Standards ensure consistency when an organization adopts a specific business continuity methodology. Following established guidelines and prescribed procedures also gives organizations the benefit of quick turnaround times.
Business continuity standards broadly encompass the following aspects:
- Quickly establishing the resource requirements for restoring operations as well as keeping them operational.
- Recovery procedures that are prioritized based on the criticality of operations.
- Protecting employees, resources and assets from legal scrutiny by providing valid evidence of preventive, response and restoration measures.
- Designing plans at an organizational level that can be integrated across organizations to leverage a consolidated response as and when required.
Many have the misconception that ISO standards are relevant only to big corporations. Budgetary constraints might be a deterrent in the case of some ISO standards, but others, ISO 22301 in particular, are agnostic as far as organizational size is concerned. Regardless of the sector to which the organization belongs, the ISO 22301 standard is just as effective.
The following three are the most commonly referenced ISO standards when organizations design a business continuity capability.
ISO 22301 – This standard provides a framework for response strategies and recovery measures through a documented management system. Activities include planning, design, execution, operability facilitation, supervision, evaluation, maintenance and periodic improvements.
ISO 22313 – This standard is an extension of ISO 22301 and illustrates specific clauses from a regulatory perspective.
ISO 27001 – Information security management systems (ISMS) are the focus area of this ISO standard. Activities include design, execution, maintenance and creating a culture of ongoing improvement.
Other standards relevant to business continuity planning include:
ISO 22300 Societal Security – Protocols for using consistent terms and definitions while addressing societal security-related issues.
ISO 22320 – This standard describes incident response prerequisites along with a foundational orientation towards command and control, operational information and collaboration with incident response entities.
ISO 31000 – This is a generic risk management framework that can be applied to any organization regardless of the nature, type or complexity of its operations. Risk treatment and efficient resource allocation are among the highlighted topics.
ISO 27000 – This consists of a collection of regulatory norms relevant to ISMS. Information systems security is a focus area under this standard, including financial data, employee profiles, customer details and third-party databases.
ISO 28000 – This business continuity standard outlines the prerequisites for a security management system from a supply chain management perspective.
ISO 9004 – Quality management techniques are used to help enterprises achieve their resiliency objectives.
Business continuity standards are largely dictated by the regulatory norms that are active in the country of operations. For instance, all hazards arising from fire-related incidents, such as safety risks, damage to assets, loss of property and many more, are collated under the National Fire Protection Association (NFPA) standards.
NFPA 1600 – This business continuity standard is a reference publication on how to plan for, confront and restore operations after disasters.
NFPA 72 – The need for improving emergency communications is constantly on the rise. This standard summarizes the best practices for implementing fire detection, signaling, alarm, mass notification, weather management and other such notification systems to alert business continuity teams to imminent threats.
However, it should be noted that the scope of the NFPA standards does not cover establishing the veracity of information that is gathered.