Any organization is exposed to incidents that can halt its activity and obstruct business continuity. Hence the need to establish plans with response actions that make it possible to control these events and their effects, through a Business Continuity Plan or Business Continuity Management System (BCMS).
How can a Business Continuity Management System implementation help our company?
Having a Business Continuity Management System in place gives the organization the ability to survive events that may have a negative impact and jeopardize the continuity of our activity: pandemics, cyberattacks, fires, earthquakes, floods, etc.
How can we develop a Business Continuity Management System?
A common framework for implementing and maintaining a Business Continuity Management System is the ISO 22301 standard, developed and published by the International Organization for Standardization (ISO). The main steps or phases of implementation are:
- 1. Determine the scope: identify the organization’s business processes that we want to be covered by the BCMS.
- 2. Carry out a Business Impact Analysis (BIA) of each process in scope to determine its criticality. The BIA covers the following aspects:
  - Criticality determination: studying the different types of impact (operational, financial, legal, reputational, etc.) that an interruption of the business process would have as time passes;
  - the time and resource requirements for continuing the activity and returning to normality: human resources, infrastructure, suppliers, services, machinery, technologies used, recovery times, maximum tolerable downtime, minimum service recovery levels, etc.
- 3. Carry out a Risk Analysis, consisting of:
  - determining the potential threats to which the organization’s assets are exposed;
  - determining the risk level of each threat by evaluating its probability of occurrence and the impact it would cause if it materialized. A high risk indicates that business continuity is a concern for that asset;
  - establishing a Risk Treatment Plan, consisting of the implementation of controls, usually preventive, that reduce the probability of threats occurring.
- 4. Based on the results of the Risk Analysis, identify possible crisis scenarios and establish the recovery strategy for each of them.
- 5. Create and document detailed response and recovery plans for the critical scenarios identified, including the steps to be taken from reporting the incident until returning to normal. The aim is to avoid the absence of decisions, or improvised decision-making, that could make the situation worse or irreversible.
- 6. Run tests and exercises of the response and recovery plans to verify that they really work and are adequate. Reports are produced that include the results obtained and the incidents that arose.
- 7. Carry out reviews and audits of our Management System to guarantee its maintenance, updating and the establishment of corrective measures. This is how we achieve its continuous improvement.
- 8. Awareness: implement measures that promote staff awareness of business continuity and knowledge of the established plans.
Finally, by implementing a Business Continuity Management System, any organization, regardless of its sector or size, can be prepared to face a security incident affecting its activities with confidence, gaining greater security and a better capacity to respond to any eventuality. At GlobalSuite Solutions we offer the help and advice needed to implement a business continuity plan and obtain its certification. In addition, our GlobalSuite® software, fully developed by our team, supports the implementation, management and maintenance of all the requirements of the ISO 22301 standard in all types of organizations and sectors.