The creators of isology®

Today’s guest is Alex Street, from EMCOR UK a world leading Facilities Management Company. EMCOR are the epitome of high standards, in fact EMCOR are certified to 8, yes 8 ISO Standards, which is pretty impressive.  Though we are just going to focus on one in particular that is extremely topical at the moment – Business Continuity.  Mel first met Alex when EMCOR engaged in our services to implement the Information Security standard and also ISO 22301 the business continuity standard 4 years ago.  The company has gone from strength to strength over the years, so Alex is joining us today to discuss ISO 22301 and how the system is helping them to not just survive, but thrive during these difficult times.

Some highlights:

• EMCOR adopted the early BS 25999 and later migrated to ISO 22301 after drive from customers as well as natural progression to the updated version

• Recognized the benefits of having a robust Business Continuity Management system in place

• Went through the process of a Gap Analysis and Business Impact Analysis to identify where the system needed to be addressed and built on. This led to the review of objectives and business continuity plans in accordance with 22301’s more detailed requirements.

• A key focus should be training and awareness for all staff once plans have been agreed – so that everyone knows what their role is in any given situation.

• Keep up with testing and auditing of the Business Continuity plans to ensure they run smoothly and are still applicable in execution

• EMCOR had been monitoring the COVID-19 situation as early as December and since February 2020 – had been having meetings with Executive teams (Gold and Silver) to discuss next steps. Thanks to ISO 22301, they’d already had tested processes in place for moving towards remote working.

• A consistent approach to all areas of Operation is key – from ground level to executive

• Communication and collaboration with supply chain and customers – ask them if you could be doing anything more to help

• Support your own supply chain – Taking the current situation into account, everyone is in the same boat so help where you can

• It can take a live incident to fully test a Business Continuity plan – take lessons learned from live events forward. Actively work to continually improve your system.

• Alex’s helpful tip: ‘Don’t get caught out’ – The standard is there to help but you need to put the work and effort in to make it work for you. ‘The benefits far outweigh the risks of not having an effective Business continuity management system in place’

Further resources:

To Learn more about EMCOR, visit their website HERE

Free standards available from BSI HERE

Need assistance with ISO 22301? We’d be happy to help

We also have an Introduction to ISO 22301 E-learning course available HERE. Use discount code: ISO2230110 for 10% until the end of July 2020.

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Although it is good news that we are returning to work – Are you confident that you’ve fulifilled your duty of care as an employer?  As an employee are you confident that your company is managing your return to work safely?

Over the coming months its important that we know the health status of our workforce in realtime.  However, that is easier said than done, or is it?

One of our clients for many years, Riskex have been in the health and safety software space for many years, and are now offering free of charge their COVID-19 Health Assessment. 

ISO Show takeaways:-

• How Riskex has grown from success to success
• How ‘Fit 2 work’ only takes 5 minutes to set up for your company, ad only takes 30 seconds for an employee to complete.
• How does ‘Fit 2 work’ keep you informed and manage your workforce safely.
• Benefits of tracking your employees Health and safety in relation to COVID-19
• How can businesses me more resilient and achieve compliance
• Potential COVID-19 mitigation cases against employees and how to prevent legal claims.
• How Assessnet fits with ISO Standards – a simple method for supporting compliance.
• How to get FREE access to ‘Fit 2 work’

You can learn more about Riskex’s Fit 2 work tool HERE

To learn more about Riskex and their full range of services, visit their website.

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Join Rachel Churchman, Managing Consultant this week as she explains a the key changes to ISO 22301 :2019. Here are the show highlights:

October 2019, the ISO 22301 Standard was updated (previously ISO 22301:2012 with minor amends in 2014).

• On the whole that standard is more streamlined and a lot of repetition has been removed from the standard.  In addition, it aligns far more closely with other standards.

• Structure has remained the same although it has now been better aligned with Annex SL (previously some minor deviations).

• Now takes a broader approach from strategy-based to solution-based – The ISO 22301:2019 standard requires organisations to not only develop high-level strategies to ensure business continuity, but also to define solutions to handle specific risks and impacts relevant to continuity.

• This is the most significant change for top management because the identification of required resources is now related to solutions, not strategies. Defining resources in terms of strategies is not as precise as when you define them in terms of the solutions, which greatly affects the budget planning for the BCMS.
• Managing changes to the BCMS – is now a mandatory clause (previously just implied throughout the Standard).   This  new requirement of ISO 22301:2019 requires organizations to make changes in the BCMS in a planned manner, which can be achieved by considering:
  • the purpose of the change and its consequences
  • how the integrity of the Business Continuity Management System is impacted by the change
  • the resources available to perform the change
• the definition or change of responsibilities and authoritiesIt should be noted that in a number of areas the new standard is significantly less detailed and prescriptive than its predecessor – (i.e. Context and Scope clauses are now in alignment with other ISO standards where previously these clause were very prescriptive for ISO 22301).

• Clause 6.1.2 now makes it clear that the risks (and opportunities) that need to be addressed relate to the effectiveness of the BCMS, as opposed to the risks of disruption, which are addressed by Clause 8.2.3. The same relationship is intended in other standards (such as ISO 27001).
• The requirements for conducting the business impact analysis (BIA) are now clearer. The relationship between unacceptable impact, maximum tolerable period of disruption and prioritized timeframes for activity resumption is defined as well as using the BIA to identify ‘prioritized activities’. It should be noted that there is no specific requirement with the 2019 version to document the BIA process.
• Evaluation of BC documentation and capabilities specifically requires the suitability, adequacy and effectiveness of BIAs and risk assessments to be evaluated. This was previously only an implicit requirement in the name of effectiveness, but points to the key role played by BIAs and risk assessments (so having them documented is a good thing).

• The concept of minimum activity levels has shifted from the need to identify minimum levels of products and services to minimum acceptable levels of activity, the linking of which is implicit, to the minimum acceptable capacity of resumed activities.

• One of the criticisms from users of ISO 22301:2012 was the lack of a detailed requirement around the need for an organization to manage its supply chain’s own business continuity capabilities. There is now a requirement to ensure that outsourced processes and the supply chain are controlled.

• From an exercise and test perspective that is now direct reference to validating continuity strategies and solutions (rather than simply BC arrangements)

If your organization’s currently certified to ISO 22301:2012 we anticipate you will have three years to transition to ISO 22301:2019 and after 30 October 2022 certificate for ISO 22301:2012 will no longer be valid*.

BSI are noting that they  will continue to deliver audits against ISO 22301:2012 until 30 April 2021 to allow you time to get your system updated and aligned to ISO 22301:2019.

Further resources:

Free standards available from BSI HERE

Need assistance with ISO 22301? We’d be happy to help

We also have an Introduction to ISO 22301 E-learning course available HERE. Use discount code: ISO2230110 for 10% until the end of July 2020.

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Continuing the ISO 22301 Steps to Success series, we look at how you can engage your staff while implementing and testing the Business Continuity Management System (BCMS). It’s important to review the effectiveness of the whole BCMS to ensure it’s going to deliver the resilience we require as a business.  This is achieved through internal audit of the management system.

There is far greater focus on communication and awareness within both internal and external audits for this standard.  You are creating a system that we hope we never have to invoke, and the effectiveness of the response relies on staff understanding their role and the procedures to follow when the worst happens.  Therefore, undertaking more in-depth awareness interviews during the internal audits will provide far more value and reassurance that the required awareness is in place.

As with any standard, there is also the requirement to take corrective action for any issues raised.

Lastly, you need to undertake the holistic review of the BCMS.  This is achieved through the Management Review Process that reviews all the key inputs and interactions into the management system and analyses effectiveness and any potential need for change.  It also reviews objectives and progress made, results of internal audits, supplier performance etc.  Very similar to other ISO management Systems standards.

Join us next week as we discuss the changes made to ISO 22301:2018.

Need assistance with ISO 22301? We’d be happy to help

We also have an Introduction to ISO 22301 E-learning course available HERE. Use discount code: ISO2230110 for 10% until the end of July 2020.

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

As anyone who has experience of business continuity – i.e. the current Covid-19 pandemic – will understand is that effective communication is absolutely vital to ensure an effective response.

Planning for how you will communicate, who will communicate, when you will communicate and pre-drafted message for reasonably foreseeable events can make or break an effective BCP response. 

Awareness of the BCP and the part they play within the plan is critical for your staff.  Therefore, there’s a requirement to undertake awareness training for staff -both those that have a role to play, and those that are simply required to follow orders given.

And we mustn’t forget the additional training that may be required for ‘deputies’ within a response plan. 

People can react differently to that expected in an emergency situation, so it’s vital that staff are aware of how they will be made aware of a BCP event, and what role they play within in.  If they have a role to play, they need to have additional training on the specific response plan so that it’s followed should it ever be invoked. 

Part of this awareness training and reinforcement can be supported by ‘exercising’ and ‘testing’ the plan as a team.  This is an effective way of walking through the theoretical, taking the time to consider various scenarios and making informed decisions within a calm environment.  This can prevent knee-jerk or incorrect decisions being made during the time of an actual response.  Exercising and testing can and should also involve any key interested parties outside of the organisation in order to stress-test their ability to support the business in times of crisis.  Any lessons learnt from exercises, tests or actual BCP events should always be followed up from a lessons learnt point of view to ensure that response plans are updated in line with any changes or issues not previously considered – and then they need to be re-communicated in the business.

Join us next week as we discuss how to engage staff with your BCP effectively.

Need assistance with ISO 22301? We’d be happy to help

We also have an Introduction to ISO 22301 E-learning course available HERE. Use discount code: ISO2230110 for 10% until the end of July 2020.

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Welcome to the first part of our ISO 22301 Steps to Success series. Business continuity provides a basis for planning to ensure your long-term survivability following a disruptive event. ISO 22301 identifies the fundamentals of business continuity management and provides a basis for understanding, developing and implementing business continuity management within your organisation.

Rachel Churchman explains the process of creating a Business Continuity Management system, here are some highlights:-

Understanding what’s in place already from a resilience perspective.  A gap analysis also helps us to understand the business and the different activities and aspects that need to be considered as part of the wider BCP.  Also, a great opportunity to meet the team and look to identify key ‘Champions’ in the business.  Look to source these from different levels and areas – Top Management, Finance, HR, Legal, Comms/Marketing, Customer support, Operations, Procurement etc.

Undertaking a Context Review enables us to understand the wider internal and external issues that can impact the business – positively and negatively.  It also starts to review these interested parties that may need to get involved with our BCP – for example Key Suppliers on whom we may have a dependency.

Risks and opportunities identified here can then be captured and progressed through the development of key BCP objectives and improvement plans.

Business Impact Assessment and risk assessment is at the heart of the BCP.  It requires us to look at the activities we undertake that enable us to effectively run our business.  By reviewing these key activities, and then fully understanding what the potential risks are that may disrupt our ability to perform, we can start to understand where we may need a ‘Plan B’ – effectively our Business Continuity strategy and plans.

An effective BIA will look at activities and what they support in terms of services and other departments, what the impact of disruption will have on the business (i.e. reputation, financial penalties, legal compliance, revenue etc), and look to define what our maximum period of disruption may be.  It also looks to understand what we need to recover our position is a disaster struck – e.g. Back up data.

It also gets us look at our dependencies – internally and externally.  Understanding our supply chain and where they fit into our BCP is fundamental to effective BCP response.  If we rely on a key supplier – are we checking whet Their BCP arrangements are?

lastly – we need to understand any contractual obligations we have that are linked to BCP.  We need to ensure our own BCP can support these. 

Once we have undertaken our BIA and risk assessment, we are then in a position to develop our Business Continuity Management system to include our Business Continuity Plan and supporting response plans.

Response plans will look to cover any assumptions made in the plan, responsibilities (including who can invoke and stand down a  response), the business recovery objectives (including Recovery Time Objective and Recovery Point Objectives), Who/What is impacted (directly and indirectly), Recovery Strategy at a high level, communication requirements.  It will then ideally walk through the plan for the following stages – Emergency Phase (incident reported), Recovery Phase (response strategy and plan),  and Restoration Phase (return to normal operations).

We also need to consider communication procedures and mechanisms that will be invoked during a BCP incident.   For instance, who might be responsible for speaking to the media?

Join us next week in part 2 of the Steps to Success series as we discuss how to communicate your BCP effectively.

Need assistance with ISO 22301? We’d be happy to help!

We have an Introduction to ISO 22301 E-Learning course available HERE. Use Code ISO2230110 to get 10% off your purchase.

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

When I first launched the ISO Show in 2019 to dispel myths and share tips on ISO Standards, my plan was to make the podcasts evergreen – so they could be timeless in theory and listened to at any point in time.  However, I’m recording this in March 2020, just over a year since we launched the ISO Show and sadly a pandemic – the coronavirus has broken out globally, with over 110,000 reported cases across 95 countries.  So I thought it would be helpful to share with you some guidance to try and minimise business disruption caused by the Coronavirus through Business Continuity Planning (known as BCP).

How does this relate to ISO Standards? Well there is an ISO Standard for Business Continuity Standard ISO 22301 (formerly a British Standard BS 25999).   However, our ISO Show this week is not about ISO 22301, but How to create a Pandemic (Coronavirus) BCP. In fact, we provide you with a Pandemic Coronavirus Business Continuity Plan template for FREE.

As a founder and owner of Blackmores, a consultancy which implement ISO 22301 I felt we had a duty to share guidance on COVID-19 business resilience .  So, I’d like to thank Rachel Churchman, one of our Business Continuity Consultants for sharing with us a Pandemic Business Continuity Plan.

Many businesses have BCP’s, and these are typically scenario based – identifying scenarios that jeopardise the ability for you to run your business in the usual way.  In BCP terms this is called (BAU). i.e. loss of power, loss of staff members, inability to access your building – so something that would have an impact of the continuity of the services or product that you deliver.

The next step is to carry out a BIA (Business Impact Analysis) to determine the impact in an event from a financial, operational or reputational perspective.  This then enables you to create a BCP for a particular scenario – which is what I’m sharing on the ISO Show.  To request the FREE PANDEMIC (COVID-19) BUSINESS CONTINUITY PLAN, simply contact us at www.blackmoresuk.com.

The Pandemic BCP also includes useful sources of reference material, and guidance on Preventative measures, awareness and responsibilities. We’ve included a ‘Guidance on hand hygiene and use of Face Masks’ as an example of this. Feel free to add any other guides that would be helpful for your business.

The BCP helps to minimise the potential impact on your company and helps define the information employees will find helpful. This will be different in all companies but in the sample provided we cover:

• Summary
• Background
• Introduction
• Aim
• Reference Material
• Objectives
• Potential Impact
• Roles and Responsibilities

For supporting information check out:-

FREE copy an example Pandemic Business Continuity Plan – just contact us at enquiries@blackmoresuk.com

Want to learn more about ISO 22301? Take a look at our Steps to Success.

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Tony Bennett, Senior Information Security Executive shares his journey on achieving certification to ISO 9001 (Quality), ISO 27001 (Information Security) and ISO 22301 (Business Continuity) in one hit!

Kingsley Napley, is an internationally recognised Law firm based in central London.  To exceed clients’ expectations, they decided to develop their systems to meet the requirements of these leading international standards.  Tony worked in collaboration with Rachel Churchman of Blackmores to support the delivery of the project, and bring together all the requirements of the standard into one holistic framework.  This led to gaining a greater understanding of the organisations operations, risks and strengths, which led to the creation of a ‘Best Practice’ Framework.  As the first Law Firm in the UK to achieve certification to all three standards as an integrated management system, Kingsley Napley are clearly demonstrating how to raise standards within their profession.

As an experienced Information Security professional, in this weeks’ ISO Show Podcast, Tony shares invaluable guidance on:-

• Why Quality, Information Security and Business Continuity is so crucial in the legal sector
• How he delivered the project within 12 months
• The drivers behind implementing all three standards as an integrated management system
• Explains how the assessment was actually an enjoyable experience!
• Key tips on overcoming obstacles and challenges – Communication, communication, communication!
• How leadership plays such an important role in the success of initiating change management
• Specific advice for those in the legal sector who may wish to raise their standards and achieve certification

For further Information on Kingsley Napley and their journey on achieving certification, visit their website.

For support with achieving ISO 9001, IS0 27001 and ISO 22301, see our Steps to Success.

For a FREE consultation Contact Us

For further information on the Standards:

ISO 9001 Quality Management

ISO 27001 Information Security Management

ISO 22301 Business Continuity

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
• Also available on Spotify and YouTube