Certification

Getting your house in order

Hilary Estall walks us through the many pitfalls which organisations experience when seeking certification and provides advice on avoiding these.
Since the publication of BS25999:2 by the British Standards Institution in November 2007, the business continuity standard has sold faster than any other British standard to date. When one considers other well-known standards, this is highly impressive and goes some way to demonstrating that business continuity is gaining greater recognition and credibility across the globe.

So, what can this level of interest be attributed to? Is it world events such as 9/11, environmental disasters like Hurricane Katrina or the 2007 floods in the UK, or is it just that our level of expectation for continuity of service and lifestyle is driving up this requirement? Well, in truth, it is all of these, and there is nothing to suggest that this interest in BCM is likely to dissipate any time soon. Governments and organisations alike are looking for a medium to instil a recognised and evaluated level of control over what they expect from their businesses and their suppliers.

At the time of writing, approximately 50 organisations in the UK and a further 50 in the rest of the world have become certified to BS25999:2. Whilst this is only a tiny proportion of the overall level of interest in the standard, and representative of the initial flurry of interest that is seen with all new standards, it is significant in its own way.

The findings so far

Based on the assessments carried out on those organisations seeking compliance or certification under the standard, we have witnessed some interesting trends emerging. For example, there has been a tendency to focus more on the technical areas of business continuity (clause 4) rather than ensuring that all the elements of the management system have been fully implemented. Underestimating the importance of determining what the necessary competencies are for BCM personnel has also been a recurring issue. Furthermore, in some instances there have been difficulties in ensuring that there is a meaningful link between the organisation's business objectives and its business continuity objectives, and that these are traceable through the business impact analysis and business continuity strategies.

At the core of every business continuity management system is the Plan-Do-Check-Act (PDCA) cycle, which all organisations must get to grips with if their plans are to be effective. This was added to BS25999:2 in an attempt to be consistent with other management systems such as ISO 9001:2008; but to some the addition of the PDCA cycle simply adds an unnecessary layer of confusion to what for many is their first foray into the world of management systems. By linking it with the BCM Lifecycle it goes to show that there is an evolving cycle to the business continuity management system, following the phases of establishing, implementing, monitoring, reviewing, maintaining and improving business continuity.

The classic mistakes

So, what are the classic assumptions being made and pitfalls encountered when dealing with compliance or certification, and how can we overcome these?

• Top heavy on documentation – For those people who don't have experience of other management systems there may be a tendency to over-produce materials such as manuals, procedures, process maps and other documentation in the belief that this is what the auditor wants to see. Whilst documentation is a source of auditable evidence, BS25999 is very clear in stating what it expects. Where an organisation has a particular desire to produce more than what is required, this should be limited to practical materials. Business continuity plans have been known to run into hundreds of pages (each!) and clearly are of limited practical use in the event of a disruption.

• Why do we have to have written procedures? – To ensure consistency of approach, some management system processes are required to be documented in the form of procedures. These tend to be along similar lines for each management system and for BS25999-2 are stipulated for just five elements: control of business continuity management system (BCMS) documentation and records (these may be combined into one procedure); internal audit; preventive action; and corrective action. These procedures should be written in line with the requirements of the standard (in full) and be readily accessible for staff to read, in particular should they be required to undertake any related BCMS activities.

• The provision of BCM resources and determining competencies – All being well, senior management will have identified what roles are required and who will fill them. This may be from existing staff or from a recruitment initiative, but either way there will need to be clear evidence of how this selection process took place and what competencies, skills and knowledge were considered appropriate for each role. These roles and responsibilities may be added to an existing job description or be added in an appendix. It is not sufficient to blame the HR department for "not getting around to updating the job descriptions" come the time of the assessment. And don't forget about defining individual authorities too; omitting these is a classic mistake.
January/February 2010 Continuity 2