Flying the flag
Written by Christopher Andrews
Management standards have become a topic of much debate. Christopher Andrews tracks the progress of the most popular risk standards at home and away
Perhaps as one positive consequence of years of IRA threat, the UK has become adept at risk management and business continuity planning. Indeed, when it comes to business continuity, the gold standard in, well, standards, is the UK's BS 25999, which has gained international recognition and seen take-up in over 100 countries and counting.
In August 2007, the then US president George W Bush signed into law Public Law 110-53 to implement the recommendations of the 9/11 Commission. Title IX of that law addresses private sector preparedness, and defines business continuity provisions to be carried out by the Department of Homeland Security (DHS). Part of this is the establishment of an 'accreditation and certification' programme to provide organisations with a roadmap for strengthening preparedness, response, recovery and the ability to continue operations.
The DHS had been looking at a number of existing standards on which to base this, and it appears that one of the recommended options will be BS 25999 (which, it is worth noting, is the only auditable standard in the stable). But why? What is it about 25999 that has led to the US adopting it as one of its official, recommended standards? There are obviously others worth considering, but these simply aren't getting the same level of recognition. Perhaps keeping it relatively simple, straightforward and non-prescriptive has been key to its global success.
"There was never anything new in the standard when it came out, it's just good sense and it's the sort of thing that good practitioners have been doing for many years. It's also very practical because it doesn't necessarily take a great deal of intellectual prowess to read it," offers Ron Miller, managing consultant at SunGard Availability Services. "It's aimed at a very wide readership so any organisation of any size in any sector conceivably should be able to put it to use." This is probably the case because the document was actually written by business continuity practitioners. As David Adamson, committee manager risk, business continuity management and security at BSI points out: "When they sat down and wrote it they had a lot of experience behind them and knew what was required for a really effective standard. Input from those at the coal face was hugely important - in addition to those representing constituencies who brought a wider but not necessarily as detailed perspective. So we definitely had the right people around the table."
It may seem like odd timing for the DHS to decide on this particular standard, particularly one of foreign origin. Not only is ANSI (the American National Standards Institute) working with BSI to develop a new US standard, but there is also a new international standard on the cards. ISO 22301 is expected for 2011, and it could be argued that rather than companies adopting 25999 and then having to go through the entire certification process all over again a short while later, the DHS should hold off. This isn't really the case though, because it looks like the ISO is pretty much going to be 25999 in international clothing. "The scope, contents and outline of the ISO proposal were based on 25999," says Adamson.
And assuming this remains the case throughout development, "what's likely to happen is that ISO 22301 would include all of the principles and requirements in 25999. In this case, it is possible 25999 would be withdrawn. For those organisations that adopted 25999, it would be a simple transition to the ISO and they will have benefited from the good practices in 25999 for years." This means organisations certified to 25999, or already aligning or complying with it, will have a two- or three-year jump on what's published internationally. So the DHS is thinking clearly here. That assumes the ISO standard doesn't stray too far from the tenets of 25999; if it did, 25999 would be unlikely to be withdrawn, and the DHS might have to rethink whether 22301 or 25999 is its standard of choice.
Either way, according to Miller, take-up of 25999 is already underway in the US, ahead of any DHS guidelines. "There are a number of US organisations I have dealings with that have decided they can't hang around waiting for a US standard. There's already a good English language standard they can use that's likely to become an international standard anyway, so they might as well get on with adopting it. So there is a groundswell."
CHALLENGES OF ADOPTION
This groundswell is likely to level out into general adoption in the light of Title IX, so should US organisations, or any organisations for that matter, be concerned about the difficulties of adoption? "I think sometimes there's a bit of a myth that some of these standards are very tough and exacting, but it's really a very practical document and it should be relatively easy for most organisations to at least put the code of practice in place," says Miller.
"It's something that organisations can implement without a huge investment in time and documentation. If they want to become certified, that may need some more investment and resources and time and effort and all the rest of it. But you can actually use the guidance contained in the code of practice to put things in place that are perfectly sensible and really don't present huge challenges to organisations."
For organisations that are going for certification, Miller says the key is to look at the code of practice, make sure you are doing all the things contained within it, and then document them. And document them again. "Because when you make the transition into [BS 25999-2], taking certification, it's like show and tell at school. The auditors will say 'ok you say you're doing these things, prove it'. And the way that they seek evidence is documentation. It may sound very boring and pedantic, but that's what they do." Another thing to be aware of is that 25999, or achieving certification for any standard for that matter, is not just putting a certificate on the wall and forgetting about it; it's not a one-off exercise.
"Because it is a management system, that in itself is a hurdle for a lot of organisations," says Adamson. "It's not really just continuity. So they have to have a continuity plan in place but they have to have a management system in place. And that's a little bit of a hurdle. It's not rocket science, but a management system is a system to make sure you achieve your objectives. That's it. But it means that it's not a random one-off activity, it's a PDCA (plan-do-check-act) activity."
IT'S NOT ALL ROSES
So it looks like British business continuity planning is certainly a picture of success, but the picture is not entirely rosy. Kevin Brear, senior manager, business continuity practice protection group at Deloitte, is the first to praise British standards, and says that business continuity planning has indeed come on in leaps and bounds. However, he says: "There are examples of organisations in the financial sector [which have done good work in their business continuity planning] but those organisations have still been affected by risk management issues and have found themselves placed in very difficult circumstances as a result of what has been suggested to be risk management framework failures. Which is partly what business continuity is supposed to help assist and establish."
Of course, no one could have predicted the scale of catastrophe in the financial markets, but isn't that what business continuity planning is for in the first place? To account for the unexpected? "Business continuity is supposed to provide organisations with the tools to face these crises. That's one of the things that it says it does within the standard. However, whether the firms choose to use their business continuity tools to try and deal with the crisis or whether they just keep it at board level or whatever, that's a matter for the individual organisations.
"One of the things I find interesting around business continuity is the assumption that the organisation putting business continuity in place is a well run organisation to start with. Well that's a very big assumption I would suggest. Going back to some of the big finance houses that have had issues that assumption has been proven to be false." And this really goes back to simply having a certificate on the wall, or following through with the organisational necessities for having that certificate in the first place. Business continuity apparently falls down in the face of unchecked greed, and hopefully the US companies that begin adopting BS 25999 will bear this in mind.
CASE IN POINT
PageOne provides critical messaging communications to the corporate and public sectors, so information security is of obvious importance to it. The company is currently working towards certification in BS 25999, having already achieved ISO 14001, the environmental management standard, and of particular relevance, ISO 27001 for information security.
Clair Cawley, the company's marketing director, says the process for achieving 27001 took about 12 months, and while they had a large number of the necessary processes in place already, they decided to go for the ISO to demonstrate how serious they were about investing in security controls and protecting customer interests. "I think the important thing with any of these standards is that it's not just something that you do once, it's continuous," she says. "You are proving that you have got your systems to a particular level which is an acceptable international benchmark for security management. But it's then continuing with that, it's regular audits to make sure you're keeping up to date with what's happening out in the environment. And I think that is perhaps something that people don't realise when they embark on this. It's not just a case of getting a certificate and sticking it on the wall. It provides that benchmark but it is something that is always improving." And the major challenges of getting certified? "I suppose in some respects there weren't any major challenges. It was just in terms of different departments that were involved and the logistics of making sure everyone was involved and aware of the process."
And, says Cawley, going through that process provided benefits beyond the recognition of certification. "I think it provides a more disciplined approach to information security, risk management, compliance management, there are a lot of different areas from that. It's a framework with which to move forward."