Frequently Asked Questions (FAQ)

Q: What is business continuity management?

A: BCM (business continuity management) is the way organizations manage and respond to risks. The aim is to allow mission-critical functions to continue operating in the event of disruptions, which can be anything from bad weather to cyber attacks.

BCM also helps organizations return to ‘business as usual’ promptly and with as little trouble as possible after a disruption.

Q: How does business continuity work?

A: Organizations can achieve effective business continuity by implementing a BCMS (business continuity management system). The international standard ISO 22301 describes best practice for a BCMS. It involves developing BCPs (business continuity plans) to manage and protect against identified risks. ISO 22301 goes hand in hand with ISO 22313, which provides guidance on how to implement a BCMS that meets the requirements of ISO 22301.

Q: Why should I certify to ISO 22301?

A: ISO 22301 sets out the requirements for a BCMS and is considered the only credible framework for effective BCM.

Organizations that certify to the Standard can:

  • Prove to existing and potential clients that they have an effective BCMS that will enable continued service delivery in the event of an incident.
  • Obtain an independent opinion about the effectiveness of their business continuity management program, thereby providing assurance to stakeholders and the board.
  • Benefit from the regular reviews and internal audits of the BCMS that accredited certification involves, which make sure it functions as it should and continually improves.
  • Meet regulatory requirements. The EU General Data Protection Regulation (GDPR) and the NIS Directive state that organizations must implement incident response capabilities. Certification to ISO 22301 provides a best practice approach to business continuity.

Q: What’s the difference between disaster recovery and BCM?

A: Whereas BCM makes sure that an organization can continue to function while recovering from a disruption, disaster recovery is the process of returning a business or organization to a state of normality.

The two are closely linked. Disaster recovery usually takes place within a BCMS, outlining the technicalities of recovering specific operations, functions, sites, services or applications. A single business continuity plan might contain or refer to a number of disaster recovery plans.

Q: What’s the most important part of a BCMS?

A: Making sure you’ve correctly identified the risks you face. If you plan for incidents that have little chance of occurring, you will be wasting time and resources. It would be even worse if you failed to identify a threat that came to pass, because you would have no way to manage the situation.