2 minute read
Support
records in areas you maybe don’t keep records at the moment, a good example often being meeting minutes. Meetings happen and things are discussed, and decisions are made but the auditor won’t just accept your word for it. The auditor will want to see the minutes. Other examples could be training records – who was trained to do what and when? Business continuity tests – what was tested, by whom, when and what was the outcome?
All of this sounds rather onerous, a lot of hassle. True, it can mean more work at least in the short term. But doing business continuity according to the ISO22301 standard is about doing it right. You will be taking advantage of the knowledge of a wide variety of experienced people who have come together to define the best way to create a BCMS that works; people from all over the world in a wide variety of industries and organizations large and small.
From our experience what often happens during the process of implementing an international standard such as ISO22301 is that initially you will put things in place because the standard says you will. Some of the requirements may seem unnecessary or over the top. But gradually you will start to see why they are included and the difference it makes to your organization. After a period of time you will begin to implement procedures and methods that go further than the requirements of the standard because you can see that they would be useful and will provide better protection for your organization. You’ll start to see that it’s about becoming more proactive in everything you do and in the long term this reduces the number of reactive activities necessary. In simple terms, you’ll start to “get it” (but be patient, it can take a while!).
But in the meantime, you’ll need to create some of that “documented information”. And that’s where the CertiKit ISO22301 Toolkit comes in….
1.2 The CertiKit ISO22301 Toolkit
When looking at business continuity the emphasis is usually on “The Plan”. This is the document (or documents) that will tell everyone what to do in an emergency, how to handle a crisis and keep the business running. And it’s right that this should be the main focus; it is, after all, the main deliverable of the whole business continuity idea.
In a perfect world we would just create The Plan, based on our perfect knowledge of the business and nothing would ever change. The Plan would be accurate at all times, never need improving and everyone would know how to use it.
But we live in a far from perfect world where things can and do change on a regular basis, we don’t know everything about the business, people come and go from the organization and our definition of what’s important moves all the time.
So, the ISO22301 standard proposes that we don’t just need a plan; we need a Business Continuity Management System or BCMS. The function of the BCMS is to wrap itself around the plan and ensure (among other things) that:
