
ISO 22301: Will Your Communications Plan Meet The New 2012 Standard?

PREPARED BY: Dave Austin, Director, Operational Resilience Ltd

2011 Everbridge, Inc.

ISO 22301
Will your communications plan meet the new standard?

Background
Business continuity is one aspect of managing an organization's risks and has become a key component in making organisations more resilient to natural disasters, terrorism and the many disruptive incidents that can interrupt the operation of an organization. Regulators and governments increasingly recognise how business continuity contributes to the resilience of society as a whole and want to encourage it in order to provide greater stability in key business sectors. To enable management, regulators, government and other key stakeholders to share a common benchmark, standards emerged in a number of different countries. The UK business continuity standard, BS 25999, was the first standard that led to accredited certification; it has since been translated into French, Spanish and German, and adopted by organizations around the world. However, it was clearly desirable to have a single international standard, both so that companies operating internationally could avoid conflicting and competing requirements, and to enable the introduction of recognised good practice into countries with no existing standards of their own.

How Are International Standards Created?


The International Organization for Standardization (ISO) is the world's largest developer and publisher of standards. It is a network of 162 national standards bodies with a central secretariat in Geneva, working to establish standards through consensus that meet both the needs of business and the broader needs of society. The organization is referred to as ISO, from the Greek isos meaning equal, a name adopted by the organization to avoid the inevitable variance in acronyms that would arise in different languages. ISO works through a democratic process, one member one vote, and the adoption of standards is entirely voluntary. However, a standard may become mandated by government in some countries or become a market requirement, as in the definition of the size and shape of bank cards. Indeed, you might be reading this in A4 format, a paper size defined by ISO standards. Most standards are very specific, but there are some that can be applied to organizations of all types, large or small, business, government or voluntary. ISO 9001 and ISO 14001 both define such generic standards, the first for Quality Management and the second for Environmental Management. These are management systems standards with universal applicability.


2.1 ISO and Business Continuity Standards


ISO is developing ISO 22301, which is set to become the world's first International Standard for business continuity management. It is a generic management systems standard, just like ISO 9001 and ISO 14001. In parallel with the development of ISO 22301, ISO has been working to develop common headings and common text for management systems standards. This arose because, as more management systems standards were published, organizations found identical requirements being described in similar but non-identical terms. It became clear that some standardization of common terms and common requirements was needed. ISO 22301 has adopted these common terms, structure, headings and common text and adapted them as necessary to meet the specific requirements of business continuity. As new management systems standards emerge and existing ones are revised, the common content will become increasingly apparent.

2.2 The Process
ISO works through the establishment of Technical Committees (TC) comprising experts in the appropriate field, chosen by their national standards bodies to represent the stakeholders with an interest in the standard being developed. Business Continuity falls under the remit of TC 223 on Societal Security. Within the TC, there are Working Groups (WG) that consider various aspects relating to standardisation in this field, with WG4 specifically responsible for preparedness and continuity. The TC is producing standards across a remarkable range of topics, which reflects the very wide scope of the committee; these include guidance for emergency services organisations to work together more effectively regardless of borders and language, a standard on video surveillance and, of course, business continuity. ISO 22301, which defines business continuity requirements, is to be accompanied by ISO 22313, which will provide guidance on the ISO 22301 standard. Both of these documents have been developed by WG4, which comprises professional expertise from a wide range of countries including the USA, UK, Canada, France, Germany, Sweden, Denmark, Austria, South Africa, Singapore, Australia, Japan, Korea, Thailand and a number of others, such as China, Colombia, Malaysia and Indonesia, at various times. The Secretariat, which deals with all of the administration, is provided by the Netherlands. The experts have a variety of backgrounds, including some with recent personal experience of addressing the fires in Australia and the massive earthquake and tsunami in Japan in 2011. Others bring academic backgrounds, expertise in the drafting of standards, management systems expertise and representation from auditors, who ensure that the standard is auditable when written.

What Are the Key Elements of ISO 22301?


The standard requires organizations to create a management system that will ensure that business continuity is implemented with top management support and the resources needed, and is regularly reviewed to ensure that it remains fit for purpose and is improved over time. ISO 22301 requires the adoption of current good practice, which may be briefly summarised thus:

1. identifying business activities that must be resumed following a disruptive incident, through the process known as business impact analysis (BIA);
2. identifying the risks that the organization faces that may lead to a disruptive incident;
3. defining the business continuity strategy;
4. implementing the business continuity solutions, including defining an incident response structure, warning and communication, and writing appropriate business continuity plans;
5. exercising the arrangements made to ensure that they will work as anticipated and when required.

As can be seen, warning and communication is a key component of the standard.

Warning and Communication in ISO 22301


ISO 22301 introduces specific requirements for warning and communication. This is new and distinct from BS 25999, and reflects the importance of this element, particularly in the initial stages of an incident. Specifically, ISO 22301 requires organizations to have procedures to:

a) detect an incident;
b) regularly monitor the incident;
c) undertake internal communication within the organization, and receive, document and respond to communication from interested parties;
d) receive, document and respond to any national or regional risk advisory system or equivalent;
e) assure availability of the means of communication during a disruptive incident;
f) facilitate structured communication with emergency responders;
g) record vital information about the incident, actions taken and decisions made.


Furthermore, it also requires consideration of procedures for:

a) alerting interested parties potentially impacted by an actual or impending disruptive incident;
b) assuring the interoperability of multiple responding organizations and personnel;
c) operation of a communications facility.

There is an obligation to ensure that these procedures are regularly exercised.

4.1 The Implications of These Requirements


How would you detect an incident? This is often a neglected part of the thinking around incidents, as we often assume that it will be obvious: we can see a fire in the building, or see a storm coming. However, incidents do not always present themselves so clearly and may not be found by your own people. One example of this was when an office was flooded by a burst pipe. The flooded office was discovered by a cleaner, who told her supervisor. He told the landlord and sent some people to turn off the water. None of these people worked for the impacted company, and none of them thought to call and let the company know. The pipe burst on the Thursday night before Easter, and on the Tuesday morning after the holiday, staff arrived to a soaking, and by now smelly and unusable, office. So you need to think about who finds the problem and how they raise an alert so that you know, because you cannot act until you know you have a problem. Having established that there is an incident, you need to ensure that you are monitoring the situation and know how it may be changing. For instance, a forest fire approaching your building will require you to have regular updates on its progress, where safe exit routes remain and so on. Now that we know we have a problem, let's make sure that we can communicate within the organisation. Communication is not just giving people a message: communication requires us to check that it was received, understood and acted upon, and to be in a position to receive feedback. We must deal not only with our own staff but with others too: visitors to our building, contractors, consultants, members of the public, other organisations who may be neighbours, customers, suppliers and regulators. We are required to consider all of these and work out how we will communicate with them, and it may be in circumstances where communication is more difficult than usual.
The BlackBerry network might happen to be down, the cell phone network could be overloaded, or staff may be spread over a large area rather than in a single office, so what are the procedures to deal with this? Your organisation may need to receive warnings from official sources regarding risks specific to your region or country, in which case we need to be sure that someone monitors this and that you know how to deal with the warning when received. For instance, flood warnings may be issued for those in the flood plain of a river, tsunami or typhoon warnings where appropriate, or perhaps an alert from a nearby industrial plant that warns of a chemical or nuclear leak. Similarly, we need to ensure that we can communicate with the emergency responders, such as police, fire and medical services. If we were faced with a fire, the authorities take control of the situation and you will need to provide information to them when requested, such as assurance that the building has been completely evacuated, and to obtain information from them when they are ready to provide it, such as the extent of the damage and when access may be possible. Throughout the life of the incident, it is important to record vital information, actions taken and decisions made, so you must have considered how you might do this in the varying circumstances in which you may have to operate. Keeping a manual record with paper, pencil and clipboard may seem like a good idea until you try to do it in the dark when it is raining. The final set of requirements that must be considered depends on the nature of your organization. The requirement to alert interested parties relates to the need for certain types of organization to tell neighbours and the public if they have an incident which will impact upon them. For instance, a chemical plant that might pollute the air or water used by neighbouring businesses and the public will have an obligation to alert them to the danger. Remember that many ordinary organisations can pose a risk to the public on occasion. For instance, the emission of legionella from a poorly maintained air conditioning unit killed several people in the UK; the problem was known, yet no warning had been given.
Larger organizations are likely to need to consider the requirement for interoperability of multiple responding organizations and personnel. For instance, a large campus site that I worked at had 44 different buildings and a number of industrial and manufacturing processes on site. They had their own in-house fire service with a fire engine and a team of staff trained as firemen. It was vital to ensure that they could work alongside the public fire service when it arrived and that fire hydrants and hoses were compatible. The teams planned together and exercised together to ensure that they could manage the response, but also to ensure that they could communicate with each other effectively in an emergency. The need for a communications facility refers to the need that some organisations will have to make specific arrangements for communication in a time of crisis. Such facilities might be as simple as a designated room with a dedicated landline, or may be sophisticated facilities for managing thousands of incoming calls, such as are deployed by airlines when an air crash occurs. Facilities need not be premises; they can include appropriate tools to send voice, SMS and other messages to staff and to allow them to confirm that they are okay.

Finally, it is required to exercise these procedures regularly. How often constitutes "regularly" is for the organisation to determine and will depend on factors such as how often elements of these procedures change, how reliable they are and so on. Some elements may change frequently and therefore require exercising every month; others may be stable over a longer time, so an annual check is all that is required.

When Will ISO 22301 be Published?


Standards proceed through a number of stages as they move towards publication. The document is now being submitted to the ISO Central Secretariat for the final circulation of 2 months. It is not possible to be precise about timescales, as this depends on ISO's internal administrative processes and the volume of work being dealt with at this time. The intention is that the Final Draft International Standard (FDIS) should be available in December 2011, with final publication likely in Q2 2012.

5.1 ISO 22313 Comments Are Open


ISO 22313 is about to proceed to the Draft International Standard (DIS) stage, and this will be your chance to contribute your thoughts to this guidance document. In it we can provide a great deal more detail and suggestions about areas to consider that may not be a requirement for all organisations. I encourage you all to read it and provide feedback.

5.2 Ongoing Refinements
Furthermore, as business continuity professionals you can all contribute to these standards and their future development. Once published, there is a review cycle where feedback is incorporated into the next revision of the document. It is inevitable that once the standard is in use in the marketplace, opportunities for improvement will emerge. There might be a particular term or text that causes confusion, or perhaps auditors find it difficult to find evidence of implementation. For instance, in BS 25999 a new term was introduced called the "Maximum tolerable period of disruption", and this caused a great deal of debate and confusion once the standard was in use. This lesson has led us to use plain English wherever possible in ISO 22301 and to avoid acronyms as far as possible. Where acronyms are in widespread use in business continuity, they will be explained in the guidance and the terms defined in the glossary sections, which are the same for both ISO 22301 and ISO 22313.


What Effect Will the Standard Have?


What we have seen in the adoption of standards elsewhere is that regulators and government will cite this standard as a requirement for organizations in certain markets, whilst suppliers to key government and national infrastructure will also be expected to implement business continuity and to do this through reference to the standard. In the UK this is already common practice, and we expect similar to occur in markets that currently do not have a national standard, or that may withdraw their standard in favour of the ISO standard. This provides both an obligation and an opportunity. Clearly, suppliers who are pro-active in obtaining certification as soon as possible will have an advantage over their competition, whilst in time it will become a simple condition of entry into certain markets, and so those without certification will simply be excluded from bidding for certain business. Furthermore, we see the application of business continuity standards occurring in B2B relationships, where key suppliers are asked to provide evidence of their business continuity to customers. For instance, a supplier of IT services will be expected to show that it has good practice business continuity implemented as well as technical solutions.

How Does My Organization Meet the Requirements of the New Business Continuity Standard?
In ISO language, meeting the requirements of a standard is called conformity assessment, and there are three ways to do this:

1. First party: this is self-assessment against the standard by the organization itself. You might decide to adopt ISO 22301 and assess yourself against the requirements; you then declare that you conform to the standard.
2. Second party: this is where a customer assesses whether you meet the requirements of the standard. Where a standard relates to a manufactured product this is a common practice: the manufacturer supplies the product and the customer undertakes an assessment to ensure for themselves that it meets the agreed standard. In principle, your customer could audit your conformity to ISO 22301.
3. Third party: this is performed by an independent body that undertakes an assessment of conformity and will then typically issue a certificate showing compliance with the relevant standard, in this case ISO 22301. (You may have seen similar certificates and logos for ISO 9001 quality management.)

In determining which of these is appropriate for you, there are some considerations to keep in mind. Self-assessment against a standard is a necessary step towards both second and third party assessments; after all, you would want to assure yourself that you were compliant before inviting others to inspect your arrangements. It can provide management with some confidence that good practice is being adhered to within an organization. However, self-assessment is of limited value to other organizations who are seeking some assurance that your organization has really implemented business continuity effectively. Where businesses are working closely together, second party assessment may be a useful approach. For instance, where a service has been outsourced, the two organizations may work closely together to determine the outsourcer's conformity to the standard. However, this approach is clearly limited where the supplier has multiple clients and common corporate services, so it cannot share all of the details of its operations for reasons of commercial confidentiality. Indeed, in some cases an organization may not do so for reasons of security, both national and organizational. Third party conformity assessment therefore provides an independent review that can verify that your organization is indeed conforming to the standard. Earlier I used the term "accredited certification", and it is important to understand this element of third party assessment. It is possible to engage anyone to undertake a third party assessment and issue a certificate; however, what qualifications do they have as auditors and what do they know about business continuity? In order to present evidence of conformity that will mean something to others, it is essential that the organisation that undertakes the assessment is credible, and therefore such organisations themselves have to be accredited.
So accreditation is the formal recognition that an organization has the necessary technical and organisational competence to undertake assessments for specific services, whilst certification is the formal recognition by a third party of conformity with the standard.

How Do I Obtain Certification?


Organizations that are asked to provide evidence of BCM capability to stakeholders and customers will be able to show this through appropriate certification. Organizations of all sizes and types (e.g. private, government or voluntary) will be able to obtain accredited certification against this standard. The first step towards certification is to read the standard. This may seem like a statement of the obvious; however, not doing so is one of the commonest reasons for failing to satisfy the auditors. Read the standard and ensure that you understand what you need to do to satisfy every word of the requirements, and think about what evidence you can provide to support your case that you are meeting each requirement. Ensure that you have organised your documentation and that you have all the documents that are required by the standard. Now you can undertake a self-assessment and obtain a view for yourself about how close to meeting the requirements you are. An organization that is currently accredited to provide certification against ISO 9001 or other standards cannot automatically assume the same ability to audit against ISO 22301. It has to formally apply to the accreditation service in its country to become accredited for ISO 22301. Our experience in the UK, where accreditation is through the UK Accreditation Service (UKAS), was that organisations under-estimated the skills needed to audit BS 25999, and whilst there were plenty of qualified auditors, there were few with business continuity skills. The US has a substantial pool of business continuity professionals and auditors, but marrying the two will take time. Therefore it is important to realize that once ISO 22301 is published, there will be a period during which organizations are becoming accredited in order to undertake assessments. It may therefore be some time before we see the first certificates being issued for ISO 22301, and the first will probably be organizations that have already achieved certification against similar standards, in particular BS 25999, and will be able to undertake an agreed transition to the new standard. Companies that offer certification vary in approach, costs and capability. It is therefore worthwhile asking for tenders from more than one accredited organization and exploring which offer the most appropriate services and level of knowledge for your organization before committing yourself.

8.1 Certification Process
Once you have selected an appropriate organisation that you feel comfortable working with, the general process is as follows:

1. Stage 1 audit: this undertakes a review of the documentation and will usually take samples of particular documents for detailed examination. The purpose of this is to determine if the organisation is ready for the full evaluation. The person responsible for business continuity will be interviewed and the scope of the certification discussed. A report will be provided to show the areas where the auditor believes you fall short of the standard; these are called nonconformities. These in turn may be described as major or minor: a minor nonconformity may be a document that is incomplete or out of date, whilst a major nonconformity would mean that some significant part of the standard has not been complied with, such as the absence of any evidence of exercising. Depending on the outcome of stage 1, you may either be asked to undertake remedial work or you will proceed to stage 2.
2. Stage 2 audit: this will review any of the nonconformities raised in stage 1 and then fully examine every piece of documentation. All key personnel will need to be interviewed; this includes top management such as board members, chief operating officers, top officials within government and so on. The auditors will also want to see personnel who are responsible for key operational areas that have been identified in the business continuity plans. Finally, they will speak to any ordinary member of staff to check if they have an understanding of business continuity appropriate for their role. At the end of this audit, they will once again discuss any nonconformities that they have identified. Provided there are no major nonconformities and only 1 or 2 minors, they will recommend your organisation for certification.
3. The accreditation body will check that the auditing body has done an effective job and will then confirm the certification. The auditing organisation then issues a certificate to you detailing the scope, the standard to which you have been assessed, and the dates from which it is valid and when it expires.

Certificates are for 3 years. You should be suspicious of anyone who presents certificates for longer than this; after all, most organisations change considerably in 3 years, let alone longer. However, this is not the end of the process. Throughout the 3 years of the certification, the audit organisation will return regularly to undertake surveillance audits, which seek to ensure that you continue to comply with the standard throughout the period, managing changes to maintain capability and showing evidence of improvement over time. It is clear that this is not something to be undertaken lightly, and there are costs involved in certification. However, given the investment that organisations have already made, the additional costs are generally not onerous and should be proportionate to the size of the organisation.

Conclusion
As you can see, these few words that specify the requirement imply a great deal of thought and preparation to satisfy them. However, you should not feel daunted, and those organisations that achieve certification can feel that they really have achieved something worthwhile. It allows them to demonstrate objective assurance that they have implemented good practice business continuity, and they can demonstrate this with confidence to management, customers, regulators and other interested parties. It is good for the organization, and as more organizations achieve this level of good practice, society itself benefits through improved resilience as a whole. Unfortunately, as organizations vary in size and complexity, it is not possible to give any benchmark figure for how much certification would cost. However, if you are already undertaking business continuity to recognised good practice, then the additional cost and effort of obtaining certification is relatively small compared to the investment and effort you will have already committed. If the whole subject is new or very immature in your organization, then there is clearly a lot more that is required to achieve appropriate business continuity capability in the first place, but again the incremental costs of certification are not great.

About the Author


Dave Austin is a Director of Operational Resilience (Oprel) Limited, a leading UK-based business continuity management consultancy, and serves as an ISO 22301 Project Team Leader. He is a highly experienced Business Continuity, ICT Continuity and Crisis Management consultant and has specialised in these areas since 1993. Dave has 30 years of IT experience, with over 20 years' experience in IT disaster recovery and Business Continuity. His experience extends to numerous sectors including Finance, Manufacturing, Retail, Central Government, Local Government, Technology, Transport, Utilities and Broadcasting, and across the full lifecycle of business continuity management. Dave has spoken at conferences in countries including Germany and Slovenia and is an effective presenter with wide-ranging knowledge of Business Continuity and the related industry best practice. Dave is a member of the BSI's committee to develop and promote a Business Continuity standard, BS 25999, and chaired the panel that produced BS 25999-2, against which organizations are now able to verify their compliance. Dave is also a member of the committee that developed BS 25777, a standard for ICT Continuity, a member of the UK committee on Societal Resilience (SSM/1) and a member of the International Standards working group (TC 223) that is developing ISO 22301, which will be the first International guidance on continuity planning. For more information, visit www.oprel.co.
