Friday, 24 October 2014
Business continuity and information security – a good fit?
As you can see this is a very loaded question from the senior management who are typically fed up with too many rules, regulations and standards trying to govern their lives. Also, whilst they want to adhere to all applicable regulations and standards they want some optimisation of their costs in implementation.
My typical answer to this is as follows: "If your emphasis is on service management please combine ISO 9001:2008 and ISO 20000:2011. In fact implement only one standard and ignore the other. If your emphasis is on information security and business continuity please combine ISO 27001:2013 (ISMS) and ISO 22301:2012 (BCMS) implementation."
From a historical perspective, both ISO 27001 and ISO 22301 emerged from British Standards and share a common past. Leaving that aside, information security, as the pundits drum into us, is all about the confidentiality, integrity and availability of information. Business continuity, on the other hand, is about availability (of information or of the business) in case of a disaster. In companies where information is the business, these two standards merge quite well.
All this, however, has to start with the scope of the ISMS/BCMS. What is the context of the organisation that is planning to implement the BCMS/ISMS, and does the context match in both cases? If the context matches we have a winner and we can choose to implement both management systems together with a common project plan/team. Typically, BCMS and ISMS (at least in mature organisations) come under the 'Risk Department' organisationally. If this is not the case, it would be worthwhile to make organisational changes before commencing implementation of the BCMS/ISMS.
In my address at the BCI World Conference and Exhibition, I will be looking at this from a practical perspective to explain how we can implement BCMS and ISMS together along with common features of both the standards.
So …happy interactions!
Ramesh Ramani will be discussing 'Business continuity and information security – a good fit?' on day one of the BCI World Conference and Exhibition on Wednesday 5th November. You will find him in seminar room 3 starting at 9.20.