ISO 22301 Evaluating "Business Continuity Procedures"

Using the RPC Model of Recoverability to evaluate "Business Continuity Procedures" ISO22301
by David Lindstedt on 10 May 2013


Prezi Transcript

Adapting the RPC Model of Organizational Recoverability to help meet ISO 22301 requirements.

ISO 22301 "emphasizes the importance" of measurement: "implementing... measures for... an organization's overall capability to manage disruptive incidents, monitoring and reviewing the... effectiveness of the BCMS... continual improvement based on objective measurement" (Section 0.1).

The heart of your continuity plans lives in Section 8.4 of the ISO standard, and section 9.1.2 calls specifically for the "Evaluation of business continuity procedures". In other words, you must evaluate the effectiveness of all your business continuity plans and procedures.

Heads-up: there's not much direction in the standard for what these should look like.

So... ISO 22301, section 9.1.2, calls for you to set up and maintain procedures for:

1. Incident response
2. Warning and communication
3. Service continuity or recovery
4. New normal recovery

Do you have your measures and evaluation tools ready to go for all your business continuity plans? Besides, what are the costs of NOT being prepared?

The RPC Model can be of help... The RPC Model says that an organization (unit, department, service, etc.) needs three things to be able to recover from a significant physical or staffing loss: RESOURCES, PROCEDURES, COMPETENCIES. Any group will need resources to use, procedures to respond, and competencies to perform under adverse conditions. (David Lindstedt)

In ISO 22301 language:

Resources: "all assets, people, skills, information, technology,... premises, and supplies and information..."
Procedure: "specified way to carry out an activity or process"
Competence: "ability to apply knowledge and skills to achieve intended results"

These three RPC factors constitute the elements of recoverability. The more elements you have ready-at-hand at time of disaster, the more recoverable you are; the fewer of these three RPC factors that are ready-to-go at time of disaster, the more costly the recovery will be.

So, how does this help us with ISO's requirement 9.1.2 to evaluate business continuity procedures? Because each of the three RPC factors can be measured, each of the four procedures can be evaluated. (Here's how...)

Let's take each of the four business continuity procedures in order.

4. New normal recovery. Let's just ignore this last one for now, OK? The standard doesn't pay much attention to new normal recovery (just one sentence).

1. Incident response. Using three sets of questions, we can evaluate each department's incident response procedures. Using a framework like this, and questions like these...

[resources] "What percentage of needed software and applications will be available to those responding to the incident?"
[procedures] "What percentage of responders know how to prioritize all response activities and restoration of services?"
[competencies] "What percentage of responders have been threatened by, or directly experienced, external crises?"

...we get an evaluation like this:

Resources = 53%
Procedures = 27%
Competencies = 62%
Department X incident response preparedness = 47.3%

2. Warning and communication. There are basically two options for evaluating communications.

Option One: to evaluate communications procedures, we could use the three RPC factors just like we did for incident response.

Option Two: yet communication (1) is included in both the incident response structure and the business continuity plans* and (2) incorporates several pre-incident steps, so it might be best to consider communication as "just" one factor (albeit an important one) among many.

*Section 8.4.2.f and 8.4.4.d & f

3. Service continuity or recovery. For the continuity or recovery of services, again, we can use the RPC factors for evaluation. We could choose to do this for a combination of all services, or for each individual service (depending on the needed level of precision).

So... putting it all together, evaluation results for Section 9.1.2 of ISO 22301 might look something like this (evaluation of preparedness of an individual service):

Resources = 80%
Procedures = 55%
Competencies = 85%
Help Desk recovery preparedness = 73.3%

Benefits:

  • Gap analysis for improved preparedness
  • Initial baseline for future progress
  • Quantitative measures for auditors and stakeholders

(And Creative Commons licensed for anyone's use...)

For worksheet sets and step-by-step instructions, visit our commercial website: readinessanalytics.com

Also visit the free iTunes University course: https://itunes.apple.com/us/course/preparedness-recoverability/id570648662

David Lindstedt -- 07/06/12
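As an added example (this is not code from the prezi or from Readiness Analytics' worksheets), here is a small Python scorer that turns question-level answers into the per-factor percentages and the preparedness score shown above, and then lists the weakest RPC factor of each procedure for the gap analysis the prezi names as a benefit. The unweighted mean of the three factor scores reproduces the prezi's 47.3% and 73.3%; averaging several questions within one factor, and the sample worksheet for the communication procedure, are assumptions of this example.

```python
"""Scoring helper for an RPC (Resources, Procedures, Competencies) evaluation.

Added example; the only figures taken from the prezi are the two score sets
53/27/62 (Department X incident response) and 80/55/85 (Help Desk recovery).
"""
from statistics import mean

FACTORS = ("resources", "procedures", "competencies")


def factor_score(answers):
    """Score (0-100) for one RPC factor from the answers to its questions.

    Each answer is itself a percentage, as in the prezi's "What percentage of
    responders..." questions. Averaging several questions within a factor is an
    assumption of this example; the prezi shows one question per factor.
    """
    if not answers:
        raise ValueError("a factor needs at least one answered question")
    for value in answers:
        if not 0 <= value <= 100:
            raise ValueError(f"answer out of range 0-100: {value!r}")
    return mean(answers)


def preparedness(factor_scores):
    """Preparedness of one procedure: the unweighted mean of its three factor
    scores, which reproduces the prezi's figures (53/27/62 -> 47.3%)."""
    missing = [f for f in FACTORS if f not in factor_scores]
    if missing:
        raise ValueError(f"missing RPC factor(s): {missing}")
    return mean(factor_scores[f] for f in FACTORS)


def evaluate(worksheet):
    """Evaluate every procedure on one department's worksheet.

    worksheet maps procedure name -> factor name -> list of answers.
    Returns procedure name -> {"factors", "preparedness", "weakest_factor"};
    the weakest factor is the gap to close first for that procedure.
    """
    results = {}
    for procedure, factors in worksheet.items():
        scores = {f: factor_score(factors.get(f, [])) for f in FACTORS}
        results[procedure] = {
            "factors": scores,
            "preparedness": preparedness(scores),
            "weakest_factor": min(FACTORS, key=scores.__getitem__),
        }
    return results


def gap_report(results):
    """Procedures ordered from least to most prepared, with the weakest factor of each."""
    ordered = sorted(results.items(), key=lambda item: item[1]["preparedness"])
    return [(name, r["weakest_factor"], round(r["preparedness"], 1)) for name, r in ordered]


# Constructed sample worksheet for one department covering three of the four
# 9.1.2 procedures (the communication answers are invented for this example).
DEPARTMENT_X = {
    "incident response": {
        "resources": [53],
        "procedures": [27],
        "competencies": [62],
    },
    "warning and communication": {
        "resources": [70, 60],
        "procedures": [45, 55],
        "competencies": [80],
    },
    "service continuity or recovery": {  # the Help Desk figures from the prezi
        "resources": [80],
        "procedures": [55],
        "competencies": [85],
    },
}

if __name__ == "__main__":
    for procedure, weakest, score in gap_report(evaluate(DEPARTMENT_X)):
        print(f"{procedure}: {score}% prepared, weakest factor: {weakest}")
```

Running the module prints the procedures from least to most prepared, which is the order in which a department would work its gaps; re-running it against a later worksheet gives the "baseline for future progress" the prezi mentions.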