"These are my standards. If you don't like them, I have others."
This paraphrase of a Marxist pronouncement (Groucho, of course) seems to apply to business continuity management (BCM). It would be excellent to have a unified, consistent approach to the business continuity discipline, but what we have instead is a plethora of overlapping and somewhat contradictory statements, standards, guidelines and methodologies all purporting to be the One True Path to Enlightenment (or, at least, to recoverability). To wit, there are the following:
- The International Organization for Standardization's (ISO) 27001/2 Information technology -- Security techniques -- Code of practice for information security management: The de facto Bible of information security, which includes a chapter on business continuity management.
- The British Standards Institution's (BSI) BS 25999: A self-professed standard, written at a high level and rather vaguely. It is a code of practice and a set of specifications for certification, similar to ISO 27001/2.
- The Business Continuity Institute's (BCI) Good Practice Guidelines: A lengthy explication on six principles of good practice, aligned with the steps of developing a plan. BCI intends to align it with BS 25999 in 2010.
- The Disaster Recovery Institute International's Professional Practices for Business Continuity Planners: More of an outline of best practices than a standard, but since it is used for certification it takes on the weight of one.
- The American National Standard Institute's Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use. This one purports to align with ISO 27001/2 and other ISO standards but in fact looks very much like BS 25999. It should not be confused with the previous national standard based on NFPA 1600, which is very much like the Canadian CSA Z1600 … aw, heck, it's too confusing to explain.
Questions unasked and unanswered
It is therefore reasonable to ask whether, with so many standards to choose among, are business continuity management standards necessary at all? This is difficult to answer directly because behind the smoke screen of conflicting standards there are some very real questions left unanswered (or the answers are just assumed).
For example, is BCM a subset of industrial security or information security, or is it a discipline that stands on its own? Does a standard apply to a concept -- the continuity of business operations -- or to a particular activity, i.e., the creation and maintenance of business continuity plans? What is the relevance of BCM to other disciplines such as the aforementioned security but also to IT, strategic planning and risk management?
And then there is the big question, unasked, unanswered and unanswerable: If a business continuity plan is developed in compliance with any and all standards, will it work when it is needed? As much as one would like to believe that the answer is yes, the positive cannot be proven. The fact that a plan enables an organization to recover from Disaster 1 does not necessarily mean that it will recover from Catastrophe 2. And if the answer to the big question is no, then what is the value of any standard in the first place? The fact is, no one can demonstrate that a plan that adheres to the various standards is any likelier to succeed than one that does not.
What do standards do?
But is that the true test of a standard? We need to consider why standards are created at all. ISO's website says that "Standards ensure desirable characteristics of products and services such as quality, environmental friendliness, safety, reliability, efficiency and interchangeability -- and at an economical cost." Do BCM standards foster these attributes (leaving aside environmental friendliness)? As argued above, they do not do so directly, but it does seem that the BCM standards, taken together, do achieve most of these goals.
The standards all, to a greater or lesser degree, say the same things: understand the organization's needs; develop a strategy that meets those needs; document the strategy in actionable plans; implement, train, test and maintain the plans. Thus, it is the processes of creation of governance, and not the resulting plans, that are the subject of the standards. It is not that the plans are standardized and therefore better plans. Rather, business continuity plans developed in a standard manner are more likely to have higher quality, reliability and the rest of ISO's attributes because they take into account the successes -- and the failures -- of those who have developed such plans in the past.
Business continuity management standards and certification
The greatest benefit of BCM standards is that they serve as a point of reference. The fortunes of many organizations are linked to those of their product and service providers as well as to those of their customers. In this network of interlocked interests, the failure of one has repercussions for many. Thus, following standard practice and being certified as doing so may be a part of the glue that will hold an extended enterprise together. Global opinion is converging on BS 25999 as the primary BCM standard, not least because BSI offers independent certification of compliance with it.
Thus, an organization can develop a business continuity plan and a governance structure to maintain and improve over time, following or not following any standard as it pleases. Business partners wanting assurance that an organization's recovery plans are likely, not guaranteed, to work in an emergency can gain such assurance only by an audit process. This sort of an audit may be performed directly, but there are constraints on the number of vendors that any one organization can audit, to say nothing of the vendors' reluctance to have all their customers at their doors demanding to come in and inspect the joint. Certified compliance with a standard accomplishes the audit for the company. The certifying organization acts as a stand-in for all those seeking assurance and does so by measuring the audited organization's process, which by implication should provide a measure of certainty about the company's recoverability.
Now, "a measure of certainty" is hardly complete assurance, but it may be the best that all involved are ever going to get. If it reduces friction among business partners, raises the level of resilience across enterprises and fosters commerce, then it is not such a bad thing. Quite a good one, in fact.
To return to the question of the necessity of BCM standards, it seems then that the standards, by themselves, are not necessary and may not even be useful. But demonstrated compliance with a standard is extremely useful, and a globally recognized standard used for consistent measurement is necessary to that end.
Steven Ross, MBCP, CISSP, CISA, is founder and principle at Risk Masters Inc. Let us know what you think about the story; email firstname.lastname@example.org.