Business continuity is essential to any organisation’s cyber security practices, and those adopting its principles should follow the requirements of ISO 22301, the international standard that describes best practice for a BCMS (business continuity management system).
The 2020 Horizon Scan Report found that 71% of respondents now use the Standard, which suggests that organisations are beginning to appreciate its importance.
However, only 20.5% of these organisations have actually certified to ISO 22301; the other 50.5% use it simply as a guideline for their BCMS.
This is hard to justify – if an organisation goes to the effort of implementing the Standard’s requirements, why shouldn’t it reap the benefits of certification?
Benefits of ISO 22301 certification
Organisations that certify to ISO 22301 can:
- Prove to existing and potential clients that they have an effective BCMS. Without documented proof, clients will have to take the organisation’s word for it, which is rarely effective;
- Obtain an independent opinion about their security posture. Accredited certification involves regular reviews and internal audits of the BCMS to make sure it continually improves; and
- Meet regulatory requirements. The GDPR (General Data Protection Regulation) and the NIS Directive state that organisations must implement incident response capabilities. Certification to ISO 22301 provides a best practice approach to business continuity.
ISO 22301 and COVID-19
If organisations needed any more evidence of the benefits of ISO 22301, they needn’t look any further than the coronavirus pandemic.
With staff told to work from home where possible, many employers were left scrambling to put together the necessary tools and resources.
The solutions were often haphazard, creating inefficient work processes that hurt productivity and exposed the organisation to a variety of cyber threats.
However, organisations that had a BCMS were able to adapt their plans quickly to their needs and resume work with only a small delay.
Although coronavirus is a once-in-a-lifetime disaster (one hopes, anyway), there are plenty of other events that could cause similar problems, so organisations must be prepared.
For example, a snowstorm could knock out your electrical supply, or an electrical fire could damage your premises. These are both incidents that will leave your staff unable to work from the office, so you’ll need to find an alternative.
Fortunately, you now have first-hand experience of how to deal with this threat, but you need to ensure those lessons aren’t forgotten over time. The best way to do that is to document your response strategy as part of a BCMS.
How to create a BCMS
You can find out more about this topic by reading ISO 22301:2019 – An introduction to a business continuity management system (BCMS).
Written by IT Governance’s founder and chief executive, Alan Calder, this guide provides an easy-to-read and straightforward introduction to business continuity management, which will help organisations of all sizes get their implementation project started.
It covers the basics of business continuity, including key terms and definitions, before going on to explain ISO 22301’s compliance requirements and how you can certify to the Standard.
A version of this blog was originally published on 22 March 2018.