ISO 27001 & BS 25999

I noticed that many people running ISO 27001 projects who have downloaded documentation templates think “I have the templates now – the rest is easy. I’ll write a few documents, show them to auditor, and it’ll be over in a few days”.

Unfortunately, it’s not that easy. Here’s why:

1. Writing the documentation requires time and effort

You shouldn’t write the documents just for the auditor to read them – you should write them because you want to define some rules for your organization.

But if you want your documentation to be useful, you have to adapt it to the realistic needs of your company. It probably doesn’t make sense to create a rule to change passwords every month, but it might make sense to change it every 3 or every 6 months – so you have to find out what is appropriate for your level or risks and for your organization.

Further, some documents are rather complex, and require certain knowledge to write them – for example, to perform the risk assessment first you need to write the Risk assessment methodology. If such a methodology is not suited for your organization, your employees doing the risk assessment may end up spending an enormous amount of time, to eventually realize that you could have done it in a much quicker and more efficient way. On the other hand, you may choose to take shortcuts, and by doing so omit some of the requirements of ISO 27001 with the result of failure at the certification.

So you need to invest time and effort in your education, and in the analysis of your company.

2. Documentation without implementation is nothing

Once you finish writing, you realize the documentation doesn’t make any sense if those rules are not really applied in your organization. In other words, having perfect documents alone isn’t going to raise your level of security.

But the problem is – if you want to implement new rules, you have to change habits in your organization. And changing habits isn’t easy, especially if it means restricting the freedom that employees enjoyed until now (and this is what security rules usually do). Taking again the example of password policy – if no such rule existed before and suddenly you ask your employees to change passwords every 3 months, they certainly won’t be happy. Moreover, they will look for ways to avoid such a rule.

So, besides making sure this rules makes sense from a security point of view, you have to explain to your employees why it is necessary, and in case of some more complex rules you will have to explain how to do it. These are called awareness and training programs, without which you will have high chances that your employees will simply reject such a change. And these programs also require time and effort.

3. Maintenance is often neglected

Most of the companies that have completed the documentation and implemented all the rules and processes, start forgetting about the documentation – new issues keep occurring that change how things are done, but that fact is not reflected in documentation. As a consequence, more and more people notice that documents are not useable anymore, and this in turn results in less and less people adhering to them.

This happens if no one is in charge of documentation maintenance – good practice says that for each document an ‘owner’ should be designated, a person who is responsible for keeping it up-to-date. But again – this requires time and effort.

Therefore, purchasing your documentation templates is not the end of your information security journey – it is just the beginning.

You can also check out our series of video tutorials for ISO 27001 implementation which explain how to fill in the documentation templates (commercially sold videos).

Very often when I deliver free webinars on the topic of ISO 27001 certification, I notice that quite many people expect help with their personal certification related to ISO 27001 while the webinar is focused on certification of organizations.

This kind of misunderstanding is not entirely unexpected since many certifications in the security domain (e.g. CISSP, CISA, CISM) are focused on the certification of persons, and have nothing to do with organizations.

So, is ISO 27001 certification intended for organizations or persons? Actually, both.

Certification of organizations

ISO 27001 is a management standard that was initially designed for the certification of organizations. The system works like this: companies (or any other type of organization) develop their Information Security Management System (ISMS) which consists of policies, procedures, people, technology, etc. and then invite a certification body to check our whether their ISMS is compliant with the standard – this check is done during the so-called certification audit.

If the certification audit is successful, the certification body will issue a certificate which will state that the organization in question is compliant with ISO 27001.

In this case the employees working at that organization are not certified, although it has been confirmed they behave according to the standard. To read more about certification of organizations read this article Becoming ISO 27001 certified – How to prepare for certification audit.

Certification of persons

However, the whole industry related to ISO standards (certification bodies, consultants, training institutions, etc.) soon realized that if there are no qualified employees who would develop and maintain the management system, the whole concept would fail.

Therefore, very much like ISO 9001, ISO 14001 and other management standards, various trainings have been developed for individuals that need to get education for ISO 27001. There are now dozens of different trainings for individuals lasting from a few hours to a few weeks – for an overview read this article: How to learn about ISO 27001 and BS 25999-2. The most recognized trainings are ISO 27001 Lead Auditor Course and ISO 27001 Lead Implementer Course, but only for the former an internationally recognized certificate is issued (under the accreditation of institutions like IRCA or RABQSA).

This way the individuals that attend the training and pass the exam obtain the certificate that is issued to their name. But even if all the employees at a company were certified, this still doesn’t mean that the company itself would get the certificate – there is quite a big difference between certification of persons and organizations.

So ISO 27001 does offer various possibilities for certification, unlike any other standard in the security domain. The best, of course, would be to pursue both certifications – certify your personnel so that they can help your organization develop and maintain an adequate level of security, and certify your company so that the training of the individuals is done systematically and according to realistic security needs.

You can also check out our series of ISO 27001 webinars that will teach you the basics of ISO 27001.

Many readers of this blog asked me to present a real-life experience of ISO 27001 implementation in a company. Since I would be too subjective if I started writing my own impressions, I decided to interview my clients – Dragomir Perica and Ivancica Ljubic from Dabar informatika d.o.o., a company specialized in banking software development, with presence in South East Europe.

Q: Why did you start the ISO 27001 project?

A: The first reason is because the Croatian National Bank (regulator of the banking market) required us to do it – to comply with the best security standards. The second reason is that we wanted to do it because it makes perfect sense in our case – we wanted to brush up things in our company. For example, among other things, we are promoting security features to our clients, so it is important for us to act in the same fashion; besides, our IT personnel needs to perform a lot of tasks, so it is important to define rules to avoid the situations where big problems could occur.

Q: What were you most afraid of when you started the project?

A: How much time  it would take, how much the existing system would be useable, and overhead. Regarding the time, we were afraid of how much time our team would need to invest in such an implementation, and how much time we (the top management) would need to spend on it. We were also afraid of the gaps we would find between what we have already developed against what the standard requires. Maybe the greatest concern was that the standard requires quite a few documents, so the challenge was how to align those documents with our way of doing business, without getting new and unnecessary tasks – we had this negative experience with ISO 9001 implementation, where we had to write some documents because of the standard itself, with no practical use.

Q: So did ISO 27001 bring you the overhead?

A: No, or to be more precise – the overhead is considerably lower than with ISO 9001. In the case of ISO 27001 we have managed to avoid it because we have set the processes and the documentation in a useful way.

Q: What were the greatest problems in the ISO 27001 implementation?

A: Not knowing the scope of what ISO 27001 really requires – what we were expected to do; or in other words – we didn’t know whether we were going to build a skyscraper, or a small family house. We also didn’t expect the theoretical approach required for the risk assessment, we lost quite a lot of time on it – until then we always dealt with the practical things, we never had to consider security on a conceptual level. As a consequence, in the beginning we didn’t do the risk assessment right.

Q: Why didn’t the risk assessment start well?

A: Not to go into details, let’s just say that we (the top management) didn’t pay enough attention to it – obviously, such a process couldn’t be done without our direct involvement because we were the only ones with a broader picture of the company, and we could make some crucial decisions.

Actually, we feel the whole project started moving much more smoothly after we started investing more time into it. Besides, during the project we understood that it really doesn’t make sense to skip the steps you suggested to us – e.g. it doesn’t make sense to implement controls before the risk assessment is done properly. We realized this after we skipped some steps and lost sight of the process.

Q: Do you think it would be better to let a consultant write the whole documentation, or should the company’s employees run the project and write the documentation themselves?

A: An outsider – a consultant or anyone else – cannot do it. Because then such documentation would be only superficial and we would never start living with it. Someone from the outside cannot know precisely how things work in a company, what is good and what is bad.

Although, since we had no experience in such a project, we wouldn’t be able to finish it without outside help – we liked your approach where you were guiding us through all the steps, and it was us who managed the project and the documentation. It was a good experience to have someone with a fresh eye to help us fill in all the gaps.

Q: What was the greatest surprise in the project?

A: Actually, there was none – we knew we had to formalize our system and that is what we have done.

Q: Which part of the project required the largest investment?

A: Involvement of the top management. We had to invest some time into this project, which means we had to postpone some other activities; on the other hand, if we hadn’t  got involved, the project would have lasted much longer and therefore the cost would have been even higher. The investment in an alternative/backup location would have been the greatest, but since we already did it 2 years ago, almost no new equipment was needed for this project.

Q: What is your greatest challenge now that the implementation project is finished?

A: Having to live with this system. For example, we have 5 new young employees, who have no experience in security – we have to teach them to operate according to the standard. And that is difficult – it is much easier to explain it to someone with 20 years of experience, but when young people need to start working with all these documents, it is a great challenge that they do not experience it as a prison sentence.

Q: How to achieve that?

A: Continuing training. They will eventually become very good – after 6 months they will know it as well, if not better, than people who have worked with these documents for 15 years. They will learn how to work properly, but it takes quite a lot of time.

Q: When you draw the line, do you think ISO 27001 implementation has paid off?

A: Definitely. It has paid off because we found our own mistakes and corrected them. We are now much more satisfied with ourselves and with the work we do. Also, we have regular audits from our clients (banks) – when they come, we have nothing to be afraid of. A real stress relief.

You can also check out our ISO 27001 Online Mentoring (commercially sold online service).

Many people think that just by attending the ISO 27001 Lead Auditor Course they have become the ISO 27001 Lead Auditor. Well, this is not entirely true.

This article will show the steps you need to take if you want to work as an auditor for a certification body. If you want to work as an internal auditor, you basically do not need the Lead Auditor Course or anything else mentioned here – you can perform internal audits by just proving you have enough experience and knowledge. To learn more about internal audits read this article Dilemmas with ISO 27001 & BS 25999-2 internal auditors.

Steps for becoming the ISO 27001 Lead Auditor

So, if you want to become lead auditor, here is what ISO 27006 (standard that defines the requirements for certification bodies) requires:

1. Prior experience – You need to have at least four years of experience in information technology, of which at least two years on a job related to information security.
2. Pass the exam – The ISO 27001 Lead Auditor Course lasts 5 days, and on the fifth day you need to pass the written exam. Therefore, you need to invest considerable effort, not only by studying for the exam but also for attending the full 5 days of the course (if you miss a single day you will not be permitted to take the exam).
3. Find a certification body – You need to find a certification body which needs an ISO 27001 certification auditor – that may prove to be a difficult task, since most of the certification bodies already have their auditors.
4. Go through training – When you find the certification body which is interested, this doesn’t mean you’ll start auditing tomorrow – ISO 27006 requires you to go through a trainee program (or similar) during which you will attend real certification audits (done by more experienced colleagues) where you will learn how to perform such audits. Usually, this trainee period lasts 20 audit days after which you’ll be entitled to perform ISMS audits as part of the audit team.
5. Gain audit experience – To become the ISO 27001 Lead Auditor, i.e. to lead a team of auditors performing ISO 27001 audit, you need to have experience in at least three complete ISMS audits.

After you finish all these steps, you will be able to perform the ISMS audits as the team leader. So, the ISO 27001 Lead Auditor Course is just the beginning of your journey…

You can also check out our ISO 27001 Lead Auditor Course preparation training – a webinar which describes the details of the course and helps you prepare for the exam (commercially sold online training).

I’ve met quite a few companies considering how to start their ISO 27001 / BS 25999 project, with quite different approaches – some are convinced they can do it completely on their own (with no prior ISO 27001 knowledge), while others thought they can do it with the help of a consultant only.

They are both wrong.

Road map for ISO 27001 / BS 25999 implementation

There is one thing you definitely need for the implementation – knowledge. By knowledge I mean the know-how of the implementation process, so that you don’t get stuck and  waste time on irrelevant issues, while forgetting the important ones. What you need are the guidelines for implementation, as well as knowledge on how to implement all the pieces of the puzzle.

This is why it isn’t possible to implement these standards with just your existing knowledge base, and it is very rare to find companies who already have experienced ISO 27001 / BS 25999 implementers.

Of course, one way to get around this is to hire a consultant. But this is not the only way – I’ll address that later.

Hiring an ISO 27001 / BS 25999 consultant – pro’s and con’s

The biggest benefit of a consultant is that he/she is going to get you through the implementation process much quicker than if you did it on your own (provided that the consultant has sufficient knowledge). A consultant should provide you with tips & tricks for each step in the implementation process, check the documentation, train your employees, etc. He/she could also run interviews with your employees, write the documentation, and process the results (e.g. during risk assessment).

A major drawback of hiring a consultant is that most small (but also medium-sized) organizations cannot afford one – consultants tend to charge large fees and cannot guarantee the successful implementation. Besides, the more work is done by a consultant, the less will be done by your employees, therefore less knowledge and skills will be passed on to your organization.

Then there is also the issue of confidentiality – the consultant will learn everything you do from the inside (including your vulnerabilities and controls that are in place), so if you didn’t check this person thoroughly, he/she could become quite a significant threat.

Finally, there is the question of quality – too many times I met “experts” who claimed they implemented these standards many times, but didn’t know e.g. how to run the risk assessment; or what is the purpose of business impact analysis.

Implementation without a consultant

Consultants are not the only source of knowledge – you can also choose the option to implement the standards with your employees by providing them appropriate training and support.

Here are some ideas on how to obtain the knowledge:

• Send your employees to trainings – read How to learn about ISO 27001 and BS 25999-2 for more info
• Get the best practices through documentation templates
• Purchase the literature – there are various books and other publications available on the Internet

If you start implementing the standards on your own, it is probably going to take longer than if you did it with a consultant. But, it is going to be cheaper, and most probably your employees will learn better what certification entails, and what their responsibilities will be – because they will be forced to consider every step very carefully.

So, the answer to the initial question is: no – a consultant is not mandatory for your implementation (although quite often it is the best solution). However, the implementation knowledge is mandatory – without it, don’t expect to finish your ISO 27001 / BS 25999 project soon, if at all.

You can also check out our online mentoring service called Guidance & Review (commercial service).

Having a business continuity plan is nice, but if you don’t know when and how to start using it, the money you’ve invested in it was spent in vain. Even worse, you’ll likely lose quite a lot of money because your business operations will be disrupted.

What is a business continuity plan?

Before going into the activation procedures, let me go through some of the basics of business continuity plans. BS 25999-2 standard defines a business continuity plan as a “documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefined level”. (Click here to read more about BS 25999-2).

Therefore, a business continuity plan is not a single procedure or a single document. It usually consists of at least two parts: (1) incident response plan, and (2) recovery plan. An incident response plan is a procedure that clearly defines what to do immediately after an incident occurred – e.g. how to evacuate the building, who to call for help, how to contain the incident etc.

The purpose of the recovery plan is to resume business critical activities within the recovery time objective. It is activated right after the incident response plan, and can be used e.g. to recover the ICT infrastructure (also called “disaster recovery plans”), to recover production sites, to recover business processes in a service company, etc.

Since the business continuity plan consists of several parts, each of these parts is activated separately – here I’ll focus only on the two parts mentioned earlier.

Activation of incident response plan(s)

Well, the activation of this one is quite obvious. If anyone notices fire, an explosive device, flood in the basement or malicious code, he or she should notify someone immediately. Now, who is it they are going to call? In case of a smaller company, there is usually one responsible person who must be notified in case of any incident; however, in larger companies there could be more people responsible – e.g. one person for all IT related incidents, and one person for all non-IT related incidents.

It is up to them to activate the appropriate incident response plan – the company should have quite different incident response plans for e.g. fire as opposed to a threat letter.

Activation of recovery plan(s)

At first thought, it is not so obvious who should activate them. But good practice says that recovery plans should be activated by top level management dealing with crisis – usually it is the Crisis Manager. Such a decision should be made by a high level authority because it could prove quite costly to activate the recovery plan if there was no reason for it – e.g. someone at a lower level might panic and initiate transportation to the alternative site, which could prove quite unnecessary. But also someone who is not informed about the whole picture of the crisis could wait too long to make such a decision, which could prove even more expensive.

Therefore, the decision to activate certain (or all) recovery plans must be made by the Crisis Manager (or similar) – the criteria for activation are based on an estimate whether the disruption of business activities caused by the incident is going the last longer than the RTO (Recovery Time Objective). If so, then an appropriate recovery plan must be activated.

The question which recovery plan to activate is rather simple – if, for example, the whole company is affected by the incident, then all the recovery plans must be activated; however, if only one department is affected, then only the recovery plan for that department must be activated.

Emergency preparedness

Of course, for all this to work, it is not enough to write nice activation procedures – it is essential that those activation procedures are customized to the company’s situation, that they are remembered by all employees involved, and that they are practiced. If they are just a theoretical document which no one has seen for 2 or 3 years, then it is hard to expect employees to observe such procedures. It is true that preparing for an emergency is quite a wide topic that must include exercising and testing of all elements of the business continuity plan, but sadly, activation procedures are very often neglected in this respect.

Once again, for your business continuity plan to work, you need good activation procedures. But good activation procedures are useless if no one knows about them.

You can also check out our webinar BS 25999-2 Foundations Part 3: Business Continuity Planning which explains how to write incident response plans and recovery plans (commercially sold training).

This is usually one of the first questions I receive from the potential client. To their disappointment, I cannot give them the exact figure right away – here is why.

First of all, the total cost of implementation will depend on the size of your organization (or the size of the business unit(s) that will be included in the ISO 27001 scope), the level of criticality of information (for instance, information in banks is considered more critical and demands a higher level of protection), the technology the organization is using (for instance, the data centers tend to have higher costs because of their complex systems), and the legislation requirements (usually the financial and government sectors are heavily regulated with regards to information security).

Second, you won’t be able to calculate the exact costs before you know which level of protection you need – first you have to perform risk assessment, because such analysis will tell you which security measures are required.

When you know the results of risk assessment, you will have to take into account the following costs:

1. The cost of literature and training

Implementation of ISO 27001 requires changes in your organization, and requires new skills. You can prepare your employees by buying various books on the subject and/or sending them to courses (in-person or online) – the duration of these courses varies from 1 to 5 days (read How to learn about ISO 27001 and BS 25999-2).

And don’t forget to buy the ISO 27001 standard itself – too often I run across companies implementing the standard without actually seeing it.

2. The cost of external assistance

Unfortunately, training your employees is not enough. If you don’t have a project manager with deep experience in ISO 27001 implementation, you’ll need someone who does have such knowledge – you can either hire a consultant or get some online alternative (this is what we do at Information Security & Business Continuity Academy).

The greatest value of someone with experience helping you with this kind of project is that you won’t end up in dead end streets – spending months and months doing activities that are not really necessary or developing tons of documentation not required by the standard. And that really costs.

However, be careful here – do not expect the consultant to do the whole implementation for you – ISO 27001 can be implemented by your employees only.

3. The cost of technology

It might seem funny, but most companies I’ve worked with did not need a big investment in hardware, software or anything similar – all these things already existed. The biggest challenge was usually how to use existing technology in a more secure way.

However, you do need to plan such investment if it proves to be necessary.

4. The cost of employees’ time

The standard isn’t going to implement itself, neither can it be implemented by a consultant only (f you hire one). Your employees have to spend some time figuring out where the risks are, how to improve existing procedures and policies or implement new ones, they have to take some time to train themselves for new responsibilities and for adapting to new rules.

5. The cost of certification

If you want to obtain public proof that you have complied with ISO 27001, the certification body will have to do a certification audit – the cost will depend on the number of man days they will spend doing the job, ranging from under 10 man days for smaller companies up to a few dozen man days for larger organizations. The cost of man day depends on the local market.

You have to be very careful not to underestimate the true cost of ISO 27001 project – if you do, your management will start looking at your project in a negative light. On the other hand, forecasting all costs correctly will show your level of professionalism; and don’t forget – you always have to present both the cost and the benefits – read Four key benefits of ISO 27001 implementation.

You can also check out our video tutorial How To Set Up ISO 27001 Project – Writing the Project Plan which explains how to plan the ISO 27001 project (commercially sold video).

Training is certainly one of the best ways to facilitate your ISO 27001 and BS 25999-2 implementation. As there are more and more types of courses available, I’ll try to explain their benefits and the differences between them.

The first is the list of in-person courses – these courses are still prevalent, but steadily losing share in favour of online courses (explained at the end of this article).

ISO 27001 or BS 25999-2 Lead Auditor Course

This is the most popular course for either ISO 27001 or BS 25999-2 – it lasts 5 days, and finishes with a written exam. The exam is quite difficult, so one could consider that this is the top course for those two standards. If you do pass the exam, you can become an auditor for a certification body, but that is not its main benefit – it is the most useful for professionals implementing the standards because it gives an excellent overview of the standards and provides in-depth explanations of what the certification auditors will ask for at the certification audit. Therefore, it is useful for both auditors and implementers.

The target audience for this course are professionals with moderate or significant experience in information security, business continuity, auditing or IT. You should choose only accredited courses (e.g. by IRCA – irca.org).

ISO 27001 or BS 25999-2 Lead Implementer Course

This course is somewhat similar to, but not so popular as ISO 27001 or BS 25999-2 Lead Auditor Course. The difference is that it focuses on implementation techniques rather than auditing techniques – therefore, if the certification is not your concern, you may find this course more suitable.

Here the target audience is similar – professionals with moderate or significant experience in information security, business continuity or IT.

ISO 27001 or BS 25999-2 Internal Auditor Course

This course is a “light” version of ISO 27001 or BS 25999-2 Lead Auditor Course – it usually lasts 2 or 3 days, could be with or without an exam, and the content is a condensed version of Lead Auditor Course. The main difference is that with this course you cannot pursue a career as an auditor in a certification body; however, if you want to get a systematic introduction to the world of ISO 27001 or BS 25999-2 or you plan to be an internal auditor in your company, this course is the right choice for you.

The target audience are professionals with little or moderate experience in information security, business continuity or IT.

ISO 27001 or BS 25999-2 Foundation Course / Introduction Course

These courses usually last for one or two days – their purpose is not to teach you about auditing or implementation techniques, but to give you an overview of the requirements and implementation issues. If you don’t have a lot of time to spare and you want to know what you company will be experiencing during implementation, do think about one of these courses.

The target audience are members of the management, or professionals with no experience in information security or business continuity.

Other information security / business continuity courses

You may have heard of Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP) – although I consider these courses very useful for your information security or business continuity career, they are not directly relevant to ISO 27001 or BS 25999-2. Therefore, you should attend CISA, CISM and/or CISSP after you complete courses directly related to the two standards.

Online courses

In addition to the above mentioned in-person courses, online courses (either in the form of e-learning or live webinars) are becoming increasingly popular, partly because of the lower costs – no travelling expenses, no lost time away from office. There are more and more vendors on the Internet, offering more and more quality content (including our Information Security & Business Continuity Academy) – you can find courses lasting from 1 hour (e.g. free webinars) to a few weeks (e.g. e-learning courses).

The main benefit of online courses is that you can receive more relevant knowledge in a shorter period of time and for less money, although the question of real effectiveness of such courses still remains unanswered.

But, regardless of which form or type of course you take, be sure about one thing – the return on investment will show very quickly.

You can also check out our series of ISO 27001 video tutorials which explain every step in ISO 27001 implementation (commercially sold videos).

Your management has given you the task to implement business continuity, but you’re not really sure how to do it? Although it is not an easy task, you can use the BS 25999-2 methodology to make your life easier – here are the main steps necessary to implement this standard:

1. Obtain management support

Although this is not a mandatory step in BS 25999-2, this is certainly the crucial step in the beginning – if the management does not understand the benefits of business continuity and is not committed to this project, your project is most probably going to fail.

2. Treat it as a project

It will take quite a lot of time and resources to set up your business continuity management system (BCMS) – you have to define clearly what needs to be done, in which timeframe, and what are the roles in project implementation. In other words, you have to apply project management methods.

3. Define objectives and scope; write down a BCM Policy

You have to define what is it you want to achieve with the BCMS – compliance, decreasing the level of risk, requirements of your customers/partners etc. You also have to define what you are going to include in your BCMS – the whole organization, or just a part of it. For instance, you may decide that you are going to include only your data centre if you are providing hosting services to your customers. All of these have to be documented in the BCM Policy.

4. Defining roles and responsibilities for BCMS

Because the BCMS is going to become a permanent activity in your organization, you have to define clear responsibilities for it, especially for the “sponsor” of the BCMS (someone accountable for the BCMS but not engaged in day-to-day BCMS activities) and “BCM coordinator”, “BCM manager” or something similar to it – one or more persons with active duties regarding the BCMS. It is the best to document these roles and responsibilities in your BCM Policy.

5. Implement mandatory procedures

BS 25999-2 requires the following four mandatory procedures to be implemented: document and records control, internal audit, preventive and corrective actions – these procedures are actually the foundation of your management system, similarly to ISO 27001 or ISO 9001.

6. Perform business impact analysis and risk assessment

Through business impact analysis you have to indentify the critical activities, their maximum tolerable period of disruption, the dependencies of those critical activities (including dependencies to suppliers and outsourcing partners), and set recovery time objectives.

By doing the risk assessment you actually find out what could be the causes to the disruption of your critical activities – those could be natural, but also man-made activities (either malicious or accidental). You would also need to do risk treatment, which means you need to decide how to decrease the possibility of something going wrong. Unfortunately, the risk assessment and treatment are not very well defined in this standard, so you might take a look at ISO 27001 which describes them in more detail.

7. Determining the business continuity strategy

Before you proceed with writing business continuity plans, you actually have to determine which resources you will need for resuming your critical activities – which people, locations, data, hardware, software, suppliers, outsourcing partners etc.

The business continuity strategy has to determine not only what you need, but also how you are going to provide those resources.

8. Developing incident management plans and business continuity plans

The purpose of incident management plans is to describe how you are going to respond directly to the occurrence of an incident (e.g. fire, earthquake, bomb threat, power failure etc.) in order to prevent it to spread, and to try to decrease its direct effects.

On the other hand, the purpose of business continuity plans is to describe how you are going to recover your critical activities – how you are going to put all the resources you have prepared into action. This means you have to describe who is going to do what, in which time, using which data and technology, in order to put your organization back into operation.

All of these plans have to be described in detail, because they must be executed even in case the main personnel is not available – therefore, they have to be written in such a way that somebody else would be able to execute them.

9. Training and awareness

You need to define the level of competence needed for the execution of business continuity plans in case of disruption, and then train all the personnel (both employees and external partners) to reach this level of competence.

However, this is not enough – you also need to explain to your personnel why BCM is necessary. Let’s face it – your business continuity plans will be used maybe only once in a life time, so most people consider it as a waste of time. Therefore, you have to explain to them why such a thing must exist. (See also How to deal with BCM sceptics)

10. BCMS exercising

If you thought you have written your plans perfectly, you are probably wrong – it is almost impossible to write a plan with no errors right at the beginning. This is why exercising is a mandatory part of BCMS – you have to test your plans in a situation that more or less resembles a real disruption. Only then will you find out what you planned well, and what you didn’t.

11. Maintaining and reviewing the BCMS

Another way to keep your BCMS up-to-date is by defining the intervals at which you will review your business continuity plans, but also other arrangements (e.g. contracts with suppliers and outsourcing partners, training and awareness etc.). There are all sorts of changes in the environment that are threatening your documentation to become obsolete – it is enough for an employee to leave the company to have an unusable telephone number in a plan if that person had a role in the BCMS.

It is also mandatory to perform post-incident review if an incident really occurred – the purpose is to find out how the organization really reacted – did it follow the plans or not.

12. Internal audit

The purpose of internal audit is to find out if there is something wrong, in an objective manner – the internal auditor should be a person who can find out if something is done wrong within your BCMS in order to correct it. If done properly, internal audit could be one of the best ways to improve your BCMS. (Read Dilemmas with ISO 27001 & BS 25999-2 internal auditors)

13. Management review

As said before, it is very important to get your management involved in the project – management review is designed exactly for that. The standard requires the management to examine all the relevant facts about BCM and decide whether it has fulfilled its purpose. Once that is done, the management has to decide which improvements must be made.

14. Preventive and corrective actions

The best thing would be to prevent mistakes (or in terms of BS 25999, the “non-conformities”) from happening – this is what the preventive actions are used for – they are a systematic way of correcting things before a problem occurs. Similar to preventive actions, there are also corrective actions which resolve the problem that has already occurred.

Now the question is – why would you use BS 25999-2? Although it is (still) not an international standard, it is the most popular standard for business continuity worldwide – the abovementioned steps are designed by the best business continuity experts, so if you want to implement the best accepted practices for business continuity, you have to look no further.

Here you can download the diagram of BS 25999-2 implementation process showing all these steps together with the required documentation (registration required).

Have you ever heard something like “It can’t be done”, “It has no use”, or “It’s useless if a major disaster occurs”? If you implemented business continuity management, you probably did. Naturally, such an attitude would not help your project, so here are some suggestions how to handle such people.

“If a major disaster occurs, we won’t be able to do anything”

This is probably the most common one. Well, they may be right, unless you really prepared your business continuity strategy and business continuity plans taking into account all the possible scenarios – if you did that, then you can explain to them that you have prepared an alternative site which is distant enough to withstand any kind of disaster, that you’ve made a backup copy of data, that there is a replacement for any employee in the company, that you have alternative suppliers for any critical service etc.

“If a nuclear war breaks out, it won’t work”

Well, unless you are a military supplier, it wouldn’t matter, would it? Basically, in this kind of catastrophic scenarios, your business probably wouldn’t have a purpose anymore.

“It has no use”

Just pray you’ll never have to use business continuity. Even without mentioning the well-known examples like 9/11 or Hurricane Katrina, it is enough to ask – have you ever experienced a power outage? Or did your server break down? Or maybe a PC with important data on it? Have you ever heard of a building that burned down completely? It is enough to read newspaper headlines to understand that those things can happen to anyone.

“We will do this only to satisfy the auditor”

Wrong priority. If you do it properly, you’ll protect yourself, and as a consequence your auditor will be happy.

“We can’t foresee all the incidents”

This is true, at least in the beginning. But if you perform your risk assessment right, use literature and various resources, and review the assessment regularly, the chances are that in time you’ll be able to take into account all the possible risks. Once you know them, you can prepare your response.

“In case of emergency, people will start looking after their families, not after the business”

True also. Who wouldn’t call his/her family first to see if they are all right in case of an earthquake? But if you plan very carefully who can go home right after an incident occurs and who must stay and resolve the situation, and if you take care of the family of the employees that must stay (e.g. by assigning some other employees to this task), then you’ve probably solved this problem.

“People will react irrationally in crisis situations”

Definitely true. But if you train your employees (and suppliers/partners) regularly, and if you exercise your business continuity plans, they will get used to stressful situations, and will probably respond in the right way if such situations occurs.

If you already implemented similar projects, you know how awareness is important – if your co-workers do not recognize the purpose of such projects, you will experience great difficulties with implementation. Not to mention that your project might altogether fail – this is why you need to consider awareness raising in advance.

You can also check out our webinar BS 25999-2 Foundations Part 2: Business Continuity Strategy which explains how to prepare for different disruption scenarios (commercially sold training).