ISO 27001/BS 25999 documents, presentation decks and implementation guidelines


ISO 22301 vs. BS 25999-2 – An Infographic

By Dejan Kosutic on May 22, 2012

A new business continuity standard (ISO 22301) was published very recently, so I’ve decided to compare this new standard with the old BS 25999-2 standard.

Feel free to add comments below!



What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?

By Dejan Kosutic on January 30, 2012

They are both essential elements of business continuity, and they sound quite similar. But their purpose is quite different.

What is RTO?

So, what does RTO mean? BS 25999-2, a leading business continuity standard, defines RTO as “…target time set for resumption of product, service or activity delivery after an incident”.

This actually means that RTO is crucial when implementing business continuity in a company – calculating how quickly you need to recover will determine what kind of preparations are necessary. For example, if RTO is 2 hours, then you need to invest quite a lot of money in a disaster recovery center, telecommunications, automated systems, etc. – because you want to be able to achieve full recovery in only 2 hours. However, if your RTO is 2 weeks, then the required investment will be much lower because you will have enough time to acquire resources after an incident has occurred.

RTO is determined during the business impact analysis (BIA), and the preparations are defined in the business continuity strategy. See also this article Five Tips for Successful Business Impact Analysis to learn more about RTO and BIA.

What is RPO?

Recovery point objective is a totally different thing – according to Wikipedia, RPO is “… the maximum tolerable period in which data might be lost”. As this is quite difficult to grasp right away, I like to use this example instead – ask yourself how much data you can afford to lose. If you are filling in a database with various kinds of information, is it tolerable to lose 1 hour of work, 2 hours or maybe 2 days? If you are writing a lengthy document, can you afford to lose 4 hours of your work, the whole day, or could you perhaps bear losing your whole week’s work?

This number of hours or days is the RPO. Recovery Point Objective is crucial for determining one element of business continuity strategy – the frequency of backup. If your RPO is 4 hours, then you need to perform backup at least every 4 hours; backing up every 24 hours would put you in great danger, but if you do it every hour, it might cost you too much.
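An added example (not part of the original article) of checking a backup history against the RPO: it reports every window in which an incident would have lost more data than the RPO allows, counting a failed job as no backup at all. The log entries, the function names and the choice of job start time as the recovery point are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Constructed sample backup log: (job start time, finished successfully?)
SAMPLE_LOG = [
    ("2013-06-01 00:00", True),
    ("2013-06-01 04:00", True),
    ("2013-06-01 08:00", False),  # failed job: produces no recovery point
    ("2013-06-01 12:00", True),
    ("2013-06-01 16:00", True),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def rpo_violations(log, rpo_hours, now):
    """Return (window_start, window_end, hours) for each window whose
    potential data loss exceeds the RPO.

    Assumption: a backup protects data up to the moment the job started,
    so the recovery point is the start time of a successful job.
    """
    rpo = timedelta(hours=rpo_hours)
    points = sorted(parse(ts) for ts, ok in log if ok)
    if not points:
        # No usable backup: everything up to 'now' would be lost.
        return [(None, now, float("inf"))]
    # The open window between the newest backup and 'now' counts too.
    boundaries = points + [now]
    violations = []
    for prev, nxt in zip(boundaries, boundaries[1:]):
        gap = nxt - prev
        if gap > rpo:
            violations.append((prev, nxt, gap.total_seconds() / 3600))
    return violations


if __name__ == "__main__":
    now = parse("2013-06-01 18:00")
    for start, end, hours in rpo_violations(SAMPLE_LOG, 4, now):
        print(f"RPO exceeded: {start} -> {end} ({hours:.1f} h of data at risk)")
```

With the sample log and a 4-hour RPO, the single failed job at 08:00 doubles the exposure to 8 hours even though the schedule itself matches the RPO.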

So, what’s the difference?

The difference is in the purpose – RTO has a broader purpose because it sets the boundaries for your whole business continuity management, while RPO is focused solely on the issue of backup frequency. They are not directly related – you could have RTO of 24 hours and RPO of 1 hour, or RTO of 2 hours and RPO of 12 hours.

But let me emphasize what is even more important: what do RTO and RPO have in common? They are both crucial for business impact analysis and for business continuity management. Without determining them properly, you would be just guessing – and guessing is the best way to ensure you never recover from a disaster.

You can also check out our Business Impact Analysis Questionnaire which describes how to gather all information necessary for RTO and RPO (commercially sold document template).


Do you really need a consultant for ISO 27001 / BS 25999 implementation?

By Dejan Kosutic on December 06, 2011

I’ve met quite a few companies considering how to start their ISO 27001 / BS 25999 project, with quite different approaches – some are convinced they can do it completely on their own (with no prior ISO 27001 knowledge), while others think they can do it with the help of a consultant only.

They are both wrong.

Road map for ISO 27001 / BS 25999 implementation

There is one thing you definitely need for the implementation – knowledge. By knowledge I mean the know-how of the implementation process, so that you don’t get stuck and waste time on irrelevant issues, while forgetting the important ones. What you need are the guidelines for implementation, as well as knowledge on how to implement all the pieces of the puzzle.

This is why it isn’t possible to implement these standards with just your existing knowledge base, and it is very rare to find companies who already have experienced ISO 27001 / BS 25999 implementers.

Of course, one way to get around this is to hire a consultant. But this is not the only way – I’ll address that later.

Hiring an ISO 27001 / BS 25999 consultant – pros and cons

The biggest benefit of a consultant is that he/she is going to get you through the implementation process much quicker than if you did it on your own (provided that the consultant has sufficient knowledge). A consultant should provide you with tips & tricks for each step in the implementation process, check the documentation, train your employees, etc. He/she could also run interviews with your employees, write the documentation, and process the results (e.g. during risk assessment).

A major drawback of hiring a consultant is that most small (but also medium-sized) organizations cannot afford one – consultants tend to charge large fees and cannot guarantee the successful implementation. Besides, the more work is done by a consultant, the less will be done by your employees, therefore less knowledge and skills will be passed on to your organization.

Then there is also the issue of confidentiality – the consultant will learn everything you do from the inside (including your vulnerabilities and controls that are in place), so if you didn’t check this person thoroughly, he/she could become quite a significant threat.

Finally, there is the question of quality – too many times I have met “experts” who claimed they implemented these standards many times, but didn’t know e.g. how to run the risk assessment, or what the purpose of business impact analysis is.

Implementation without a consultant

Consultants are not the only source of knowledge – you can also choose the option to implement the standards with your employees by providing them with appropriate training and support.

Here are some ideas on how to obtain the knowledge:

  • Send your employees to trainings – read How to learn about ISO 27001 and BS 25999-2 for more info
  • Get the best practices through documentation templates
  • Purchase the literature – there are various books and other publications available on the Internet

If you start implementing the standards on your own, it is probably going to take longer than if you did it with a consultant. But, it is going to be cheaper, and most probably your employees will learn better what certification entails, and what their responsibilities will be – because they will be forced to consider every step very carefully.

So, the answer to the initial question is: no – a consultant is not mandatory for your implementation (although quite often it is the best solution). However, the implementation knowledge is mandatory – without it, don’t expect to finish your ISO 27001 / BS 25999 project soon, if at all.

You can also check out our online mentoring service called Guidance & Review (commercial service).


How long does it take to implement ISO 27001 / BS 25999?

By Dejan Kosutic on November 08, 2011

This is probably the second most common question I hear about ISO 27001 and BS 25999 (the first one is How much does it cost?). Well, the answer is not really encouraging – most of the people I speak to expect it to be a few months. But this is not realistic – the reality is closer to one year.

Of course, you can always produce 50 documents in a matter of days claiming you are compliant with ISO 27001, but this is not what I’m writing about here. I’m writing about the implementation that makes sense, i.e. that produces results – a lower number of incidents, higher efficiency, cost savings etc.

Time needed for ‘Plan’ and ‘Do’ phases

Your main implementation effort will be spent on the Plan and Do phases, i.e. the first two mandatory phases in which the risk assessment/business impact analysis is being done and in which all the controls (including business continuity plans) are being implemented.

The duration of implementation for these two phases depends primarily on the size of the organization:

  • Smaller organizations (up to 50 employees) usually implement the standard in up to 8 months
  • Mid-size organizations (up to 500 employees) usually implement the standard in 8 to 12 months
  • Large organizations (500 employees and more) – implementation usually lasts 12 to 15 months

One note here – in my experience, the companies that drag such projects out for too long (e.g. small companies for more than 12 months) usually never finish the project – in such organizations there is never enough recognition of the importance of ISO 27001 or BS 25999, so human or financial resources dedicated to such a project are never sufficient.

When speaking about implementation time, it is worth mentioning here that the work on ISO 27001 / BS 25999 doesn’t stop with Plan and Do phase – these management systems need to be maintained and improved (phases Check and Act), meaning that the work on information security and business continuity is not one-off, but continuous. However, the effort for maintaining and improving the system is not as great as in the first two phases.

Things that will speed up your implementation

The duration mentioned above depends of course on many factors, but generally the following factors will speed up the implementation:

  • If you run the implementation as a project – if you know exactly what the objectives are, who is responsible for what, whether the resources are available and what the deliverables are, you will not only speed up the process but also increase your chances of a successful outcome.
  • If you already have ISO 9001 or some other management system – ISO 27001 and BS 25999-2 are not that different from other management systems, so you can use some of the existing procedures and processes and save probably 20% to 30% of your time.
  • If you already have many security/business continuity policies and procedures in place – chances are that your existing documentation will be acceptable for ISO 27001/BS 25999 and it will decrease your implementation time; not only that, you will already have an understanding in your organization about what information security / business continuity is all about.
  • Having the appropriate documentation templates – here I don’t mean any documentation templates, but the templates in your language, appropriate for the size of your company, and made specifically for the purpose of ISO 27001/BS 25999. (Another note here – free templates downloaded from the Internet are not going to speed up your process because you’ll need considerable time for their customization.)
  • Having the knowledge – you can obtain the knowledge either through literature, in-person courses, online courses (that’s our specialty!), or by hiring a consultant; without knowledge not only will your project last much longer, but you’ll probably never finish it.
  • Last but certainly not least – the support of your management. If you don’t get their support in terms of money and human resources, your project will actually be quite short – it will be finished even before it begins.

So the point is – the implementation of standards like these does take quite a lot of time, so you need to make sure you do it with some purpose in mind. If implementation is done superficially or without clear objectives, you’ll not only lose time but miss an opportunity to help your company improve and grow.

And of course, you can decrease the implementation time – if you plan your project carefully.

 

Click here to access Free Calculator – Duration of ISO 27001/ISO 22301 Implementation.


Activation procedures for business continuity plan

By Dejan Kosutic on September 26, 2011

Having a business continuity plan is nice, but if you don’t know when and how to start using it, the money you’ve invested in it was spent in vain. Even worse, you’ll likely lose quite a lot of money because your business operations will be disrupted.

What is a business continuity plan?

Before going into the activation procedures, let me go through some of the basics of business continuity plans. BS 25999-2 standard defines a business continuity plan as a “documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefined level”. (Click here to read more about BS 25999-2).

Therefore, a business continuity plan is not a single procedure or a single document. It usually consists of at least two parts: (1) incident response plan, and (2) recovery plan. An incident response plan is a procedure that clearly defines what to do immediately after an incident has occurred – e.g. how to evacuate the building, who to call for help, how to contain the incident etc.

The purpose of the recovery plan is to resume business critical activities within the recovery time objective. It is activated right after the incident response plan, and can be used e.g. to recover the ICT infrastructure (also called “disaster recovery plans”), to recover production sites, to recover business processes in a service company, etc.

Since the business continuity plan consists of several parts, each of these parts is activated separately – here I’ll focus only on the two parts mentioned earlier.

Activation of incident response plan(s)

Well, the activation of this one is quite obvious. If anyone notices fire, an explosive device, flood in the basement or malicious code, he or she should notify someone immediately. Now, who is it they are going to call? In case of a smaller company, there is usually one responsible person who must be notified in case of any incident; however, in larger companies there could be more people responsible – e.g. one person for all IT related incidents, and one person for all non-IT related incidents.

It is up to them to activate the appropriate incident response plan – the company should have quite different incident response plans for e.g. fire as opposed to a threat letter.

Activation of recovery plan(s)

At first thought, it is not so obvious who should activate them. But good practice says that recovery plans should be activated by top level management dealing with crisis – usually it is the Crisis Manager. Such a decision should be made by a high level authority because it could prove quite costly to activate the recovery plan if there was no reason for it – e.g. someone at a lower level might panic and initiate transportation to the alternative site, which could prove quite unnecessary. But also someone who is not informed about the whole picture of the crisis could wait too long to make such a decision, which could prove even more expensive.

Therefore, the decision to activate certain (or all) recovery plans must be made by the Crisis Manager (or similar) – the criteria for activation are based on an estimate of whether the disruption of business activities caused by the incident is going to last longer than the RTO (Recovery Time Objective). If so, then an appropriate recovery plan must be activated.

The question which recovery plan to activate is rather simple – if, for example, the whole company is affected by the incident, then all the recovery plans must be activated; however, if only one department is affected, then only the recovery plan for that department must be activated.

Emergency preparedness

Of course, for all this to work, it is not enough to write nice activation procedures – it is essential that those activation procedures are customized to the company’s situation, that they are remembered by all employees involved, and that they are practiced. If they are just a theoretical document which no one has seen for 2 or 3 years, then it is hard to expect employees to observe such procedures. It is true that preparing for an emergency is quite a wide topic that must include exercising and testing of all elements of the business continuity plan, but sadly, activation procedures are very often neglected in this respect.

Once again, for your business continuity plan to work, you need good activation procedures. But good activation procedures are useless if no one knows about them.

You can also check out our webinar BS 25999-2 Foundations Part 3: Business Continuity Planning which explains how to write incident response plans and recovery plans (commercially sold training).