Pushing the pen
Written by Graham Buck
As an international standard for business continuity management is launched, Graham Buck asks how much benefit global standards actually offer
Just in time for the London Olympics the International Standards Organisation’s (ISO) new global standard for business continuity management, ISO 22301, was officially launched last month.
The British Standards Institution (BSI) used the occasion to again call for businesses to ensure they are prepared for social, political and economic threats such as strikes, supply chain disruption, political unrest and customer loss. “Our clients who have adopted an holistic approach to business continuity management reported an 82 per cent improvement in their speed of recovery from incidents and disruptions,” reported BSI chief executive Howard Kerr.
BSI’s five ‘top tips’ for embedding business continuity management in an organisation’s culture are:
• Ensuring the involvement and engagement of senior management in business continuity
• Regular exercising and testing to expose any gaps in the plan
• Undertaking a thorough risk assessment and business impact analysis that extends to all the organisation’s dependencies
• Implementing a systematic approach
• Following international best practice
The product of a lengthy gestation period, with input from experts around the world and its declared intent of taking forward the work of national standards bodies, ISO 22301 aims to be the accepted benchmark for driving improved standards of business continuity management. The BSI has given the new standard its blessing and from November it will officially withdraw its own standard, BS 25999.
“It’s good to have an internationally-agreed standard,” says Tim Cracknell, a partner of brokers JLT Speciality. “In some parts of the world advising clients that a standard is British in origin can either leave them nonplussed or act as a red rag to a bull.” However, he is realistic on the likely level of demand. “I’m not expecting demand to be the door to be beaten down.”
BS 25999 dates back to 2006 and appeared in two parts; the code of practice being published first in 2006 and certification – or “the boxes that need to be ticked for the auditor” – following a year later. Since then it has won an audience beyond the UK particularly in Europe and the Middle East, with some countries using it as a yardstick and adapting it as needed to produce local standards for business continuity. Perhaps inevitably it has also spawned competing business continuity management systems elsewhere in the world.
As an international standard, ISO 22301 bears many hallmarks of its UK predecessor, together with input from other national bodies such as the American National Standards Institute (ANSI) and Standards Australia. This, claims the BSI, enables “greater international consistency to be realised between national requirements and better meets the needs of global organisations”.
There are, however, concerns that as international standards must meet a consensus of varying opinions, their effectiveness can get diluted in the process.
“BS 25999 stands as the BSI’s most-purchased and most-downloaded standard ever,” says Rod Ratsma, head of the business continuity practice at Marsh. “It’s still a very good document and ISO 22301 doesn’t actually appear to add that much.”
The basic themes of both the old and new standards are as follows:
• Understanding the organisation’s needs and the necessity for establishing business continuity management policy and objectives
• Implementing and operating controls and measures for managing an organisation’s overall capability to manage disruptive incidents
• Monitoring and reviewing the performance and effectiveness of the business continuity management system
• Continual improvement based on objective measurement
The four stages are more succinctly expressed as the Plan-Do-Check-Act cycle.
Ratsma believes that business standards continue to make a positive contribution, but recent years have seen them both proliferate and become more commercialised.
“Companies are putting business continuity management and also information security into effect because both are good business practice,” he says. “But the standards represent more a badge of achievement and less a driver for change. Certainly the banks show little interest in them.”
And while the code of practice, Part 1 of BS 25999, enjoys “a strong reputation” and is widely accepted as a good template for implementing business continuity management, Ratsma reports that Part 2 – certification – has been less successful with low take-up. “The process of certification is complicated and the scope of what can be certified is extremely flexible – or open to manipulation,” he observes.
A generic approach
Also part of the stable of international standards is ISO 27001, addressing information security. First introduced in 2005, an updated version is scheduled for summer 2013.
The aim of ISO 27001 is to demonstrate that an organisation “adheres to a baseline measure of information security which is enforced through continuous analysis and assessment and robust security policy reviews”.
This ISO standard also has a UK predecessor, BS 7799, published back in 1995. David Fatscher, sector development manager for the BSI, says that it was developed at the behest of the DTI, which wanted a model for information security that brought together views from different industries, consumer groups and academia.
“So the first standard was borne out of a wide consultation process and was effectively a code of practice that addressed the question “what does good information security look like?” Part 2, an audit to prove that the code of practice was being followed, developed three years later,” he says. After building up traction beyond the UK, progression to an ISO global standard subsequently followed.
Fatscher says that ISO 27001 aims to be relatively generic to differentiate it from more specific standards, such as those dealing with a product and how it should perform.
“It’s deliberately technology-neutral, so it can be applied to different sectors and different types of company,” he adds. “For example, if it referred to viruses prevalent at the time of publication then it would quickly become outdated. Likewise, certain vendor products may be ‘hot’ now, but out of date within a year.”
ISO 27001 is supplemented by ISO 27002 (formerly ISO 17799, itself adopted from BS 7799-1), which lists the various controls and measures to mitigate information security risk that an organisation will apply based on its own risk assessment.
While there has been a proliferation of standards relating to information security – Ratsma reports that no fewer than 186 have been issued – ISO 27001 remains the most recognised and widely used, according to Martin Tyley, head of KPMG’s information security practice.
“The rate of adoption is growing, with the number of organisations receiving certification doubling every three years,” he reports. “The current total is around 7,600, with around half of them in Japan.
“The UK figure is 500, which might seem low but compares with 200 just a few years ago. The figure can only continue to grow given that online financial crime costs Britain’s economy an estimated £27 billion per year. So we’re receiving an increasing number of enquiries from companies interested in certification.”
As Tyley notes, certification also carries the risk of becoming a box-ticking exercise without real improvement necessarily being achieved – or the organisation even deepening its understanding of information security management.
“ISO 27001 won’t tell you much about hacktivism, advanced persistent threats – the term for state-sponsored espionage – or other newer risks,” he says.
“Where it is strong is in its push for continuous improvement. You devise a plan based on your risk, you implement controls, you monitor these controls regularly, you act on them as and when needed and then start again. It’s a continuing virtuous circle.”
Benefit or bandwagon?
The development of new standards in recent years has sparked concerns that commercialisation is beginning to take precedence over benefiting business. “It’s become something of a bandwagon,” suggests Ratsma. “BSI is an excellent organisation, but ultimately it’s not a charity and exists to make money – as does the ISO. Both of them charge for these things.”
However Fatscher says that recently-added standards are in response to demands for more sector-specific guidance. For example, ISO 27011 has been developed for the telecommunications industry, CAS(T) for telecom service providers (and has been adopted by companies bidding for government contracts) and ISO 27015 for financial services.
“ISO 27017 addresses cloud computing and is useful if you seek to gain competitive advantage as a cloud vendor,” adds Fatscher. “It doesn’t replace or dilute the message of ISO 27001 but supplements it.”
Ratsma cites some of the additional business continuity management standards that have joined BS 25999, such as BS 25777 for information and communication technology continuity and PAS 200 for crisis management. “There are a number of standards for supply chains and risk consulting – such as ISO 22399 for incident preparedness and ISO 24762 for information technology. This is confusing for a company seeking one overall standard for resilience,” he suggests.
The response of many organisations to this “plethora” of new standards has been one of disinterest, he adds. “More important drivers for instigating business continuity management and information security are the requirements of business owners, stakeholders and regulators.”
Tyley also raises the question of whether a global standard is necessarily of benefit to all industries. “Certain sectors, such as financial services, have a well-established regulator with a keen eye and for an ISO to move at the same pace is challenging,” he points out.
“Others such as retail have a more diverse risk appetite. Some companies focus on quality and develop trust in the brand. But for others value is the priority, and they may even be ready to run the risk of some information loss.”