This perspective is the sixth in a series to discuss key elements of the ISO 22301 business continuity management system, including value-adding elements of the standard or requirements that could “trip up” an organization during the certification process.
Today we’re going to take a look at ISO 22301’s requirements for the establishment of an early warning network.
A key element of any business continuity professional’s job description is helping the organization execute its business continuity arrangements, or as ISO 22301 calls it in Clause 8.4.3, “detecting an incident” and then activating the response. Taken one step further, ISO 22301 calls out a number of specific response-related requirements related to early warning or incident detection that organizations must consider:
- “Assess the nature and extent of a disruptive incident and its potential impact”
(ISO 22301 – Clause 8.4.2)
- “Adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate” (ISO 22301 – Clause 7.4)
- The related requirement later in the standard reads: “Receiving, documenting and responding to any national or regional risk advisory system or equivalent” (ISO 22301 – Clause 8.4.3)
- “Facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate” (ISO 22301 – Clause 7.4)
The purpose of this article is to summarize the role of the business continuity professional in sourcing and using situational awareness-related information (internal and external) and what to do with the information upon receipt.
The business continuity professional has four specific planning and response roles as it relates to event-specific information (of note, the business continuity professional is not the only participant, but may lead, facilitate, or coordinate this process with others):
- Determine what type(s) of information the organization needs to respond effectively (e.g., we need information about trends in absenteeism)
- Identify sources of information that could help the organization learn of a potential disruption and perform the situation assessment (e.g., the New York City EOC RSS feed)
- Establish methods to get the information to the right people in the most timely manner possible (e.g., establish a Help Desk notification list for “Sev 1” availability events)
- Advise decision-makers to “activate” a crisis management / incident management team to assess the situation based on information received
Sources of Information
To better understand when a threat to the organization may result in disruption, the business continuity professional must ensure different sources of information reach the people that can “activate” the response (situation assessment) process.
ATTN: Advanced notice of a public demonstration (Source – RSS
feed from the County EOC) = potential facility inaccessibility
Potential sources of information may include:
What to Do With the Information (the Process)
As noted above, it’s the business continuity professional’s role to identify sources of information that could help provide advanced or immediate notice of a disruptive incident. The organization should also prepare to receive and use the information in a timely manner. For example, the Information Technology Help Desk should have a complete and up-to-date notification list that includes business continuity professionals and members of the crisis management team so the right people react when they learn of network, storage or application downtime. The same could be said of the security operations center when they learn of an event that could impact facility accessibility, or the information security team when they learn of a data breach.
Beyond the initial receipt of the information, the organization must develop a process to assess the information and use it to:
- Understand if the event could lead to a disruption;
- Determine “how bad is it”; and/or
- If it escalates (“how bad could it be”).
In other words, use the information to perform a situation assessment and then implement appropriate response and recovery procedures based on the outcomes of the assessment.
The business continuity professional often focuses a tremendous amount of time on performing analyses (risk assessment and business impact analysis), writing plans, and facilitating exercises. But failing to think ahead about obtaining threat and disruption-related information and the process to consume such information can lead to delays in responding and even recovering affected activities and resources. Team with others in your organization to identify the types of information your organization needs to respond, the specific sources of information, and the methods to respond when certain triggers or thresholds are (or may be) met.
In the meantime, don’t hesitate to reach out to us to discuss aligning to the standard or pursuing certification. We look forward to hearing from you!
Implementing ISO 22301: The Business Continuity Management Systems Standard
Avalution Consulting: Business Continuity Consulting