Q. I am trying to determine the most effective way to ensure that my company is proceeding in the right direction as we develop a business continuity plan. Can you provide any guidance on standards that I might benchmark against?
A. First, let’s talk about what business continuity is. According to Georgetown University, “The term Business Continuity can be described as a mentality or methodology of conducting day-to-day business, whereas Business Continuity Planning is an activity of determining what that methodology should be.” Ideally, business continuity planning is an activity performed daily by an organization to ensure that its critical business functions will be available to all respective internal and external stakeholders before, during, and after a crisis. The business continuity plan can then be described as the tool that places that methodology into a structure to be followed by everyone in the organization in order to fulfill its business continuity planning requirements.
Business continuity planning (BCP) identifies an organization’s exposure to various risks while bringing together various resources in order to provide effective assessment, preparedness, response, and recovery from these risks negatively impacting the organization. Business continuity planning is an ongoing strategic practice governing how business is conducted. Long-term, fact-based, strategic business plans designed to attain the objectives of the business must be supported by parallel plans intended to ensure continuity of business operations regardless of the type of threat or risk encountered.
Over the past few decades, business continuity planning has evolved from something undertaken by a few companies, primarily for compliance purposes, to a mission critical part of every organization’s annual strategic planning process. In today’s global business environment, man-made, technological, and natural risks transcend borders and business functions. Hence, the increasing need to leverage a business continuity standard with which to benchmark a business continuity program. Benchmarking is a useful exercise that enables the demonstration of a program’s value and diligence undertaken to the appropriate internal and external stakeholders as required.
The following are some of the most common standards corporations use to help them develop their business continuity program.
· NFPA 1600
· BS 25999-1 and BS 25999-2
· ISO/IEC 27001
· ISO 22301
· ISO/PAS 22399
The Security Executive Council recently conducted a Security Barometer quick poll to find out from security practitioners what business continuity standards they prefer.
The brief descriptions and links below will provide more information on three of the most common standards corporations use when developing their business continuity programs:
NFPA 1600 and ISO 22301 are two of the most common standards corporations use to help develop their business continuity programs. Although NFPA 1600 was initially launched to address emergency management, it is currently the international standard for emergency management, incident response, and business continuity as well. ISO 22301, published by the International Standards Organization (ISO), addresses requirements from several national standards, including those of the United States, Japan, Singapore, Canada, and Australia.
BS 25999-1 is an independent standard released by the British Standards Institution (BSI) that is applicable to all organizations; prior to its release, Business Continuity Planning professionals relied on an Information Security Standard, BS 7799. BS 25999 focuses largely on business continuity and comprises two parts – Part 1, Code of Practice, and Part 2, Specification – and is positioned so organizations may submit to a formal audit and certification process.
Answer provided by Dean Correia, Security Executive Council Emeritus Faculty member.