Many organizations have proposed business continuity methodologies, approaches, frameworks, or standards. One of the most well-known is the International Organization for Standardization (ISO), which defined ISO 22301:2019, the standard for a business continuity management system (BCMS). The following verbal forms are used in the ISO standard. Similar keywords for indicating requirement levels in RFCs are defined in RFC 2119.
- “shall” indicates a requirement;
- “should” indicates a recommendation;
- “may” indicates a permission;
- “can” indicates a possibility or a capability.
Business Continuity Management System (BCMS)
ISO 22301:2019 “specifies the structure and requirements for implementing and maintaining a business continuity management system (BCMS) that develops business continuity appropriate to the amount and type of impact that the organization may or may not accept following a disruption… The requirements specified in this document are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization’s operating environment and complexity.”
- Business continuity is the “capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.” (ISO 22300:2018)
- Management system is a “set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives.” (ISO 22301:2019)
- Disruption is an “incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organization’s objectives.” (ISO 22300:2018)
- Incident is an “event that can be, or could lead to, a disruption, loss, emergency or crisis.” (ISO 22300:2018)
The Scope of Business Continuity Planning
The scope of a BCP “can” be enterprise-wide, covering the organization as a whole. Even though it is commonly agreed that a BCP “should” cover the organization as a whole, this is not mandatory, because an organization’s resources are limited.
Business Impact Analysis (BIA) and Risk Assessment
The ISC2 Certified Information Systems Security Professional Official Study Guide (OSG) introduces the business impact assessment as a wrapper process that includes risk assessment. ISO 22301, however, treats business impact analysis and risk assessment as separate processes or steps: clause 8.2.2 prescribes business impact analysis, and clause 8.2.3 prescribes risk assessment. The clause numbering may imply a sequence, but the standard adds a note stating that risk assessment can be conducted before business impact analysis. To sum up, ISO 22301 does not prescribe the order of business impact analysis and risk assessment.
Incident Response as Part of Business Continuity
An incident is an “event that can be, or could lead to, a disruption, loss, emergency or crisis.” An incident may become a disruption abruptly or gradually. The following diagram demonstrates the abrupt mode, in which the service level drops to zero and the incident therefore becomes a disruption. However, it is not uncommon for the service level to degrade gradually. In that case, incident response can contain and eradicate the situation and restore the service level, so that a disruption is prevented.
“The organization shall identify and document business continuity plans and procedures based on the output of the selected strategies and solutions. The procedures shall focus on the impact of incidents that potentially lead to disruption.” (Clause 8.4.1, ISO 22301:2019)