Thursday 30 October 2014

Becoming certified to ISO22301 - what NOT to do! (Why auditors get grumpy!)

Tip number 1: The lack of a regular supply of good quality biscuits is the first non-conformity!

Looking forward to my presentation at 13:10hrs on November 6th in seminar room 2 of the free exhibition part of this year’s BCI World Conference and Exhibition. I realise that there are many BC practitioners who, although practiced in the creation and maintenance of a Business Continuity Management System (BCMS), have yet to seek certification to a standard. Additionally, I recognise that others may have only assisted in achieving certification, and that even those who are certified constantly struggle with a stream of nonconformities found by external auditors which, if left unresolved, threaten the organisation’s certification.

During the past three years I have been working as an externally contracted assessor and ‘Technical Specialist’ with one of the top assessment organisations in the world who, via audit, assess companies for the suitability of their BCMS for certification to initially the BS25999:2006 standard and subsequently its replacement ISO22301:2012. Over this time I have been fortunate to audit the BCMS of around 100 companies by pre-assessments, Stage 1, Stage 2 and Continuous Assessment Visits (CAVs).

Fellow practitioners sometimes ask me if I get bored with assessing to the same standard day after day. Fortunately this is not a problem: although the standard is the same, no BCMS is alike, and understanding the multiple ways of constructing a BCMS compliant with the standard has been fascinating and provides me with continuous opportunities for my own personal development, sometimes by observing good practice but unfortunately all too often from seeing practices which fail to meet the basic requirements.

I should make it clear, and possibly surprising for those who know me, that I am a big supporter of the 22301 standard. Now it is by no means the perfect standard, if indeed that could ever be achieved. However, I am someone who began in this business when training courses, good practice guides and the words “Business Continuity Management System” were things of the future and, to be frank, “making it up as we went along” was the name of the game. As a result it is in my view great to have a common structure around which to create a Business Continuity Management System. Now of course we need to improve it.

So what will I be presenting? Will it be the secret formula which all Business Continuity practitioners seek to create the perfect BCMS? Will it be the best way to smooth the ego of your auditor to the point where they are purring over your perfect creation? Only one way to find out, be there, oh and bring a biscuit or two.

Colin Ive has been a Member of the Business Continuity Institute since 2001 and is a qualified Lead Auditor for ISO9001, ISO22301 & ISO28000. He is a regular presenter at European & USA Business Continuity and Business Resilience Conferences and a contributing author to both the ‘BCI Good Practice Guide for Business Continuity Planning’ and the acclaimed ‘Business Continuity for Dummies’, in addition to numerous articles.

Colin will be discussing ISO22301 further on day two of the BCI World Conference and Exhibition on Thursday 6th November. You will find him in seminar room 2 starting at 13.10.
