No one knows what the future holds, and uncertainty is part of life, especially when it comes to business. However, you can be prepared by identifying potential threats to your business by implementing the ISO 22301 standard for a Business Continuity Management System (BCMS).
A BCMS helps to reduce or eliminate the potential negative effects of a disruptive incident, such as a fire, flood, cyber-attack or even a loss of services. In real terms this could save the business a significant amount of time, money, customer retention and reputational impact.
In this blog, we are going to look at 10 steps to implement a Business Continuity Management System and prepare for ISO 22301 certification. Don’t worry if you’re not planning on certifying you can still use these steps to help your implementation.
Before starting to prepare for ISO 22301 certification, it’s important to do the following for a successful implementation:
Next, you will need to identify what areas of the business are covered by the BCMS. The scope of the management system covers:
You will also need to identify your interested parties. These are anyone who could be affected by the activation of your Business Continuity Plans (BCP). Interested parties will be identified as you go through your process of identifying your internal and external issues. In general these would include:
You should also identify any legal and regulatory requirements required to your business’s products or services and keep these up to date.
Once this has been done it must be documented. All the information identified during this process must be maintained within a file, or part of the BCMS manual as applicable.
An important aspect is to establish and document a Business Continuity Policy. The Policy needs to be aligned to the business’s strategic direction and reflect that the BCMS is integrated into the processes within the business, supported and adequately resourced.
There are several stipulations within the ISO 22301 standard that are required for the content of the policy. These are:
For the BCMS to be effective it must have people who will be responsible for it. The business will need to identify and assign responsibilities to those staff members within their roles. These staff members will be responsible to:
The BCMS must have a clear organizational structure, and this can be linked to a responsibility matrix.
Within the standard, a strong emphasis is placed upon the responsibility of senior management. An auditor will expect to see an active involvement from the senior management, not just during implementation, but throughout the lifetime of the Business Continuity Management System.
During the planning of the BCMS the business needs to take into consideration risks and opportunities that were identified during the scoping of the BCMS. These include interested parties. The business will need to identify which risks and opportunities need to be addressed to ensure that the BCMS can:
In order to do this, the business must define a risk process. There are many risk processes out there, so evaluate some of these to find the one that works for your business model.
This is also the time to look towards identifying and setting business continuity objectives. These objectives need to be established at relevant functions and levels within the business and can be at a senior management or departmental level. These objectives must be:
The planning of objectives must include how they will be achieved. So before finalising objectives ensure that there is a clear statement on:
As new ‘threats’ are identified, there will inevitably be changes required to the BCMS. It is important to identify how changes to the BCMS are to be carried out, implemented, and tested in a planned manner. Things to consider are:
In order for the BCMS to run effectively and achieve its desired outcomes, there must be the right people with the right skillsets in the right roles. The ISO22301 standard requires that the business has identified roles, associated responsibilities and competency levels for staff involved within the BCMS. The business must also ensure that the equipment or infrastructure needed to support the BCMS is capable and in sufficient supply. You may identify staff for roles, but don’t have the necessary skills or competencies identified for that role. A training programme should be setup to develop those staff members. This will need to be documented as an auditor may want to see evidence of this.
There is a requirement to put into place an awareness programme for all staff, not just BCMS staff. As mentioned at the start of this blog, managing change will require staff being aware of the reasons and benefits of ISO 22301 Certification. However, as the BCMS matures, and for new staff joining, continued awareness training is required, especially if there are changes being made that could affect them, or their actions during an incident.
To ensure that processes and plans in your BCMS work effectively they will need to be communicated across the business to the relevant areas and people.
A communication plan can be defined which would include:
Much of this information may be contained in your processes or BCPs and this should satisfy an auditor. However, if they are not, then these need to be documented in the form of a table or procedure.
Talking about documenting information brings us nicely onto documented information within the BCMS. You should have a clear procedure for the creation, numbering, reviewing, updating, archiving and eventual destruction of all documented information within the BCMS.
It is a good idea to identify one person or a small team who will be responsible for ensuring that document control is maintained. They would ensure that new or modified documents are maintained as required, reviewed prior to issue, and more importantly stored in the right locations. They would also be responsible for ensuring that superseded documents are removed from circulation and version control.
Documented information pertains to all processes, procedures, plans, forms, and reports that are associated to the BCMS. These can be in pretty much any form, for example, paper, electronic, jpeg etc. However, they must all follow the numbering system as defined in your documented information procedure.
It can be difficult to know where to start with creating documentation for your BCMS, which is where the ISO22301 toolkit can help as it is designed to provide you with all of the documents and tools needed to prepare for ISO 22301 certification.
Now that all the planning, risk and opportunity assessments and documented information required by the ISO22301 standard has been completed, you can now ensure the processes and actions identified to address the risks and opportunities are implemented and controlled.
The processes to ensure the effectiveness of the BCMS should be:
You now need to carry out a Business Impact Assessment (BIA). The ISO22301 standard requires those who wish to be certified to implement and maintain a process for analysing business impact and assess the risk of disruption to its key activities.
This is a useful exercise as the results will enable the business to determine the appropriate strategy and solutions needed to respond to a disruptive incident.
The outcome of the BIA will allow the business to determine the correct business continuity strategy and identify the resources required to respond and manage disruptive incidents until operations can resume as normal.
Associated documented information to support the strategy are then produced. These include Business Continuity Plans (BCPs) and Procedures. BCPs can be separated out to business wide and departmental. The BCPs will have associated procedures referenced from them, all of them being created in line with the Documented Information procedure as mentioned in step 6.
Once all the documented BCPs and procedures have been produced they must be tested. A programme of business continuity exercises must be established. Before certification at least a few of your BCPs and procedures must be practiced. Any changes properly documented, and related documented information updated.
This gives the business time to assess the effectiveness of the incident response procedures and amend and update them as necessary. It will also allow the business to check that the response resources are adequate or decide if they need additional resources to ensure the procedure can achieve its expected outcome(s).
An important step prior to ISO 22301 certification is to check that the BCMS is effective and can achieve its intended outcomes. This is done through completing some of the programmed exercise events, reviewing the documentation, internal audits, and management review meetings.
Throughout the lifetime of your management system, you will need to carry out internal audits as this is a requirement of the certification audit. This can be conducted by your own staff or outsourced to an ISO Internal Auditor. If you decide to have your own auditors, then you will require at least two. This is because an auditor cannot audit themselves. If conducting internally, staff will need to attend a course on how to conduct an audit on the required standard, this will give them a good working knowledge of the ISO22301 standard. They don’t need to be experts in every aspect of your business, but will be expected to be able to identify, through provided evidence, if the requirements of the BCMS are being met.
Internal audits should cover all areas of the BCMS scope over a 12-month period. Results of the internal audits are one of the inputs to the management review meeting.
For a business that has just been certified, the management review meeting should be conducted at least twice a year. Within the standard itself there is a list of the required areas to be reviewed, internal audit results being one of them. Minutes of the management review must be kept as this is part of the evidence an auditor will review to ensure that you are compliant in that area of the standard.
Any nonconformities must be followed up to check that corrective actions agreed have been implemented and whether they have achieved their intended solutions.
BCMS objectives is another area that will be reviewed. Doing the management review biannually will allow senior management to assess if the objectives are on target to achieve their intended outcome. If they aren’t there is still time before the next review to amend, change the way they are being implemented or remove them.
An internal audit could bring up nonconformities. These are areas that either partially comply or don’t comply with a requirement of the standard, business procedure or regulatory requirement. These need to be reviewed along with any corrective actions that were agreed to put in place. This can lead to opportunities for improvements to the BCMS. These should be documented and can be either implemented as per the change procedure or as a new objective.
The end of the beginning is in sight! Having completed the management review meeting you should be well placed to decide if all is ready for certification. To help do this we suggest reviewing your initial gap assessment to check that all the noncompliant and partially compliant areas have been checked off. Any that are still outstanding need to be addressed before certification.
Allocate a person or persons to be responsible for closing all outstanding actions. Don’t forget to set realistic timelines for their closure and allow for assessment of the fix.
Take a final check of the ISO22301 implementation plan and update as necessary.
Now it’s time to book in your ISO 22301 certification. If you haven’t already got a certification body in mind, now is the time to do some research to find a suitable Registered Certification Body (RCB). These are the people who will audit you against the requirements of the standard and can award you certification.
During your research get quotes and timelines from the potential RCB. Although they all serve the same purpose, they all have different costings, so shop around. The most expensive may not be the best choice. Our blog on choosing a Registered Certification Body will help you decide how to pick the most suitable RCB for your certification.
Leave enough time before the certification audit to do a pre-certification internal audit. This is a final sweep to pick-up any overlooked areas and to also satisfy yourself that everything is in place.
Any management system takes time to implement and embed. Don’t expect to gain ISO 22301 certification within 3 or 4 months of starting implementation, otherwise you are setting yourself up to have a BCMS that will not fulfil its reason for being implemented. Allow 6-12 months to fully implement and embed the BCMS. At the end of the day a well implemented and embedded BCMS will save you time, money and allow you to recover from an incident quickly and efficiently.
For more information on the ISO22301 standard, how to implement and the certification audit, download our free ISO22301 implementation guide today.