Alan Calder on IT Governance, information security & ISO 27001

I came across an interesting post on Ireland’s Security Watch blog making the topical connection between bird flu scares and business continuity planning. It rightly points out that a disaster can strike from unlikely sources when you least expect it.

BCP is a very topical subject generally, given the recent introduction of the BS25999 standard. This finally provides a way for organisations to PROVE that they have a robust plan in place to ensure that their business can withstand adverse events. With our increasingly global and interdependent supply chains, more and more organisations are coming under pressure to reassure their major customers and business partners that they are a safe bet.

To help organisations get to grips with the new Standard and the competitive advantage that being certificated represents, we have just published several new books:

* We have brought out a second edition of Disaster Recovery & Business Continuity, a quick guide for small organisations and busy executives. This is based on last year’s successful book but updated to reflect the particular requirements of the new BS25999 Standard.
* For people needing a quick introductory overview of business continuity management we have launched a new BS25999 Pocket Guide. This sets out all the key facts and is a great tool for organisations that are implementing, or set to implement, a business continuity plan and management system. If you need to share practical knowledge between many project team members this is also a very cost effective way of doing it.
* Lastly, to support the take-up of the new Standard we have launched Business Continuity and BS25999: A Combined Glossary. No previous glossary has adequately addressed the full range of terms likely to be useful to a business continuity practitioner. In this book, we have drawn not only from BS25999 but also a wide range of related standards and frameworks, including ITIL and ISO27001, to create a standardised set of terms that should enable professionals to conduct global conversations based on a shared understanding.

One of the most worrying things I encounter time and again is how seldom growing businesses have proper disaster recovery plans in place. Statistically, few businesses that suffer a major data loss or business interruption survive for more than a year afterwards, and small businesses are the most vulnerable as they simply don´t have the resources to bounce back.

The issue for business owners, and also senior executives from larger enterprises, is usually a lack of time to learn about the subject from scratch. People know it is important, but as they don´t know where to start they procrastinate – which is fine until one morning their business is on the line.

I´m pleased to say that we have just launched a new book that I really believe could come to the rescue of such companies. ‘Disaster Recovery & Business Continuity’ is written specifically as a quick guide for small businesses and time poor executives who need to master the key facts in a hurry. It summarises best practice in a clear and jargon-free manner, meaning that readers can quickly get the right measures implemented in their own business.

Each of its 16 chapters is written in a Question & Answer format with real world examples providing helpful illustration throughout. Further resources are provided in the appendices, including templates, checklists and information on training. The book’s contents are applicable to organisations based anywhere in the world.

The book is priced at just £29.95/US$59.25/€44.52 and is available online here and in leading bookshops. It is considerably cheaper than a full scale business interruption, so there can be no excuses for not getting your house in order at last!

The British Standards Institute has found a significant improvement in companies’ business continuity planning in the past 12 months. However, of the 100 FTSE-250 firms interviewed, “Only 45% … had comprehensive plans in place for a supply chain failure, and 21% of companies said they required all suppliers to have business continuity plans in place.”

Nobody should kid themselves that this can remain the case: any company is potentially vulnerable to a continuity failure if a supplier lets them down. For that reason, expect to see suppliers increasingly called upon to prove that they have measures in place to ensure their dependability. This will be one of the main drivers for the growth of ISO 27001 certification in the next five years. Companies that have it will prosper; companies that don’t will get left behind.

Buncefield, as Grainne Gilmore makes clear in a Times article today, is a wake up call for all those businesses - large and small - that don’t already have fully thought-through and tested business continuity, disaster recovery and contingency plans.

Directors and top management are responsible for the survival of their businesses. Identifying and planning to deal with the full range of potential risks is a fundamental part of that responsibility.

It’s too late to start preparing when disaster strikes - today, when nothing looks as though it’s about to happen, is the best time to start. And our business continuity web page is the best place to make that start.