What you will learn in this tip: Business continuity certification is often overlooked in organizations, but it has many benefits. Learn about the process of getting certified in the U.S. and how it can help your business.
Certification of business continuity (BC) programs can make business sense, as it demonstrates to your customers, competitors, suppliers, staff and investors that your approach to business is consistent with good business practice through the use of industry-accepted standards and guidance.
Outside of the U.S., especially in the U.K., business continuity certification is an important business strategy, and is undertaken by more organizations every year.
The business continuity certification process in the U.S.
Ratification of Public Law 110-53, Implementing Recommendations of the 9/11 Commission Act of 2007, and Title IX in particular, launched the Voluntary Private Sector Preparedness Accreditation and Certification Program, known as PS-Prep. The U.S. Congress subsequently directed the Department of Homeland Security (DHS) to develop and implement a voluntary program of accreditation and certification of private organizations using standards adopted by DHS. The goal was to increase private sector preparedness through deployment of programs in disaster management, emergency management and business continuity.
PS-Prep provides a mechanism by which a private sector entity -- a company, facility, not-for-profit corporation, hospital, stadium, university, etc. -- may be certified by an accredited third party establishing that the private sector entity conforms to one or more DHS-approved preparedness standards.
Prior to PS-Prep, the U.S. had only one standard, NFPA 1600, that American businesses and other private sector entities could use to assess their all-hazard preparedness. Having a plan to mitigate how disasters affect a business and its employees can help ensure that a business will recover and reopen following a disaster or other emergency. Unfortunately, that standard was largely unknown outside the emergency management and first responder communities.
PS-Prep: A voluntary business continuity program
PS-Prep participation is completely voluntary. Despite DHS’s refusal to require private sector firms to comply with program standards, the agency still encourages private sector organizations to seriously consider certification against three standards that have been adopted by DHS. Descriptions of each standard follow.
| Standard | Description |
|---|---|
| ASIS International SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for use (2009 Edition). Available at no cost. | Addresses the issue of operational resilience, which advocates that private sector organizations must be able to recover and return to normal through the use of structured plans; includes a management system and Plan-Do-Check-Act framework like BS 25999. |
| British Standards Institution BS 25999 (2007 Edition) - Business Continuity Management. (BS 25999:2006-1 Code of practice for business continuity management and BS 25999: 2007-2 Specification for business continuity management) The BSI offers both parts for $19.99 each. | Auditable standard for business continuity; features a business continuity management system (BCMS) and Plan-Do-Check-Act framework that addresses all phases of a business continuity program for private sector entities. |
| Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions. Available at no cost. | Originally an emergency management standard for public sector organizations, the standard was updated in 2002 to include business continuity activities for private sector organizations; the 2010 version includes a BCMS and Plan-Do-Check-Act framework like BS 25999. |
PS-Prep may gather momentum when certification becomes a competitive issue. Businesses that demonstrate official accreditation of their risk-based activities may be perceived as “better” than their counterparts. Also, in situations where prospective vendors are bidding for work from another company, the requesting company may require documented evidence of business continuity programs and business continuity certification. Accreditation of the bidding firm’s business continuity management (BCM) program may become an important differentiator.
How to obtain business continuity certification
To get your organization certified, there must be an entity that can officially evaluate an organization’s BCM programs and award the appropriate credential. Under an agreement with DHS, the ANSI-ASQ National Accreditation Board (ANAB) has been designated as the entity that officially certifies organizations that conform with ISO/IEC 17021, the international standard for organizations that provide audit and certification of management systems.
ANAB will not certify corporate business continuity plans. Rather, qualified organizations that pass ANAB’s criteria will conduct the evaluations and award certificates of conformance to organizations that comply with any or all of three DHS-adopted standards.
You can read the full details of the PS-Prep/ANAB certification process on the ANAB website.
The following certification bodies have indicated their intent to become accredited, but at the moment ANAB is still working through the accreditation process. Currently, no organization has been officially accredited to certify for the PS-Prep program.
- British Standards Institution
- Intertek Testing Services NA, Inc.
- National Quality Assurance, USA
- Orion Registrar Inc.
- SRI Quality System Registrar
ANAB will maintain a listing of private sector entities that have been certified in compliance with the program.
Small business considerations
The PS-Prep program recognizes that small businesses need to be treated differently. Because of this, DHS is required to give special consideration to small business concerns. This process is ongoing, and DHS continues to seek comments from small businesses and others on the adoption of business continuity standards for certification under the PS-Prep Program. At the moment, a small business program has not yet been introduced.
Non-PS-Prep business continuity certification programs
Aside from the PS-Prep program, organizations that wish to seek certification of their business continuity program may contact the British Standards Institution (BSI) to pursue its BS 25999 certification program.
The BSI’s program can facilitate the process of successfully implementing and certifying a business continuity management system (BCMS). The list below is a summary of the BSI seven-step certification process:
- Choose the standard – Obtain a copy of the applicable standard (e.g., BS 25999, Part 2:2007) and familiarize yourself with it.
- Make contact – Discuss specific needs with BSI so that the firm can identify the most appropriate services and provide a proposal of the cost and time involved in a formal assessment.
- Meet the assessment team – Once you have signed on to the program, meet with the BSI project contact and members of the assessment team.
- Consider training – If there is an education gap, it may be useful to have some training on the standard.
- Pre-assessment – BSI can conduct an optional preliminary assessment of your BCMS against the relevant standard, and identify any omissions or weaknesses that need resolving before commencing a formal assessment.
- Formal assessment – BSI conducts a multi-stage formal assessment based on the selected standard.
- Certification and beyond – Upon successful completion of the assessment, BSI issues a certificate of registration that summarizes the scope of your certification and is valid for a defined period of time depending on the standard.
In a recent ANAB memo, the organization said that there are currently no training programs that have been accepted to provide auditor training for the PS-Prep-accredited certification program. Accredited auditors will conduct audits in accordance with procedures acceptable to ANAB. Auditors may be individual practitioners or associates with an ANAB-approved PS-Prep certification firm.
ANAB also stated that it was aware of training firms that have been marketing “PS-Prep training courses.” These firms claim that their training will be accepted retroactively and that participants who successfully complete classes prior to the class being certified or accredited will be acceptable as ANAB PS-Prep auditors. ANAB stated that this is an inaccurate assumption for individuals planning on being employed as an auditor by certifying bodies (CBs).
Further, CBs seeking ANAB PS-Prep accreditation must be aware of when a training course became accredited/certified and when each individual potential auditor attended the training. ANAB will (and each CB should) only accept evidence of successful completion of such a course on a date after the course was accredited or certified.
Finally, be careful when considering any firm that claims to be authorized as an auditor for PS-Prep. Make sure the firm has been officially accredited by an appropriate credentialing organization.
About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter and can be reached at firstname.lastname@example.org.