What is a Business Continuity Plan?

Every business is subject to an outage, this crisis could be due to outages resulting in site, people, ICT, and suppliers (not exhaustive). Having a Business Continuity Plan (BCP) ensures that a business can respond and recover within an agreed period using a structured and tested plan.

What is the difference between BCP and BCMS?

BCPs are one or more plans, BCMS is a governance framework that ensures BCPs are aligned to business objectives and are updated, tested and continually improved, even if there has been no incident.

ISO 22301 is the standard for Business Continuity Management System. Business entities across the world use it as a reference for implementing and improving their BCMS.

How does an organization implement ISO 22301?

Using a step-by-step approach that involves:Creating a BCMS forum Identifying mission-critical activities Gap analysis on current capabilities of response and restoration Documenting and developing plans for restoration in 2 or more layers Testing those plans

How often should a Business Continuity Plan be updated?

Business Continuity Plans as and when a business or the threat scenario changes. change in business dynamics, which can include changes in business model, legal and regulatory environment, recent cyber security incidents changes in the organization structure, new technology being developed or being introduced if nothing changes, we recommend at least an annual table top exercise should be conducted by all stakeholders coming together for one hour and discussing all scenarios.

What is the difference between business continuity plan testing and cyber security incident response?

Both cyber security incident response and BCP testing aim to address the common issue, i.e. will this plan work during a crisis? On the scoping side, BCP is more holistic involving business goals and business objectives, whereas cyber security is more IT/ICT centric. However, if your business is Technical services dependent entirely on automation, there may not be many differences between the two.

Why MTPOD is such a critical number for BCP design?

MTPOD helps in designing recovery time objective (RTO) - which is used for designing the Business continuity plan, even if minimum services are delivered.

What is the benefit of ISO 22301 certification?

It is an endorsement of a successful BCMS program by an accredited certification body that independently verified that all the iso 22301 requirements have been achieved. For most organizations, certification is a marketing tool and adds to their brand image and reputation.

How assured an organization be about their BCP once they are iso 22301 certified?

ISO 22301 implementation and certification is a governance framework, which needs to be updated and regularly tested. In terms of percentage, it could be close to 99%, which means if all elements of the BCMS have been addressed then the chances of failure (in this case not being able to restore) is less than 1%. 1% is the element of complete surprise.

BCMS ISO 22301 Consultant, Business Continuity Consultant, BCP DR Consultant, ISO 22301 Certification Consultant

Overview

We assist clients in implementing their Business Continuity Management System (BCMS) leading to successful ISO 22301 certification.
The journey involves Coral ISO 22301 certification consultants taking a client through a 6-phase plan that includes understanding the client's business, their products and services, continuity objectives, business impact analysis, risk assessments, documentation of individual plans for restoration and recovery, testing, measurement and audit.
With 20 years of ISO 22301 business continuity practice, our methodology has been successfully implemented in businesses of all sizes and sectors, across the globe. Whether your business is 24-7, and cannot tolerate even a single minute of an outage, or a startup in AI-ML-Data Science, SAAS, PAAS, IAAS provider, product developer or customer, or brick-and-mortar local or global business, we have implemented BCMS in fairly all industry sectors.
We consider that your business continuity maturity is as good as it has been tested, so we focus a lot of emphasis on ensuring that our clients have tested their documented plans in multiple ways.
Contact us today to get started

Start your Business Continuity Implementation Journey Now!

BCMS – ISO 22301 Consulting Engagement Phases

Here is a brief overview of al the phases involved in implementing Business Continuity Management System (BCMS) – ISO 22301 certification.

Phase I - Understanding Business, and Products and Services

Every client is unique with its business model, products and services, customers and business and continuity objectives.
Identifying mission-critical services that are revenue-generating is the primary goal of this phase.
The BCMS-ISO 22301 implementation journey starts with this phase as it provides them to define prioritization of what is truly critical.
This is where values like maximum tolerable period of disruption (MTPD), and recovery time objective (RTO) at the enterprise level are defined.

Phase II - Business Impact Analysis and Risk Assessment

Based upon the outcome of phase 1, a more detailed functional level Business impact analysis (BIA), and Risk Assessment (RA) is performed.
Business Impact Analysis results in determining how fast (or slow) a team needs to be recovered
Risk Assessment is the art and science of assessing current capacity, capability and readiness to achieve the objective within the agreed MTPOD/RTO.
How comprehensive is the BIA and risk assessment? We perform a 4-phase outage scenario that applies to determine the degree of recovery capability that results in providing a client with an unparalleled perspective of their continuity readiness.
This is where business continuity risks are identified, which need to be treated.

Phase III - Continuity Planning and Documentation

Based on the outputs of the previous two phases and the mandatory requirements of ISO 22301, detailed documentation is designed, discussed and deliberated with management and functional representatives.
Depending upon the organization, the planning could cover both ‘known events’ and unknown ‘black swan’ events.
Every team in the scope undergoes documentation on business impact analysis, Maximum tolerable period of disruption (MTPD), RTO and RPO determination, business continuity risk assessment, individual plans related to four strategic outage scenarios, and testing methodology.

Phase IV - BCP Testing

The business continuity plan is as good as it has been tested. With this approach in mind, our iso 22301 consultants will hand-hold clients to perform testing of their documented plans to the optimum level.
This involves management, functional, operational and recovery and response teams.
Plans are evaluated against RTO to determine the success or failure of the test, and loopholes identified are addressed as part of the overall BCMS risk and governance program.

Phase V - Internal Audit and Management Review

In this phase, Coral ISO 22301 Certification consultants will audit the effectiveness of the implemented processes
This includes team-wise and system-wise BIA, RA, documented plans, and testing of plans.
A formal report is published for review by the management.
We facilitate reviews with the management to ensure that the initial business continuity/ISO 22301 requirement objectives and goals are achieved.

Summary

At this stage:

As a result of undergoing these phases, Coral has implemented for a client an operational ISO 22301 Business continuity management system (BCMS) that includes people, processes, technology and ongoing measurements.
Every team in scope has visibility of their documented plans, that has been tested.
At this stage, the organization is ready to invite external iso 22301 certification body to certify them for ISO 27001 certification

Phase VI - External Certification Support

Chosen external certification body audit performs ISO 22301 certification in two phases:

Stage 1 – Documentation Review, and
Stage 2 - Implementation Verification

With the two phases completed, the certification body issues an ISO 22301 certificate.
Finally, upon receiving their ISO 22301 certificates, the clients are officially ISO 22301 certified.

Questions?

Seek a one to one session with our Principal Consultant, who will answer your questions to get started.

We support you in all phases to help you achieve ISO 22301 certification. Upon successful completion an ISO 22301 certificate is issued which has a validity of 3 years subject to annual surveillance.

Start your Business Continuity Implementation Journey Now!

Business Continuity Management System (BCMS) - ISO 22301 - Frequently Asked Questions

What is a Business Continuity Plan?

Every business is subject to an outage, this crisis could be due to outages resulting in site, people, ICT, and suppliers (not exhaustive). Having a Business Continuity Plan (BCP) ensures that a business can respond and recover within an agreed period using a structured and tested plan
What is the difference between BCP and BCMS?

BCPs are one or more plans, BCMS is a governance framework that ensures BCPs are aligned to business objectives and are updated, tested and continually improved, even if there has been no incident.
What is ISO 22301?

ISO 22301 is the standard for Business Continuity Management System. Business entities across the world use it as a reference for implementing and improving their BCMS.
How does an organization implement ISO 22301?
Using a step-by-step approach that involves:
- Creating a BCMS forum
- Identifying mission-critical activities
- Gap analysis on current capabilities of response and restoration
- Documenting and developing plans for restoration in 2 or more layers
- Testing those plans
How often should a Business Continuity Plan be updated?
Business Continuity Plans as and when a business or the threat scenario changes.
- change in business dynamics, which can include changes in business model, legal and regulatory environment, recent cyber security incidents
- changes in the organization structure, new technology being developed or being introduced
- if nothing changes, we recommend at least an annual table top exercise should be conducted by all stakeholders coming together for one hour and discussing all scenarios.
What is the difference between business continuity plan testing and cyber security incident response?

Both cyber security incident response and BCP testing aim to address the common issue, i.e. will this plan work during a crisis? On the scoping side, BCP is more holistic involving business goals and business objectives, whereas cyber security is more IT/ICT centric. However, if your business is Technical services dependent entirely on automation, there may not be many differences between the two.
Why MTPOD is such a critical number for BCP design?

MTPOD helps in designing recovery time objective (RTO) - which is used for designing the Business continuity plan, even if minimum services are delivered.
What is the benefit of ISO 22301 certification?

It is an endorsement of a successful BCMS program by an accredited certification body that independently verified that all the iso 22301 requirements have been achieved. For most organizations, certification is a marketing tool and adds to their brand image and reputation.
How assured an organization be about their BCP once they are iso 22301 certified?

ISO 22301 implementation and certification is a governance framework, which needs to be updated and regularly tested. In terms of percentage, it could be close to 99%, which means if all elements of the BCMS have been addressed then the chances of failure (in this case not being able to restore) is less than 1%. 1% is the element of complete surprise.