ISO 22301 Business Continuity Services

ISO 22301 Business Continuity Questions and Answers

What does ISO 22301 Business Continuity mean? ▼

The BCI states that a Business continuity system bcms is about having a plan to deal with difficult situations, so your organisation can continue functioning with as little disruption as possible.

Whether it’s a business, public sector organisation, or charity, you need to know how you can keep going under any circumstances.

So, the basics are having an advanced plan and preparing for an unknown event so that a business can recover and operate to agreed levels to maintain minimal service levels. Some of the critical areas to consider are:

How does the business communicate with its customers?
How does the company ensure products are manufactured or produced?
How soon after the event can we be back?
How do we support our employees during an event?
How soon do we recover IT services to support the business?
How does the company communicate to employees and customers?
Should we have business continuity built into development processes?

What is a business continuity strategy? ▼

One of the critical elements of any business continuity project is to review the business impact and draw up an overarching strategy. This crucial step is missed for many companies, and vital analysis is not considered or may even be overlooked.

Over many years we have seen business continuity plans developed straight from the business impact analysis, missing department dependencies and suppliers.

The results of conducting a business continuity strategy are numerous:

Allowing for a more relevant and quicker recovery
Departments will be able to understand business recovery and minimum service delivery to meet customers' needs
Highlight supplier requirements, with the possibility of seeking additional resources.
Allow for more robust exercises and testing to take place
Qualify and quantify exposures to the organisation's operation

How to start to implement ISO 22301? ▼

ISO 22301 doesn’t detail a BIA (Business Impact Analysis) requirement. It leaves your company to decide what is required and what risks you face. Companies will have varied issues that need addressing. No matter what method a company uses, consistent topics have to be understood. The most important part of an analysis is to gather as much information as possible. Areas to cover are dependencies, processes, risk and capabilities. The best method is a questionnaire covering all the topics mentioned.

When you have gathered the completed questionnaires, a report analysing all the questionnaires will be written and consider what is to be recovered, including expected timescales. Several companies often miss this step.

when considering analysing departments or business processes, areas to cover are:

The key activities of the company;
Critical recovery tasks, including data recovery;
How dependencies on other departments will reduce recovery times;
How will the data owners sample data for issues;
How long will the company take to recover following different scenarios?

How to understand your Business through ISO 22301? ▼

During the early stages of any ISO 22301 business continuity implementation, it is essential to establish the project’s objectives. When implementing a business continuity system, the organisation must decide whether to cover the whole organisation or just specific products or services.

Such issues concerning the business's strategy concerning business continuity will require discussion with the top management and the project team to ensure alignment. This discussion will also form part of the scoping, project plan and schedule. These will be forthcoming within the Project Control Document.

What is a business impact analysis in disaster recovery terms? ▼

How to ensure resilience in the supply chain in ISO 22301? ▼

Ensuring the supply chain’s resilience is a critical success factor for business continuity and information security in all industries sectors.

To achieve this objective, Supply Chain Management needs to incorporate an appropriate set of measures and an understanding of supply chain risks to implement adequate control within the procurement processes.

Some Businesses take for granted that customer data will be kept secure, and supplier risk assessments are on the back burner.

Some of the critical areas to be considered are as follows:

Has the business considered supply chain disruption in your risk assessment?
Has the company identified and assessed the resilience of your supply chain?
Has sufficient business information available about supply chain risks?
Has the company considered unacceptable risks or performance by suppliers?
Has the company reviewed the results of supplier audits and acted upon them?
Has the company considered a program for supplier qualification?

How often should business continuity plans be tested? ▼

Business continuity plans require testing to ensure that the agreed strategies and plans will work effectively following a disruption. To achieve this, a company must test the process and rehearse the people identified in business continuity plans.

There are three levels to consider in testing and rehearsing the agreed Recovery Strategy and supporting Business Continuity Plans:

Full-Scale Simulation - Testing all aspects of the Recovery Strategy (i.e., plans, IT, telephony and facilities) within one comprehensive event.
Integrated Testing - Combining several processes or components that may have interdependencies (e.g., a Recovery Site test, including all aspects of IT and telephony) into a single event.
Component Testing - Looking at areas that to test in isolation.

The recommendation is to conduct component testing in isolation to enhance business continuity plans. Once tested successfully, the components can be combined for Integrated Tests. Finally, a full-scale simulation can be scheduled if the organisation is comfortable that the integration will work.

Creating a clear, concise ISO 22301 certification scope? ▼

Your scope should be quick and easy to understand. Anyone in or beyond your organisation should be able to look at it and instantly see what’s included and what’s not.

Try using diagrams to show what’s in and out of scope
Don’t write twenty-page tomes that nobody wants to read

A clear, simple diagram of your scope can be a useful communications tool. It makes it easy to show everyone exactly what your ISMS covers. Bear in mind that:

If people can’t remember it, it won’t work

When you’re writing your scope, it’s beneficial to remember the difference between your:

Overall scope of security
Certification scope

Your scope of security covers every location and element of your business. But you can limit your certification scope to specific departments, locations or processes. So you can create shorter, sharper content and still protect critical parts of your organisation.

For example, if you’re looking at a hub and spokes, you can focus on the corner. Everyone who comes into it from a spoke has to follow the hub’s security rules

Studying the ISO 22301 standard before implementing it? ▼

Familiarise your organisation with the standard and its purpose. It is not uncommon for organisations to introduce an information security management system before they completely understand what the average is about and its requirements.

Companies sometimes use the standard as a checklist of requirements that must be ticked off; however, you can easily spend time preparing documentation that is not required with this strategy. In addition, you risk only partially meeting the requirements of the standard.

Preparations are essential to a successful management system and, ultimately, compliance or certification.

Should management approve an ISO 22301 project? ▼

Success requires that management be involved and committed. Management must commit to plan, implement, monitor, review, maintain and continually improve the management system.

Management should also ensure that resources are available to work with the business continuity management system. The employees responsible for developing, implementing and maintaining the system have the necessary competence and receive appropriate training.

With ParkinsonHowe will put these prerequisites in place and assist you to:

Develop an business continuity policy
Determine objectives and plans relating to business continuity
Define and allocate roles and responsibilities within business continuity

How to determine the policy and scope in ISO 22301? ▼

When your management is involved and committed, you can start developing your management system.

Your first step is to define the following:

policy
Objectives
Clear roles and responsibilities

Once this has been completed, you can develop the scope of the management system based on your company requirements and which parts of the business should be included, for example, offices, locations resources, etc.

How to consider effective business continuity communication? ▼: Effective business continuity communication involves creating clear and concise plans for how your company will communicate during disruptions. Identify key stakeholders, designate communication channels, and craft templates for different scenarios. Regularly update contact information and practice mock communication drills. Ensuring timely and accurate information dissemination, minimizing confusion and maximizing your company's ability to navigate challenges seamlessly.

What is effective ISO 22301 competence management?? ▼

Is the purpose of providing sufficient evidence that employees are competent within the management system.

All people staff and contractors working in or for the business should be able to demonstrate they are competent for the role.

Here are some of the areas auditors will look for:

Competency objectives and targets are set for all organisational levels;
Management and staff development programs are in place;
A succession planning system is in place;
Competence requirements are set for contractors and temporary staff;
Periodic refresher training is provided;
Systematic cross-training and rotation of personnel are applied where feasible;
Feedback is in place to capture the views of personnel as well as interested parties;
A competency management process is in place that considers improvements

Continuity and business resilience what to consider? ▼

All business wants to continue when a disruption strikes and looks to have resilient processes for business continuity. maintaining and improving resilience relies on investment of all kinds, not just financial, in order to continue business during disruption

Here are some of the areas you should look for:

Are there plans for resilience to be measured?
Does the Incident Management structure and the response match a resilient approach
Are resilience objectives measurable and quantifiable?
Is risk mitigation more towards prevention than business continuity?
Are risks regularly reviewed to check if they align with the risk appetite?
Is there a post-disruption incident analysis?
Are amendments made to spend if the objective of managing risks is not met?

Effective management of ISO 22301 risks? ▼

For any business management system, one of the critical areas that require addressing is the evaluation of both risks and opportunities to allow a business to increase its effectiveness and achieve its intended results.

So, what does a business need to consider:

Has the business stated the actions needed to address risks and opportunities?
Has the business determined the outputs required when setting objectives?
Has the business applied risk management to functions?
Has the business specified the methods to be used for risk identification?
Has the business stated using internal audits to review risks and opportunities?
Does the business share best practices for managing risk?

Where does business continuity planning belong? ▼

Under ISO 22031, business continuity belongs to top management and keeps consistent with business strategy and direction. It does not mean that a junior staff member cannot be responsible for maintaining business continuity.

Some would say that ownership depends on key departments; inevitably, the Directors or Board have to take ownership and provide reassurance to stakeholders.