As most of you know this is the new International standard for business continuity which was published in May 2012.

I have had a reasonable amount of experience with the standard having taken PlanB Consulting and a client, Water Direct, through the process of being awarded the standard. We are now helping a couple of other organisations through this process and I have written the BCT course ISO22301 Masterclass on achieving ISO22301. My wife Kim was on the Committee that wrote the standard – BCM/1 so, if I have any questions on it, I ask her!

A few thoughts…

1. In terms of pure business continuity content, the ISO is not as good as the BS25999, the previous British Standard for business continuity. ISO contains a lot of content which is familiar to those who are implementing other standards such as ISO9001 or IS027001, so it has more “standard text” and less business continuity text. I always advise students on the “The BCI Good Practice Guidelines 5-day training Course,” if carrying out a business continuity task, to always check against BS25999 should they have missed anything. I have seen plans written which are missing whole sections. Had they been checked against BS25999, they perhaps would not have been missed.

So, one of my tips to you today is…. get yourself a copy of the BS25999 Part 2.

2. The next point I would like to make is, “alignment to ISO22301”. Many consultants or business continuity managers, very proudly, say that their business continuity provision is aligned to ISO22301. “Aligned to IS022301” for most people is meaningless and to me seems more of a marketing ploy rather than a fact. To get ISO22301 and to fulfill all the requirements, especially in a large organisation, is difficult and time consuming. If they were really fully aligned to the standard then why not receive certification, as it is not that expensive? I suspect most who are aligned are far away from ever getting the standard and only certain parts of their business continuity provision would actually meet the requirements of the standard.

Tip – If you are fully aligned to the standard, get certified!

3. My third point is about those who are actually certified to ISO22301.  Not all certifications are equal. I was asked a couple of years ago by a friend to quote for implementing BS25999 in the organisation he worked for. I did my pitch and quoted what I thought was a reasonable price. The organisation already had a number of ISO certifications. The company which did the other certifications offered to carry out their BS25999 certification and do all the work for a quarter of the price I offered it at. Perhaps I was too expensive but, if I did the work I would use an independent company to do the certification, rather than provide the certification myself.

For those that don’t know this, there are two sorts of certification to any ISO standard. Any company can certify to the standard and can do the work to get you there. I think if you want to go for an ISO certification then you should use a UKAS accredited company. This means that they are accredited to certify to the standard and they have to follow a code of conduct which includes not certifying their own work. To tell if a certification is UKAS accredited they have a little tick in their logo. The company, which did my friend’s certification, was sharp, in that they have added a tick to their logo, so it looks like they are UKAS accredited when they are not.

Tip – if you want to get certified to ISO22301 (or any other standard) make sure you use a UKAS accredited company. If you are an organisation, check who the certification body is!

________________________________________________________________________________________________________________________________

Comment:

I read your weekly blog with interest – you usually find some interesting BC message in current events and I am surprisingly often in agreement with you.

However the latest ISO 22301 blog was rather off message and contained a number of errors which you could correct in a future blog otherwise your advice could mislead.

Firstly  it was NOT “BCM/1 who wrote the standard” (ISO 22301).  All national bodies (or individuals) had an equal opportunity to contribute comments – but TC223 wrote the standard not BSI BCM/1.  I can see what you are trying to imply about inside knowledge but BCM/1 has no special role in ISO 22301 in this respect.

To assert that ISO 22301 has  “less business continuity text” than BS 25999 (I presume you are talking here about part 2) is true but misses the point. It is less prescriptive but a careful comparison of requirements shows only very minor omissions (eg. requirements to document certain things – which are implied anyway).  The four of us who were actually on the TC223 committee were very careful to not lose any significant requirements. Instead there are a number of additional requirements – such as the sections on warning and communications and leadership of top management which are significantly additions. It is therefore incorrect to imply that “the ISO is not as good as BS25999” and therefore has lower requirements. You need to make clear that an organisation with BS 25999 certification will have to provide additional evidence to transfer to ISO 22301.

You say, rather  dissmissively, that ISO 22301 has a lot of “content which is familiar to those who are implementing other standards such as ISO9001 or IS027001 so it has more “standard text” “. This is Management Systems text – which is vital for certification – the standard is as much to make sure top management are in control of BCM as that BCM is being done correctly. Anyway this text is not common to ISO9001 and ISO 27001 – but will appear in the new versions of 9001 and 27001 as ISO 22301 is the first standard to use the new common management structure and text which the others will follow too as they are revised.

Hope you find something interesting to comment on next week – gas fracking? bent nobles?

Regards

Ian

Ian Charters, FBCI

Continuity Systems Limited

Friday 24th May 2013