What you will learn in this tip: With more new business continuity (BC) standards being added to an already crowded playing field, learn how to determine which ones are most useful for your organization.
Business continuity standards provide what might be described as an ideal way to develop, deploy and manage business continuity. While there are probably as many different approaches to business continuity/disaster recovery (DR) as there are practitioners, standards can provide a clear and consistent framework for plan development and execution. None of the BC standards are officially mandated in this country (as opposed to regulations, which are mandated). But it’s advisable to review the standards and determine how closely your business continuity/disaster recovery program aligns to them. It also makes sense to add business continuity standards to your BC program development efforts, if for no other reason than to ensure that your program is consistent with industry-accepted practices.
With the recent releases of the International Organization for Standardization’s ISO 22301 draft business continuity standard and the joint ASIS International/British Standards Institution BCM.01-2010 standard, the global playing field for BC standards is now fairly crowded (see "International business continuity standards").
International business continuity standards
In addition to the most recent ISO 22301 draft business continuity standard and the joint ASIS International/British Standards Institution BCM.01-2010 standard, several other well-known standards include:
- British Standards Institute: BS 25999, Parts 1 and 2
- National Fire Protection Association: NFPA 1600:2010
- ASIS International: ASIS SPC.1-2009
- Australia/New Zealand Standard AS/NZS 5050
- Singapore Standard SS540
- Canadian Standard: CSA Z1600
- Government of Japan BCP Guideline
- Japanese Corporate Code – BCP
- ISO 24762 (IT Disaster Recovery)
- National Association of Stock Dealers: NASD 3510/3520
- National Institute of Standards and Technology: NIST SP 800-34
- New York Stock Exchange: NYSE Rule 446
Why are there so many business continuity standards?
The business continuity profession is relatively new, having its roots in data center disaster recovery dating back to the 1970s. As the industry has grown over the past 20-plus years, one of the developments has been a focus on professional practices, such as how to conduct a business impact analysis (BIA) or write a business continuity plan. As part of that evolution, business continuity and disaster recovery standards have emerged.
Recognition of the value of business continuity has encouraged a dozen or more countries to establish their own standards and practices. Within some countries, such as the U.S., U.K., Australia/New Zealand and Singapore, we can observe dramatic growth in additional standards and practices. Now that the ISO has issued a draft BCM standard (ISO 22301), we are at the dawn of a new era in business continuity management.
Which business continuity standard should I use?
At the moment there are a glut of standards and practices. All are consistent with established BCM practices. So which one is the best, then, if that level of accolade is relevant?
Should you wait for formal release of ISO 22301? Or, should you use existing standards that have demonstrated their value, such as the BS 25999, NFPA 1600, ANZ 5050, CSA Z1600, and SS 540? Since the official release of ISO 22301 is anticipated in 2011, it may be appropriate to wait. However, if you don’t have the time, consider any one of the established standards.
Start by researching your organization’s management and how they feel about standards. If they are non-committal, then consider one of the three standards approved for the PS-Prep program. As the British Standard BS-25999 is probably the most widely used business continuity standard, it is an excellent starting point. BS 25999, Part 2 is also designed as an auditable standard, which can help if you expect to be audited.
Comparing the business continuity standards
A popular way to compare similar business continuity standards and guidelines is to use “crosswalks” or a comparison table that aligns the different standards side-by-side so they can be compared against a common set of criteria. Table 1 below compares the three currently approved standards in the U.S. Department of Homeland Security’s Public Sector Preparedness Program (known as PS-Prep) with the two newest standards, the Joint ASIS/BSI BCM.01-2010 and ISO 22301.
The left-hand column lists commonly observed components in BCM standards. Columns for each standard describe where the information for each category can be found. This table does not examine the level of detail or usefulness provided in each standard; only that the information is in fact provided.
Most standards are prescriptive; they describe what should be done. They do not describe how each activity is to be implemented – this is usually at the discretion of the organization. Table 1 is a starting point in the process of selecting a standard. The table points out that essentially any business continuity standard can be used in an organization.
Table 1: Comparison of ASIS/BSI BCM.01-2010 with ISO 22301 and PS-Prep Standards
|BCM Element||ISO 22301||ASIS/BSI BCM.01-2010||ASIS SPC.1:2009||BS 25999:2||NFPA 1600:2010|
|Introduction||Section 0.1||Section 0||Section 0||Introduction||Introduction|
|Plan-Do-Check-Act||Section 0.2||Section 0.2||Section 0||Introduction||Annex D|
|Scope||Section 1||Section 1||Section 1||Section 1||Chapter 1.1|
|References||Section 2||Section 2||Section 2||Section 3.1||Chapter 2|
|Terms & definitions||Section 3||Section 3||Section 3||Section 2||Chapter 3|
|Business continuity management system||Section 4||Section 4||Section 4||Section 3||Annex D|
|Policy||Section 5.3||Section 4.3||Section 4.2.1||Section 3.2.2||Chapter 4|
|Planning||Section 6||Section 4.4||Section 4.3||Section 3||Chapter 5|
|Risk analysis||Section 8.4.3||Section 184.108.40.206||Section 4.3.1||Section 4.1.2||Chapter 5.4|
|Business impact analysis||Section 8.4.3||Section 220.127.116.11||Section 4.3.1||Section 4.4.1||Chapter 5.5|
|BC strategies||Section 8.4.4||Section 4.3||Section 4.2||Section 4.2||Chapter 5|
|Implementation||Section 8.5||Section 4.5||Section 4.4||Section 4||Chapter 6|
|Identifying resources||Section 7.1||Section 4.5.1||Section 4.4.1||Section 4.3||Chapter 6.1|
|Roles and responsibilities||Section 5.4||Section 4.5.2||Section 4.4.1||Section 3.2.4||Chapter 6.6|
|BC response||Section 8.5.4||Section 4.5.6||Section 4.4.7||Section 4.3.3||Chapter 6.9|
|Emergency notification||Section 8.5.7||Section 4.5.7||Section 4.4.3||Section 4.3.2||Chapter 6.8|
|Business continuity plans||Section 8.4||Section 18.104.22.168||Section 4.3||Section 4.3.3||Chapter 6.7|
|Monitoring and measurement||Section 9.1||Section 4.6.1||Section 4.5.1||Section 4.4||Chapter 7.1|
|Evaluation of compliance||Section 8.7.2||Section 4.6.2||Section 4.5.2||Section 5.1||Chapter 7.1|
|Testing and exercising||Section 8.6.1||Section 22.214.171.124||Section 126.96.36.199||Section 4.4||Chapter 7|
|Records management||Section 7.5||Section 4.6.4||Section 4.5.4||Section 3.4.2||Chapter 4.8|
|Training and awareness||Section 7.3||Section 4.5.3||Section 4.4.2||Section 3.2.4||Chapter 6.11|
|Auditing||Section 9.2||Section 4.6.5||Section 4.5.5||Section 5.1||Chapter 8.1|
|Continuous improvement||Section 10.2||Section 4.7.4||Section 4.6.5||Section 6.2||Chapter 8|
As you can see, all of the business continuity standards conform to the outline provided in the table above. Does this mean they are all the same? No, but it means they all address the established issues for business continuity management. It then becomes a matter or corporate preference, or perhaps the ultimate standard will be dictated by industry regulations.
Each standard addresses BCM issues, but keep in mind that very few provide any real instructions as to how to plan and implement a BCM program using the standards. A notable exception is the Joint ASIS/BSI BCM.01-2010 standard, which includes a section on guidance that will provide greater understanding on how to plan and execute a BCM program.
About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter and can be reached at email@example.com.
This was first published in May 2011