Business Continuity, Disaster Recovery and ISO22301
The UK Companies Act 2006 gave statutory status to what has long been a common law duty of company directors in common law jurisdictions: to exercise due care in relation to their companies. Specifically, directors must “exercise reasonable care, skill and diligence” (s.174).
The board of directors must ensure that the organisation has developed and tested business continuity and disaster recovery plans that address the significant risks it has identified. These pages provide an introduction to these subjects and their associated standards.
ISO 22301 (ISO22301) – The business continuity standard
Launched in May 2012, ISO 22301 sets out the requirements for a business continuity management system (BCMS). ISO22301 replaced the British BS25999-2 standard.
All organisations face business continuity risks. Did you know that:
- 80% of organisations with a well-planned and implemented business continuity plan are likely to survive a major business discontinuity?
- Only 20% of those without a business continuity plan are likely to survive?
- Over 90% of organisations that suffer a significant data loss are not in business two years later?
- 20% of the respondents do not know the financial impact of a five-day disruption or outage?*
- Backup alone is not a business continuity plan, and that terrorism should be specifically addressed within one?
- Despite a rise in cyber threats, 36% of organisations report that they do not address cyber terrorism in their BCM program and related plans?*
- 42% of organisations now report using international standard ISO 22301 to support their BCM program?*
* The 2013-2014 KPMG Business Continuity Management Program Benchmarking Study
ISO 22301 training
Our ISO22301 Learning Pathway provides structured progression from foundation to advanced level, covering the knowledge and skills to plan, implement and audit an ISO22301-compliant BCMS.
ISO27031 – ICT continuity best practice
ISO27031 (ISO/IEC 27031, guidelines for ICT readiness for business continuity) provides recommendations specifically for ICT (information and communications technology) continuity management within the overall business continuity framework provided by ISO22301. It translates the generic requirements of ISO22301 into guidance for the ICT services on which the organisation’s critical activities depend. It can also be used on a standalone basis should an organisation wish to tackle ICT continuity management specifically.
Civil contingencies and business continuity planning
In the UK, the Civil Contingencies Act 2004 sets out specific requirements for public bodies. It imposes a series of duties on local bodies in England and Wales, Scotland and Northern Ireland (known as “Category 1 responders”). These include the duty to assess the risk of an emergency occurring and to maintain plans for the purposes of responding to an emergency.
The range of Category 1 responders is broader than the range of local bodies that were subject to earlier legislation, which has now been repealed. It includes certain bodies with functions relating to health, the Environment Agency and the Secretary of State responsible for maritime and coastal emergency responses. The Act also provides a mechanism to impose duties on other local bodies (“Category 2 responders”), to cooperate with, and to provide information to, Category 1 responders in connection with their civil protection duties.
Business continuity planning
Business continuity planning (BCP) involves the processes and procedures for the development, testing and maintenance of plans that will enable an organisation to continue operating during and after a disruptive incident.
Plans are typically designed to cope with incidents affecting all of the organisation’s business-critical processes and activities, from failure of a single server all the way through to complete loss of a major facility. BCP is a response to an enterprise-level risk assessment.
Disaster recovery planning
Disaster recovery planning (DRP) usually takes place within the BCP framework. Disaster recovery plans are often relatively technical and will focus on the recovery of specific operations, functions, sites, services or applications. A single BCP might contain or refer to a number of disaster recovery plans. ISO 22301 sets the requirements for the management system within which these plans sit; best practice for ICT disaster recovery itself is set out in ISO/IEC 27031.
The business continuity management lifecycle usually includes a series of steps:
- risk assessment
- business impact analysis (BIA)
- plan development