Business Continuity Management System Consulting Services (ISO 22301)
Readiness, Implementation, Testing, Audit and Program Management

Understanding of Business

• Understand products and services, which leads to differentiating between revenue-generating and support functions.
• Impact of outage both in revenue and non-revenue terms over a period of time.
• Conduct interviews with key stakeholders to gather insights on business operations, goals,and priorities.

Scoping for Certification

• Define the scope of the certification, including which key products and services need to be in scope. Ensure alignment of the scope with business objectives, risks, and stakeholder expectations.
• Establish boundaries for certification based on resources, operations, and available support.
• The scoping decision is an important part of the decision process, as this will eventually be certified.

Business Impact Analysis (BIA)

• Identify and prioritize critical business functions and the potential impact of disruptions on them.
• Develop metrics to measure the impact of disruptions on operations, financials, and stakeholders.
• Assist clients in defining the maximum tolerable period of disruption (MTPOD), an important business metric for defining the business continuity strategy.

Risk Assessment

• Business continuity risk assessment focuses on the organization’s ability to restore after an outage situation.
• An experienced BCP ISO 22301 consultant will identify the business continuity capability risks in technology, people roles and responsibilities, and site and even supplier-level risks.
• Propose mitigation strategies to address the identified risks and reduce their impact.

Writing Plans

• An experienced BCP consultant will define organization-specific plans to address both event-wise and outage-wise plans.
• Ensure plans include communication protocols, roles, and responsibilities during disruptions.
• Ensure plans ensure recovery within documented RTO and RPO targets.

Training People

• Develop training materials and programs based on the organization’s business continuity needs.
• Conduct workshops to educate employees on their roles in business continuity and disaster recovery.
• Ensure the training is ongoing and aligned with any updates or changes to the plans.

Testing the Plans

• The ‘proof is in the pudding’. The popular phrase applies to the testing of the Business continuity plan.
• An experienced BCP ISO 22301 consultant will perform a wide range of tests to ensure the BCP is successful.
• Plans can cover tabletop exercises, simulations, crisis role play or live drills to test the effectiveness of the plans.
• Identify weaknesses or gaps in the plans based on the testing results.
• Evaluate the organization’s ability to execute business continuity strategies under real-world conditions.
• The results of the plans are often used to further improve the business continuity strategy.

Internal Audits

• An ISO 22301 certification consultant will provide an independent Internal audit report for ISO 22301 requirements and how the organization has achieved them.
• Identify non-conformities or areas for improvement and develop corrective actions.
• Ensure the organization’s business continuity management system is continuously monitored and improved.

Supporting the Certification Process

• An ISO 22301 consultant will provide guidance and documentation to support the external audit process for ISO 22301 certification.
• Coordinate with the certification body and stakeholders to facilitate the audit.
• Address any findings or recommendations from the external audit and ensure timely resolution.

Every business is subject to an outage, this crisis could be due to outages resulting in site, people, ICT, and suppliers (not exhaustive). Having a Business Continuity Plan (BCP) ensures that a business can respond and recover within an agreed period using a structured and tested plan

BCPs are one or more plans, BCMS is a governance framework that ensures BCPs are aligned to business objectives and are updated, tested and continually improved, even if there has been no incident.

ISO 22301 is the standard for Business Continuity Management System. Business entities across the world use it as a reference for implementing and improving their BCMS.

Using a step-by-step approach that involves:

• Creating a BCMS forum
• Identifying mission-critical activities
• Gap analysis on current capabilities of response and restoration
• Documenting and developing plans for restoration in 2 or more layers
• Testing those plans

Business Continuity Plans as and when a business or the threat scenario changes.

• change in business dynamics, which can include changes in business model, legal and regulatory environment, recent cyber security incidents
• changes in the organization structure, new technology being developed or being introduced
• if nothing changes, we recommend at least an annual table top exercise should be conducted by all stakeholders coming together for one hour and discussing all scenarios.

Both cyber security incident response and BCP testing aim to address the common issue, i.e. will this plan work during a crisis? On the scoping side, BCP is more holistic involving business goals and business objectives, whereas cyber security is more IT/ICT centric. However, if your business is Technical services dependent entirely on automation, there may not be many differences between the two.

MTPOD helps in designing recovery time objective (RTO) - which is used for designing the Business continuity plan, even if minimum services are delivered.

It is an endorsement of a successful BCMS program by an accredited certification body that independently verified that all the iso 22301 requirements have been achieved. For most organizations, certification is a marketing tool and adds to their brand image and reputation.

ISO 22301 implementation and certification is a governance framework, which needs to be updated and regularly tested. In terms of percentage, it could be close to 99%, which means if all elements of the BCMS have been addressed then the chances of failure (in this case not being able to restore) is less than 1%. 1% is the element of complete surprise.