Cyber-attacks have topped the list of biggest threats to business for the second year in a row, followed closely by data threats and an unexpected IT/telecoms outage – according to the fifth annual Horizon Scan Report published by the Business Continuity Institute (BCI) in association with BSI (British Standards Institution). As these threats, coupled with a challenging and ever-changing business environment plague the worried minds of MDs and IT practitioners, it seems only feasible that companies would act quickly to prepare themselves for a disruption. But despite alarm bells, many companies are still uncertain about adopting a business continuity plan, sceptical about how it could make them any more resilient than usual. Studies suggest that 75% of companies without business continuity plans fail within three years after facing a disaster. Companies can no longer afford to ignore the need to protect their business with adequate and proactive backup plans. The world is evolving and as it becomes more digital, acts of terrorism are nowadays manifested in ransomware, malware, phishing and online fraud. Organisations need to understand that they too are vulnerable and increasingly susceptible to these threats. Organisations are not at liberty to take risks and wait for an incident to occur; they must invest in a business continuity plan to safeguard their future. According to the BCI Horizon Scan Report, 51% of businesses that are taking precautions to improve their chance of survival in the event of a major disruption rely on the adoption of ISO 22301 – the internationally recognised standard for business continuity. ISO 22301 specifies requirements to plan, establish, implement and monitor a Business Continuity Management System (BCMS). A BCMS is a holistic management process that provides a framework for building resilience to respond to threats. It adopts a more proactive approach than the basic reactive measures of a risk management strategy by understanding the culture of the company and identifying its weaknesses to pre-empt any open windows to disruption. ISO 22301 helps companies define their key business processes and the disruption that could result from any threats. It provides a comprehensive set of controls based on BCMS best practice, which covers the whole BCMS lifecycle. It defines the strategic and tactical capability of an organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level. The ISO 22301 process begins with a risk assessment (RA) where key business methods, systems, services and people are examined to identify external and internal threats. This phase is then followed by a Business Impact Analysis (BIA) which analyses the effect of interruptions to business operations. Together these processes improve the understanding of potential business disasters and how to develop contingency plans to combat them. Along with the broad adoption of ISO 22301, the BCI Horizon Scan Report revealed that standards exert increasing influence over resilience practice and help to provide supplier and customer assurance. ISO 22301 enhances a company’s reputation and gives them advantage over less resilient competitors. It also demonstrates due diligence and resilience to stakeholders and can improve a company’s risk profile, resulting in reduced insurance premiums. Most importantly, ISO 22301 is integral to safeguarding an organisation’s assets no matter what obstacles are thrown their way. The 2015 Business Continuity Trends & Challenges Survey conducted by Continuity Central found that the two biggest challenges holding back business continuity developments within companies are a lack of budget, funds and resources (35.6%) and the lack of commitment, buy-in and support from top management (16.4%). It is crucial for companies to consider the ramifications of going without a business continuity plan. The positive implications of adopting a BCMS significantly outweigh the perceived negative implications to do with associated costs, time and resources. Due to the nature of this information age and the ever-increasing threat of cybercrime it is now more important than ever for companies to devise business continuity plans to prepare for, respond to and mitigate the risks of major disruptions.
About the Author Ray Woodford is ISO 27001 Lead Auditor at SGS. He has a wealth of experience gathered from a vast range of roles carried out during 36 years in the IT business. Ray joined the SSC Team at SGS in 2012 and is the UK Product Manager for ISO 27001, ISO 22301 and ISO 20000. For the past three years with SGS Ray has been Lead Auditor for some of SGS’s major clients covering ISO 27001, C&CCC (Standard 55) and Adisa audits as well as carrying out an ISO 27001 Technical Review role for the past 18 months. Prior to joining SGS, Ray carried out a wide range of roles for Serco, Birmingham City Council and West Midlands County Council including ISO 27001 and ISO 9001 system implementation, Project Management, Bid Management, Due Diligence, Customer Service Management (Nottingham City and Lincolnshire County Council), Service Improvement Analysis, Quality and Information Security Consultancy, Incident Management, Risk Management and auditing ISO standards in the UK, Europe and Asia.