ISO 27001/BS 25999 documents, presentation decks and implementation guidelines


What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?

By Dejan Kosutic on January 30, 2012

They are both essential elements of business continuity, and they sound quite similar. But their purpose is quite different.

What is RTO?

So, what does RTO mean? BS 25999-2, a leading business continuity standard, defines RTO as “…target time set for resumption of product, service or activity delivery after an incident”.

In practice this means that RTO is crucial when implementing business continuity in a company: how quickly you need to resume an activity determines what kind of preparations are necessary. For example, if the RTO is 2 hours, you need to invest quite a lot of money in a disaster recovery center, telecommunications, automated systems, etc., because you want to be able to resume the activity (at least at the predefined minimum level) within only 2 hours. However, if your RTO is 2 weeks, the required investment will be much lower because you will have enough time to acquire resources after the incident has occurred. Note also that the definition speaks of a product, service or activity: RTO is set per activity, not once for the whole company, and a web shop and the monthly payroll run will usually have very different RTOs.

RTO is determined during the business impact analysis (BIA), and the preparations are defined in the business continuity strategy. See also this article Five Tips for Successful Business Impact Analysis to learn more about RTO and BIA.

What is RPO?

Recovery point objective is a totally different thing. According to Wikipedia, RPO is “… the maximum tolerable period in which data might be lost”. As this is quite difficult to grasp right away, I like to use this example instead: ask yourself how much data you can afford to lose. If you are filling a database with various kinds of information, is it tolerable to lose 1 hour of work, 2 hours, or maybe 2 days? If you are writing a lengthy document, can you afford to lose 4 hours of your work, the whole day, or could you perhaps bear losing your whole week’s work?

This number of hours or days is the RPO. Recovery Point Objective is crucial for determining one element of the business continuity strategy: the frequency of backup (or, for systems that replicate data continuously, the replication lag you can tolerate). If your RPO is 4 hours, then you need to perform a backup at least every 4 hours; every 24 hours would put you in great danger, while every hour might cost you too much. One practical caveat: the RPO is measured from the last usable backup, not from the last scheduled one. A backup job that fails silently, or a copy that cannot be restored, doubles your data-loss window without anyone noticing, so backup success and restorability have to be monitored against the RPO, not just the schedule.

So, what’s the difference?

The difference is in the purpose: RTO has a broader purpose because it sets the boundaries for your whole business continuity management, while RPO is focused on a single question, how much data you may lose, and therefore on backup (or replication) frequency. They are not directly related: you could have an RTO of 24 hours and an RPO of 1 hour (the data must be almost current, but you can take a day to get the system running again), or an RTO of 2 hours and an RPO of 12 hours (the system must be back quickly, but re-entering half a day of transactions is acceptable).
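As an added example (not code from the original post), here is a small Python check of the RPO side of the discussion. It assumes a constructed backup-job log and a hypothetical table of per-system RPOs as the BIA would produce them. It shows the caveat above in action: because a failed run drops out of the series of usable backups, the worst-case data-loss window for `db-orders` becomes twice its RPO even though the job is scheduled every 4 hours.

```python
"""RPO compliance check over a backup job log (added example, not from the post)."""
from datetime import datetime, timedelta

# Constructed sample log, not real data: one line per backup job run.
# The failed run is recorded but, as the check below shows, buys you nothing.
SAMPLE_BACKUP_LOG = """\
2012-01-29T00:00:00 db-orders status=OK
2012-01-29T04:00:00 db-orders status=OK
2012-01-29T08:00:00 db-orders status=FAILED reason=disk_full
2012-01-29T12:00:00 db-orders status=OK
2012-01-29T16:00:00 db-orders status=OK
2012-01-29T01:00:00 fileserver status=OK
"""

# Hypothetical RPOs per system, in hours (assumed BIA output).
RPO_HOURS = {"db-orders": 4, "fileserver": 24}

# Moment at which the risk is evaluated: an incident could strike right now.
NOW = datetime(2012, 1, 29, 18, 0, 0)


def parse_backup_log(text):
    """Return {system: [(timestamp, succeeded), ...]} sorted by time."""
    runs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, system, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
        runs.setdefault(system, []).append((ts, kv.get("status") == "OK"))
    for system in runs:
        runs[system].sort()
    return runs


def worst_case_data_loss(runs, now):
    """Longest window between consecutive *usable* backups, including the open
    window from the last successful backup up to `now`.

    This is the data you would lose if the incident struck at the worst
    possible moment. Failed runs are skipped, which is exactly why a silent
    failure widens the window instead of leaving it unchanged.
    """
    ok_times = [ts for ts, succeeded in runs if succeeded]
    if not ok_times:
        return None  # no usable backup at all: everything is at risk
    points = ok_times + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def rpo_report(log_text, rpo_hours, now):
    """Map each system to (worst-case loss window, True if within its RPO)."""
    report = {}
    for system, runs in parse_backup_log(log_text).items():
        loss = worst_case_data_loss(runs, now)
        within = loss is not None and loss <= timedelta(hours=rpo_hours[system])
        report[system] = (loss, within)
    return report


if __name__ == "__main__":
    for system, (loss, within) in rpo_report(SAMPLE_BACKUP_LOG, RPO_HOURS, NOW).items():
        verdict = "within RPO" if within else "RPO VIOLATED"
        print(f"{system}: worst-case data loss {loss}, RPO {RPO_HOURS[system]} h -> {verdict}")
```

Run it directly to see the verdict per system; in a real environment the log text would come from the backup tool’s job history and the RPO table from the BIA. Because the check measures the window between usable copies, a job scheduled exactly every RPO hours has zero margin: any jitter, a long-running job or a single failure puts you over, so the schedule should be noticeably tighter than the RPO.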

But let me emphasize what is even more important: what do RTO and RPO have in common? They are both crucial for business impact analysis and for business continuity management. Without determining them properly, you would be just guessing – and guessing is the best way to ensure you never recover from a disaster.

You can also check out our Business Impact Analysis Questionnaire which describes how to gather all information necessary for RTO and RPO (commercially sold document template).


Do you really need a consultant for ISO 27001 / BS 25999 implementation?

By Dejan Kosutic on December 06, 2011

I’ve met quite a few companies considering how to start their ISO 27001 / BS 25999 project, with quite different approaches – some are convinced they can do it completely on their own (with no prior ISO 27001 knowledge), while others thought they could do it only with the help of a consultant.

They are both wrong.

Road map for ISO 27001 / BS 25999 implementation

There is one thing you definitely need for the implementation: knowledge. By knowledge I mean the know-how of the implementation process, so that you don’t get stuck and waste time on irrelevant issues while forgetting the important ones. What you need are guidelines for implementation, as well as knowledge of how to implement all the pieces of the puzzle.

This is why it isn’t possible to implement these standards with only the knowledge you already have, and it is very rare to find companies that already employ experienced ISO 27001 / BS 25999 implementers.

Of course, one way to get around this is to hire a consultant. But this is not the only way – I’ll address that later.

Hiring an ISO 27001 / BS 25999 consultant – pros and cons

The biggest benefit of a consultant is that he/she is going to get you through the implementation process much quicker than if you did it on your own (provided that the consultant has sufficient knowledge). A consultant should provide you with tips & tricks for each step in the implementation process, check the documentation, train your employees, etc. He/she could also run interviews with your employees, write the documentation, and process the results (e.g. during risk assessment).

A major drawback of hiring a consultant is that most small (but also medium-sized) organizations cannot afford one – consultants tend to charge large fees and cannot guarantee the successful implementation. Besides, the more work is done by a consultant, the less will be done by your employees, therefore less knowledge and skills will be passed on to your organization.

Then there is also the issue of confidentiality – the consultant will learn everything you do from the inside (including your vulnerabilities and the controls that are in place), so if you didn’t check this person thoroughly, he/she could become quite a significant threat. A background check and a non-disclosure agreement before the engagement starts are the minimum.

Finally, there is the question of quality – too many times I have met “experts” who claimed they had implemented these standards many times, but didn’t know e.g. how to run the risk assessment, or what the purpose of business impact analysis is.

Implementation without a consultant

Consultants are not the only source of knowledge – you can also choose the option to implement the standards with your employees by providing them appropriate training and support.

Here are some ideas on how to obtain the knowledge:

  • Send your employees to training courses – read How to learn about ISO 27001 and BS 25999-2 for more info
  • Get the best practices through documentation templates
  • Purchase the literature – there are various books and other publications available on the Internet

If you start implementing the standards on your own, it is probably going to take longer than if you did it with a consultant. But, it is going to be cheaper, and most probably your employees will learn better what certification entails, and what their responsibilities will be – because they will be forced to consider every step very carefully.

So, the answer to the initial question is: no – a consultant is not mandatory for your implementation (although quite often it is the best solution). However, the implementation knowledge is mandatory – without it, don’t expect to finish your ISO 27001 / BS 25999 project soon, if at all.

You can also check out our online mentoring service called Guidance & Review (commercial service).


How long does it take to implement ISO 27001 / BS 25999?

By Dejan Kosutic on November 08, 2011

This is probably the second most common question I hear about ISO 27001 and BS 25999 (the first one is: How much does it cost?). Well, the answer is not really encouraging – most of the people I speak to expect it to take a few months. But this is not realistic; the reality is closer to one year.

Of course, you can always produce 50 documents in a matter of days claiming you are compliant with ISO 27001, but this is not what I’m writing here about. I’m writing about the implementation that makes sense, i.e. that produces results – a lower number of incidents, higher efficiency, cost savings etc.

Time needed for ‘Plan’ and ‘Do’ phases

Your main implementation effort will be spent on the Plan and Do phases of the Plan-Do-Check-Act cycle, i.e. the first two mandatory phases, in which the risk assessment / business impact analysis is done and all the controls (including business continuity plans) are implemented.

The duration of implementation for these two phases depends primarily on the size of the organization:

  • Smaller organizations (up to 50 employees) usually implement the standard in up to 8 months
  • Mid-size organizations (up to 500 employees) usually implement the standard in 8 to 12 months
  • Large organizations (500 employees and more) – implementation usually lasts 12 to 15 months

One note here – in my experience, the companies that drag such projects out for too long (e.g. small companies for more than 12 months) usually never finish the project – in such organizations there is never enough recognition of the importance of ISO 27001 or BS 25999, so the human or financial resources dedicated to such a project are never sufficient.

When speaking about implementation time, it is worth mentioning that the work on ISO 27001 / BS 25999 doesn’t stop with the Plan and Do phases – these management systems need to be maintained and improved (the Check and Act phases), meaning that the work on information security and business continuity is not a one-off effort, but a continuous one. However, the effort for maintaining and improving the system is not as great as in the first two phases.

Things that will speed up your implementation

The duration mentioned above depends, of course, on many factors, but generally the following will speed up the implementation:

  • If you run the implementation as a project – if you know exactly what the objectives are, who is responsible for what, whether the resources are available, and what the deliverables are, you will not only speed up the process but also increase your chances of a successful outcome.
  • If you already have ISO 9001 or some other management system – ISO 27001 and BS 25999-2 are not that different from other management systems, so you can use some of the existing procedures and processes and save probably 20% to 30% of your time.
  • If you already have many security / business continuity policies and procedures in place – chances are that your existing documentation will be acceptable for ISO 27001 / BS 25999, which will decrease your implementation time; not only that, your organization will already have an understanding of what information security / business continuity is all about.
  • Having the appropriate documentation templates – here I don’t mean any documentation templates, but the templates in your language, appropriate for the size of your company, and made specifically for the purpose of ISO 27001/BS 25999. (Another note here – free templates downloaded from the Internet are not going to speed up your process because you’ll need considerable time for their customization.)
  • Having the knowledge – you can obtain the knowledge either through literature, in-person courses, online courses (that’s our specialty!), or by hiring a consultant; without knowledge not only will your project last much longer, but you’ll probably never finish it.
  • Last but certainly not least – the support of your management. If you don’t get their support in terms of money and human resources, your project will actually be very short – it will be finished even before it begins.

So the point is – the implementation of standards like these does take quite a lot of time, so you need to make sure you do it with some purpose in mind. If implementation is done superficially or without clear objectives, you’ll not only lose time but miss an opportunity to help your company improve and grow.

And of course, you can decrease the implementation time – if you plan your project carefully.


Activation procedures for business continuity plan

By Dejan Kosutic on September 26, 2011

Having a business continuity plan is nice, but if you don’t know when and how to start using it, the money you’ve invested in it was spent in vain. Even worse, you’ll likely lose quite a lot of money because your business operations will be disrupted.

What is a business continuity plan?

Before going into the activation procedures, let me go through some of the basics of business continuity plans. BS 25999-2 standard defines a business continuity plan as a “documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefined level”. (Click here to read more about BS 25999-2).

Therefore, a business continuity plan is not a single procedure or a single document. It usually consists of at least two parts: (1) the incident response plan, and (2) the recovery plan. An incident response plan is a procedure that clearly defines what to do immediately after an incident has occurred – e.g. how to evacuate the building, who to call for help, how to contain the incident, etc.

The purpose of the recovery plan is to resume business-critical activities within the recovery time objective. It is activated right after the incident response plan, and can be used e.g. to recover the ICT infrastructure (such plans are usually called “disaster recovery plans”), to recover production sites, to recover business processes in a service company, etc.

Since the business continuity plan consists of several parts, each of these parts is activated separately – here I’ll focus only on the two parts mentioned earlier.

Activation of incident response plan(s)

Well, the activation of this one is quite obvious. If anyone notices fire, an explosive device, flood in the basement or malicious code, he or she should notify someone immediately. Now, who is it they are going to call? In case of a smaller company, there is usually one responsible person who must be notified in case of any incident; however, in larger companies there could be more people responsible – e.g. one person for all IT related incidents, and one person for all non-IT related incidents.

It is up to them to activate the appropriate incident response plan – the company should have quite different incident response plans for e.g. fire as opposed to a threat letter.

Activation of recovery plan(s)

At first thought, it is not so obvious who should activate them. But good practice says that recovery plans should be activated by the top-level management dealing with the crisis – usually the Crisis Manager. Such a decision should be made by a high-level authority because it could prove quite costly to activate a recovery plan when there was no reason for it – e.g. someone at a lower level might panic and initiate the move to the alternative site, which could prove quite unnecessary. But equally, someone who does not see the whole picture of the crisis could wait too long to make such a decision, which could prove even more expensive.

Therefore, the decision to activate certain (or all) recovery plans must be made by the Crisis Manager (or similar). The criterion for activation is an estimate of whether the disruption of business activities caused by the incident is going to last longer than the RTO (Recovery Time Objective). If so, the appropriate recovery plan must be activated. Keep in mind that executing the recovery plan itself takes time, so the decision has to be made while enough of the RTO is still left for the plan to complete; waiting until the RTO has already expired means activating correctly and missing the objective anyway.

The question which recovery plan to activate is rather simple – if, for example, the whole company is affected by the incident, then all the recovery plans must be activated; however, if only one department is affected, then only the recovery plan for that department must be activated.
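The activation criterion and the scoping rule above can be written down as a small decision function. This is an added example, not code from the original post; the activities, departments, RTOs, plan execution times and authorized roles are all constructed for illustration. It also makes explicit the point that the recovery plan itself takes time to execute: a plan that is needed but can no longer finish inside the RTO is still activated, but flagged, because that is a decision the Crisis Manager should know was taken late.

```python
"""Recovery-plan activation decision (added example, not from the post)."""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class Activity:
    """One critical activity as it comes out of the BIA (constructed data)."""
    name: str
    department: str
    rto: timedelta            # recovery time objective from the BIA
    plan_duration: timedelta  # how long executing its recovery plan takes (assumed)


# Hypothetical activities; the figures are illustrative, not from the post.
ACTIVITIES = [
    Activity("web shop", "sales", rto=timedelta(hours=2), plan_duration=timedelta(hours=1)),
    Activity("order processing", "sales", rto=timedelta(hours=4), plan_duration=timedelta(hours=2)),
    Activity("payroll", "finance", rto=timedelta(days=5), plan_duration=timedelta(days=1)),
]

# Only top-level crisis management may activate recovery plans (assumed role names).
AUTHORIZED_ROLES = {"crisis manager", "deputy crisis manager"}


def plans_to_activate(activities, affected_departments, estimated_disruption,
                      time_since_incident, whole_company=False):
    """Return [(activity, verdict)] for every recovery plan that must be activated.

    Criterion from the post: activate when the disruption is expected to last
    longer than the activity's RTO. Scope: all plans if the whole company is
    hit, otherwise only the affected departments. The verdict also flags the
    case where the plan is needed but can no longer finish inside the RTO.
    """
    decisions = []
    for a in activities:
        if not (whole_company or a.department in affected_departments):
            continue  # not affected: leave this plan alone
        if estimated_disruption <= a.rto:
            continue  # incident response alone will do; don't pay for recovery
        latest_decision_point = a.rto - a.plan_duration
        if time_since_incident <= latest_decision_point:
            decisions.append((a.name, "activate"))
        else:
            decisions.append((a.name, "activate, but RTO will be missed"))
    return decisions


def decide(role, activities, affected_departments, estimated_disruption,
           time_since_incident, whole_company=False):
    """Gate the decision on who is making it before computing it."""
    if role.strip().lower() not in AUTHORIZED_ROLES:
        raise PermissionError(
            f"{role!r} may not activate recovery plans; escalate to the Crisis Manager")
    return plans_to_activate(activities, affected_departments, estimated_disruption,
                             time_since_incident, whole_company)


def flood_in_sales(minutes_after_incident):
    """Worked scenario (constructed): flood in the sales area, expected to keep
    it down for 8 hours; the decision is taken this many minutes after the
    incident was reported."""
    return decide("Crisis Manager", ACTIVITIES, {"sales"},
                  timedelta(hours=8), timedelta(minutes=minutes_after_incident))


if __name__ == "__main__":
    for item in flood_in_sales(30):
        print(item)
    for item in flood_in_sales(90):
        print(item)
```

In the flood scenario the payroll plan is never activated, because its 5-day RTO is not threatened by an 8-hour outage, and the web shop plan is flagged once the decision slips past the first hour, since its 1-hour plan can no longer fit inside its 2-hour RTO. A request from any role outside the authorized set raises an error instead of a decision, which is the code equivalent of “escalate to the Crisis Manager”.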

Emergency preparedness

Of course, for all this to work, it is not enough to write nice activation procedures – it is essential that those activation procedures are customized to the company’s situation, that they are remembered by all employees involved, and that they are practiced. If they are just a theoretical document which no one has seen for 2 or 3 years, then it is hard to expect employees to observe such procedures. It is true that preparing for an emergency is quite a wide topic that must include exercising and testing of all elements of the business continuity plan, but sadly, activation procedures are very often neglected in this respect.

Once again, for your business continuity plan to work, you need good activation procedures. But good activation procedures are useless if no one knows about them.


Cloud computing and ISO 27001 / BS 25999

By Dejan Kosutic on May 30, 2011

More and more often people ask me how to deal with cloud computing in the context of ISO 27001 and BS 25999. My answer is: use common sense.

Their dilemma is quite understandable – these standards were written before cloud computing was such a big issue, and none of them focuses on cloud computing in particular. To make things worse, outages of cloud computing providers cause serious problems for other Internet-based businesses, as was recently the case with Amazon Web Services (for more info on AWS and ISO 27001 read Does ISO 27001 mean that information is 100% secure?).

Therefore, their point is: since we cannot control information in cloud computing, the security of information in such cases is only a dead letter.

New concept?

I would disagree on that. The point is – cloud computing is nothing else but outsourcing (of your information archiving and/or processing).

And you already outsource other activities which could endanger the security of your information: your software is usually developed externally; you may have external suppliers who maintain your hardware and software assets (sometimes with remote access to your network); most probably you have some kind of external maintenance staff on-site (if nothing else, for the infrastructure); almost certainly you have consultants and/or auditors on-site (who know the vulnerabilities of your company); and you probably have outsourced cleaning staff (who have access to most of the facilities when no one else is present).

Therefore, I would say that although cloud computing is a new technological opportunity, the main issue of outsourcing remains as before – how much can you trust your outsourcing partner?

Common sense

This is where you need to apply your common sense, or to put it in the wording of ISO 27001 and BS 25999-2 – you need to apply risk assessment to find out what the potential risks are, and then you need to choose your partner wisely and apply necessary security controls to mitigate those risks.

In its control A.6.2.1, ISO 27001 (2005 edition, whose Annex A numbering is used here) requires you to identify “… risks to the organization’s information and information processing facilities from business processes involving external parties”, and A.6.2.3 requires security issues to be addressed in third-party agreements that “… shall cover all relevant security requirements”; there are also various other controls specifying information backup (A.10.5.1), access control (A.11), classification (A.7.2.1), etc. In clause 4.1.1, BS 25999-2 requires you to “…identify all dependencies relevant to the critical activities, including suppliers and outsource partners”, in clause 4.1.2 to “…understand the threats and vulnerabilities … including those provided by suppliers and outsource partners”, and in clause 4.2 to “…determine how it will recover each critical activity … including products and services provided by suppliers and outsourcing partners”.

So what can you do to decrease the risk of cloud computing? Here are a few very basic tips:

  • Do a thorough check on the potential provider – not only its performance record, but also the background of its management, whether it has implemented information security and business continuity policies and procedures, its financial stability, legal risks, etc.
  • Write very specific security clauses in your agreement with the provider, where the biggest emphasis will be on issues that have raised the highest concerns during risk assessment.
  • Keep a backup copy of your information locally – although a cloud computing provider will (probably) do regular backup, it is always a good idea to have direct control of your information. (e.g. banking regulators in some countries have imposed regulations to local banks to keep the backup copy inside the country specifically because of this risk.)
  • Develop your strategy on how to return the information processing/archiving back to your company (re-insourcing) in case of problems with your cloud computing provider – you should know exactly which steps are needed, as well as which resources.
  • An exit strategy might also be to have an alternative cloud computing provider standing by, ready to jump in if your existing partner performs badly.
  • Perform regular checks of your provider to find out whether they are complying with the security clauses in the agreement.

Of course, most of the things mentioned here will seem impossible for a smaller company. But in such a case, would you really give them your important information without having any guarantees? Sometimes you are better off with no cloud computing – this is something your management needs to decide: they have to weigh the cost and convenience against the risks.

Manage your risks

I’m not trying to say here that the risks of cloud computing are the same as other outsourcing risks, because they are not – cloud computing usually brings higher risks. I’m also not trying to say that ISO 27001 and BS 25999-2 (soon to become ISO 22301) do not have to be more specific about cloud computing, because they do. I also think that the legislation will have to address this issue very quickly.

What I’m trying to say here is that although the risks related to cloud computing are high, it doesn’t mean they cannot be mitigated. Therefore, use your common sense when choosing your cloud computing provider – if you don’t trust your provider fully, then don’t entrust them with your sensitive information.


Business continuity for small businesses – necessity or not?

By Dejan Kosutic on April 04, 2011

Does it make sense to implement business continuity in smaller companies? Why would they need something as costly as this if the owner of the business has all the necessary information in his/her head?

Let me start with a story I heard recently – a small company (involved in the sale of various equipment to a large customer base) was robbed – the thief broke into their office during the night and stole all the computers together with other valuable items. The problem is – the owner of this company backed up the data, but saved that backup on another computer in the same office. Very soon the company went bankrupt – they simply weren’t able to recover key information about their business.

This is a classic example of the syndrome “It is not going to happen to me” that the majority of small companies have.

Business continuity framework

Does this mean that small businesses need to invest in costly disaster recovery locations with high-availability equipment? Certainly not.

In some cases business continuity is really not needed because the owner of the business does have all the information in his/her head, but such cases are very rare – how many of those don’t have a laptop with various kinds of important information? Just thinking about how to make this information available in case of a disaster is already part of a business continuity effort.

Owners of small businesses need to think carefully about which information (and other resources) are important for their business, how to ensure that such information and other resources are available in case of a disaster, and which steps are needed to recover business activities in case a disaster occurs. These steps are nothing else but performing business impact analysis, business continuity strategy, and business continuity plans, like any larger company would do when implementing business continuity. All these are described in a leading business continuity standard – BS 25999-2.

How to prepare

Now the difference between small and the large businesses is in the complexity and the price of the preparations small companies need to do for business continuity:

  • Backup of electronic data – small businesses can use some of the tools that backup the data from their computers almost instantly to the cloud. Of course, due care has to be taken that all the necessary data is included.
  • Backup of paper-based documents – small businesses are now in a position to eliminate paper-based documents almost completely from their daily operations and transfer everything to electronic form; for rare cases where paper-based documents must exist, they can be scanned for the purposes of business continuity.
  • Alternative office locations – in most cases it will be enough that employees continue business operations from their homes – the prerequisite would be that they have an Internet connection, laptops/PCs and passwords. If working from home is not appropriate, a hotel room can always be rented in less than an hour.
  • Hardware – unless there is a special kind of computer used for a business, it is very easy to find an alternative – usually there is a private computer at home, or one can be borrowed from a relative; or one can be purchased at the computer shop next door.
  • Workforce – this is probably the most difficult one. Suppose an employee is not available and he is the only one who knows certain information (e.g. administrative passwords, the steps that need to be taken in an important project, etc.): for such cases the preparation is to document all this information so that it can be used without that employee being present. (For administrative passwords, “document” should mean a sealed envelope in a safe or a password manager with emergency access, not a plain file on a shared drive; otherwise your business continuity preparation becomes the easiest way into your systems.) The other case is an employee who is missing and no one else has the time or the skills to do her job; here the preparation is to identify upfront who could be hired on short notice to fill the missing employee’s role, and the key is to identify someone with the right skills/qualifications.

To conclude: there is no difference between large organizations and small with regard to business continuity framework – they both have to think in detail what preparations they need to perform in order to survive a disaster. The difference is in the level of preparations – smaller businesses can make it with very little investment.


Seven steps for implementing policies and procedures

By Dejan Kosutic on March 07, 2011

Have you ever found yourself in a situation where you have been given the task to write a security policy or a procedure? But you don’t want your document to end up like so many others – gathering dust in some forgotten drawer? Here are some thoughts that might help you…

The steps I’m about to present to you are designed based on my experience with various kinds of clients, large and small, government or private, for-profit or non-profit – I find these steps applicable to all of them. Actually, these steps are applicable to any kind of policies and procedures, not only those related to ISO 27001 or BS 25999-2.

1 Study the requirements

First you have to study the various requirements very carefully – is there legislation which requires something to be put in writing? Or maybe a contract with your client? Or some other high-level policy that already exists in your organization (perhaps a corporate standard)? And of course the requirements of ISO 27001 or BS 25999-2, if you want to comply with those standards.

2 Take into account the results of your risk assessment

Your risk assessment will determine which issues you have to address in your document, but also to which degree – for instance, you may need to decide whether you will classify your information according to its confidentiality, and if so, whether you need two, three or four levels of confidentiality.

This step may not be relevant in this form if your policy or procedure is not related to information security or business continuity. However, risk management principles are applicable to other areas as well – quality management (ISO 9001), environmental management (ISO 14001), etc. For instance, in ISO 9001 you have to determine to which extent a process is crucial for your quality management and accordingly to decide whether you will document it or not.

3 Optimize and align your document(s)

An important thing to consider is the total number of documents – are you going to write ten 1-page documents or one 10-page document? It is much easier to manage one document, especially if the target group of readers is the same. (Just don’t create a single 100-page document.)

Moreover, you have to be careful to align your document with other documents – the issues you are defining may be already partially defined in another document. In such case, it may not be necessary to write a new document, maybe only expand the existing one.

If you are writing a new document about an issue that is already mentioned in another document, be sure to avoid redundancy – to describe the same issue in both documents. Later it would become a nightmare to maintain those documents; it’s much better that one document makes a reference to another, without repeating the same stuff.

4 Structure your document

You also need to take care that you observe your corporate rules for formatting the document – you may already have a template with pre-defined fonts, headers, footers, etc.

If you already implemented ISO 27001 or BS 25999-2 (or any other management standard), you’ll need to observe a procedure for document control – such a procedure defines not only the format of the document, but also the rules for its approval, distribution etc.

5 Write your document

The rule of thumb is: the smaller the organization and the smaller the risks, the less complex your document should be. There is nothing more useless than deciding to write a lengthy document no one is going to read – you have to understand that reading the document takes time, and the level of one’s attention is inversely proportional to the number of lines in your document.

One good technique to overcome the resistance of other employees to this document (no one likes change, especially if that means something like an obligation to change passwords on a regular basis) is to involve them in writing or commenting this document – this way they will understand why it is necessary.

6 Get your document approved

This step is rather self-evident, but its underlying importance is this – if you are not a high ranking manager in your company, you won’t have the power to enforce this document.

This is why someone with such a position has to understand it, approve it, and actively require its implementation. Sounds easy, but believe me – it is not. This step (and the next one) are the ones where implementation most often fails.

7 Training and awareness of your employees

This step is probably the most important, but sadly it is one that is very often forgotten. As mentioned before, employees are tired of constant changes, and they surely won’t welcome another one especially if it means more work for them.

Therefore, it is very important to explain to your employees why such a policy or procedure is necessary – why it is good not only for the company, but also for themselves.

Sometimes training will be necessary – it would be wrong to assume that everyone possesses the skills to implement new activities. For you, who wrote this document, it may seem easy and self-evident, but for them it may seem like brain surgery.

End of story?

If you thought you’ve reached the end of your document-implementation story, you’re wrong – the journey has just begun. It is not enough to have a perfect policy or procedure that everyone just loves, you also need to maintain it.

Someone has to take care that this document is kept up to date and improved, or else no one is going to observe it anymore – and that someone is usually the same person who has written it. Not only that, someone has to measure whether such a document has fulfilled its purpose – again, it may be you.

As you may have noticed reading this article, it is not enough to have a nice template for a successful policy or procedure – what is needed is a systematic approach to its implementation. And in doing so do not forget the most important fact: the document is not an end in itself – it is only a tool to enable your activities and processes to run smoothly. Don’t let the opposite happen – that such a document makes these activities and processes run with more difficulty.


ISO 22301 to replace BS 25999-2

By Dejan Kosutic on February 21, 2011

According to various sources, the leading business continuity standard BS 25999-2 will be replaced by the international standard ISO 22301 by the end of 2011. This kind of transition is normal – the same thing happens with most management standards, for instance with ISO 27001, which succeeded BS 7799-2 in 2005. So what are the main changes that ISO 22301 will bring when compared to BS 25999-2?

One important note here – since ISO 22301 hasn’t been published yet, the final version of the standard still doesn’t exist, so some of the things I’ve written here may not appear in the final version. I am using a draft version published in February 2011 on the BSi Draft Review website.

ISO 22301 will have this title: ISO 22301, Societal security – Business continuity management systems – Requirements. Although “Societal security” may sound a little strange in relation to business continuity, here is how ISO defines it: “… standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, amongst all interested parties.”

At first sight, it is obvious that the structure of ISO 22301 is very different from BS 25999-2, although all the basic elements of BS 25999-2 still do exist in ISO 22301.

Let’s take a deeper look.

Similarities…

The biggest similarity is that all core business continuity elements in BS 25999-2 will be present in ISO 22301 too: business continuity policy, business impact analysis, risk assessment, business continuity strategy (in ISO 22301 it will be called “business continuity options”), business continuity plans, exercising and testing, etc.

Business impact analysis will probably be broken down into several clauses, demanding more precision. The requirements for business continuity plans, including response procedures and recovery plans, are much more detailed too – e.g. the communication part.

The management part of BS 25999-2 will also be transferred to the new standard – document control, internal audit, management review, corrective and preventive actions, human resources management etc. (by the way, these elements exist in all other management standards – ISO 9001, ISO 14001, ISO 27001…).

However, the documentation will be called “documented information”, and preventive actions will be called “actions to address issues and concerns”.

…and differences

The Plan-Do-Check-Act (PDCA) model is even less clearly stated in ISO 22301 than in BS 25999-2, although BS 25999-2 is not as clear in that respect as ISO 27001. However, in my view that won’t affect the clarity of the process through which the standard should be implemented, since the main sections of the standard are organized in a rather logical way.

ISO 22301 will obviously put much greater emphasis on setting objectives, monitoring performance and metrics – therefore bringing business continuity much closer to top management’s way of thinking.

Following that line, ISO 22301 puts clearer expectations on management and summarizes them in a single section.

ISO 22301 will resolve one of the shortcomings of BS 25999-2, and will require much more careful planning for and preparation of the resources needed for ensuring business continuity – those requirements are now extended and more clearly structured.

Finally, what will be different about ISO 22301, being an international standard, is that certification bodies will push certification against this standard much harder, so it will gain its popularity much faster.

In conclusion, all the basic elements of BS 25999-2 will probably be present in ISO 22301 too, only ISO 22301 will be more precise and more demanding. Organizations that have already implemented BS 25999-2, and want to “upgrade” to ISO 22301, will have to pay more attention to detail and will have to invest more time into preparing and maintaining their system. On the other hand, ISO 22301 will certainly help them raise their level of resilience and their level of credibility – the same thing that ISO 27001 did 6 years ago when it replaced BS 7799-2.


How to learn about ISO 27001 and BS 25999-2

By Dejan Kosutic on November 30, 2010

Training is certainly one of the best ways to facilitate your ISO 27001 and BS 25999-2 implementation. As there are more and more types of courses available, I’ll try to explain their benefits and the differences between them.

First is the list of in-person courses – these courses are still prevalent, but are steadily losing share in favour of online courses (explained at the end of this article).

ISO 27001 or BS 25999-2 Lead Auditor Course

This is the most popular course for either ISO 27001 or BS 25999-2 – it lasts 5 days, and finishes with a written exam. The exam is quite difficult, so one could consider that this is the top course for those two standards. If you do pass the exam, you can become an auditor for a certification body, but that is not its main benefit – it is the most useful for professionals implementing the standards because it gives an excellent overview of the standards and provides in-depth explanations of what the certification auditors will ask for at the certification audit. Therefore, it is useful for both auditors and implementers.

The target audience for this course is professionals with moderate or significant experience in information security, business continuity, auditing or IT. You should choose only accredited courses (e.g. by IRCA – irca.org).

ISO 27001 or BS 25999-2 Lead Implementer Course

This course is somewhat similar to, but not as popular as, the ISO 27001 or BS 25999-2 Lead Auditor Course. The difference is that it focuses on implementation techniques rather than auditing techniques – therefore, if certification is not your concern, you may find this course more suitable.

Here the target audience is similar – professionals with moderate or significant experience in information security, business continuity or IT.

ISO 27001 or BS 25999-2 Internal Auditor Course

This course is a “light” version of the ISO 27001 or BS 25999-2 Lead Auditor Course – it usually lasts 2 or 3 days, may or may not include an exam, and the content is a condensed version of the Lead Auditor Course. The main difference is that with this course you cannot pursue a career as an auditor in a certification body; however, if you want to get a systematic introduction to the world of ISO 27001 or BS 25999-2, or you plan to be an internal auditor in your company, this course is the right choice for you.

The target audience is professionals with little or moderate experience in information security, business continuity or IT.

ISO 27001 or BS 25999-2 Foundation Course / Introduction Course

These courses usually last for one or two days – their purpose is not to teach you auditing or implementation techniques, but to give you an overview of the requirements and implementation issues. If you don’t have a lot of time to spare and you want to know what your company will be experiencing during implementation, do think about one of these courses.

The target audience is members of management, or professionals with no experience in information security or business continuity.

Other information security / business continuity courses

You may have heard of Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP) – although I consider these courses very useful for your information security or business continuity career, they are not directly relevant to ISO 27001 or BS 25999-2. Therefore, you should attend CISA, CISM and/or CISSP after you complete courses directly related to the two standards.

Online courses

In addition to the above-mentioned in-person courses, online courses (either in the form of e-learning or live webinars) are becoming increasingly popular, partly because of the lower costs – no travelling expenses, no time lost away from the office. There are more and more vendors on the Internet, offering more and more quality content (including our Information Security & Business Continuity Academy) – you can find courses lasting from 1 hour (e.g. free webinars) to a few weeks (e.g. e-learning courses).

The main benefit of online courses is that you can receive more relevant knowledge in a shorter period of time and for less money, although the question of real effectiveness of such courses still remains unanswered.

But, regardless of which form or type of course you take, be sure about one thing – the return on investment will show very quickly.


BS 25999-2 implementation checklist

By Dejan Kosutic on November 16, 2010

Your management has given you the task of implementing business continuity, but you’re not really sure how to do it? Although it is not an easy task, you can use the BS 25999-2 methodology to make your life easier – here are the main steps necessary to implement this standard:

1. Obtain management support

Although this is not a mandatory step in BS 25999-2, this is certainly the crucial step in the beginning – if the management does not understand the benefits of business continuity and is not committed to this project, your project is most probably going to fail.

2. Treat it as a project

It will take quite a lot of time and resources to set up your business continuity management system (BCMS) – you have to define clearly what needs to be done, in which timeframe, and what the roles in the project implementation are. In other words, you have to apply project management methods.

3. Define objectives and scope; write down a BCM Policy

You have to define what it is you want to achieve with the BCMS – compliance, decreasing the level of risk, requirements of your customers/partners, etc. You also have to define what you are going to include in your BCMS – the whole organization, or just a part of it. For instance, you may decide to include only your data centre if you are providing hosting services to your customers. All of this has to be documented in the BCM Policy.

4. Defining roles and responsibilities for BCMS

Because the BCMS is going to become a permanent activity in your organization, you have to define clear responsibilities for it, especially for the “sponsor” of the BCMS (someone accountable for the BCMS but not engaged in day-to-day BCMS activities) and the “BCM coordinator”, “BCM manager” or something similar – one or more persons with active duties regarding the BCMS. It is best to document these roles and responsibilities in your BCM Policy.

5. Implement mandatory procedures

BS 25999-2 requires the following four mandatory procedures to be implemented: document and records control, internal audit, preventive and corrective actions – these procedures are actually the foundation of your management system, similarly to ISO 27001 or ISO 9001.

6. Perform business impact analysis and risk assessment

Through business impact analysis you have to identify the critical activities, their maximum tolerable period of disruption, the dependencies of those critical activities (including dependencies on suppliers and outsourcing partners), and set recovery time objectives.

By doing the risk assessment you actually find out what could cause the disruption of your critical activities – those causes could be natural, but also man-made (either malicious or accidental). You would also need to do risk treatment, which means you need to decide how to decrease the possibility of something going wrong. Unfortunately, risk assessment and treatment are not very well defined in this standard, so you might take a look at ISO 27001, which describes them in more detail.

7. Determining the business continuity strategy

Before you proceed with writing business continuity plans, you actually have to determine which resources you will need for resuming your critical activities – which people, locations, data, hardware, software, suppliers, outsourcing partners etc.

The business continuity strategy has to determine not only what you need, but also how you are going to provide those resources.

8. Developing incident management plans and business continuity plans

The purpose of incident management plans is to describe how you are going to respond directly to the occurrence of an incident (e.g. fire, earthquake, bomb threat, power failure, etc.) in order to prevent it from spreading, and to try to decrease its direct effects.

On the other hand, the purpose of business continuity plans is to describe how you are going to recover your critical activities – how you are going to put all the resources you have prepared into action. This means you have to describe who is going to do what, in which time, using which data and technology, in order to put your organization back into operation.

All of these plans have to be described in detail, because they must be executable even if the main personnel are not available – therefore, they have to be written in such a way that somebody else would be able to execute them.

9. Training and awareness

You need to define the level of competence needed for the execution of business continuity plans in case of disruption, and then train all the personnel (both employees and external partners) to reach this level of competence.

However, this is not enough – you also need to explain to your personnel why BCM is necessary. Let’s face it – your business continuity plans will be used maybe only once in a lifetime, so most people consider them a waste of time. Therefore, you have to explain to them why such a thing must exist. (See also How to deal with BCM sceptics)

10. BCMS exercising

If you thought you have written your plans perfectly, you are probably wrong – it is almost impossible to write a plan with no errors right at the beginning. This is why exercising is a mandatory part of BCMS – you have to test your plans in a situation that more or less resembles a real disruption. Only then will you find out what you planned well, and what you didn’t.

11. Maintaining and reviewing the BCMS

Another way to keep your BCMS up to date is to define the intervals at which you will review your business continuity plans, but also other arrangements (e.g. contracts with suppliers and outsourcing partners, training and awareness, etc.). There are all sorts of changes in the environment that threaten to make your documentation obsolete – it is enough for an employee who had a role in the BCMS to leave the company for a plan to contain an unusable telephone number.

It is also mandatory to perform a post-incident review if an incident actually occurred – the purpose is to find out how the organization really reacted, i.e. whether or not it followed the plans.

12. Internal audit

The purpose of internal audit is to find out, in an objective manner, whether something is wrong – the internal auditor should be a person who can find out if something is done wrong within your BCMS so that it can be corrected. If done properly, internal audit can be one of the best ways to improve your BCMS. (Read Dilemmas with ISO 27001 & BS 25999-2 internal auditors)

13. Management review

As said before, it is very important to get your management involved in the project – management review is designed exactly for that. The standard requires the management to examine all the relevant facts about BCM and decide whether it has fulfilled its purpose. Once that is done, the management has to decide which improvements must be made.

14. Preventive and corrective actions

The best thing would be to prevent mistakes (or, in terms of BS 25999, “non-conformities”) from happening – this is what preventive actions are used for – they are a systematic way of correcting things before a problem occurs. Similar to preventive actions, there are also corrective actions, which resolve a problem that has already occurred.

Now the question is – why would you use BS 25999-2? Although it is (still) not an international standard, it is the most popular standard for business continuity worldwide – the above-mentioned steps were designed by the best business continuity experts, so if you want to implement the best accepted practices for business continuity, you need look no further.

Here you can download the diagram of BS 25999-2 implementation process showing all these steps together with the required documentation (registration required).