Defend Against Disruptive Events with BCM ISO Standard Cheat Sheet!
When noodles are the core of your business, guess what happens when something disrupts your noodles? A Singapore-based noodle manufacturer didn’t want to find out. To prevent a potential catastrophe, the company adopted business continuity management standards from the International Organization for Standardization (BCM ISO Standard 22301) – and it literally saved their business.
Like many food-production companies, Tan Seng Kee Foods faces unexpected threats on a regular basis. In an interview with ISO magazine, the company described one such hazardous situation in which their Pollutant Standards Index skyrocketed—a drop in air quality and a huge safety risk for workers.
Thankfully, with BCM ISO Standards already in place, the company was able to take action without disrupting operations. Medical masks were distributed and several other precautionary measures were implemented for the health and well-being of employees. The company was able to maintain “business as usual.”
If you’re new to BCM or taking a fresh look at your continuity planning, the ISO standards are a great place to start. In this post, we’ll outline the ISO’s recommendations and how to implement them at your organization.
What is the ISO?
The International Organization for Standardization has been a trusted source for operational standards since its founding in the 1940s.
Headquartered in Switzerland, the organization is made of 162 national standards bodies across the globe. Through its global members, the organization is able to produce consensus-based guidelines for a wide range of industries.
ISO says it has developed more than 21,000 international standards, “covering almost every industry, from technology, to food safety, to agriculture and healthcare.” These standards are important for numerous reasons, but their purpose boils down to three fundamentals:
If you’ve ever wondered who decided how your child’s car seat should be anchored, or how much electricity should pass through your laptop’s power supply, the ISO had something to do with that.
And how about the solar eclipse last week? If you bought some eclipse-viewing glasses, then you probably inspected your glasses for a code to ensure they were legit: ISO 12312-2. That’s the ISO standards code for the manufacturing of filters designed for direct viewing of the sun.
Unless you’re living in a cave, ISO standards influence nearly every aspect of your life. The standards are created by the top experts in each field, thus reflecting a wealth of knowledge and experience to be leveraged by businesses and consumers worldwide.
So, what does ISO have to say about business continuity? Let’s take a look.
BCM ISO Standard – A brief background
As ISO points out, business continuity management, as we know it today, was largely nonexistent until the 1980s and early 1990s. With the proliferation of tech and data storage in the workplace, businesses realized they need to have contingency plans for natural disasters, terrorism and other events.
Over time, businesses naturally began looking to standards organizations to provide consistent guidance for disaster planning and recovery. By the late 2000s, the trusted source for BCM standards was BS 25999, produced by the British Standards Institute.
Not long after, companies across the globe started calling for a single international standard that would provide a business continuity framework for almost any organization.
Thus came ISO 22301: “Societal security – Business continuity management systems – Requirements.” Released in 2012, the standards were “the result of significant global interest, cooperation and input,” and they are widely used today.
Designed ‘to save your business’
The key word here is “framework.”
BCM ISO Standards are generic. They aren’t going to tell you what type of data backup system to implement or what size cooling fans your servers should have. However, the standards will advise you to consider such questions and figure them out for yourself as part of your comprehensive continuity strategy.
ISO has intended for these standards to be used by organizations “of all sizes and types.” As such, some of the standards may be more applicable to your business than others, depending on your operating environment and complexity.
But make no mistake. The ISO BCM Standards are valuable guidelines that can save your business from disaster. Use these standards as the foundation for creating and improving upon your company’s business continuity plan and disaster recovery procedures.
The 7 keys to BCM
The BCM ISO Standard 22301 is divided into 7 parts, each of which we’ll define in more depth below.
Here’s a high-level overview of these key sections:
- Context: Understand your business and its unique BCM objectives
- Leadership: Get the blessing of upper management (approvals, resource support, etc.)
- Planning: Define your risks and the impact of operational disruption
- Support: Create response teams and manage communication procedures
- Operation: Plan, implement and control your BCM processes
- Evaluation: Periodically evaluate your continuity planning and procedures
- Improvement: Correct and improve any weaknesses identified during evaluation and/or as requirements evolve
Remember, as the ISO instructs: “How you apply ISO 22301 is up to you and will depend on your organization’s unique business continuity needs and obligations … [It will also] depend upon your organization’s unique structure, its legal and regulatory obligations, and the processes it uses to support and deliver its products and services.”
Okay, let’s look at the recommendations in each of these sections.
In the actual ISO Standard documentation, each section listed below includes several core directives, which are further broken down into additional instructions.
For our purposes, we’ll just hit the high-level points, but we strongly recommend viewing the complete standards from ISO.
You cannot prevent an operational disaster if you don’t have a deep understanding of your operations.
- Understand your organization and its unique context (Organizational objectives, risk criteria, etc.)
- Define the needs of and expectations of interested parties (Stakeholders, vendors, governmental/regulatory entities, etc.)
- Figure out what your BCMS should apply to and clarify its scope (Define why BCM is critical and the types of events it aims to prevent)
- Develop a BCM system that meets your needs and complies with this standard
BCM can’t happen without the approval and commitment from management.
- Provide leadership for your organization’s BCM system (Make sure managers are committed to its success)
- Show that you support your organization’s BCM system (Ensure that policies are established and objectives are followed)
- Establish a suitable BCM system policy for your organization (Define the groundwork for your business continuity plan)
- Assign responsibility and authority for your BCM system (Define who’s in charge of BCM and what their roles are)
Every business has unique risks for disaster. Understanding them is the key to prevention and survival.
- Specify actions to manage your risks and address your opportunities (Perform a risk assessment and identify solutions for prevention and recovery)
- Set business continuity objectives and develop plans to achieve them
Make sure your continuity planning has the support it needs to be successful.
- Support your BCM system by providing the necessary resources (Identify and secure the resources needed to meet the objectives you’ve defined)
- Support your BCM system by making sure that people are competent (Set competence/performance requirements for those that will make up your disaster recovery / BCM teams)
- Support your BCM system by making people aware of their responsibilities (No confusion, no guesswork!)
- Support your BCM system by establishing communication procedures (How will communication occur, internally or externally, after a disruptive incident?)
- Support your BCM system by managing all relevant information (Supervise the creation, modification and management of business critical documents, including your BCP)
In a disaster, everyone must know their roles and responsibilities: what steps to take and whom to contact.
- Carry out process planning and establish controls (Plan, implement and maintain the processes that make up your continuity strategy)
- Study disruptions and risks and set your priorities (Define how your risk assessments and impact analyses should be executed; prioritize disruptions by impact and likelihood)
- Develop a business continuity strategy to handle disruptions (Identify the solutions and strategies that will mitigate the risks and disruptive events you’ve outlined)
- Establish and implement business continuity plans and procedures (Outline the specific steps for managing disruptive incidents: how, where, who, with what tools, etc.)
- Conduct exercises and test business continuity plans and procedures (Examine how your organization responds to events in a test scenario; make sure processes are being followed)
Don’t make assumptions. Make sure your continuity planning works.
- Monitor, measure, and evaluate your organization’s BCM system (Define how you will evaluate the performance and establish a record of your findings)
- Set up an internal audit program and use it to evaluate your BCM system
- Review the performance of your organization’s BCM system
Your business evolves. So does BCM. Make sure your systems are as good as they can be.
- Identify nonconformities and take corrective actions (Fill any gaps in your disaster response ASAP)
- Enhance the overall performance of your BCM (Continually improve the effectiveness of your processes, as well as your implement solutions and technologies)
Identify your business continuity technology
Find out how you can protect your data from threats like ransomware and natural disasters. Talk to our business continuity professionals at Invenio IT. Request a free demo or contact us by calling (646) 395-1170 or by emailing [email protected].