In July 2024, A logic error in an update for CrowdStrike’s Falcon software caused 8.5 million windows computers to crash. While a fix was pushed out shortly after, the nature of the error meant that a full recovery of all effected machines took weeks to complete.
Many businesses were caught up in the disruption, regardless of if this affected them directly or by proxy due to affected suppliers. So, what can businesses learn from this?
Today, Ian Battersby and Steve Mason discuss the aftermath of the CrowdStrike crash, the importance of good business continuity and what actions all businesses should take to ensure they are prepared in the event of an IT incident.
You’ll learn
- What happened following the CrowdStrike crash?
- How long did it take businesses to recover?
- Which ISO management system standards would this impact?
- How can you use your Management System to address the affects of an IT incident?
- How would this change your understanding of the needs and expectations of interested parties?
- How do risk assessments factor in where IT incidents are concerned?
Resources
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:05] Episode summary: Ian Battersby is joined by Steve Mason to discuss the recent CrowdStrike crash, the implications on your Management system and business continuity lessons learned that you can apply ahead of any potential future incidents.
[03:00] What happened following the CrowdStrike crash?– In short, An update to CrowdStrike’s Falcon software brought down computer systems globally.
8.5 million windows systems, which in reality is less than 1% of windows systems, were affected as a result of this error.
Even still, the damage could still be felt from key pillars of our societal infrastructure, with a lot of hospitals and transportation like trains and airlines being the worst affected.
[04:45] How long did it take CrowdStrike to issue a fix? – CrowdStrike fixed the issue in about 30 minutes, but this didn’t mean that computers affected would be automatically fixed.
In many cases applying the fix meant that engineers had to go on site to many different locations which is both time consuming and costly. In some cases Microsoft said that some computers might need as many as 15 reboots to clear the problem.
So, a fix that many were hoping would solve the issue ended up taking a few weeks to fully resolve as not everyone has IT or tech support in the field to issue a manual reboot.
A lot of businesses were caught out as they don’t factor this into their recovery time, some assuming that an issue like this is guaranteed to be fixed within 48 hours, which is not something you can promise. You need to be realistic when filling out a Business Impact Assessment (BIA).
[07:55] How do you know in advance if an outage will need physical intervention to resolve? – There is a lesson to be learnt from this most recent issue. You need to take a look at your current business continuity plans and ask yourself:
- What systems to you use?
- How reliable are the third-party applications that you use?
- If an issue like this to reoccur, how would it affect us?
- Do we have the necessary resource to fix it? i.e. staff on site if needed?
Third-parties will have a lot of clients, some may even prioritise those that pay a more premium package, so you can’t always count on them for a quick fix.
[09:10] How does this impact out businesses in terms of our management standards? – When we begin to analyse how this has impacted our management systems, we can’t afford to say ‘We don’t use CrowdStrike therefore it did not impact us’ – it may have impacted your suppliers or your customers. Even if there was zero impact, lessons can be learned from this event for all companies.
Standards that were directly affected by the outage were:
- ISO 22301 – Business Continuity: Recovery times RPO and RTO; BIA; Risk Assessments
- ISO 27001 – Information Security: Risk Assessment; Likelihood; Severity; BCP; ICT readiness
- ISO 20000-1 – IT Service Management; Risk Assessment of service delivery; Service continuity; Service Availability
Remember, our management systems should reflect reality and not aspiration
[11:30] How do we use our Management Systems to navigate a path of corrective action and continual improvement? – First and foremost an event like this must be raised as an Incident – in this case it would no doubt have been a Major Incident for some companies. This incident will typically be recorded in the company’s system for capturing non-conformities or continual improvement.
You could liken this to how ISO 45001 requires you to report accidents and incidents.
From the Incident a plan can be created which should include changes to be considered or made to the management system.
The Incident should lead us to conducting a lessons learned activity to determine where changes and improvements need to be made.
We are directed in all standards to Understanding the Organisation and its context
The key requirement here is to determine the internal and external issues that can impact your management system, and prevent it from being effective. Whatever method a company uses for this, perhaps a SWOT and PESTLE; the CrowdStrike/Microsoft Outage should be included in this analysis as a threat and/or Technical issue.
[15:15] What are the lessons learned from our supply chain? – In many ISO Standards, such as ISO 9001 and ISO 27001, there is a requirement to review your suppliers and the effectiveness of the service they’re delivering.
So you could send them an e-mail to ask how they have dealt with the issue, what actions did they take and how long did it take to fully restore services.
This is a collaborative process that you can factor into your own risk assessments, as you can make a better judgement on future risk level if you are privy to their recovery plans.
Many people still think of that requirement only in relation to goods and products. i.e. has my order been delivered ect. However, it relates to services such as IT infrastructure as well. You rely on that service, so evaluate how well it’s being delivered.
[17:35] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.
[19:50] Once you have established lessons learnt, what’s next? – The Standards provide a logical path to work through.
One of the first steps is to conduct a SWOT and PESTLE, and doing so after a major incident is recommended, as your threats and weaknesses may have changed as a result.
Do not simply put the sole blame on a third-party who an incident may of originated from. This is about your response and recovery, your plans coming into effect to deal with the situation, not about who is at fault.
One such finding may be your lack of business continuity plans, in which case, looking at implementing aspects of ISO 22301 may be an action to consider.
It’s also important to note down any positives from the incident too. You may have dealt with something very fast, communicated the issue effectively and worked with clients to ensure that their level of service was minimally impacted.
If a team dealt with a situation particularly well, they should be recognised for that, as it really does go a long way.
[23:55] The importance of revisiting your SWOT and PESTLE: These exercises shouldn’t just be a one time thing. You should be addressing these after incidents and any major changes within the business.
Ideally, you should be looking at these in all your meetings, as many actions may need to be escalated to a strategic level.
If you’d like to learn about how one of our clients embraced SWOT and PESTLE, and used it to their advantage, check out episode 53.
[25:20] How has our understanding of the needs and expectations of Interested Parties been changed? – How has the Outage impacted the needs and expectations of interested parties? Understanding this might lead companies to ask questions about the robustness and effectiveness of different parts of the management system:
- Risk Assessment
- BIA for BCP
- Recovery Plans
- DR plans
- Service Continuity
[27:50] What should you be considering with your risks assessments? – Risk Assessments, if they follow the traditional methodology, with have Likelihood and Impact/Severity scores an in the light of this outage, and any event, the likelihood and Impact scores should be updated.
If a company has set the likelihood as ‘once every 5 years’ it should seriously consider changing this to ‘once every 6 months’ or ‘once every year’ to understand if this poses any new risks to the business. The likelihood score would of course be updated every year until it has recovered to ‘once every 5 years’.
The impact is important to look at. If a company has been impacted by this outage, what has it cost the company to recover – talk to finance and other departments to understand the cost and change the scoring accordingly.
[33:20] Why should a business carry out a risks assessment as part of lessons learnt? – Our risk assessments are not a one-off, but should be living documents that reflect the status of threats to the business. In ISO 27001 there is a statement to identify the ‘Consequences of unintended changes,’ and it could be argued that an Outage on the level of the CrowdStrike/Microsoft outage was an ‘unintended change that led to consequences in many businesses.
So, use your risk assessments as live tools to report on the reality facing the organisation.
Similarly, BIA assessments for BCP should be reviewed to determine if the assumed impact reflects the real impact; also look at the recovery plans to see if they are effective.
If a recovery plan has stated that this type of incident could be recovered in 48 hours, and in reality it has taken 2 weeks, it means that recovery times in terms of RPO and RTO should be reviewed.
Remember – your management system should reflect reality and not aspiration.
If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
According to the ISO Survey, there’s been a 82.9% increase in worldwide ISO 22301 certificates issued following 2020.
Business Continuity is a must have for businesses who want to ensure long-term survivability following a disruptive event. Many turn to ISO 22301 to help put a framework in place, including today’s guest – Lifelong Learner.
However, what usually takes businesses a minimum of 6 months, Lifelong Learner managed to accomplish in just 4 months across an international organisation! That is no small part due to the tremendous effort of Lifelong Learner’s Manager of Information Security, Governance, Risk and Compliance, Lauren Taylor.
Lauren joins Mel on this weeks’ episode to share her journey and explains the challenges associated with implementing a Business Continuity Management System in just 4 months.
You’ll learn
- Who are Lifelong Learner?
- Why did they decide to Implement ISO 22301?
- What did they learn from implementing ISO 22301?
- What was the biggest challenge with Implementation?
- What are the benefits of implementing ISO 22301?
Resources
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:05] Episode summary: Today Mel is joined by guest Lauren Taylor who is the Manager of Information Security, Governance, Risk and Compliance at Lifelong Learner Holdings LLC.
Lifelong Learner and it’s brands represent a fusion of comprehensive workforce solutions, with a human-first focus of changing lives through assessment. This includes helping people advance in educational and career aspirations, earning or maintaining licensing or certifications, or providing the tools to develop future leaders.
Lauren has helped Lifelong Learner accomplish a massive milestone, and that’s the implementation of the Business Continuity Standard ISO 22301 across an international organisation, which she managed to do in just 4 months! She’s here to share her journey and lessons learned from implementing ISO 22301.
[03:30] Not many people know this about Lauren – She had previously trained to be a mental health counsellor.
[04:05] Who are Lifelong Learner LLC? – Lifelong Learner is the parent company of two subsidiaries:
PSI Testing Excellence: a leading provider of assessment solutions for the licensing and certification markets, to Educational Testing Services.
Talogy: A market leader in the talent management space whose core purpose is helping organizations achieve their potential. They manage the talent management side of the business. So what they’ll do is they’ll put together psychometric tests that help companies find the right person for the right job, and will assist with skills development.
[05:00] Adding to Lifelong Learner’s ISO Collection: Lifelong Learner already have an impressive ISO Library, being certified to:
- ISO 9001 – Quality Management
- ISO 14001 – Environmental Management
- ISO 27001 – Information Security Management
[05:20] What was the main driver behind obtaining ISO 22301? – The main driver, as with most companies, is usually a client contractor requirement, but business continuity has been something that we’ve wanted to look further into for a while, just because there’s elements of ISO 27001 that cover the business continuity.
While we were able to get through the audits with what we had, we just felt that it just needed a little bit more building out. Business Continuity is a requirement in part of ISO 27001, but for Stakeholders that want assurance that a business has robust business continuity plans in place, ISO 22301 is the next step.
[06:10] The Implementation Timeline – In October 2023, we began with the context workshop where we could kind of get a better idea of the scope of the management system.
This was followed by a number of SWOT and PESTLE workshops to help identify what the perceived risks would be.
Next came the Business Impact Analysis (BIA) – So essentially what you’re needing to find out from these workshops is, the core activities that each of the teams perform on the day-to-day basis. You also need to understand what their systems are that they use, if they have any dependencies, and essentially it all comes down to understanding that if the business cannot perform those activities, what would be the impact overtime if those activities were to stop.
Once you have all that information, the next step was to map it across into a risk assessment, which really helps you to understand the granular risks to your business when it comes to business continuity planning.
This risk assessment helped to highlight some weaknesses that we hadn’t considered before, and gave us a point in the right direction as to what we needed to work on to bridge those gaps.
Next was the creation and revamping of documentation inline with ISO 22301 requirements. Thankfully, due to the other ISO’s we hold, we already had a lot in place. Same goes for Internal Audits, so this was more a case of integrating ISO 22301 into our existing Management System.
Once we had all the documentation, we conducted a ransomware test exercise, which we also documented all the findings from. Then we were we were ready for stage 1!
[09:15] What were the biggest gaps Lifelong Leaner needed to address?: Following the BIA and Risk Assessment, we were able to see where we needed response plans because business continuity is always your Plan B. So in our minds, we had an idea of what kind of response plans we would need in terms of i.e. a malware response plan, a ransomware response plan, those sorts of things. But until we actually looked at the BIA we released we needed a few more.
[10:25] What difference did addressing those gaps make? – For us it was understanding the real risks to our business.
We already had ISO 27001 in place, and we figured if there were to be another pandemic for example, that we’d be covered. However, it wasn’t until we did those exercises did we realise that there was a lot we could improve on.
[13:25] What did Lauren learn from Implementing ISO 22301? – How much people underestimate the importance of a good business impact analysis.
After going through this in a very, very short space of time, I realised that it is actually the driving force behind a good business continuity management system.
Also, it highlighted just how many people believe business continuity is just all about IT and physical security, they completely loft out the human element.
An example of this is having a single point of failure, which is where if somebody left there would be a gap.
[14:40] What benefits have Lifelong Learner experienced since implementing ISO 22301? – Lauren has noticed that more clients are requesting to see their Business Continuity Plans.
It’s helped with the introduction of the latest ISO 27001:2022 controls – as these too also focus on elements of business continuity.
[15:50] Lauren’s top tips for implementing ISO 22301 – Definitely give yourself longer than 4 months!
Logically think about how everything links together, the clauses all have purpose and flow in a logical pattern to help create a Management System.
Your Management Review can be your best friend. It’s your opportunity to really engage with senior management and help them understand what your risks are to the business, how your internal audit is coming along, how you manage your nonconformities and it can be all neatly wrapped up in that nice management review bow.
[18:00] Lauren’s book recommendation – The Matthew Perry Autobiography, Friends, Lovers and the Big Terrible Thing.
[19:30] Lauren’s favorite quote – “You catch more flies with honey than vinegar.”
If You’d like to learn more about Lifelong Learner, check out their website.
If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
ISO 27002 was recently updated this year – along with a reduction of overall controls, 11 completely news ones were added to keep up with new and emerging technology.
One of the new controls added under the organisational category, is something called threat intelligence. But what does this mean exactly?
Steve Mason joins us again today to delve deeper into threat intelligence to explain what it is, gives examples of the different types and shares some tools and activities that will help you develop threat intelligence
You’ll learn
- What is threat intelligence?
- What does threat intelligence actually do?
- The different types of threat intelligence
- What tools can you implement to help with threat intelligence?
- What activities can you do to help develop threat intelligence?
Resources
In this episode, we talk about:
[01:19] The definition and purpose of threat intelligence
[03:01] Threat intelligence doesn’t have to factor into your scope and context – you can integrate findings in later
[03:50] Threat intelligence is about being aware of not only internal threats, but global threats that could impact your business
[04:50] Threat intelligence is not only about IT (i.e. viruses)
[05:19] That being said – cyber threats are still a big factor. So ensure you have tools, training and measures in place to reduce cyber attacks and breaches.
[06:30] Types of Threat intelligence, including: Cyber, Strategic and Tactical
[07:58] What threat intelligence actually does – Firstly ensure that you are collecting relevant data. That data can be analysed and used to reduce risk, to help you be proactive instead of reactive to threats.
[09:51] Threat intelligence is very appliable to Business Continuity (ISO 22301)
[10:35] The different types of tools you could consider, including: Security information and event management (SIEM) and CSOC – Cyber Security Operation Centres
[12:30] Types of threat intelligence activities you can do. This includes: Establishing objectives, collection of information from selected sources, analysing information to understand how it relates and is meaningful to the business and communicating information to relevant individuals.
[15:10] Ensure your threat intelligence is dynamic – and use it to inform and update your Risk Assessments at regular intervals
[16:30] Threat intelligence works with the Plan-Do-Act-Check cycle that is commonly seen in most ISO’s
[17:10] Threat intelligence can be used by any business regardless of any ISO certification you may or may not have.
[18:05] Keep an eye out for our ISO 27001:2022 migration support offering!
Download our ISO 27002 changes Quick Guide here:
Just a reminder, we’re offering 6 months free access to the isologyhub for anyone who signs up to an ISO Support Plan!
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud
Today’s guest is Alex Street, from EMCOR UK a world leading Facilities Management Company. EMCOR are the epitome of high standards, in fact EMCOR are certified to 8, yes 8 ISO Standards, which is pretty impressive. Though we are just going to focus on one in particular that is extremely topical at the moment – Business Continuity. Mel first met Alex when EMCOR engaged in our services to implement the Information Security standard and also ISO 22301 the business continuity standard 4 years ago. The company has gone from strength to strength over the years, so Alex is joining us today to discuss ISO 22301 and how the system is helping them to not just survive, but thrive during these difficult times.
Some highlights:
- EMCOR adopted the early BS 25999 and later migrated to ISO 22301 after drive from customers as well as natural progression to the updated version
- Recognized the benefits of having a robust Business Continuity Management system in place
- Went through the process of a Gap Analysis and Business Impact Analysis to identify where the system needed to be addressed and built on. This led to the review of objectives and business continuity plans in accordance with 22301’s more detailed requirements.
- A key focus should be training and awareness for all staff once plans have been agreed – so that everyone knows what their role is in any given situation.
- Keep up with testing and auditing of the Business Continuity plans to ensure they run smoothly and are still applicable in execution
- EMCOR had been monitoring the COVID-19 situation as early as December and since February 2020 – had been having meetings with Executive teams (Gold and Silver) to discuss next steps. Thanks to ISO 22301, they’d already had tested processes in place for moving towards remote working.
- A consistent approach to all areas of Operation is key – from ground level to executive
- Communication and collaboration with supply chain and customers – ask them if you could be doing anything more to help
- Support your own supply chain – Taking the current situation into account, everyone is in the same boat so help where you can
- It can take a live incident to fully test a Business Continuity plan – take lessons learned from live events forward. Actively work to continually improve your system.
- Alex’s helpful tip: ‘Don’t get caught out’ – The standard is there to help but you need to put the work and effort in to make it work for you. ‘The benefits far outweigh the risks of not having an effective Business continuity management system in place’
Further resources:
To Learn more about EMCOR, visit their website HERE
Free standards available from BSI HERE
Need assistance with ISO 22301? We’d be happy to help
We also have an Introduction to ISO 22301 E-learning course available HERE. Use discount code: ISO2230110 for 10% until the end of July 2020.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud
Although it is good news that we are returning to work – Are you confident that you’ve fulifilled your duty of care as an employer? As an employee are you confident that your company is managing your return to work safely?
Over the coming months its important that we know the health status of our workforce in realtime. However, that is easier said than done, or is it?
One of our clients for many years, Riskex have been in the health and safety software space for many years, and are now offering free of charge their COVID-19 Health Assessment.
ISO Show takeaways:-
- How Riskex has grown from success to success
- How ‘Fit 2 work’ only takes 5 minutes to set up for your company, ad only takes 30 seconds for an employee to complete.
- How does ‘Fit 2 work’ keep you informed and manage your workforce safely.
- Benefits of tracking your employees Health and safety in relation to COVID-19
- How can businesses me more resilient and achieve compliance
- Potential COVID-19 mitigation cases against employees and how to prevent legal claims.
- How Assessnet fits with ISO Standards – a simple method for supporting compliance.
- How to get FREE access to ‘Fit 2 work’
You can learn more about Riskex’s Fit 2 work tool HERE
To learn more about Riskex and their full range of services, visit their website.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud
Join Rachel Churchman, Managing Consultant this week as she explains a the key changes to ISO 22301 :2019. Here are the show highlights:
October 2019, the ISO 22301 Standard was updated (previously ISO 22301:2012 with minor amends in 2014).
- On the whole that standard is more streamlined and a lot of repetition has been removed from the standard. In addition, it aligns far more closely with other standards.
- Structure has remained the same although it has now been better aligned with Annex SL (previously some minor deviations).
- Now takes a broader approach from strategy-based to solution-based – The ISO 22301:2019 standard requires organisations to not only develop high-level strategies to ensure business continuity, but also to define solutions to handle specific risks and impacts relevant to continuity.
- This is the most significant change for top management because the identification of required resources is now related to solutions, not strategies. Defining resources in terms of strategies is not as precise as when you define them in terms of the solutions, which greatly affects the budget planning for the BCMS.
- Managing changes to the BCMS – is now a
mandatory clause (previously just implied throughout the Standard). This
new requirement of ISO 22301:2019 requires organizations to make changes
in the BCMS in a planned manner, which can be achieved by considering:
- the purpose of the change and its consequences
- how the integrity of the Business Continuity Management System is impacted by the change
- the resources available to perform the change
- the definition or change of responsibilities and authoritiesIt should be noted that in a number of areas the new standard is significantly less detailed and prescriptive than its predecessor – (i.e. Context and Scope clauses are now in alignment with other ISO standards where previously these clause were very prescriptive for ISO 22301).
- Clause 6.1.2 now makes it clear that the risks (and opportunities) that need to be addressed relate to the effectiveness of the BCMS, as opposed to the risks of disruption, which are addressed by Clause 8.2.3. The same relationship is intended in other standards (such as ISO 27001).
- The requirements for conducting the business impact analysis (BIA) are now clearer. The relationship between unacceptable impact, maximum tolerable period of disruption and prioritized timeframes for activity resumption is defined as well as using the BIA to identify ‘prioritized activities’. It should be noted that there is no specific requirement with the 2019 version to document the BIA process.
- Evaluation of BC documentation and capabilities specifically requires the suitability, adequacy and effectiveness of BIAs and risk assessments to be evaluated. This was previously only an implicit requirement in the name of effectiveness, but points to the key role played by BIAs and risk assessments (so having them documented is a good thing).
- The concept of minimum activity levels has shifted from the need to identify minimum levels of products and services to minimum acceptable levels of activity, the linking of which is implicit, to the minimum acceptable capacity of resumed activities.
- One of the criticisms from users of ISO 22301:2012 was the lack of a detailed requirement around the need for an organization to manage its supply chain’s own business continuity capabilities. There is now a requirement to ensure that outsourced processes and the supply chain are controlled.
- From an exercise and test perspective that is now direct reference to validating continuity strategies and solutions (rather than simply BC arrangements)
If your organization’s currently certified to ISO 22301:2012 we anticipate you will have three years to transition to ISO 22301:2019 and after 30 October 2022 certificate for ISO 22301:2012 will no longer be valid*.
BSI are noting that they will continue to deliver audits against ISO 22301:2012 until 30 April 2021 to allow you time to get your system updated and aligned to ISO 22301:2019.
Further resources:
Free standards available from BSI HERE
Need assistance with ISO 22301? We’d be happy to help
We also have an Introduction to ISO 22301 E-learning course available HERE. Use discount code: ISO2230110 for 10% until the end of July 2020.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud
Continuing the ISO 22301 Steps to Success series, we look at how you can engage your staff while implementing and testing the Business Continuity Management System (BCMS). It’s important to review the effectiveness of the whole BCMS to ensure it’s going to deliver the resilience we require as a business. This is achieved through internal audit of the management system.
There is far greater focus on communication and awareness within both internal and external audits for this standard. You are creating a system that we hope we never have to invoke, and the effectiveness of the response relies on staff understanding their role and the procedures to follow when the worst happens. Therefore, undertaking more in-depth awareness interviews during the internal audits will provide far more value and reassurance that the required awareness is in place.
As with any standard, there is also the requirement to take corrective action for any issues raised.
Lastly, you need to undertake the holistic review of the BCMS. This is achieved through the Management Review Process that reviews all the key inputs and interactions into the management system and analyses effectiveness and any potential need for change. It also reviews objectives and progress made, results of internal audits, supplier performance etc. Very similar to other ISO management Systems standards.
Join us next week as we discuss the changes made to ISO 22301:2018.
Need assistance with ISO 22301? We’d be happy to help
We also have an Introduction to ISO 22301 E-learning course available HERE. Use discount code: ISO2230110 for 10% until the end of July 2020.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud
As anyone who has experience of business continuity – i.e. the current Covid-19 pandemic – will understand is that effective communication is absolutely vital to ensure an effective response.
Planning for how you will communicate, who will communicate, when you will communicate and pre-drafted message for reasonably foreseeable events can make or break an effective BCP response.
Awareness of the BCP and the part they play within the plan is critical for your staff. Therefore, there’s a requirement to undertake awareness training for staff -both those that have a role to play, and those that are simply required to follow orders given.
And we mustn’t forget the additional training that may be required for ‘deputies’ within a response plan.
People can react differently to that expected in an emergency situation, so it’s vital that staff are aware of how they will be made aware of a BCP event, and what role they play within in. If they have a role to play, they need to have additional training on the specific response plan so that it’s followed should it ever be invoked.
Part of this awareness training and reinforcement can be supported by ‘exercising’ and ‘testing’ the plan as a team. This is an effective way of walking through the theoretical, taking the time to consider various scenarios and making informed decisions within a calm environment. This can prevent knee-jerk or incorrect decisions being made during the time of an actual response. Exercising and testing can and should also involve any key interested parties outside of the organisation in order to stress-test their ability to support the business in times of crisis. Any lessons learnt from exercises, tests or actual BCP events should always be followed up from a lessons learnt point of view to ensure that response plans are updated in line with any changes or issues not previously considered – and then they need to be re-communicated in the business.
Join us next week as we discuss how to engage staff with your BCP effectively.
Need assistance with ISO 22301? We’d be happy to help
We also have an Introduction to ISO 22301 E-learning course available HERE. Use discount code: ISO2230110 for 10% until the end of July 2020.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud
Welcome to the first part of our ISO 22301 Steps to Success series. Business continuity provides a basis for planning to ensure your long-term survivability following a disruptive event. ISO 22301 identifies the fundamentals of business continuity management and provides a basis for understanding, developing and implementing business continuity management within your organisation.
Rachel Churchman explains the process of creating a Business Continuity Management system, here are some highlights:-
Understanding what’s in place already from a resilience perspective. A gap analysis also helps us to understand the business and the different activities and aspects that need to be considered as part of the wider BCP. Also, a great opportunity to meet the team and look to identify key ‘Champions’ in the business. Look to source these from different levels and areas – Top Management, Finance, HR, Legal, Comms/Marketing, Customer support, Operations, Procurement etc.
Undertaking a Context Review enables us to understand the wider internal and external issues that can impact the business – positively and negatively. It also starts to review these interested parties that may need to get involved with our BCP – for example Key Suppliers on whom we may have a dependency.
Risks and opportunities identified here can then be captured and progressed through the development of key BCP objectives and improvement plans.
Business Impact Assessment and risk assessment is at the heart of the BCP. It requires us to look at the activities we undertake that enable us to effectively run our business. By reviewing these key activities, and then fully understanding what the potential risks are that may disrupt our ability to perform, we can start to understand where we may need a ‘Plan B’ – effectively our Business Continuity strategy and plans.
An effective BIA will look at activities and what they support in terms of services and other departments, what the impact of disruption will have on the business (i.e. reputation, financial penalties, legal compliance, revenue etc), and look to define what our maximum period of disruption may be. It also looks to understand what we need to recover our position is a disaster struck – e.g. Back up data.
It also gets us look at our dependencies – internally and externally. Understanding our supply chain and where they fit into our BCP is fundamental to effective BCP response. If we rely on a key supplier – are we checking whet Their BCP arrangements are?
lastly – we need to understand any contractual obligations we have that are linked to BCP. We need to ensure our own BCP can support these.
Once we have undertaken our BIA and risk assessment, we are then in a position to develop our Business Continuity Management system to include our Business Continuity Plan and supporting response plans.
Response plans will look to cover any assumptions made in the plan, responsibilities (including who can invoke and stand down a response), the business recovery objectives (including Recovery Time Objective and Recovery Point Objectives), Who/What is impacted (directly and indirectly), Recovery Strategy at a high level, communication requirements. It will then ideally walk through the plan for the following stages – Emergency Phase (incident reported), Recovery Phase (response strategy and plan), and Restoration Phase (return to normal operations).
We also need to consider communication procedures and mechanisms that will be invoked during a BCP incident. For instance, who might be responsible for speaking to the media?
Join us next week in part 2 of the Steps to Success series as we discuss how to communicate your BCP effectively.
Need assistance with ISO 22301? We’d be happy to help!
We have an Introduction to ISO 22301 E-Learning course available HERE. Use Code ISO2230110 to get 10% off your purchase.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud
What is Business Continuity Management and what are the benefits of ISO 22301?
Whist many businesses have adapted to remote working, in some industries such as manufacturing or construction they now looking at ways to try to return to some type of ‘business as usual’.
One standard that is completely focused on resuming operations to get back to ‘business as usual, is ISO 22301, the Business Continuity Standard. This standard is very much about minimising damage to a business and planning for business recovery as swiftly as possible.
So, what is Business Continuity Management?
Business Continuity Management involves the recovery or continuation of business activities in the event of any business disruption. COVID-19 is a prime example of a situation that is pretty much affecting all businesses globally.
By having a holistic Business Continuity Management System (BCMS) in place will not only help your organisation recover from disasters, it will also prevent the reputational damage that can arise from any operational outages, missed deadlines, upset customers, or direct financial loss.
ISO 22301 provides a comprehensive set of controls based on Business Continuity ‘Best practice’ from across the world.
The BCMS should also include Risk Assessment (RA) and Business Impact Analysis (BIA), which are an inherent part of ISO 22301 and an essential component to identifying prioritised activities, dependences and resources supporting their key products and services, as well as what the impact of their failure would be on the organisation.
What are the benefits of ISO 22301?
Protection and recovery of business critical functions and processes
- Identification and understanding of the most valuable and critical business processes and the impact of disruption.
- Timely and orderly responses to incidents and business disruptions to continue business operations at an acceptable pre-defined level as promises in contract or agreement
- Demonstrate credible responses through scenario-base exercising
- Increase the survival chance of both the organisation and employees jobs and other dependents.
- Increased levels of resilience and recovery capability, and the continued survival of the organisation
Financial
- Improved risk profile when renewing your insurance policy, resulting in reduced insurance premiums.
- Significantly reduced financial impact of incidents, disruption or even under disaster.
- Provides evidence to support financial claims.
Reputational
- Advantage gained over less resilient competitors.
- Reputation maintained, or even improved, through demonstrating a professional approach to managing disruption.
- Positive message communicated to the media and stakeholders in crisis conditions.
Demonstrates leadership commitment to resilience
- Demonstrate management commitment in overall risk management with visible evidence to stakeholders.
- Encourages clear communications on what employees need to do to recover from an incident and supports cross-department and cross-organisation coordination.
- Compliance with the expectations of regulators, insurers, business partners and other key stakeholders.
What are the options when it comes to improving business resilience during COVID-19 and other business disruptors your company may face?
- Buy a copy of ISO 22301:2019 and review your business against the requirements and develop a business continuity system accordingly.
- Partner with a Business Continuity specialist such as Blackmores and work in collaboration with your partner to complete a Gap Analysis, Risk Assessment, Business Impact Analysis, Business Continuity Documentation and possibly a compliance audit.
- Partner with a training provider to bring more knowledge on the subject in-house – this could be eLearning, BCP workshops or certification body auditor training.
- If you are serious about demonstrating how resilient you are as an organisation, consider certification to ISO 22301 with a UKAS Accredited certification body.
Further resources:
Further information on ISO 22301
Further information on ISO 22313
For a copy of our example BIA, simply contact us: enquiries@blackmoresuk.com
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud
I think it’s important to acknowledge the reality that we all face right now whilst in the midst of a global pandemic, both as individuals, families and businesses. Sadly, there is very little that we can control about the situation, other than staying at home and follow the governments guidelines to reduce the disease spreading and deaths increasing.
However, what we can control if how we respond to our situation, and to try and embrace this period of isolation as an opportunity, because we have to quit literally stop our normal way of working and living. So, this enables us to objectively reassess what is working in our business and what isn’t.
Which brings me onto the topic for today – Making remote working work.
So how do you make remote working work for you? Well it partly comes down to the tech, but if you’ve got the confidence in yourself and ability to communicate, its actually really easy.
So how did we go about it? Well, we sent out a communication to all clients that all our services were to be delivered remotely. We then provided training for the Team and created one of our internal WOW’s which is Way of Working, we put it to the test, each employee had to test Microsoft Teams and off we went, rocking and rolling out remote way of working.
We then published a ‘Remote Working Guide’ for our clients, so they knew exactly what to expect.
What to expect
we utilise Microsoft Teams which is available to everyone at the click of a link. As long as you have a Wi-Fi connection, then work can be carried out remotely which is the same as if we were together in a physical environment.
We are able to deliver ALL of our services remotely including the implementation of systems compliant to ISO Standards and ISO Support Plan services. This includes, but is not limited to:- –
- Internal audits
- Certification body support i.e. Annual Surveillance, re-certification and assessments
- Updating your policies and procedures
- Facilitation of Workshops i.e. H & S, Environmental, Information Security and Business Continuity
- Training and awareness sessions;
- Gap Analysis
- Facilitating/chairing Management Review Meetings/information
- Reviewing and updating legal registers
The only possible limitations for remote working include –
- Certain risk based ‘site’ audits where we have to observe the physical work environment and assets.
However, whilst there are a few limitations, Blackmores is able to offer alternative methods to continue work –
- ‘Model Checklists’ for physical security or environmental or health and safety walk rounds can be supplied for you to undertake, with photographs taken. Alter-natively, a remote audit could be undertaken using a mobile phone so that the camera can be used to record the ‘walk’.
- If you have a camera available you can video the aspects we need to observe i.e. Fire exits, storage of chemicals. This can either be via a live stream or recording on a device i.e. mobile phone, webcam.
The benefits of remote working
- Productive method of working – well organised agenda.
- Reduces your company environmental footprint.
- Reduces our environmental footprint.
- Allows several people to attend the remote audit/workshop/meeting to reduce travel time and avoids accommodating additional people to reduce meeting space.
- You can work from the comfort of your own location i.e. office/remote/home at a time to suit you.
- Enables you to carry on with other work/activities when we are not directly on-line i.e. report writing/lunch break/updating documents.
- The sessions can be recorded if required and used for future reference i.e. Training employees.
- Reduced paperwork – all evidence is shown online.
For a free copy of our Remote Working Guide, simply contact us at enquiries@blackmoresuk.com
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud
When I first launched the ISO Show in 2019 to dispel myths and share tips on ISO Standards, my plan was to make the podcasts evergreen – so they could be timeless in theory and listened to at any point in time. However, I’m recording this in March 2020, just over a year since we launched the ISO Show and sadly a pandemic – the coronavirus has broken out globally, with over 110,000 reported cases across 95 countries. So I thought it would be helpful to share with you some guidance to try and minimise business disruption caused by the Coronavirus through Business Continuity Planning (known as BCP).
How does this relate to ISO Standards? Well there is an ISO Standard for Business Continuity Standard ISO 22301 (formerly a British Standard BS 25999). However, our ISO Show this week is not about ISO 22301, but How to create a Pandemic (Coronavirus) BCP. In fact, we provide you with a Pandemic Coronavirus Business Continuity Plan template for FREE.
As a founder and owner of Blackmores, a consultancy which implement ISO 22301 I felt we had a duty to share guidance on COVID-19 business resilience . So, I’d like to thank Rachel Churchman, one of our Business Continuity Consultants for sharing with us a Pandemic Business Continuity Plan.
Many businesses have BCP’s, and these are typically scenario based – identifying scenarios that jeopardise the ability for you to run your business in the usual way. In BCP terms this is called (BAU). i.e. loss of power, loss of staff members, inability to access your building – so something that would have an impact of the continuity of the services or product that you deliver.
The next step is to carry out a BIA (Business Impact Analysis) to determine the impact in an event from a financial, operational or reputational perspective. This then enables you to create a BCP for a particular scenario – which is what I’m sharing on the ISO Show. To request the FREE PANDEMIC (COVID-19) BUSINESS CONTINUITY PLAN, simply contact us at www.blackmoresuk.com.
The Pandemic BCP also includes useful sources of reference material, and guidance on Preventative measures, awareness and responsibilities. We’ve included a ‘Guidance on hand hygiene and use of Face Masks’ as an example of this. Feel free to add any other guides that would be helpful for your business.
The BCP helps to minimise the potential impact on your company and helps define the information employees will find helpful. This will be different in all companies but in the sample provided we cover:
- Summary
- Background
- Introduction
- Aim
- Reference Material
- Objectives
- Potential Impact
- Roles and Responsibilities
For supporting information check out:-
FREE copy an example Pandemic Business Continuity Plan – just contact us at enquiries@blackmoresuk.com
Want to learn more about ISO 22301? Take a look at our Steps to Success.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud
The 2016 BCI Horizon Scan, written in collaboration between the Business Continuity Institute and BSI, has revealed some interesting results for perceived risks and threats to business.
Once again, perception of risks to business continuity for 2016 remain focused on information security and the performance and reliance on suppliers.
Top 10 Threats Identified:
- Cyber Attack
- Data Breach
- Unplanned IT & Telecom Outages
- Act of Terrorism
- Security Incident
- Interruption to utility supply chain
- Supply chain disruption
- Adverse Weather
- Availability of talents/key skills
- Health and Safety Incident
568 responding companies from 74 countries
This shows that cyber-attacks continue to dominate the threat landscape and organisations are getting increasingly concerned about its potential for damage given the increased sophistication of hostile elements.
The results also showed a third of the organisations do not use trend analysis results at all with access being a key barrier. This is a key weakness which impacts on building resilience across the whole organisation.
*Figures and content taken from http://www.thebci.org/index.php/download-the-bci-horizon-scan-report-2016
By implementing recognised and effective management system standards such as ISO22301 (Business Continuity) and ISO27001 (Information Security), organisations can mitigate and look at reducing the impact of the majority (if not all) of the top 10 defined risks and threats, and implement response plans to control disruption should a risk be realised.
Our 7 Steps to Success
The Blackmores ISO Roadmap is a proven path to go from idea to launching your ISO Management System.
Whether you choose to work with one of our ISO Consultants, our isologists, or work your own way through the process on our isology Hub, we’re certain you’ll achieve certification in no time!
What our clients have to say
Trusted by leading organisations across all sectors, we support companies of all sizes in any location.
Listen to our Podcast
Welcome to the ISO Show podcast, dispelling myths and sharing tips for success to improve your business with ISO Standards. Join us to hear interviews with successful business leaders as they share their ISO journey with you.
Get top tips via audio master classes “ISO Steps to Success” on the most popular ISO Standards.