Business Continuity, Disaster Recovery & ISO22301
The UK Companies Act 2006 gave statutory status to what has long been a common law duty of company directors worldwide: to exercise due care in relation to their companies. Specifically, directors must "exercise reasonable care, skill and diligence" (s.174).
The board of directors must ensure that the organisation has developed and tested business continuity and disaster recovery plans mitigating all risks facing the organisation.
These pages provide an introduction to these subjects and their associated standards.
ISO 22301 (ISO22301) - The Business Continuity Standard
Launched in May 2012, ISO 22301 sets out the requirements for a Business Continuity Management System. ISO22301 replaced the British BS25999-2 standard.
All organisations face business continuity risks. Did you know that:
80% of organisations with a well-planned and implemented business continuity plan are likely to survive a major business discontinuity.
Only 20% of those without a business continuity plan are likely to survive.
Over 90% of organisations that suffer a significant data loss are not in business two years later.
The Chartered Management Institute's 2012 report "Planning for the worst" indicates that 39% of organisations still don't have a business continuity plan.
The same report stated that 81 per cent of managers whose organisations activated a business continuity plan in the last 12 months agreed that it effectively reduced disruption.
'Backup' is not the same as a business continuity plan, and terrorism should be specifically addressed.
Read more about ISO22301 »
ISO 22301 Training
Want to find out more? IT Governance offers ISO22301 Training. Available at foundation and 'lead implementer' levels; by the end of the course you will be prepared to plan and implement an ISO22301 compliant Business Continuity
BS 25999 - Business Continuity
BS 25999 (which replaced PAS56 on 27 November 2006) was the Best Practice Standard for business continuity plans, and has now been replaced by ISO 22301.
For more information, please browse our selection of Business Continuity Planning Books, available as ebooks and in paper format.
Additionally, our team of expert Business Continuity consultants are able to offer effective and cost-efficient solutions to any problems you may have. Visit our Business Continuity Consultancy services page for more.
ISO27031 - ICT Continuity Best Practice
ISO27031 provides recommendations specifically for ICT (information and communications technology) continuity management within the overall business continuity framework provided by BS25999.
ISO27031 makes BS25999 relevant to information and communications technology. Of course, it can also be used on a standalone basis should an organisation wish to tackle ICT continuity management specifically.
Purchase the ISO27031 standard here.
Civil Contingencies and Business Continuity Planning
In the UK, the Civil Contingencies Act 2004 sets out specific requirements for public bodies.
It imposes a series of duties on local bodies in England and Wales, Scotland and Northern Ireland (known as "Category 1 Responders"). These include the duty to assess the risk of an emergency occurring and to maintain plans for the purposes of responding to an emergency.
The range of Category 1 responders is broader than the range of local bodies which were subject to earlier legislation (which has now been repealed). It includes certain bodies with functions which relate to health, the Environment Agency and the Secretary of State responsible for maritime and coastal emergency responses. The Act also provides a mechanism to impose duties on other local bodies ("Category 2 responders") to co-operate with, and to provide information to, Category 1 responders in connection with their civil protection duties.
Business Continuity Planning
Business continuity planning (BCP) involves the processes and procedures for the development, testing and maintenance of plans that will enable an organisation to continue operating during and after a disaster.
Plans are typically designed to cope with incidents affecting all the organisation's business-critical processes and activities, from failure of a single server all the way through to complete loss of a major facility. BCP is a response to an enterprise-level risk assessment.
Disaster Recovery Planning
Disaster Recovery Planning (DRP) usually takes place within the BCP framework. DRPs are usually relatively technical and will focus on the recovery of specific operations, functions, sites, services or applications. A single BCP might contain or refer to a number of DRPs. Best Practice for Disaster Recovery is set out in ISO/IEC 24762.
The business continuity management lifecycle usually includes a series of steps:
business impact analysis (BIA)
This process is described in Business Continuity Planning - a Step-by-Step Guide, as well as in a selection of other authoritative books available from this site.
Efficient communication is key for all BC and DR professionals who are working on a project together. Business Continuity and BS25999: A Combined Glossary provides a common vocabulary for business continuity, listing hundreds of terms and definitions directly sourced from highly authoritative sources, including: Disaster Recovery Institute, Business Continuity Institute, ISO27001, BS7799-3:2006 and ISO20000 and many others.
Essential Business Continuity Resources