Disaster Recovery and Business Continuity Planning - Where to start?

kukani41

Hi Richard

I am going to use ISO 22301 as the framework. I have got a few books to read up about it: "Auditing Business Continuity Management Plans: Assess and Improve Your Performance Against ISO 22301" and "Business Continuity Management Systems: Implementation and Certification to ISO 22301", but neither gives me good examples of the risk assessment, what a policy looks like, the BIA, etc.

Sue

Richard Regalado

Trusted Information Resource
I'll share a project plan I'm using for you to better understand the activities and efforts involved from your end and the client.

Don't worry, what you can't find in the books, the Cove can pitch in.

I'll be back.


Richard
kukani41

Thanks for that, Richard. Do you have a template of your gap analysis report that I could look at to try implementing here?

Thanks

Sue
Richard Regalado

Trusted Information Resource
Hi Sue.

I don't see how a gap analysis report could benefit you at this point. If I shared a report from a client with most of the mandatory requirements in place, it would just be a tick mark or "Compliant" against each particular requirement of ISO 22301.

Where are you with your implementation? Let me know where you've hit a quagmire.

Add: check the sample implementation plan and let me know where you are.

Regards,
Richard
kukani41

Hi Richard

I am at the beginning, gathering data. The reason I asked for a gap analysis report was to see what I needed to put in place and work backwards. So, for example, I need to list the regulatory, contractual and other requirements, from employees to media to clients etc., but I am not sure how that document should look and what exactly I need to put into it. Do I list all employees, or can I just refer them to the org chart?

I need to see templates so that I can see what can be set out. I have looked online, and buying templates is really expensive, so I am hoping people on here can help me instead.

Sue
AndyN

Moved On
Sue:

A "gap analysis" isn't something anyone else can give you, except for someone, like a consultant, who performs such an analysis. There are 3 types of gap which need to be understood when compared to a standard like ISO 22301, for example:

Something ISO 22301 requires and you have, but it's not formal, or part of a system.

Something ISO 22301 requires and you have never done.

Something which ISO 22301 requires and you have done, in some manner, but it hasn't worked well.

You have to understand these 3 "gaps", with your management, in order to plan to close the gaps, whether certification is an option or you only want self-declared compliance.

They are unique to your organization, so some other organization's gaps will be different.

Also, there's a good reason why help costs! If it is credible, someone put a lot of their expertise into creating such templates etc., and you're paying for that. But beware! You may simply be charged for something which isn't worthwhile and is just a set of documents which is supposed to meet ISO 22301 (or similar) but wasn't really created with any knowledge of HOW to implement. Choose carefully!
Johnnymo62

Haste Makes Waste
Hi,

Is the US NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs comparable to the ISO standard?
AndyN

Moved On
Quoting Johnnymo62: "Is the US NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs comparable to the ISO standard?"

Somewhat. Under the DHS's "PS-Prep" certification, BS 25999, NFPA 1600 and ASIS SPC.1 were available for implementation/certification. However, they are not the same and have somewhat different applications: continuity vs "resilience". Since ISO 22301 has basically replaced BS 25999, this gap has widened somewhat.