There’s no denying that business continuity (BC) has evolved significantly over the last few years. We’re now in a situation where various approaches to arriving at what was perceived as “good practice” appear to have converged to the point where there is broad agreement on the nature of good business continuity management (BCM).
This has mirrored the development of standards in the field, kicked off back at the end of 2006 by the publication of the British Standard BS 25999. Arguably the principal standard for BCM in the English-speaking world and beyond, with its translation into a number of languages and its function as the basis of a number of national standards, it was used as the foundation for the US Standard ASIS BCM.01-2009, as well as influencing work on international standards such as ISO 22301. That the British Standard became used across Europe can be ascertained not only by the number of languages in which it became available but also the extent to which BC practitioners across the continent continue to refer to it in a variety of online fora and other communications.
Now we have ISO 22301, which uses much of the language and concepts contained within 25999-2 and while there are some differences in approach, it is plain that the fundamental “DNA” of the British Standard is contained within it. However, one caveat is that it places much greater emphasis on a management system and this has led to some criticism that it could encourage a ‘tick box’ mentality, rather than measure true BC effectiveness.
“Many who did not want to certify to a national standard may decide that at least part of their organisation will use the new ISO standard, either internally or as a requirement for suppliers.”
There is a transition programme for organisations that are certified to BS 25999-2 and this will see the move to the new standard take place over a period of 2 years. It is possible that many who did not want to certify to a national standard will decide that at least part of their organisation will use the new ISO standard, either internally or as a requirement for suppliers.
It must be remembered though that as a requirements standard, ISO 22301 does not provide guidance, neither does it embody “good practice”. It is simply a set of requirements for a management system (using a Plan, Do, Check, Act process), which seeks to apply a common approach to business continuity management across the globe.
That guidance will arrive in the form of the forthcoming ISO 223313.
This is currently at Final Draft Standard phase and is likely to be published in late 2012 or 2013.
But other things have been happening too. There has been – at long last – a convergence of BCM and IT disaster recovery (DR) approaches. BS 25777 was launched in 2008 as a guidance standard for ICT continuity and its relationship with BCM.
It supported and complimented BS 25999 and provided additional guidance for continuity practitioners and IT managers in ensuring that the required information and communications technology and services were resilient and could be recovered to predetermined levels.
But while BCM practitioners were enthusiastic about this development, it’s fair to say it met with a somewhat muted response from IT departments. However BS 25777 went on to form the core of the information security standard ISO/IEC 27031 – ICT Readiness for Business Continuity – and by plugging this essentially BC-based standard into the ISO/IEC 27000 family we reached a point of maturity in this field too. Indeed, ISO 22313 – the guidance for BCM – takes the IT continuity guidance contained in ISO 27031 and applies it in the context of BC.
So there we have it. Information security standards that state the need for BCM and the need to define BC requirements through the BCM route, while BC standards use guidance contained in information security standards to define what’s needed for IT.
In his book “The World is Flat – A Brief History of the 21st Century”, the author Thomas L Friedman explains how globalisation and the “flattening” of the world happened at the dawn of the twenty-first century and in it he talks about the role of standards in this process. He states, “Once a standard takes hold, people start to focus on the quality of what they do as opposed to how they are doing it.”
Ultimately, perhaps, that is where standards will lead us across Europe. We’ll stop arguing about the right approach and actually do things better.
Ron Miller is principal consultant in SunGard Availability Services’ consulting team. He was a co-developer of BS 25999 and, subsequently chaired the panel that developed, BS 25777. He co-edited ISO 27031 and continues to be involved in ISO and British Standards activities.
For more information about Business Continuity visit the SunGard website