Transitioning the Business Continuity Management System from BS 25999 to ISO 22301 – a tested approach

With the publication of ISO22301 earlier this year, organisations certified to BS25999 have until 1 June 2014 to transition to the new standard. Organisations that are not certified but already have a Business Continuity Management System (BCMS) in place will, however, need to make sure that their existing system is in line with the new standard. It will be to their benefit to pursue certification to the ISO22301 standard.

One area that may prove challenging is the new requirement on measuring BCMS performance, which says, “The procedures for monitoring performance shall provide for the setting of performance metrics appropriate to the needs of the organisation.”

The idea is a simple one that is familiar to ISO9001 quality engineers across the world: Accurate measurements are the best way of improving management system performance.

So how are organisations to meet this requirement in the business continuity context?

One approach to answering the above question is to adopt Basili’s Goal-Question-Metric Paradigm (GQM). This was originally developed to help software engineers decide what to measure in order to improve their software development processes. In essence, to answer the above question we will:

  • define a goal
  • identify questions which will help us determine progress towards our goal
  • identify metrics which will quantitatively answer our questions

For example, in the context of business continuity management, the GQM paradigm can be applied as follows:

  • Goal: In a Disruptive Incident, recover the customer database quickly enough not to inconvenience customers
  • Question: Can we recover the customer database to the defined Recovery Point Objective within the defined Recovery Time Objective?
  • Metric: In exercises, measure the time from the start of the Disruptive Event to achievement of the Recovery Point Objective and compare it with the Recovery Time Objective

Or another example:

  • Goal: Create a Business Continuity Awareness culture throughout our organisation
  • Question: How many of our people are aware of the Business Continuity Policy, their contribution to the effectiveness of the BCMS (including the benefits of improved BCMS performance), the implications of not conforming with the BCMS requirements and their own role in disruptive incidents?
  • Metric: Measure the number of people who have attended all BCMS training events and passed the associated exams designated for their role and compare with the total number of people assigned the same role

Such measurements would enable the Business Continuity Manager to report meaningful information to the management review.

Some examples of what the report might contain:

  • In an exercise scenario of electric power loss, the standby generators have enabled the customer database to be restored to the defined RPO within the defined RTO of one hour. However, another exercise involving a flood scenario showed that the customer database could only be restored to the defined RPO after three hours. This is because the standby generators were flooded, so the primary data centre went offline and, since the flood hampered transportation, it took two hours to get essential staff to the secondary data centre site.
  • Twenty engineers have vital roles in incident management, of whom fifteen have attended all required BC classes and passed their exams. The incident and business continuity management plans require a minimum of ten engineers to be available at the same time; an extended incident (several days) would place avoidable stress upon these fifteen engineers, and it is strongly recommended that the full strength of twenty engineers be achieved within one month.
  • Supervisors have a critical role in incident management, being the people who initially trigger a BC response. We have twelve supervisors operating a shift system, and only three have attended BC training and passed the exam. Should a disruptive incident occur, there is a 75% likelihood that the business continuity arrangements will fail and avoidable damage to client services and our reputation will be incurred.
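The two GQM metrics above (time-to-RPO against RTO per exercise, and trained-versus-assigned coverage per BC role) only become useful at management review once exercise and training records are captured in a form that can be evaluated consistently. The following is an added illustration, not code from the IT Governance toolkit or from this article: it encodes both metrics as small functions and runs them over constructed sample records that mirror the report examples in the text (the 55-minute power-loss recovery time is an assumed value, since the text only states it was within the one-hour RTO).

```python
"""Evaluate the two GQM-style BCMS metrics over constructed exercise and training records."""
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional


@dataclass
class ExerciseResult:
    """One recovery exercise: how long it took to reach the defined RPO, versus the defined RTO."""
    scenario: str
    time_to_rpo: timedelta   # start of disruptive event -> customer database restored to RPO
    rto: timedelta           # defined Recovery Time Objective for the service


@dataclass
class RoleReadiness:
    """Training coverage for one BC role (the metric behind the awareness-culture goal)."""
    role: str
    assigned: int                            # people holding the role
    trained: int                             # attended all BCMS training for the role and passed the exams
    minimum_required: Optional[int] = None   # minimum concurrently available, per the BC plans


def rto_metric(result: ExerciseResult) -> dict:
    """Answer 'can we recover to RPO within RTO?' for one exercise."""
    overrun = result.time_to_rpo - result.rto
    return {
        "scenario": result.scenario,
        "met_rto": result.time_to_rpo <= result.rto,
        "overrun_minutes": max(0, int(overrun.total_seconds() // 60)),
    }


def readiness_metric(r: RoleReadiness) -> dict:
    """Answer 'how many people in this role are BC-ready?' as a coverage ratio."""
    if r.assigned <= 0:
        raise ValueError(f"no one assigned to role {r.role!r}")
    coverage = r.trained / r.assigned
    return {
        "role": r.role,
        "coverage": coverage,
        "untrained_share": 1 - coverage,
        "minimum_met": r.minimum_required is None or r.trained >= r.minimum_required,
    }


def management_review_lines(exercises, roles) -> list[str]:
    """Render the metrics as the one-line findings a BC manager would table at management review."""
    lines = []
    for ex in exercises:
        m = rto_metric(ex)
        if m["met_rto"]:
            lines.append(f"{m['scenario']}: RPO reached within RTO")
        else:
            lines.append(f"{m['scenario']}: RPO reached {m['overrun_minutes']} min after RTO; "
                         "investigate the cause of the delay")
    for role in roles:
        m = readiness_metric(role)
        status = "plan minimum met" if m["minimum_met"] else "BELOW plan minimum"
        lines.append(f"{m['role']}: {m['coverage']:.0%} trained and examined ({status}); "
                     f"{m['untrained_share']:.0%} not yet ready")
    return lines


# Constructed sample data mirroring the report examples in the text (not real exercise records).
EXERCISES = [
    ExerciseResult("Electric power loss", timedelta(minutes=55), timedelta(hours=1)),
    ExerciseResult("Flood", timedelta(hours=3), timedelta(hours=1)),
]
ROLES = [
    RoleReadiness("Incident engineers", assigned=20, trained=15, minimum_required=10),
    RoleReadiness("Shift supervisors", assigned=12, trained=3),
]

if __name__ == "__main__":
    for line in management_review_lines(EXERCISES, ROLES):
        print(line)
```

Keeping the metric functions separate from the report rendering means the same definitions can be re-run after every exercise or training cycle, which is what clause 9.1 is asking for: a repeatable measurement rather than a one-off judgement.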

When we revised the IT Governance ISO22301 BCMS Implementation Toolkit to reflect the changes from BS25999 to ISO22301, we used GQM to develop guidance on defining measurements that should help an organisation measure its effectiveness in meeting its BC objectives. To put it light-heartedly:

  • Goal: Help IT Governance clients to implement a BCMS conformant with ISO22301 in an accelerated fashion (or to adapt a BS 25999-certified BCMS to ISO22301)
  • Question: What should an organisation do in order to satisfy clause 9.1 Monitoring, measurement, analysis and evaluation?
  • Metric: Show how to define performance metrics that relate to business continuity objectives that are measurable (clause 6.2.c), and to the processes, plans and resources that are used in their achievement.

Request a demo of the toolkit from www.itgovernance.co.uk/download/demos/ISO22301-toolit.htm.

For professional advice on ISO22301 implementation and compliance contact IT Governance on 0845 070 1750 or by email to servicecentre@itgovernance.co.uk.