Finding your way through the continuity standards maze

Tuesday, February 1st 2011

Posted by Tony Gimple.

With the new ISO standard for Business Continuity (22301) currently at the enquiry stage (or 40.20 in standards language), another continuity standard will be added to the fold. What should those looking for gold-standard continuity be looking for, and what impact will ISO22301 have on the continuity standards stage?

What are the standards out there?

Here are just some of the standards that exist around continuity.

What should you be looking at?

There is only one standard that exists right now that will give you peace of mind and a robust business continuity plan. BS25999 is THE industry standard and puts in place a full management system which will allow your organisation to survive a denial of access to your critical business functions, even in the event of the unforeseen. The British Standard is also completely certifiable, allowing you to easily demonstrate your organisation’s commitment to resilience.

This is not to say that other standards are unimportant, but when it comes to Business Continuity, only BS25999 will give you a complete continuity assurance from IT to office space.

What about ISO22301?

Where, then, will ISO22301 fit into the picture when it is eventually published? All the indications point to ISO drawing heavily upon BS25999 for its continuity standard, and any changes will probably be very minor. There has been some suggestion that there will be less focus on contingency arrangements, but this is very unlikely to affect organisations looking to add ISO22301 to an existing BS25999 certification. If you’re thinking of waiting for the new standard before committing yourself, it would be better to start now because the ‘good management systems’ principles will remain constant. The quality assurance and commercial benefits to your organisation of acting now will FAR outweigh the negligible (if any!) costs of tweaking your arrangements to the new standard.