Dyson College of Arts and Sciences
Issue link: http://dysoncollege.uberflip.com/i/128987
version is due sometime in early 2013, it is still not available in February. Eventually, this version of the BCM ISO standard will allow organizations to voluntarily demonstrate compliance, which will in turn support any subsequent BC certifications. An ISO standard carries weight because a sufficient number of organizations and individuals participated in writing, testing, and validating it. Companies that neglect such standards (because there is no mandate to conform to them, or because there is no pressure from customers and/or partners) will sooner or later feel the consequences of their negligence.

The existing draft of ISO 22301 introduces the PDCA (plan-do-check-act) cycle in the first section and describes the scope of the plan in the second section. Then, as in most ISO standards, the third section gives the normative references and the fourth section defines the terms used. The fifth section describes an understanding of the organization, its needs, and the scope of the management system relative to the business. The next sections, six to eleven respectively, cover leadership, planning, support, operation of the BCMS, performance evaluation, and continual improvement.

Live It Day by Day?

We cannot help but notice that in the disasters of the last decade, businesses have been lost, often with no possibility of recovering them. While the availability of standards and regulations for security planning and auditing has been very useful in protecting our computing environments, we find ourselves helpless when it comes to planning for business continuity and disaster recovery. In particular, the ISO 27000 family and the NIST 800 series have been very valuable in achieving our security objectives. Unfortunately, when it comes to business continuity and disaster recovery, we remain very vulnerable to natural and/or man-made catastrophes and undesired incidents.
No organization nowadays is immune from business disruptions. These disruptions may be caused by internet-based attacks, natural disasters, man-made incidents, or technological failures. Financial losses and social consequences may be unbearable. Only those organizations that have implemented adequate safeguards to deter the agents producing the business disruptions, detect them, prevent them, and correct their effects have a chance to survive those business disruptions (CNET News, 2004; Software Engineering Institute, 2012; Continuity Forum; Computer Security Institute, 2007; Resilience, 2011).

A business can be disrupted in many different ways. Depending on the criticality of the business components that have been hit, the losses can be of any size. While some business components fully recover, others may be only partially recovered or may be lost for good. Also, while some corrective and recovery activities can be easy, quick, and inexpensive, other such activities can be very difficult, slow, and very costly.

It is difficult to accurately determine business losses following a business disruption. In order to estimate the effects of disruption events on business assets, you have to know a lot more than the specifications of the affected business assets. Business losses are not only financial, but also social, technical, operational, ethical, and legal. You need to be very familiar with the organization's strategic plan, business mission and vision, and strategic objectives and values.

The literature provides many taxonomies (Continuity Forum; Resilience, 2011) that organize the disruptive agents into classes in terms of a variety of discrimination parameters. In this article, we present a simple taxonomy of business disruptive agents