Dyson College of Arts and Sciences

Summit on Resilience: Securing our future through public-private partnerships

Issue link: http://dysoncollege.uberflip.com/i/128987

Even though national business continuity standards have been available for testing and adoption for some time, a standard approach to business continuity has been awaited for many years. We are still expecting standard ISO 22301, which will provide the needed specifications to develop business continuity and disaster recovery plans (IDG Connect). ISO 22302 is expected to be available for publication in late 2011 or early in 2012. In the meantime, we propose a comprehensive business continuity and disaster recovery planning methodology that organizations can adapt to plan and manage business continuity.

Publicly Available Specification 56 (PAS 56) was the first known process adopted in the United Kingdom in 2003, leading to a standard for business continuity planning. It consisted of a set of guidelines recommended by the information technology (IT) and business expert community as best practices for the improvement of business continuity management. The Basel II Accord and the pressing United Kingdom regulations increase the pressure on the business community to produce an acceptable business continuity standard. The power of business and its flexible capabilities seem to be too distant and dispersed among suppliers, partners, and other nodes in the supply chain. This dispersion of resources can make it difficult for those resources to regroup and synchronize, so that the resilience required for business continuity is lost. PAS 56 was intended to 1) provide clear definitions for the processes, principles, and terminology needed in business continuity management, 2) introduce a generic framework for incident detection and response, and 3) specify and document useful business continuity evaluation techniques.
While PAS 56 relied on corporate governance, management support and responsibilities, and accountability, the guidelines are meant for business and IT experts in charge of defining, developing, implementing, and maintaining the business continuity management plan. Of course, as with any new set of guidelines, PAS 56 had deficiencies. The British Standards Institute (BSI) needed to test and retest the guidelines for validity and completeness. Major problems with PAS 56 related to imposing routine live tests in which incidents are created and the disaster recovery and business continuity operations are evaluated. These live testing activities may be counterproductive for large companies, for which great business losses may be realized. The BSI organized a national committee on risk management for which business continuity was a subcommittee. PAS 56 led to the BS 25999 standard for business continuity management. The BSI partnered with the Business Continuity Institute (BCI) and invited others to participate in developing the new guide for business continuity. This standard has now replaced the previous PAS 56. BS 25999 consists of two parts: 1) BS 25999-1: Code of Practice, based heavily on the PAS 56 literature; and 2) BS 25999-2: Specification, which describes the business continuity management specifications against which certification may be sought. Following BS 25999, the time has come to internationalize the British standard by turning it into an ISO standard of business continuity. The new name given to BS 25999 is ISO 22301, and it is entitled "Societal Security—Preparedness and Continuity Management Systems—Requirements." It was intended to specify the requirements for setting up and managing an effective Business Continuity Management System (BCMS). Even though this new BCM standard is currently only available as a draft and the final
