard or are simply looking to benefit from business continuity concepts and practices without developing a formal system, this book contains all you need to know.

The road to business continuity

The genesis of business continuity management (BCM) as a formal discipline arguably lies in the introduction of computers to business. The considerable benefits derived from the use of computers in speeding up business processes and improving productivity soon became dulled by the realisation that, like any machine, computers could malfunction or fail, resulting in significant disruption.

Sensing a gap in the market, computer manufacturers (and eventually, dedicated service providers) began to offer ‘disaster recovery’ services to help organisations restore their computer systems in the event of failure. These early offerings were the beginning of business continuity as we know it today.

Over time, disaster recovery evolved from a solely technological consideration to one encompassing the entire organisation, culminating in the publication of early business continuity standards such as PAS 56: 2003 (Guide to business continuity management). The arrival of BS 25999-1 in 2006 and BS 25999-2 in 2007 defined a formal approach for UK organisations engaged in anything to do with business continuity or resilience, and the possibility of national accreditation for those looking to set themselves apart from their competitors.

As worldwide demand for a business continuity standard grew, the International Organization for Standardization (ISO) developed a new business continuity standard, based in part on the earlier standards, which was published in 2012. ISO 22301:2012 Societal security – Business continuity management systems – Requirements described the specification for a BCMS – a formal methodology that organisations could use to prepare for and respond effectively to disruptive events.

As an ISO standard, ISO 22301 offered benefits over older standards. It was developed to match the movement towards a common structure for management system standards, allowing it to integrate easily with other management systems and streamlining adoption by experienced management system practitioners. It also offered the opportunity to achieve internationally recognised certification – a valuable mark of assurance in an increasingly insecure age and a significant advance over the limited national accreditation available for BS 25999.

October 2019 saw the release of ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements. Although largely an administrative revision, the new standard retains all the benefits of the 2012 edition, but uses clearer language and clarifies several key concepts, making the process of implementing a BCMS easier and more accessible.

A note on business interruption insurance

One of the more common arguments against implementing a BCMS is that the organisation has business interruption insurance, and therefore a BCMS is not necessary. Business interruption insurance compensates organisations for profit loss during the indemnity period, which can range from a few weeks or months to several years.

However, business interruption insurance does not compensate for losses that occur outside the indemnity period, or for loss of future business that follows a disruption. Most such insurance is designed with physical disruptions in mind – fire, flood, etc. – and offers little or no cover for disruptions that do not arise from a physical event. Many organisations discovered this to their detriment after claims related to the COVID-19 pandemic were rejected by insurers.[1] In the rare cases where such cover is offered, it comes at a significant premium.

As a reactive rather than proactive measure, insurance provides minimal defence against disruption – all it can do is mitigate the financial impact. If a disruption lasts longer than the indemnity period, or if the disruption experienced is excluded by the terms and conditions, then the overall benefit of the insurance diminishes rapidly.

Even if you have the most comprehensive policy available, you must still find a way to mitigate the effects of the disruption while it is occurring and return to business as usual once it has ended. Insurance should be considered complementary to business continuity, but it cannot replace a BCMS, and insurance alone is not a defence.

[1] Mary Williams Walsh, “Businesses Thought They Were Covered for the Pandemic. Insurers Say No.”, The New York Times, August 2020, www.nytimes.com/2020/08/05/business/business-interruption-insurance-pandemic.html.

CHAPTER 1: USING ISO 22301

Readers approaching ISO 22301 for the first time can be forgiven for feeling some trepidation on sitting down to read it. Business continuity is far from the most accessible discipline, and the terminology and processes used can be complex and opaque, especially for new practitioners.

Fortunately, the order in which the Standard is written is, by and large, the order in which the BCMS should be implemented, so it is perfectly feasible to begin at the start and implement each requirement in turn. Although you can implement some requirements in an order other than that specified in the Standard, some aspects of the BCMS can only be effectively implemented after others are in place. It would be challenging to develop a comprehensive internal audit programme, for example, if large chunks of the BCMS are not yet implemented – the internal audit requirements are placed towards the end of the Standard for that reason.

The PDCA cycle

ISO 22301 applies the Plan-Do-Check-Act (PDCA) cycle to both implement and maintain the BCMS. PDCA was developed by quality management pioneer Walter Shewhart in the decades following World War Two, and has since become the core improvement philosophy behind many management system standards.[2] The PDCA cycle is an iterative approach to improvement that should be applied to any action taken in respect of the BCMS.

The PDCA cycle is as straightforward as it sounds. Before taking any action, plan out how it should proceed (plan). Once your planning is complete, take the action in accordance with the plan (do). Once the action has been implemented, monitor and evaluate its effectiveness (check), then use the information gained to make improvements (act).

Each iteration of the cycle improves your knowledge of the system, and ensures that change is applied in a controlled manner. Applying PDCA whenever changes are made to the BCMS should ensure that any change that introduces a detrimental effect is quickly identified and mitigated.

It may sound onerous to apply PDCA to every single action taken in respect of the management system, but it is important to remember that the planning and level of analysis should be proportionate to the action concerned. There is no need to create extensive plans and in-depth analyses of relatively minor actions, but more complex actions, or those that could result in potentially serious impacts, should be subject to more detailed consideration.

The Standard does not require evidence that you are applying PDCA, so there is no need to document the planning and analysis for every single action, and the topic is unlikely to arise in any detail during audits unless there is evidence that actions are frequently taken without considering their potential impact. That said, it is useful to retain some evidence of the application of PDCA when preparing for initial certification, and more generally, for complex or high-risk actions taken within a mature BCMS, in case a third-party auditor questions your approach.

Companion standards

Like many management system standards, ISO 22301 is supported by companion standards that expand on specific aspects of the management system, or offer guidance on applying the requirements in the ‘parent’ standard.

ISO 22301 is supported by two such standards:

1. ISO 22313:2020 (Security and resilience — Business continuity management systems — Guidance on the use of ISO 22301); and

2. ISO/TS 22317:2015 (Societal security — Business continuity management systems — Guidelines for business impact analysis).

The former offers general guidance on the application of ISO 22301, and the latter provides detailed guidance on the methodology behind business impact analysis (BIA; a key part of any BCMS).

Unlike many supporting standards, which frequently add little to further the reader’s understanding of the topic at hand, ISO 22313 and ISO/TS 22317 both expand on the requirements of ISO 22301 in a detailed and useful manner. They are an excellent resource for any organisation looking to implement a BCMS.

Integrated management systems

Many organisations already operate a management system, such as ISO 9001 (quality management), ISO 27001 (information security management) or ISO 14001 (environmental management).

All ISO management systems, including ISO 22301, can be combined with any other ISO management system to create an integrated management system (IMS). This provides several advantages: common functions such as internal audit and management review can be adapted to cover the requirements of multiple management systems with only minor impact on resources, while the context of the organisation, interested parties and other common factors will already have been identified to a great extent, saving time.

An integrated approach results in an IMS that makes the most efficient use of resources to achieve the goals of the constituent management systems. Not only does this make for a robust assurance framework, but it can also form the basis for a strong culture of governance and improvement that benefits the entire organisation.

‘Shall’ and ‘should’

As you read through the Standard, there are two important terms to watch out for: ‘shall’ and ‘should’. Any instance of ‘shall’ refers to a mandatory requirement of the Standard – something that must be present for the BCMS to be considered in conformity with ISO 22301. Auditors will expect you to be able to show evidence that a ‘shall’ requirement has been implemented.

‘Should’ refers to a recommendation – something that could benefit the organisation or the BCMS, but which is not a mandatory requirement (and for which you will not be expected to provide evidence). You will also encounter ‘may’ and ‘can’, both of which refer to permissions or possibilities that can be deployed if they suit the organisation.

‘Top management’

All ISO management system standards refer to senior leaders as ‘top management’. Top management refers to the board, executive leadership team or other top-level authority responsible for the organisation, and this book will also use this term.

In particular, ‘top management’ refers to those ultimately responsible for the organisation, or part of an organisation that operates the BCMS. For example, in the case of an organisation that operates multiple sites under a single, overarching BCMS, top management are the persons responsible for overseeing all those sites. If the same multi-site organisation were to operate a separate BCMS at each individual site, then top management would refer to the persons responsible for the site in question.

[2] Although developed by Shewhart, PDCA was popularised by W. Edwards Deming (another key figure in the development of quality management systems). Deming preferred ‘plan-do-study-act’ in the later years of his career, as it emphasises the need for analysis and evaluation of the action, rather than simple inspection, as implied by ‘check’.

CHAPTER 2: CONTEXT, INTERESTED PARTIES AND SCOPE

4.1 Context of the organisation

Before implementing any management system, it is necessary to identify the context in which the organisation operates, and any issues that arise from it that might affect the organisation or its BCMS.

Organisations implementing their first management system sometimes struggle with this requirement. The Standard does not provide much information on what this process should look like or what its outputs should be, and as a result, even experienced practitioners approach this requirement in radically different ways.

The goal of this requirement is not merely to reiterate the obvious – organisation X is in the business of Y, and so on – instead, the requirement drives analysis of the conditions (both internal and external) that the organisation operates within to ensure that those conditions do not adversely affect the organisation or its BCMS. By considering where you are now, and where you are likely to be in the future, you lay the foundations for effective governance.

‘Internal issues’ can include the products or services the organisation offers (including any standards, e.g. safety standards, that they must adhere to), employees and unions, the culture and values of the organisation, operational and development priorities, warranty and service requirements, governance concerns (such as any other management systems already in operation) and more.

‘External issues’ can include legal and regulatory requirements (whether they apply to the products or services offered or to the organisation itself), the supply chain, media and communication, the environment in which the organisation operates (whether financial, operational, etc.) and even technological changes in the field that might affect your business, such as a competitor developing a superior product or a new method of manufacturing that reduces cost.

It is important to note that the process of identifying context should not focus solely on issues that might result in a negative impact. You should also consider opportunities that could lead to a positive outcome, as these can have just as significant an effect (albeit in a different way) on the organisation and its BCMS.

One method to define the external context of the organisation (though by no means the only method) is to perform a ‘PESTLE’ analysis. This approach places external issues into six categories:

1. Political;

2. Economic;

3. Social;

4. Technological;

5. Legal; and

6. Environmental.

This provides an at-a-glance view of the issues affecting your organisation. At this stage, you are not trying to identify specific risks that may arise from the issues you identify; this is a macro-scale exercise designed to capture sources of potential impact, not the impacts themselves.

Internal context can be identified through a ‘SWOT’ analysis. This method considers the organisation’s strengths, weaknesses, opportunities and threats, and is often used in tandem with a PESTLE analysis. The combination of the two makes for a wide-ranging view of the organisation, which satisfies the requirements of the Standard.

The Standard does not require you to retain evidence that you have considered the context of the organisation, but the external and internal context outputs feed directly into the requirement to address risks and opportunities related to the BCMS in part six of the Standard, so it is important to keep a record of those outputs for use in that procedure. You will also need to periodically review and update the issues you have recorded as part of the BCMS improvement process, which is a lot easier to do if they are documented.

4.2 Interested parties

Once you have identified the context your organisation operates in, the next step is to identify ‘interested parties’ and their requirements.

‘Interested parties’ refers to stakeholders of any sort: those to whom your organisation owes a duty of care (whether inside or outside the organisation) and those that could affect, or be affected by, the BCMS. The list of potential interested parties is long, and can include:

• Customers;

• Suppliers and distributors;

• Shareholders and investors;

• Regulators and enforcement bodies;

• Employees and contractors;

• Media; and

• Neighbours, organisations that share the premises, members of the public, etc.

Each interested party has its own requirements. Your suppliers, for example, will no doubt require that you pay their invoices on time, while regulators will require that you follow applicable laws, contact authorities when appropriate, etc. Interested parties may have multiple requirements; if this is the case, you should identify those that are relevant to your organisation. As with the context of the organisation, this is a macro-scale exercise intended to identify the parties and their requirements, not the risks or opportunities that might arise from those requirements.