What is a BCMS and How Can You Certify?

Organisations and regulators don’t often agree on how businesses should be run, but lately both have championed the adoption of business continuity. It’s a practice that helps organisations prepare for disruptive incidents and ensure that they respond swiftly in case the unexpected happens.

Business continuity is essential in the modern landscape, with cyber attacks on the rise and an increasingly digital workforce deepening our reliance on technology.

Organisations can address those risks by creating a BCMS (business continuity management system), which contains the guidelines on what to do in the event of various disruptions.

How does a BCMS work?

A BCMS helps organisations cope with incidents affecting their business-critical processes and activities, from the failure of a single server to the complete loss of a major facility.

ISO 22301, the international standard that describes best practice for business continuity, states that there are four major components to a successful BCMS.

The first component is to seek management support. As with any major project, a BCMS must be backed by senior staff for it to be effective. This ensures that the organisation will be given the necessary resources and that the project will be supported throughout the organisation.

The second component is to conduct a business impact analysis. It’s used to identify an organisation’s critical activities and dependencies, which determine its priorities for recovery following a disruption. A large part of the analysis is ascertaining how soon after the incident each activity needs to be resumed.

The third component is to perform a risk assessment. This enables organisations to determine:

  • The specific scenarios that can affect each business activity;
  • How likely it is that those scenarios will occur; and
  • How severe the damage of each scenario could be.

By assigning a number to each level of probability and severity, organisations can create a ‘risk score’ for each threat. Anything over a certain score – determined by the organisation based on its defence resources – will need to be planned for, but anything below the threshold can be ignored on the grounds that it probably won’t happen and/or won’t cause significant damage.

The fourth component is to create a BCP. The BCP is where the three previous components come together. It details the scenarios that an organisation needs to prepare for and how it will respond to them. The goal is to stabilise the situation and allow the organisation to continue operating as efficiently as possible until the disruption is resolved.

It’s possible to have a BCP but not a fully-fledged BCMS. That’s because there are further steps to a BCMS after the plan is in place – namely: developing, testing and reviewing the BCP.

Completing these steps obviously involves a bigger investment in time and resources, but it ensures that organisations have accounted for any new threats and are tackling existing ones as effectively as possible.

How to implement a BCMS

There is no single, correct way for an organisation to implement a BCMS. However, there are certain practices that we would recommend. For example, as we noted earlier, it’s essential to secure top management support at the outset of the project.

This ensures a top-down approach, encouraging all staff to consider the BCMS and its associated responsibilities a high priority. To convince management of the need to implement a BCMS, you should link the proposed system to corporate objectives and highlight the organisational benefits that the system will bring.

Once the project has been approved, you should adopt a clear and structured approach to its implementation. That means communicating with staff to ensure consistency across the entire organisation.

Another crucial step is to document every aspect of your BCMS. This demonstrates that your organisation has taken extensive measures to mitigate and prepare for disruptions, and it ensures that knowledge can be freely accessed.

You should also test your BCMS on a regular basis. Business environments are constantly changing, while the threat landscape is also evolving. Testing your BCMS at least once a year ensures that it works and that staff know their responsibilities.

Finally, you should ensure that your BCMS complies with the requirements outlined in ISO 22301. The Standard explains exactly what is needed to create effective and efficient business continuity, and by following its guidance you can ensure that you achieve certification.

You can find all the tools you need to certify in our ISO 22301 BCMS Toolkit.

It was designed and developed by experienced business continuity consultants, and enables you to view ISO 22301-compliant documentation and embed the documentation in your organisation quickly and easily.

The toolkit also helps you to mitigate the effects of unplanned business disruptions, and develop plans to cope with incidents.

It also includes professional guidance and advice, which helps you become your own expert while also saving time and money.
