ISO 22313 provides detailed guidance on how a business continuity management system (BCMS) should operate. It complements ISO 22301, which is the new global standard for business continuity. This article provides tips on how to effectively use the materials provided in ISO 22313.
In general, ISO 22301 provides high-level advice and ISO 22313 fills in the details with practical suggestions. Chapters in both documents largely map to each other, so if you are working on an issue in ISO 22301 and need additional background and more detailed content for your planning purposes, use ISO 22313 for that additional detail. Let's focus exclusively on ISO 22313 to avoid confusion.
For example, Section 8.2 addresses business impact analysis (BIA) and risk assessment (RA), two very important discovery activities when developing a business continuity plan. In ISO 22313, you'll see details on issues to be researched and validated in the BIA and RA, as well as guidance on how to conduct each.
If you are preparing an internal document or a presentation on business continuity to senior management, ISO 22313 provides details on key aspects of business continuity that will help you answer questions from your audience.
When writing policies and procedures for your BCMS, use language contained in ISO 22313 to help you frame your policy statements and procedures.
Scoping out the BCMS is often a challenge. You'll need to think about whether the BC plan addresses the entire organization, individual departments, business processes (e.g., manufacturing), specific corporate locations or something else. Use ISO 22313 to help you define how you will scope out your plans.
Securing senior management support and funding are two key activities in the early stages of a business continuity project. The level of management commitment to the project can be easily defined using the standard as a guide.
Resources, in addition to people, are needed to develop a BCMS and its associated plans. ISO 22313 helps you identify the right mix of resources, including staff, facilities, technology, information and management controls.
Incident response is a key component of a business continuity plan. It defines the response to an out-of-normal condition and delineates what happens, who is responsible and what steps need to be taken to address the situation. ISO 22313 outlines the steps to be taken in an incident response, as well as the responsibilities of the incident response team.
One area of a business continuity program that is often overlooked is communicating awareness of the program to employees and other stakeholders. ISO 22313 lists numerous activities that can help spread the program's messages, such as internal websites, bulletin boards and senior management briefing papers.
When a disaster occurs, communicating information about the incident to employees, stakeholders and other interested parties is essential. But who should be informed and what kinds of messages should be disseminated? The standard provides useful advice on how to address these issues.
One area in which business continuity programs often fail in an audit is documentation, specifically documentation of the program, the plans, emergency contact lists and other relevant data. If you're not sure how much of your program to document, or what kinds of documents are necessary, refer to the standard, since it provides a comprehensive list of program/plan documents and guidance on how to maintain and safely store them.
Assuming your organization has already adopted an existing business continuity standard and is considering a change to the new global standard, the transition will be much easier using ISO 22313.
Finally, you'll need details on how to structure BC plans, define strategies for business recovery and resumption, plan and conduct exercises, coordinate BC plans with technology disaster recovery plans, maintain plans, and review and audit plans to ensure they are compliant with the standards. Use ISO 22313 for all of these activities. Not only does it describe what must be done, but it also provides suggestions on how to perform the necessary activities.
Access to useful information is a key ingredient when developing business continuity plans and a business continuity management system. Fortunately, business continuity practitioners, vendors and consultants have ISO 22313 as a handy tool that addresses most of the planning and operational issues.
About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant/auditor and is secretary of the Business Continuity Institute USA chapter and member of the BCI Global Membership Council. He can be reached at firstname.lastname@example.org.