If you look around for standards to follow today, you could end up finding many that, to varying degrees, cover Business Continuity Management (BCM). Some will lead you down a path that is technology specific, some will be more related to security and some will be process based, but they all contain some element of BCM. For example, there are COBIT (technology), BSI 25999 (BCM), ISO 17779 (security) and ITIL (IT Service Continuity Management).
Depending upon your organization you may choose one of these to follow to build your programs or to satisfy an executive who wants to meet a specific standard so that auditors – internal or external – can get off his back; so he can check a box on a report and say that the company follows “X” Standard. This isn’t necessarily the best way to go.
With so many standards to choose from, it can become confusing as to which parts of a standard to adapt to the organization and which aspects don’t apply at all. That’s why it is usually best to take what is appropriate from ALL standards and adapt it to your organization. If you adopt all that is good, or best (as in Best Practices), then your organization will have a stronger, more robust program that meets the corporate objectives of the program and the executive sponsor.
When we make cakes or follow a recipe, often we amend some of the ingredients slightly to match our own tastes. So we’re taking the best of what we like in the recipe and adding our personal favourites – our best flavours – and incorporating them into the mix, taking out those ingredients we don’t have a fondness for. Thus, when the final cake, chicken dish or soup – or any other dish – is completed, it contains the best of everything we know and like.
A BCM program should be the same way. Take what is best in everything you think will address your company’s needs and then incorporate it into a solid program; it becomes your standard. A standard based on what is best in all BCM standards will, in the end, give your company a program that works for it, not for an auditor.
A quick word about auditors: they shouldn’t hold you to their standards or to their favourite standard. If you have identified what it is you do and follow – a bit of this and a bit of that – then they should be auditing you on that and nothing else. To audit you on things you don’t do would not be fair to anyone. Of course, an auditor is expected to make suggestions on how you can improve what you do, but not to tell you what to do or how to do it.
I won’t get into more detail here, but don’t let someone pigeonhole your organization into following one standard when you may find it necessary to incorporate components of many standards. This goes for vendors as well.
Often, when an organization is working with a vendor to build its BCM program, people from that vendor will tell you they follow ‘best practices’, but what they are really doing is following their own methodology and wanting you to follow it as well. Be wary; following a vendor’s methodology means sales and opportunities for them, not you. Make sure you know what you need and then incorporate that into your program. If what you believe to be a good standard incorporates aspects of vendors, auditors, BSI 25999 and other standards, then by all means utilize them to the best of your ability to make the most robust BCM program that can be developed.
Just be careful not to fall into a single standard and find that what you wanted to get out of it may not work in all areas of the program. Don’t get stuck in a rut with one standard; spread your wings and encompass all standards, and you’ll eventually find all the components you need for a great program.