Over the last year and a half we have met a number of organizations that thought they were prepared for BS 25999 certification, only to find key issues when BSI’s auditors arrived. As a result, we have compiled the following four myths and an important truth regarding BS 25999 certification.
Myth 1: BS 25999 certifies the effectiveness of my business continuity program
Having an effective program is an important part of certification, but it’s also much more than that. Remember that the concept behind BS 25999 is the development and implementation of a recurring, process-driven business continuity management system (BCMS). Although this concept is relatively new to business continuity professionals, it’s based on many of the principles found in the quality management system (QMS) concept. Management system certifications don’t certify capability per se; rather, they certify the process used to achieve the desired outcome. BS 25999 certification works the same way. This BCMS certification demonstrates that the organization is systematically identifying business continuity requirements, establishing management approved priorities and response strategies, and continuously improving the operation of the system. Performing the activities noted in BS 25999-2 will certainly improve the effectiveness of the program, but just having an effective program that does not address the requirements found in BS 25999-2 will NOT get you certified. You must demonstrate that your program is effective and aligned to the BCMS processes and activities noted within the standard.
Myth 2: Auditors will understand why it doesn’t make sense to include an element of the standard in our organization’s program
It doesn’t matter if your organization elected not to perform a business impact analysis, risk assessment or exercises – with or without justification. These are all REQUIRED elements of the BS 25999 BCMS – and therefore they are required for certification. Regardless of how logical it may seem to skip an activity mandated in BS 25999-2, you will not be certified until they are all completed and documented. Some may see this as reason to avoid certification, but in reality, these requirements are what force organizations out of their old, often ineffective approaches. These activities don’t have to be burdensome or time consuming. Avalution can help you figure out a way to accomplish these in a way that is efficient and makes sense for your organization.
Myth 3: Informal documentation satisfies our internal auditors, it should be fine for the BSI auditors
Auditors consider discipline and organization as key indicators of the overall quality of a process. Sloppy or informal documentation will invite much greater scrutiny. In general, here are a few dos and don’ts specific to documentation:
DO: Include an approval and revision table on every piece of documentation the BCMS produces.
DO: Formally approve (and retain evidence of) each document describing or demonstrating performance of a mandatory element of the BCMS.
DO: Maintain a central repository of official documents and their corresponding approvals.
DON’T: Fumble for documentation or approvals when meeting with auditors. Have it ready, know its content and understand how it aligns to the BS 25999 standard.
DO: Establish a set of standard operating procedures, ideally organized in a structure similar to BS 25999-2. This method of organization helps auditors understand how your organization implemented the standard.
Myth 4: My industry-leading business continuity software will enable our certification
There are two issues associated with this myth:
- Every single business continuity software product can cause issues with your certification effort if not configured properly. NO software will ensure compliance. Why? Because all tools allow a system administrator to turn off approval requirements, hide critical fields and skip appropriate documentation.
- Even when configured properly, many leading business continuity software products require significant manual work arounds to achieve compliance. For example, one of the market-leading business continuity software products has two major flaws: * By default, the most recent continuity plan is returned to the user (even if it has unapproved changes), as opposed to the approved version. Some work arounds exist for this issue, but they require the business continuity group to initiate every plan approval, which requires significant time. * There is no way to identify changes to a plan between revisions. This is a specific BS 25999 requirement (section 3.4.3 c). As a result, plan owners are being forced to manually document a summary of their changes since the last approval. The business continuity group then has to review each plan after approval to confirm the summary was completed.
In both of these cases, the organization was eventually certified, but the software hindered the effort instead of helping. Other business continuity software products have similar limitations, so it’s up to the business continuity team to understand if their software will help or hurt their certification goals, and implement customizations or manual processes as needed.
1 Important Truth: Organizations receive tremendous value from the certification process
Certification is still new to our profession, especially in North America where certifications have just reached double digits. However, the organizations we have witnessed pursue and achieve certification receive value far in excess of the costs. Two examples include:
The manufacturing organization that started its business continuity program at the same time it began the certification process achieved clarity regarding its priorities immediately. The standard guided them in developing a business continuity capability that aligned to customer and other internal requirements, and once certified, they were rewarded by their most significant customer continuing to sole source their key product.
The financial services organization with a significant number of business continuity staff and a considerable number of recurring business continuity activities had very little in the way of a demonstrable, integrated response capability. This organization also lacked an effective business impact analysis (BIA) that clearly articulated the business risk associated with a business interruption and what was needed in terms of effective business continuity strategies. Management was somewhat disconnected from the process and slowly began to question the investment. This situation was deep seeded and would not have changed if the organization wasn’t committed to achieving BS 25999 certification and truly demonstrating it’s commitment to business continuity. As a result, management has become more engaged, the BIA is beginning to articulate how recovery objectives align to business impact and the underlying organizational strategy, and stakeholders beyond the business continuity department are being held accountable for managing business continuity risk.
These are real benefits. More importantly, they are benefits that many, many business continuity organizations are in need of today. How would certification (or alignment to a management system-oriented standard) benefit your business continuity capability?