Integrated Approach to BCM System Design, by Rama Lingeswara Satyanarayana Tammineedi, MBCI, CBCP, CISSP, CISA, PMP, ITIL

The article discusses integrating an organization's business continuity management (BCM) system with the other management systems it already operates under the relevant standards. It highlights key considerations for integrating elements from ISO 9001 (quality), OHSAS 18001 (occupational health and safety), ISO 20000 (IT service management), and ISO 27001 (information security) into a BCM system: in particular, processes relating to change management, documentation, metrics, and people safety can be adopted from those standards. It also provides a figure comparing the specific, overlapping (shared), and identical (common) processes among the management system standards relevant for BCM, a nine-step integration approach, and a traceability matrix for demonstrating conformity to each standard.


PLANNING ISSUES

Integrated Approach to BCM System Design


By RAMA LINGESWARA SATYANARAYANA TAMMINEEDI, MBCI, CBCP, CISSP, CISA, PMP, ITIL

Organizations implementing a business continuity management (BCM) system based on ISO 22301 may find it prudent to adopt an integrated approach and incorporate into the BCM system relevant concepts from other management systems that are already in place in the organization. This article serves the following objectives:

1. Identify the challenges in integrating one management system with the other management systems.
2. Highlight key considerations in integrating the relevant elements of the following management system standards with the BCM system:
   A. ISO 9001
   B. OHSAS
   C. ISO 20000
   D. ISO 27001
3. List the key steps of the integration approach.

Integration challenges

The products and services of an organization are delivered through a management system consisting of functions, processes, and organizational resources. Many organizations utilize different standards to manage different aspects of product and service delivery, such as ISO 9001 for quality, ISO 27001 for information security, ISO 20000 for IT service management, ISO 22301 for business continuity, and OHSAS for occupational health and safety.

What makes integration of these systems challenging?

First, in the majority of cases, implementation of these management systems took place progressively over a period of time, in response to the growing needs and expectations of the organization as well as its stakeholders.

Second, the order in which the management systems were implemented was not based on a holistic design but on the organization's expanding business needs.

Third, different business units champion the implementation of different management systems: ISO 9001 by the quality assurance unit; ISO 27001 by the information security unit or the office of the CISO (chief information security officer); ISO 20000 by the IT service delivery unit; ISO 22301 by the business continuity and crisis management unit; and OHSAS by administration or the health, safety, and environment (HSE) unit.

Last, these standards presently do not use a common structure (order of the sections) or the same terminology.

The need for integration of different management systems

The diversity of the standards has resulted in different interpretations and in unnecessary duplication and overlap of effort, making it difficult for organizations to align, harmonize, and optimize their management systems. ISO has also recognized the need for harmonization and made it binding in 2012 with the publication of Annex SL (previously ISO Guide 83) of the Consolidated ISO Supplement of the ISO/IEC Directives: all new ISO standards defining requirements for management systems, and all necessary revisions of existing ones, have to use a common structure (order of the sections), a common core text, and the same terminology. According to Colin MacNee, chair of the CQI standards panel, this publication will have a significant impact on ISO management system standards for writers, implementers, and auditors alike.

ISO 22301, the standard for business continuity management (BCM), is the first to be developed to this new structure. The new version of ISO/IEC 27001, the information security management system standard, is set to be published later this year (it appeared as ISO/IEC 27001:2013). The revision of other standards such as ISO 9001 and ISO 20000 in the new format will take some years. Until then, integration of different management systems will continue to remain complex.

Integration of the BCM system with other management systems

The international standard ISO/IEC 27013:2012 provides guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1, and it focuses exclusively on that pair of standards. This article instead adopts a BCM perspective and highlights key considerations in integrating the relevant elements of the other management systems with the BCM system.

Figure 1 below highlights the processes specific to the above standards, the processes that overlap, and the processes that are identical among these standards.

Figure 1: Comparison of concepts of some management systems relevant for BCM

64 DISASTER RECOVERY JOURNAL WINTER 2014 REPRINTED WITH PERMISSION OF DISASTER RECOVERY JOURNAL
Focus Areas:

Each of the management systems has processes specific to it. For example, the processes business impact analysis (BIA) and strategies to continue products and services are specific to ISO 22301. Similarly, the processes occupational health and safety policy and hazard analysis are specific to OHSAS.

Shared Concepts:

The management systems address some similar processes and activities, even though the details highlighted by each management system vary based on its focus. It is pertinent to note that the scope and goals of the management systems are also different. The key concepts the other identified management systems share with ISO 22301 are listed below.

ISO 9001:

Change management is the key concept from the ISO 9001 standard. Any change to BCM documentation, processes, and technology should undergo a uniform change management procedure based on ISO 9001. Similarly, the concepts of documentation, metrics, and measurement of effectiveness can be leveraged to design an effective BCM metrics program.

OHSAS 18001:

People safety is the No. 1 priority in a disaster. Concepts relating to a people safety program, pandemic planning, safety inspections, fire detection and suppression processes, fire exit drills, and accident investigation procedures should be adopted from the OHSAS 18001 standard.

ISO 20000:

The IT service management processes of incident management, availability management, IT service continuity management (ITSCM), and capacity management can be leveraged in building a robust business continuity management (BCM) program.

• The incident management process can be used to restore normal service operation as quickly as possible and minimize the adverse impact on business operations, thus ensuring that the best possible levels of service quality and availability are maintained.
• The availability management process can be used to manage the availability and reliability of IT services and IT infrastructure to the agreed service levels, and to detect and eliminate single points of failure at the service and component levels.
• The ITSCM process can be used to ensure that the required IT technical and service facilities (including computer systems, networks, applications, data repositories, telecommunications, environment, technical support, and service desk) can be resumed within the agreed recovery time objective (RTO) timetables.
• The capacity management process can be used to prevent unwanted system outages owing to overload, by ensuring that cost-effective IT capacity always exists and is matched to the current and future agreed needs of the business in a timely manner.

ISO 27001:

ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an information security management system (ISMS) to protect
information assets. Specific to BCM:

• The information classification scheme and access controls can be used to identify critical information assets and their risks, and to protect them so that their availability is ensured.
• The technical vulnerability management controls can be used to detect weaknesses and single points of failure in systems and applications.

While ISO 27001 provides guidance to prevent an interruption in the first place, ISO 20000 provides guidance to manage an interruption if it should occur in spite of an organization's best efforts to avoid it. The division is one of emphasis rather than a strict boundary: the ISO 27001 control set also covers information security incident management and the information security aspects of business continuity, so those controls should be mapped into the BCM system rather than treated as out of its scope.

Common Concepts:

The management systems have certain identical concepts. These common concepts can be defined once, in one management system, and used in all other management systems implemented in an organization. The key common concepts include the following:

• continual improvement
• legal and regulatory compliance
• management review
• Plan, Do, Check, Act (PDCA)
• training and awareness
• documentation management

Integration Approach:

The key steps involved in integrating the management systems with the BCM system are listed below.

1. Identify and review the individual elements of the existing management systems.
2. Discuss the overlap and differences in terminology of the existing management systems and correlate them.
3. Identify shared concepts in the existing management systems.
4. Identify common concepts in the existing management systems.
5. Develop a traceability matrix. It helps in maintaining documented traceability between the integrated BCM system and the other management systems. The traceability matrix (see Figure 3 below) explicitly shows how the integrated management system conforms to the requirements of each of the standards. The key benefits of the traceability matrix are:
   a. the ability to more easily demonstrate conformity in audits and reviews, and
   b. the ability to track which activities are necessary to demonstrate conformity to each standard.
6. Carry out an impact analysis to assess the impact of integrating the relevant elements of the other existing management systems with the BCM system on customers, services, technology, data, suppliers, and other parties.
7. Draw up an implementation plan detailing the phases and sequence of activities to integrate the relevant elements of the other existing management systems with the BCM system.
8. Train the teams on the integration approach and the integrated BCM system.
9. Implement the plan, document lessons learned, and incorporate them into the BCM system.

Figure 2 below summarizes the above key steps involved in integrating the relevant elements of the other existing management systems with the BCM system.

Figure 2: Key steps in integration approach

Figure 3 below is a sample traceability matrix.

Figure 3: Traceability Matrix (illustrative)

Key Benefits of Integration

Integration of the relevant elements of the management systems that are implemented in an organization provides several benefits:

• a common and consistent understanding across the enterprise of key terms such as asset, incident, problem, risk, disaster, crisis, and hazard
• enhanced efficiency of product and service delivery through simplified and unified processes
• reduced cost of running the integrated BCM system
• reduced implementation time due to the integrated development of processes common to the relevant standards
• elimination of unnecessary process duplication
• reduced compliance costs by taking a "fix once, comply many" approach to streamline internal and external audits and reduce expenditures.

Conclusion

An integrated approach to management systems implementation demonstrates good governance and results in operational efficiency and cost effectiveness. Organizations implementing integrated management systems will enhance their process maturity and will be well positioned for adoption of the Unified Compliance Framework (UCF). Though the article considered ISO 22301 and four other management systems for integration, organizations might consider a different grouping of management systems that fit together naturally in their own context.

Rama Lingeswara Satyanarayana Tammineedi (Rama) has 26 years of IT experience, including 12 years in information risk management. Rama holds an MBA and the MBCI, CBCP, CISSP, CISA, PMP, ISO 27001, and ITIL credentials. Rama is head of the enterprise risk management practice in the global consulting practice of Tata Consultancy Services Limited, India.
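The specific/shared/common split of Figure 1 and the traceability matrix of step 5 of the integration approach can both be produced from the same two inputs: a requirement catalogue per standard and a register of the activities that evidence those requirements. The following Python is an added worked example, not the article's Figure 3 (which is illustrative and not reproduced here) and not code from the author or from any standards body. Every requirement label and activity ID in it is constructed for the illustration from concepts the article names; none is a clause number of ISO 22301, ISO 9001, OHSAS 18001, ISO 20000 or ISO 27001. The example goes slightly beyond the text in one respect: it also reports conformity gaps, i.e. requirements of a standard that no defined activity evidences, which is the list an auditor will ask for first.

```python
"""Traceability matrix for an integrated BCM system.

Added illustration; not the article's Figure 1 or Figure 3. Requirement
labels and activity IDs are constructed from concepts the article names
and are NOT clause numbers of any ISO or OHSAS standard (assumption).
"""
from collections import defaultdict

STANDARDS = ("ISO 22301", "ISO 9001", "OHSAS 18001", "ISO 20000", "ISO 27001")

# Concepts named by every standard (the article's "common concepts").
COMMON = {"management review", "continual improvement",
          "documentation management", "training and awareness"}

# Constructed requirement catalogue: standard -> requirement labels.
REQUIREMENTS = {
    "ISO 22301": {"business impact analysis", "continuity strategy"} | COMMON,
    "ISO 9001": {"change management", "measurement of effectiveness"} | COMMON,
    "OHSAS 18001": {"OH&S policy", "hazard analysis",
                    "accident investigation"} | COMMON,
    "ISO 20000": {"incident management", "availability management",
                  "IT service continuity management", "capacity management",
                  "change management"} | COMMON,
    "ISO 27001": {"information classification", "access control",
                  "technical vulnerability management"} | COMMON,
}

# Constructed activity register: activity ID -> requirements it evidences.
# One defined activity can satisfy the same requirement in several standards.
ACTIVITIES = {
    "BCM-01 annual BIA workshop": {"business impact analysis"},
    "BCM-02 recovery strategy selection": {"continuity strategy"},
    "QMS-01 unified change control procedure": {"change management"},
    "QMS-02 KPI dashboard": {"measurement of effectiveness"},
    "HSE-01 site hazard register": {"hazard analysis"},
    "HSE-02 fire drill and incident review": {"accident investigation"},
    "ITSM-01 major incident process": {"incident management"},
    "ITSM-02 single-point-of-failure review": {"availability management",
                                               "technical vulnerability management"},
    "ITSM-03 DR test against agreed RTO": {"IT service continuity management"},
    "ISMS-01 asset classification": {"information classification"},
    "ISMS-02 access review": {"access control"},
    "IMS-01 quarterly management review": {"management review"},
    "IMS-02 corrective action log": {"continual improvement"},
    "IMS-03 controlled document register": {"documentation management"},
    "IMS-04 induction and refresher training": {"training and awareness"},
}


def classify_requirements(requirements=REQUIREMENTS):
    """Split requirements into specific / shared / common, as Figure 1 does.

    specific: named by exactly one standard; common: named by every standard;
    shared: named by more than one but not all. Returns {class: {req: [stds]}}.
    """
    owners = defaultdict(set)
    for std, reqs in requirements.items():
        for req in reqs:
            owners[req].add(std)
    total = len(requirements)
    out = {"specific": {}, "shared": {}, "common": {}}
    for req, stds in owners.items():
        cls = "specific" if len(stds) == 1 else "common" if len(stds) == total else "shared"
        out[cls][req] = sorted(stds)
    return out


def build_matrix(activities=ACTIVITIES, requirements=REQUIREMENTS):
    """Return the traceability matrix: {standard: {requirement: [activity IDs]}}."""
    matrix = {std: {req: [] for req in reqs} for std, reqs in requirements.items()}
    for act, covered in activities.items():
        for std, reqs in requirements.items():
            for req in sorted(covered & reqs):
                matrix[std][req].append(act)
    return matrix


def conformity_gaps(matrix):
    """Requirements with no evidencing activity, per standard (benefit a: audit readiness)."""
    return {std: sorted(req for req, acts in rows.items() if not acts)
            for std, rows in matrix.items()}


def activities_for(matrix, standard):
    """Activities needed to demonstrate conformity to one standard (benefit b)."""
    return sorted({act for acts in matrix[standard].values() for act in acts})


if __name__ == "__main__":
    matrix = build_matrix()
    for cls, reqs in classify_requirements().items():
        print(f"{cls}: {len(reqs)} concept(s)")
    for std in STANDARDS:
        gaps = conformity_gaps(matrix)[std]
        print(f"{std}: {len(activities_for(matrix, std))} activities; gaps: {gaps or 'none'}")
```

With the constructed inputs, the four common concepts map to one activity each (the "define once, use everywhere" point of the Common Concepts section), change management is the one shared concept (ISO 9001 and ISO 20000), and two gaps are reported: no activity evidences the OHSAS 18001 occupational health and safety policy or ISO 20000 capacity management. In a real programme the register would be kept alongside the controlled documents and re-run after every change-control decision, so that a change to a BCM process cannot silently remove the only evidence for another standard's requirement.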
