ISO 27001/BS 25999 documents, presentation decks and implementation guidelines



Activation procedures for business continuity plan

By Dejan Kosutic on September 26, 2011

Having a business continuity plan is nice, but if you don’t know when and how to start using it, the money you’ve invested in it was spent in vain. Even worse, you’ll likely lose quite a lot of money because your business operations will be disrupted.

What is a business continuity plan?

Before going into the activation procedures, let me go through some of the basics of business continuity plans. BS 25999-2 standard defines a business continuity plan as a “documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefined level”. (Click here to read more about BS 25999-2).

Therefore, a business continuity plan is not a single procedure or a single document. It usually consists of at least two parts: (1) an incident response plan, and (2) a recovery plan. An incident response plan is a procedure that clearly defines what to do immediately after an incident has occurred – e.g. how to evacuate the building, who to call for help, how to contain the incident etc.

The purpose of the recovery plan is to resume business critical activities within the recovery time objective. It is activated right after the incident response plan, and can be used e.g. to recover the ICT infrastructure (also called “disaster recovery plans”), to recover production sites, to recover business processes in a service company, etc.

Since the business continuity plan consists of several parts, each of these parts is activated separately – here I’ll focus only on the two parts mentioned earlier.

Activation of incident response plan(s)

Well, the activation of this one is quite obvious. If anyone notices fire, an explosive device, flood in the basement or malicious code, he or she should notify someone immediately. Now, who is it they are going to call? In case of a smaller company, there is usually one responsible person who must be notified in case of any incident; however, in larger companies there could be more people responsible – e.g. one person for all IT related incidents, and one person for all non-IT related incidents.

It is up to them to activate the appropriate incident response plan – the company should have quite different incident response plans for e.g. fire as opposed to a threat letter.

Activation of recovery plan(s)

At first thought, it is not so obvious who should activate them. But good practice says that recovery plans should be activated by top level management dealing with crisis – usually it is the Crisis Manager. Such a decision should be made by a high level authority because it could prove quite costly to activate the recovery plan if there was no reason for it – e.g. someone at a lower level might panic and initiate transportation to the alternative site, which could prove quite unnecessary. But also someone who is not informed about the whole picture of the crisis could wait too long to make such a decision, which could prove even more expensive.

Therefore, the decision to activate certain (or all) recovery plans must be made by the Crisis Manager (or similar) – the criterion for activation is an estimate of whether the disruption of business activities caused by the incident is going to last longer than the RTO (Recovery Time Objective). If so, then the appropriate recovery plan must be activated.

The question which recovery plan to activate is rather simple – if, for example, the whole company is affected by the incident, then all the recovery plans must be activated; however, if only one department is affected, then only the recovery plan for that department must be activated.
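The two activation rules described above (activate only when the estimated disruption is expected to outlast the RTO of a critical activity, and only for the parts of the company the incident affects, with the decision reserved for the Crisis Manager) can be written down as a small decision routine. The following is an added example, not code from the original post or from any BS 25999-2 toolkit; the activity names, departments, RTO values and the role names in `ACTIVATION_AUTHORITY` are constructed sample data, not taken from a real business impact analysis.

```python
"""Recovery-plan activation decision, modelled on the criteria in the post.

A recovery plan is activated only by the Crisis Manager (or an equivalent
role), only when the estimated disruption is expected to exceed the RTO of
the critical activity the plan covers, and only for the departments the
incident affects. All names and numbers below are constructed sample data.
"""
from dataclasses import dataclass

# Roles allowed to activate recovery plans (assumption for this example).
ACTIVATION_AUTHORITY = {"Crisis Manager", "Deputy Crisis Manager"}


@dataclass(frozen=True)
class CriticalActivity:
    name: str          # critical activity from the BIA, e.g. "order processing"
    department: str    # department owning it; recovery plans are written per activity
    rto_hours: float   # Recovery Time Objective from the BIA


# Constructed sample BIA output (not real data).
SAMPLE_ACTIVITIES = [
    CriticalActivity("order processing", "Sales", rto_hours=4),
    CriticalActivity("payroll", "Finance", rto_hours=72),
    CriticalActivity("customer support line", "Support", rto_hours=8),
    CriticalActivity("ERP hosting", "IT", rto_hours=24),
]


class NotAuthorised(Exception):
    """Raised when someone below Crisis Manager level tries to activate a plan."""


def plans_to_activate(activities, affected, estimated_disruption_hours, decided_by):
    """Return the names of the critical activities whose recovery plans should be activated.

    affected: set of department names hit by the incident, or the string "ALL"
              when the whole company is affected (then every plan is a candidate).
    estimated_disruption_hours: the Crisis Manager's estimate of how long the
              disruption will last.
    decided_by: role of the person taking the decision; it is checked against
              ACTIVATION_AUTHORITY so that a lower-level panic call cannot trigger
              a costly relocation by itself.
    """
    if decided_by not in ACTIVATION_AUTHORITY:
        raise NotAuthorised(f"{decided_by!r} may not activate recovery plans")

    selected = []
    for activity in activities:
        in_scope = affected == "ALL" or activity.department in affected
        # Activate only if the outage is expected to last longer than this
        # activity's RTO; a disruption within the RTO needs no recovery plan.
        if in_scope and estimated_disruption_hours > activity.rto_hours:
            selected.append(activity.name)
    return selected


if __name__ == "__main__":
    # Whole company affected, outage estimated at two days: payroll (72 h RTO)
    # can wait, the other three plans are activated.
    print(plans_to_activate(SAMPLE_ACTIVITIES, "ALL", 48, "Crisis Manager"))
    # Only Finance affected for the same two days: nothing exceeds its RTO.
    print(plans_to_activate(SAMPLE_ACTIVITIES, {"Finance"}, 48, "Crisis Manager"))
```

The comparison is deliberately strict (`>`), matching the post's "longer than the RTO" wording; an organisation that wants a safety margin would compare against a fraction of the RTO instead, and that margin belongs in the BIA, not in the decision routine.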

Emergency preparedness

Of course, for all this to work, it is not enough to write nice activation procedures – it is essential that those activation procedures are customized to the company’s situation, that they are remembered by all employees involved, and that they are practiced. If they are just a theoretical document which no one has seen for 2 or 3 years, then it is hard to expect employees to observe such procedures. It is true that preparing for an emergency is quite a wide topic that must include exercising and testing of all elements of the business continuity plan, but sadly, activation procedures are very often neglected in this respect.

Once again, for your business continuity plan to work, you need good activation procedures. But good activation procedures are useless if no one knows about them.


Business continuity for small businesses – necessity or not?

By Dejan Kosutic on April 04, 2011

Does it make sense to implement business continuity in smaller companies? Why would they need something as costly as this if the owner of the business has all the necessary information in his/her head?

Let me start with a story I heard recently – a small company (involved in the sale of various equipment to a large customer base) was robbed – the thief broke into their office during the night and stole all the computers together with other valuable items. The problem is – the owner of this company did back up the data, but kept that backup on another computer in the same office. Very soon the company went bankrupt – they simply weren’t able to recover key information about their business.

This is a classic example of the syndrome “It is not going to happen to me” that the majority of small companies have.

Business continuity framework

Does this mean that small businesses need to invest in costly disaster recovery locations with high-availability equipment? Certainly not.

In some cases business continuity is really not needed because the owner of the business does have all the information in his/her head, but such cases are very rare – how many of those don’t have a laptop with various kinds of important information? Just thinking about how to make this information available in case of a disaster is already part of a business continuity effort.

Owners of small businesses need to think carefully about which information (and other resources) are important for their business, how to ensure that such information and other resources are available in case of a disaster, and which steps are needed to recover business activities in case a disaster occurs. These steps are nothing else but performing business impact analysis, business continuity strategy, and business continuity plans, like any larger company would do when implementing business continuity. All these are described in a leading business continuity standard – BS 25999-2.

How to prepare

Now the difference between small and large businesses is in the complexity and the price of the preparations small companies need to make for business continuity:

  • Backup of electronic data – small businesses can use some of the tools that backup the data from their computers almost instantly to the cloud. Of course, due care has to be taken that all the necessary data is included.
  • Backup of paper-based documents – small businesses are now in a position to eliminate paper-based documents almost completely from their daily operations and transfer everything to electronic form; for rare cases where paper-based documents must exist, they can be scanned for the purposes of business continuity.
  • Alternative office locations – in most cases it will be enough that employees continue business operations from their homes – the prerequisite would be that they have an Internet connection, laptops/PCs and passwords. If working from home is not appropriate, a hotel room can always be rented in less than an hour.
  • Hardware – unless there is a special kind of computer used for a business, it is very easy to find an alternative – usually there is a private computer at home, or one can be borrowed from a relative; or one can be purchased at the computer shop next door.
  • Workforce – now, this is probably the most difficult one – let’s suppose that an employee is not available, and he is the only one who knows certain information (e.g. administrative passwords, steps that need to be taken in an important project, etc.) – for such cases, the preparation would be to document all this information so that it can be used without that employee being present. The other case would be if an employee is missing and no one else has the time or the skills to do her job – in such a case the preparation would be to identify upfront who would be available for hiring on short notice to fill the missing employee’s role; of course, the key here is to identify someone with the right skills/qualifications.

To conclude: there is no difference between large and small organizations with regard to the business continuity framework – both have to think in detail about which preparations they need to make in order to survive a disaster. The difference is in the level of preparation – smaller businesses can manage with very little investment.


BS 25999-2 implementation checklist

By Dejan Kosutic on November 16, 2010

Your management has given you the task of implementing business continuity, but you’re not really sure how to do it? Although it is not an easy task, you can use the BS 25999-2 methodology to make your life easier – here are the main steps necessary to implement this standard:

1. Obtain management support

Although this is not a mandatory step in BS 25999-2, this is certainly the crucial step in the beginning – if the management does not understand the benefits of business continuity and is not committed to this project, your project is most probably going to fail.

2. Treat it as a project

It will take quite a lot of time and resources to set up your business continuity management system (BCMS) – you have to define clearly what needs to be done, in which timeframe, and what are the roles in project implementation. In other words, you have to apply project management methods.

3. Define objectives and scope; write down a BCM Policy

You have to define what it is you want to achieve with the BCMS – compliance, decreasing the level of risk, requirements of your customers/partners etc. You also have to define what you are going to include in your BCMS – the whole organization, or just a part of it. For instance, you may decide that you are going to include only your data centre if you are providing hosting services to your customers. All of these have to be documented in the BCM Policy.

4. Defining roles and responsibilities for BCMS

Because the BCMS is going to become a permanent activity in your organization, you have to define clear responsibilities for it, especially for the “sponsor” of the BCMS (someone accountable for the BCMS but not engaged in day-to-day BCMS activities) and the “BCM coordinator”, “BCM manager” or something similar – one or more persons with active duties regarding the BCMS. It is best to document these roles and responsibilities in your BCM Policy.

5. Implement mandatory procedures

BS 25999-2 requires the following four mandatory procedures to be implemented: document and records control, internal audit, preventive and corrective actions – these procedures are actually the foundation of your management system, similarly to ISO 27001 or ISO 9001.

6. Perform business impact analysis and risk assessment

Through business impact analysis you have to identify the critical activities, their maximum tolerable period of disruption, the dependencies of those critical activities (including dependencies on suppliers and outsourcing partners), and set recovery time objectives.

By doing the risk assessment you actually find out what could be the causes of the disruption of your critical activities – these could be natural, but also man-made (either malicious or accidental). You would also need to do risk treatment, which means you need to decide how to decrease the possibility of something going wrong. Unfortunately, risk assessment and treatment are not very well defined in this standard, so you might take a look at ISO 27001, which describes them in more detail.

7. Determining the business continuity strategy

Before you proceed with writing business continuity plans, you actually have to determine which resources you will need for resuming your critical activities – which people, locations, data, hardware, software, suppliers, outsourcing partners etc.

The business continuity strategy has to determine not only what you need, but also how you are going to provide those resources.

8. Developing incident management plans and business continuity plans

The purpose of incident management plans is to describe how you are going to respond directly to the occurrence of an incident (e.g. fire, earthquake, bomb threat, power failure etc.) in order to prevent it from spreading, and to try to decrease its direct effects.

On the other hand, the purpose of business continuity plans is to describe how you are going to recover your critical activities – how you are going to put all the resources you have prepared into action. This means you have to describe who is going to do what, in which time, using which data and technology, in order to put your organization back into operation.

All of these plans have to be described in detail, because they must be executed even in case the main personnel are not available – therefore, they have to be written in such a way that somebody else would be able to execute them.

9. Training and awareness

You need to define the level of competence needed for the execution of business continuity plans in case of disruption, and then train all the personnel (both employees and external partners) to reach this level of competence.

However, this is not enough – you also need to explain to your personnel why BCM is necessary. Let’s face it – your business continuity plans will be used maybe only once in a lifetime, so most people consider them a waste of time. Therefore, you have to explain to them why such a thing must exist. (See also How to deal with BCM sceptics)

10. BCMS exercising

If you thought you have written your plans perfectly, you are probably wrong – it is almost impossible to write a plan with no errors right at the beginning. This is why exercising is a mandatory part of BCMS – you have to test your plans in a situation that more or less resembles a real disruption. Only then will you find out what you planned well, and what you didn’t.

11. Maintaining and reviewing the BCMS

Another way to keep your BCMS up-to-date is by defining the intervals at which you will review your business continuity plans, but also other arrangements (e.g. contracts with suppliers and outsourcing partners, training and awareness etc.). There are all sorts of changes in the environment that threaten to make your documentation obsolete – it is enough for an employee to leave the company to have an unusable telephone number in a plan if that person had a role in the BCMS.

It is also mandatory to perform a post-incident review if an incident really occurred – the purpose is to find out how the organization really reacted – whether it followed the plans or not.

12. Internal audit

The purpose of internal audit is to find out if there is something wrong, in an objective manner – the internal auditor should be a person who can find out if something is done wrong within your BCMS in order to correct it. If done properly, internal audit could be one of the best ways to improve your BCMS. (Read Dilemmas with ISO 27001 & BS 25999-2 internal auditors)

13. Management review

As said before, it is very important to get your management involved in the project – management review is designed exactly for that. The standard requires the management to examine all the relevant facts about BCM and decide whether it has fulfilled its purpose. Once that is done, the management has to decide which improvements must be made.

14. Preventive and corrective actions

The best thing would be to prevent mistakes (or in terms of BS 25999, the “non-conformities”) from happening – this is what the preventive actions are used for – they are a systematic way of correcting things before a problem occurs. Similar to preventive actions, there are also corrective actions which resolve the problem that has already occurred.

Now the question is – why would you use BS 25999-2? Although it is (still) not an international standard, it is the most popular standard for business continuity worldwide – the above-mentioned steps are designed by the best business continuity experts, so if you want to implement the best accepted practices for business continuity, you have to look no further.

Here you can download the diagram of BS 25999-2 implementation process showing all these steps together with the required documentation (registration required).


Disaster recovery vs Business continuity

By Dejan Kosutic on November 04, 2010

Has it ever happened to you that your management has given you the responsibility to implement business continuity just because you are in the IT department? Why is business continuity usually identified with information technology?

This is probably because business continuity has its roots in disaster recovery, and disaster recovery basically is all about information technology. Twenty or thirty years ago business continuity (BC) did not exist as a concept, but disaster recovery (DR) did – the main concern was how to save the data if a disaster occurred. At that time it was very popular to purchase expensive equipment and place it at a remote location so that all the important data of an organization would be preserved if, for instance, an earthquake occurred. Not only preserved, but also processed with more or less the same capacity as at the main location.

But after a while it was realized – what use would the data be if there were no business operations to use it? This was how the idea of business continuity was born – its purpose is to enable the business to keep going, even in case of a major disruption.

Definitions

Let’s take a look at the definitions – business continuity is the “strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level” (BS 25999-2:2007), while disaster recovery is “the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster” (Wikipedia.org).

As you can see from the definitions, the emphasis in DR is on technology, while in BC it is on business operations. Therefore, disaster recovery is part of business continuity – you might consider it as one of the main enablers of business operations, or the technological part of business continuity.

However, you may have noticed something else too – the definition of BC is quoted from BS 25999-2, the leading standard on business continuity management, while the definition of DR is quoted from Wikipedia – actually, “business continuity” is an official term recognized in standards, while “disaster recovery” is not.

Implications for implementation

So why is it a bad idea for an IT department to implement business continuity for the whole organization? Because business continuity is primarily a business issue, not an IT issue. If the IT department were implementing business continuity for the whole organization, it would be able to define neither the criticality of business activities nor the criticality of information. Further, it is questionable whether it would achieve commitment from the business parts of the organization.

The best way to organize the implementation of BC is for the business side to lead such a project – this is how you would achieve greater awareness and acceptance of all parts of the organization. The IT department should play its role in such a project – a key role – to prepare disaster recovery plans.


How to deal with BCM sceptics?

By Dejan Kosutic on October 05, 2010

Have you ever heard something like “It can’t be done”, “It has no use”, or “It’s useless if a major disaster occurs”? If you have implemented business continuity management, you probably have. Naturally, such an attitude would not help your project, so here are some suggestions on how to handle such people.

“If a major disaster occurs, we won’t be able to do anything”

This is probably the most common one. Well, they may be right, unless you really prepared your business continuity strategy and business continuity plans taking into account all the possible scenarios – if you did that, then you can explain to them that you have prepared an alternative site which is distant enough to withstand any kind of disaster, that you’ve made a backup copy of data, that there is a replacement for any employee in the company, that you have alternative suppliers for any critical service etc.

“If a nuclear war breaks out, it won’t work”

Well, unless you are a military supplier, it wouldn’t matter, would it? Basically, in these kinds of catastrophic scenarios, your business probably wouldn’t have a purpose anymore.

“It has no use”

Just pray you’ll never have to use business continuity. Even without mentioning the well-known examples like 9/11 or Hurricane Katrina, it is enough to ask – have you ever experienced a power outage? Or did your server break down? Or maybe a PC with important data on it? Have you ever heard of a building that burned down completely? It is enough to read newspaper headlines to understand that those things can happen to anyone.

“We will do this only to satisfy the auditor”

Wrong priority. If you do it properly, you’ll protect yourself, and as a consequence your auditor will be happy.

“We can’t foresee all the incidents”

This is true, at least in the beginning. But if you perform your risk assessment right, use literature and various resources, and review the assessment regularly, the chances are that in time you’ll be able to take into account all the possible risks. Once you know them, you can prepare your response.

“In case of emergency, people will start looking after their families, not after the business”

True also. Who wouldn’t call his/her family first to see if they are all right in case of an earthquake? But if you plan very carefully who can go home right after an incident occurs and who must stay and resolve the situation, and if you take care of the family of the employees that must stay (e.g. by assigning some other employees to this task), then you’ve probably solved this problem.

“People will react irrationally in crisis situations”

Definitely true. But if you train your employees (and suppliers/partners) regularly, and if you exercise your business continuity plans, they will get used to stressful situations, and will probably respond in the right way if such situations occur.

If you have already implemented similar projects, you know how important awareness is – if your co-workers do not recognize the purpose of such projects, you will experience great difficulties with implementation. Not to mention that your project might fail altogether – this is why you need to consider awareness raising in advance.


How to write business continuity plans?

By Dejan Kosutic on April 08, 2010

If you started implementing business continuity management, probably the biggest challenge you are facing is writing the business continuity plans.

Why is it so difficult? Well, you have to think of various scenarios under which a disaster (or other kind of disruption of business activities) can occur, and you have to think of a way to handle such exceptionally rare but potentially catastrophic incidents.

The problems that people who write such plans usually have include what the plan should contain (what are the main elements), how long (how detailed) it should be, what steps to include etc.

One of the best solutions to all these dilemmas is using the BS 25999-2 standard, which together with BS 25999-1 defines a framework as to how the plans should be written.

According to those standards, the business continuity plans should consist of (1) incident response plan, and (2) recovery plans. An incident response plan is usually a single plan written for the whole organization, and describes what has to be done immediately after a disaster occurs – reducing the effects of the incident, communicating to emergency services, evacuating the building, gathering at assembly points, organizing transport to alternative locations etc.

Recovery plans are usually written separately for each critical activity, and the steps to be included in the recovery plans are usually the following: when and how to communicate with various stakeholders (employees and their families, shareholders, customers, partners, government bodies, public media etc.), how to assemble the team, how to recover the infrastructure, how to check whether the applications are functioning and whether the access rights are appropriate, how to check which data is missing or has been corrupted by the disaster, how to recover the data, and how to decide when the recovery is completed so that normal operations can begin.

Disaster recovery plans (the recovery plans of ICT infrastructure) are the ones to be written with great care because they should describe how to set each system running within the recovery time objective of a particular critical activity. This is usually done by writing a detailed recovery plan for each system to be recovered.

The rule of thumb says that the level of detail in all these plans should be such that other employees (or external staff) would be able to execute the plan if the people working on that critical activity are not available. Therefore, use common sense when writing the plans – they should be understandable to anyone, not just you.

In my experience, the biggest challenge when writing these plans is that employees have to face something completely different, something they never had to think about. To overcome such a problem it is best to organize a workshop where, with or without a moderator, they could share their views about what would happen if… , how to react when…, etc.

The truth is, the mere fact that your employees have started thinking about business continuity is 50% of the job done – with such an approach, the results of business continuity planning will be much better.


Can business continuity strategy save your money?

By Dejan Kosutic on March 15, 2010

You are thinking about implementing business continuity management/the BS 25999-2 standard? But then you hear it will cost you a lot? It probably will cost you, but not necessarily as much as you thought – this you can solve with a good business continuity strategy.

Business continuity strategy, as defined in BS 25999-2 standard, is an “approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major incident or business disruption”. Therefore, the point is to prepare yourself in the best possible manner to counteract a disaster if such would occur. This preparation can include organizational measures (drawing up plans, making contracts with suppliers/partners, exercising, reviewing, awareness raising, etc.), and measures including investment in equipment, infrastructure etc.

Time is a very important factor in recovery – if you do not recover your business in time, you will probably lose your customers and consequently lose your business as well. So the business continuity strategy must set the recovery time objective (RTO) for each of your critical activities, where the RTO can be different for each of those.

One important consideration: the shorter the RTO, the bigger the investment you will need – for instance, if you want to recover your data centre in less than one hour, you will have to invest in an alternative location almost the same equipment as in the primary location; on the other hand, if you want to recover your data centre in two weeks, the investment will be much lower because it would be enough to store the backup tapes at the alternative location, allowing you two weeks to obtain the necessary equipment. All this means that your RTO must not be too long, but not too short either.

Once the RTO is set, you will still need to make some investment; however, with a good business continuity strategy you will be able to decrease that investment, while still being able to recover your critical activities within the recovery time objective. Here are some examples:

  • you might not need your own data centre at an alternative location – in most countries you can rent such a location from a specialized company, which means you don’t need to invest in infrastructure, maybe not even in equipment or software,
  • you might not need offices at an alternative location – employees who do not have to meet customers face-to-face can work from their homes,
  • you might not need an alternative location at all if you have other business units at different locations which could take over the critical activities affected by the disaster,
  • you might not need to purchase equipment in advance if you can find the supplier that could guarantee the delivery of equipment within your RTO,
  • etc.

In all these examples you will need to increase your organizational capabilities, but if you want to save some money, it sure is something worth thinking about.


Similarities and differences between ISO 27001 and BS 25999-2

By Dejan Kosutic on February 05, 2010

At first glance, information security and business continuity don’t have much in common – some would add that the only similarity is that they are both about IT.

Information security management is best defined in the international standard ISO/IEC 27001, while business continuity management is defined in the British standard BS 25999-2 – therefore, if we want to compare these two topics, the wisest thing to do is to take a look at what these two standards have to say.

First of all, IT is an important part of both ISO 27001 and BS 25999-2, but by no means are those two standards about IT only – the emphasis is on business processes & assets, and associated risks. It is true that IT is the main tool to process the data, but the fact remains that the biggest risks are connected to both malicious and unintentional activities of people. Therefore, the risks associated with information security or business continuity cannot be resolved by information technology only – it is much more important to define the organization, processes and responsibilities within the organization.

But what is essentially information security? ISO 27001 defines it as “preservation of confidentiality, integrity and availability of information”. On the other hand, BS 25999-2 defines business continuity as “strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level”.

The two don’t seem very much alike. However, there is one thing which makes them very similar – availability. The focus of both information security and business continuity is to keep information available to those who need it – in that respect, Annex A of ISO 27001 offers some controls dedicated solely to business continuity.

Further, both standards require carrying out the risk assessment, in order to identify potential problems related to information; both standards require document management, conducting internal audits, management reviews, and corrective and preventive actions. It means that if you already have documentation for ISO 27001, you can use those same procedures for BS 25999-2 (with only minor adjustments).

What are the differences? The main difference is in the level of detail. ISO 27001 covers a much wider area, and is therefore not very precise when it comes to business continuity; on the other hand, BS 25999-2 describes in detail how to perform business impact analysis, how to define business continuity strategy, or what the contents of business continuity plans shall be etc.

To conclude – the point here is that you can think of business continuity as part of information security. The practical use of it is that when it comes to implementation of business continuity in the context of ISO 27001, it is best to use BS 25999-2 as a guideline.