ASIS International and BSI released a joint American National Standard, Business Continuity Management Systems: Requirements with Guidance for Use (ANSI/ASIS/BSI BCM.1-2010).
If you follow the business continuity standards scene, you know that some of the best standards in play come from Australia and New Zealand. In keeping with that tradition, Standards Australia recently released a draft version of its three-part Australian and New Zealand Standards for Business Continuity Management.
The following is a sequence of emails between the editor and Ian Clark, FBCI, a consultant and former board member of the Business Continuity Institute based in New Zealand. The discussion centers around the joint ASIS/BSI effort to develop a new U.S. standard for business continuity.
It’s now tomorrow in this part of the world and I can assure you that you’ll still be waiting for anything from ASIS regarding the BCM standard.
Since the teleconference call we, who have a global presence that extends beyond Maine to Malibu have heard absolutely nothing, zip, zero, nada, diddly squat.
Either we have to burn the carbon miles to attend in person otherwise we are just regarded as a rubber stamping exercise because we’ve been fed so little information that interest has waned.
Global means global. The key discipline in BCM is always going to be communication and that’s one thing that is sorely lacking from the ASIS head shed!
I see that there has been a release from them of an Organizational Resilience standard – funny document as it appears very similar to the ISO PAS 22399 … Hmmm?
(To view the new ASIS resilience standard, please click here. -Ed)
The joint ASIS/BSI standard effort has moved very slowly to date. Certainly there are good intentions. Among the problems is that there are too many consultants in the mix, each with his/her opinions about how things should be regarding BCM. The working group leadership has had difficulties keeping the consultants in line. Hence, very little has been accomplished. For example, the last conference call (20 March) was scheduled for 90 minutes. The only thing that was accomplished in that time was to agree that another conference call was needed!
Personally, I’d sooner see ASIS and BSI drop the whole thing, but there’s the issue of whose standard replaces NFPA 1600, which itself is being updated for a 2010 release. It’s odd that the BSI, which heavily promotes BS 25999 in this country, is also keen to partner with ASIS to build yet another standard. (And ASIS recently unveiled a new resilience standard that can be used in BCM.) There’s also the issue of private sector preparedness and the government’s (FEMA in particular) desire to create a certification process for BCM in the states. Based on the two open meetings to date, FEMA is no closer to launching a BC certification process than it was a year or two ago.
I believe the ASIS/BSI effort will soldier on for a few more months, with an outcome (whatever that may be) probably in the fall of 2009. Unless the existing working group can focus on the task at hand, and not try to encourage individual visions of BCM, there is little likelihood we will see any results from the ASIS/BSI effort.
A view from the “Far side of the World” would indicate that:
BSI got involved to protect its investment in BS25999 and BS25777 as it does provide a practical framework for BCM and IT/SCM. It also would indicate that the philosophy behind BCM was not subverted by the US viewpoint that business continuity management is merely IT disaster recovery on steroids – a view that I expressed in Continuity Central some time ago. One item of feedback showed the arrogance and ignorance prevalent in the U.S. when the respondent indicated that an IT Services Company only needed to focus on IT/DR as a Business Continuity strategy – such twaddle!
Too many consultants! A view that I have is that some are really worth their weight in gold to companies when they focus on the business issues, not the minutiae of detail as to how the exercise is conducted (like scenario-based planning versus business-needs planning and scenario-based exercising). Some are really pushing the structure of the word consultant: “Con” as in artist and “Sultant” as in insulting the intelligence of the organization.
I agree that BS25999-2 is a bit thin on detail as to how to conduct or rate an organization’s BCM program. However, my view is that this is essential as it relies upon the honesty and integrity of the assessor or lead auditor to interpret what is offered for certification is a practical approach to fit the organization’s business needs, aspirations and growth. Certification auditing demands a high degree of interpretative skill, professional integrity, business acumen and knowledge of the business sector where the organization operates. Use BS25999-2 as a framework, not a “Noddy guide to a tick in the box” exercise. If certification was that simple everyone would be on the bandwagon and it would seriously detract from the value of having certification.
Have any of the detractors of BS25999-2 ever attempted a certification audit for ISO9000 or ISO 27001? If they had they’d not be whining so loudly and get back in their “ConSultant” box. I’m really going through the hoops at present to try and get certification as a lead auditor. Since (the BCI Symposium in) Amsterdam I’ve had so much correspondence asking how, when, where, etc. to gain this certification. The BSI states the following in the lead auditor qualification:
Who Should Attend?
· Existing lead auditors in other schemes
· Business continuity professionals (BCI, DRII)
· Business Continuity Managers
· IT Managers
· Information Security Professionals
· Internal and external auditors responsible for auditing business continuity practices
I think I do fit the criteria – but the nearest course is in India! It will be cheaper for me to travel to the U.K. and do the course there as BSI Management Systems in Australia just doesn’t have a clue, yet they are trying to promote 25999 in the Australasia region.
Biggest problem with BCM: there are far too many risk management folks protecting their patch and reinventing themselves with business or organizational RESILIENCE tags! What is not realized is that people like myself and my peers have been using the “resilience” tag for years – even before the PAS56 days! In the U.S. there are far too many people who love the ambiguity of NFPA1600. And there are those IT security people who think that BCM is worthy of a section in ISO27001; then BCM belongs to the information security folks. You’ve only got to look as the CISSP viewpoint to understand why this misinformation proliferates! Have these people ever bothered to READ the standard where it states categorically that IT security management is a supporting function of an organization’s BCM? With the advent of BS25777 they will find themselves further down the responsibility chain in supporting the ICT Service Continuity Management function which in turn supports the organization’s BCM function.
I think it would be more accurate stating that snails on steroids move faster.
Seems like the working group is infested with too many people with vested interests and a narrow viewpoint that they alone have the right way for BCM when in fact they’re mostly mired in the IT world rather than the real world.
Such a group needs more ‘BIG PICTURE” thinkers who can see the whole depth and breadth of what BUSINESS needs. It needs ideas and practical recommendations, not more hardware and software!
Question: How many ICT projects deliver business benefits versus enhanced CVs for the development team?
One question that I’ve successfully used at project risk meetings: What will be the business impact should this project succeed in delivering what it is designed to do? To date this has generated more debate than reams of backout plans and contingency plans prior to implementation. Perhaps I am putting a different viewpoint on the age old statement: 90% of IT projects kicked off are doomed to fail.
In such constrained economic times we cannot bask in the above attitude. If you’re going to fail – fail gloriously!
Perhaps a short discussion among fellow practitioners and peers to formulate a job description for a Business Continuity Manager would prove interesting.
Tuesday’s (4/7/09) meeting of the ASIS/BSI U.S. standard working committee resulted in the decision to organize a small editorial team to review all the proposed revisions and compile them into an updated working standard document. The editorial team has not yet been selected, but should be announced soon.
Having participated in this effort from its beginning, one wonders if the standard being contemplated here will ever appear. The only way forward may be to build a suitable working document with a small group of people, rather than a larger group with many conflicting interests. Otherwise it may be that the effort, however noble, dies a natural death and those of us in the profession can return to meaningful work. Either that, or trying to find a job!
ASIS International has released its second American National Standard: ASIS SPC.1-2009: Organizational Resilience: Security, Preparedness and Continuity Management Systems — Requirements with Guidance for Use. According to the organization the new standard “provides a comprehensive management framework to anticipate, prevent if possible, and prepare for and respond to a disruptive incident.”
Ten competencies or six for business continuity? Depending on whose materials you’re reading, either can be correct. The Business Continuity Institute recently published a new document which provides more detail on its six certification standards for professional practitioners.
The Business Continuity Institute recently announced the release of an updated version of its business continuity Good Practice Guidelines. Designated as GPG2008-2, the latest version of the GPG is considered an interim update. The BCI plans to publish a completely rewritten version in 2010.
As part of its on-going cooperation with the National Fire Protection Association (NFPA), DRI International is currently requesting that business continuity professionals holding DRI certification submit comments on the 2010 edition of NFPA 1600. The comment period closes March 6, 2009.
Tags: Business Continuity, Business continuity standards, Disaster Recovery, Disaster Recovery Institute International DRII, emergency management, National Fire Protection Association, NFPA, NFPA 1600
The Business Continuity Institute recently released a new document which provides additional detail on its six certification standards for professional practitioners.
“Development of the 2010 edition of NFPA 1600, “Standard on Disaster/Emergency Management and Business Continuity Programs” is well underway with an expected publication date of April 2010. NFPA’s Technical Committee on Emergency Management and Business Continuity completed work on the initial draft of the 2010 edition at its August, 2008 meeting.
The new draft version of National Fire Protection Association NFPA 1600:2010 is available for review and comment.
This is the first edition of CSA Z1600 and is available for purchase from IT Governance. This new (Autumn 2008) Canadian standard outlines the requirements for a comprehensive emergency management and business continuity program.