The New Business Continuity Standard
What Organizations Should Know About ISO 22301

The ISO 22301 standard for business continuity has been issued. What do organizations need to consider as they implement the new standard? Lyndon Bird of the Business Continuity Institute offers insight.
Bird, technical director of UK-based BCI, says ISO 22301 aims to provide a formal way to embed business continuity practices into the organization.
"It isn't dependent on key individuals, and it won't go away when people leave, because it's actually something that management has bought into," he says in an interview with Information Security Media Group's Tom Field [transcript below].
And that's the most important step of the new business continuity standard - gaining the commitment from upper management. "For those organizations that are struggling, moving toward the standard would help very much in that it would demonstrate the need to have that commitment and that understanding from top management," Bird says.
Another element of ISO 22301 is proper documentation. Organizations that believe they already have a good business continuity program in place often overlook certain aspects of documentation - the evidence that they are developing and improving their program. It's this documentation that some business continuity practitioners "aren't so familiar with," Bird explains.
The new business continuity standard also introduces a fundamental change of bringing business continuity programs into an organization's management system concepts. "Those organizations that have already adopted management system standards - developing quality information security environments and management - will be quite familiar with the requirements of a management system standard," Bird says.
In an exclusive interview about business continuity, Bird discusses:
- Highlights of the new ISO standard;
- The evolution of the business continuity profession;
- Career advice for those wanting to enter the profession today.
Bird is the Technical Development Director of the Business Continuity Institute. He has an honours degree in Chemistry and a Masters in Management from the University of Manchester. He helped found the BCI in 1994, and was awarded the Institute's highest grade of FBCI.
Prior to taking his current executive role with the BCI, he served as a voluntary member of the elected BCI Board for six years, including three years as Chairman. Bird was also a founding member of Continuity Planning Associates BV in The Netherlands. He has worked exclusively in the Business Continuity world for over 25 years as a consultant, presenter, author and business manager.
TOM FIELD: For people who haven't listened to our interviews in the past, perhaps you could tell us a little bit about yourself and what your recent focus has been.
LYNDON BIRD: I've been around the business continuity world for the last 25 years, so I guess I've tended to do a bit of everything. But my current role is technical development director of the Business Continuity Institute, which, for those listeners who don't know us, is actually the world's largest professional membership organization for business continuity practitioners.
My role mainly is both technical and developing the institute's influence globally, and I spend quite a bit of my time traveling. I just got back from the U.S., where we launched the first Business Continuity Awards in North America, which we did at the DRJ Conference in Orlando. And I've just been to Nigeria where we launched a BSI forum in conjunction with the Central Bank of Nigeria.
ISO 22301
FIELD: The big news for business continuity professionals is ISO 22301, the new international standard for business continuity management. What are the highlights you want to bring to professionals' attention?
BIRD: In a way, the highlights are that it's here at all, and I know that may sound a little flippant, but it has been a long time coming, and it's very soon going to be available to us. The highlight to me is that it's an end to uncertainty because I have seen quite a bit of uncertainty about exactly what it would contain and to some extent whether we could actually get it published or not on occasion. I think the highlight is they've now gotten rid of that uncertainty. We have got a framework for business continuity that's pretty widely accepted across the world, and the countries that have their own standards - such as the U.K., U.S., Singapore, Australia, etc. - may not necessarily need to end their standards, but they've got a common framework which allows us to talk with our fellow professionals internationally. That to me is the most important thing of all, but at the content level I think it's very much improved some of the national standards in terms of its mandated management requirement, clarity for the involvement of senior and top management, the relationship with risk management in an organization and thus better defining the boundaries of business continuity and its relationship with disaster prevention as opposed to a recovery activity. I would say those are some of the highlights for me.
FIELD: As you say, this has been in development for quite some time. In that period, how has the standard evolved in your eyes?
BIRD: It's a bit like all ISO standards, to be frank with you. The very nature of ISO standards means that there's going to be compromise. Right from the beginning of the discussions for these standards there's been a lot of debate, negotiation and compromise - what I call horse trading - going on, and that's not really surprising, given the starting points. I think they were very different starting points. In my part of the world in the U.K., we've always tended to look at business continuity largely as a business discipline while dealing with interruptions rather than specifically disasters, whereas the U.S. has very much had a stronger disaster prevention program. Australia has very closely linked their ideas of business continuity to risk management and their own risk management standards. For obvious reasons, Japan has always focused very much on the emergency response - the big national disasters - and we saw that last year of course. They're all starting from perhaps different points, although we perhaps all wanted to get to the same point.
What's pleasing to me is actually how good it is. I did at times wonder if these four or five different starting points could get to a common view that everyone could accept and that made sense. But I'm very pleased with it, and I think it's now giving us a great opportunity to move forward in a global way with a common set of standards and a common set of understanding.
FIELD: You used the word compromise and often in a compromise nobody is happy with the end result, yet you say you're pleased with what you see here. Is that so?
BIRD: I think no one's ever 100-percent happy with any ISO standard, and obviously that might sound a little bit of a controversial thing to say, but it's the nature of trying to get international consensus that everyone has particular sticking points they don't want to give up. They're determined to actually defend them. In fact, that can be a danger to some ISO standards, where they become rather bland because anything that's too controversial gets taken out.
Actually, I think the reverse has happened with this standard in the sense that it's perhaps become wider than the risk-based Australian standard or a purely business-based U.K. one or the wider emergency-preparedness one in the States. They've got a bit of everything in there, and I think actually they have done the job very well. You have to give congratulations to the technical committee that has worked very hard to get that together.
Changes for Business Continuity Professionals
FIELD: As you see this standard adopted, what major changes do you see impacting business continuity professionals and how they do their jobs?
BIRD: You could argue that if business continuity professionals are doing their job well, then there shouldn't be too many changes. There's a fundamental change for those organizations that have done good business continuity in terms of putting a process in place where they've actually gone through what we would call the business continuity lifecycle, but they haven't actually brought it into their management system concepts within their organization. Those organizations that have already adopted management system standards, developing quality information security environment and management, will be quite familiar with the requirements of a management system standard.
For those that haven't, and those that think they have a good business continuity program in place, there are aspects of documentation, validation and replication - proof of the way that you're able to demonstrate that your program's constantly developing and improving. They are common to all management system standards, but some business continuity practitioners aren't so familiar with them.
I guess that's the issue. It isn't asking them to do business continuity management in a different way to the way that they've done it before. If the way they've done it before is successful and delivers what's required by that organization, that's fine, but the standard's actually trying to get you to a formal way so that it's embedded into the organization, it isn't dependent on key individuals and it won't go away when people leave because it's actually something that management has bought into. I think that's the learning experience for some business continuity practitioners that haven't experienced a formal management system standard before.
Guidance for Less Mature Organizations
FIELD: As you know, there's a different level of maturity in different organizations when it comes to business continuity. For those that are less mature, how will this standard help organizations improve their business continuity programs?
BIRD: To me, the important thing about any business continuity program - and this is true whether we have a standard or whether we have just a good practice and guidelines - the thing that makes the difference in terms of it working or not is the level that you've got a commitment in from your top management. For those organizations that are perhaps struggling a little, moving towards the standard would help very much in that it would demonstrate the need to have that commitment and that understanding from top management. There are a lot of business continuity people that find it very difficult to get that communication, to get that buy-in and to get that involvement from top management.
Frankly, the fact that there's an international standard, the fact that the subject is now clearly understood as a proper and serious management discipline, and the fact that, unlike some of the more technical standards that float around, this standard does require very clear management commitment and management buy-in in the process - to me, that's a big boost to people trying to get the ear of the executives and to get the resources they need to get their programs moving. I think that can help them.
A second question is we need to help them very much understand business continuity management and the precise details of how you go about it and what projects you should put in place and how you should manage them. It works, but there are many other sources of information to help people, their own good practice guidelines. It's overlap territory. But what the standard will do is focus on that need for the top management support.
Advice on the ISO Standard
FIELD: As you said at the top of our conversation, you're spending a lot of time on the road these days talking about business continuity issues. As you get out to different regions of the world and talk to professionals, what advice do you offer to them so they can get their arms around the ISO standard and really be prepared to adhere to it as it gets rolled out and becomes a part of our culture?
BIRD: I think you have to welcome it in the sense that in an ideal world that would be where we would like it to go. We perhaps have to be a little bit cautious in looking at where we are. In the U.S., for example, there are the pre-approved standards from PS-Prep, and the ISO standard to my knowledge is not as yet added into that, and I don't know if it will be. There are other national standards in Singapore and Australia certainly, and I have no knowledge of whether or not they're going to drop their national standard and concentrate on the ISO. I think they may eventually do so, but certainly not immediately.
Where I do have some more direct day-to-day knowledge is in the U.K. I think they're pretty clear that the British standard BS 25999 will be replaced by the ISO standard, but you're still going to have a number of different standards floating around and you're going to have, frankly, the standards-agnostic people who actually feel that they know very well how to do business continuity. They have an approach that works for their business and they don't need 80 standards to be applied. I think having a standard is very, very good from the point of view of being able to demonstrate the seriousness of our profession and the fact that it's actually being taken on board across the world, but I think it's going to be some time before vast numbers of companies are going to necessarily be complying exactly with the ISO standard, and probably even less before they start formally going for the certification process. I think you just have to cautiously welcome it and say it's a step in the right direction, but I still think they have quite a distance to go to get that buy-in that would be really beneficial.
Getting the Buy-In
FIELD: What's it going to take to get that buy-in?
BIRD: Frankly, what it would take to get the buy-in is in some ways a better means of being able to convince the top executives of companies that business continuity is critical to their business missions, and then as a profession, as an industry and as a discipline. I've been doing this for 25 years and I think that's an area where we've made progress. But we haven't done as well at getting our messages through to the top levels. Ultimately, the only way that any discipline of this type is really going to take off is if it's all in at the C-level, at the C-suite executives who really see the value. And in my institute, there have been lots of surveys in this field, and we find that there's not that much understanding that business continuity is more than just dealing with an IT disaster or a fire at a building. The concept of actually seeing business continuity as supporting value, protecting reputation, protecting brand and protecting performance is one where we've still got a long way to go.
But I think the standard is one step on the road. I think [it's also] a better presentation, better understanding of the messages and issues, and just generally more high-quality and well-motivated people actually joining the business continuity profession and actually passing that message around. I find that in the places I go, I'm very, very well received and people are very supportive of the message. And I think that's really happening around the world and perhaps that's going to be a reverse impetus to us in the U.K., the U.S. and what we consider the more developed business continuity countries because there's so much now happening in Asia and there's so much new thinking happening in parts of Africa even. I'm finding in South Africa and Nigeria lots and lots of interest. South America is starting to get very interested in the subject. And Japan, India and China, as we'd expect, [there's] a lot of interest.
Perhaps it's going to come back on us and it's not going to be us trying to say to the world this is a good practice but the world coming back to us and adding very much to the conversation. This isn't an easy sell. This has taken a lot of years to get where we are. It's probably going to take a few more years to get everyone bought in, but I think we're definitely going in the right direction.