Internal Audit – Protecting Your Investment in ISO 22301

Part of Avalution’s Conforming to ISO 22301 Series

This perspective takes a look at Clause 9.2, ISO 22301’s requirement for internal audit, defined as an independent assessment that provides management with feedback regarding the performance of the management system. The content found in this perspective is specifically based on lessons learned from our ISO 22301 certification audit (which Avalution completed successfully in the Spring of 2013).

Why Documentation Is So Much More Than Just Documents

Part of Avalution’s Conforming to ISO 22301 Series

This perspective takes a look at ISO 22301’s requirement for documentation, which includes documented processes and procedures, as well as evidence of business continuity planning execution. The content found in this perspective is specifically based on lessons learned from our ISO 22301 certification audit (which Avalution completed successfully in the spring of 2013).

How to Perform Effective Management Reviews

Part of Avalution’s Conforming to ISO 22301 Series

This perspective takes a look at one element of Clause 9.3, the management review (a process that Avalution feels is one of the most valuable elements of ISO 22301).

Does Your Business Continuity Management System Have “Issues”?

Part of Avalution’s Conforming to ISO 22301 Series

ISO 22301 is the first standard to employ the new ISO format for management systems standards, which involves a considerable amount of “templatized” management system content across ten clauses. Because this format, language, and many of the requirements are new to most business continuity professionals, it’s important to review and consider the intent associated with some of the content and concepts.

Implementing ISO 22301: The Business Continuity Management System Standard

Today we announced the release of a new white paper, Implementing ISO 22301: The Business Continuity Management System Standard, co-authored by Brian Zawada, Avalution’s Director of Consulting and the Chairman and Head of U.S. Delegation to ISO Technical Committee 223 (the group charged with developing ISO 22301), and Greg Marbais, a Consultant at Avalution.

ISO 22301’s Relationship to BS 25999-2 and Other Standards

Similar to other management systems standards, ISO 22301 is based on the ‘Plan-Do-Check-Act’ model that seeks to improve – in a continual manner – the effectiveness of the organization’s performance through proficient planning, implementation, supervision, review and maintenance.

As such, it is only proper that we discuss the relationship of ISO 22301 with other management systems standards. The following summary offers a high-level comparison between ISO 22301 and another widely-adopted management systems standard, British Standard (BS) 25999-2 (2007).

ISO 22301 – Misconceptions and Clarifications

Guest Post by Barry Cardoza, CBCP
Original Publish Date: September 2012 (before ISO 22313 was published)

For those who had hoped (as I had) that the final version of the International Organization for Standardization’s ISO 22301 would be the comprehensive and very detailed replacement for BS 25999 parts 1 and 2, giving clear instructions regarding how to actually create the elements of a Business Continuity Program, it is definitely not that. In reality, it is replacing BS 25999-2, which will no longer be published after November of 2012, and it does provide very valuable guidance for an organization as it relates to the elements of a best practice-oriented business continuity management system; it’s just “different” in its purpose and scope than what many business continuity professionals might have expected.

Why You Should Pay Attention to Business Continuity Standards (Even If You Aren’t Seeking Certification)

Standards…ugh! Even though the business continuity profession appears to be paying some attention to the topics of standards development and organizational certification, you may be tempted to skip over these articles and ignore the opportunity to review new or revised standards when released (especially if you feel organizational certification isn’t right for your organization). However, many reasons exist as to why all organizations (and BC practitioners) should not only pay attention to standards, but also seek opportunities to incorporate applicable elements of them into their programs to improve performance and enhance credibility.

Using ISO 27031 to Guide IT Disaster Recovery Alignment with ISO 22301

Many organizations struggle to define the best method to meet business expectations regarding information technology (IT) recovery. ISO 27031 provides guidance to business continuity and IT disaster recovery professionals on how to plan for IT continuity and recovery as part of a more comprehensive business continuity management system (BCMS). The standard helps IT personnel identify the requirements for Information and Communication Technology (ICT) and implement strategies to reduce the risk of disruption, as well as recognize, respond to and recover from a disruption to ICT.

How to Determine Risk Appetite in the Context of Business Continuity

The introduction of ISO 22301 (Societal security – Requirements – Business continuity management system) more closely aligns business continuity to the broader risk management discipline. A major contributor to this alignment is the standard’s requirement to understand the organization’s “risk appetite” (a term not used in BS 25999).