Standards for Security and Fire Safety

Security and fire safety will continue to be at the forefront of the public consciousness in 2019. Questions are being asked more frequently than ever before as to how people, properties and assets can be best protected. All purchasers, from domestic to commercial and community environments, should be confident that companies delivering security and fire safety services are working to the highest standards.

In a demand-driven market, consumers will ask for proof of competence as part of their selection criteria, those providers leading the way will be in a position to visibly demonstrate their competence and operate to a set of recognised standards serving as a benchmark for working practices.

Developing codes of practice

As a certification body, a user-centric approach forms the basis for developing standards and codes of practice. For example, our recently upgraded code of practice, NCP 104.3 (based on BS EN 62676-4 requirements), for the design, installation and maintenance of CCTV systems is a case in point.

The Code interprets British and international Standards and takes a structured approach, ensuring the design and installation of video surveillance systems are undertaken while assessing operational risks and with the full engagement of client and users. Companies working to this and other user-centric standards are creating a successful framework for their business, facilitating best practice.

Understanding latest technology is critical to a sustainable future for any business today, both in countering threats such as cyber and in bringing benefits of enhanced security arrangements often driving efficiency within the business itself.

Those security providers continually developing stronger working relationships between their own teams, law enforcement agencies and the local community, as well as keeping abreast of new technologies, latest codes of practice, industry standards and ways of working will be best placed to tackle threats and help keep people and property safe.

The post Can standards help to protect people, properties and assets in 2019? appeared first on City Security Magazine.

Need for security standards

Security and fire safety have moved squarely into the public consciousness in response to recent events.

Questions are being asked about how buyers and consumers, be they householders, commercial organisations or government bodies, can be confident that companies delivering security and fire safety services are working to the highest standards.

As a result of the changing security landscape, useful guidance documents have been developed, such as the NaCTSO publication from 2016 outlining options for the private sector to enhance their security at a time of raised threat levels. www.gov.uk/government/uploads/system/uploads/attachment_data/file/575923/National_Stakeholder_Menu_of_Tactical_Options.pdf  provides a best practice framework for how society as a whole (the security services, the community and private security companies) can work together to combat the threats we all face.

Such guidance, typified by the NaCTSO publication, although important in raising awareness and galvanising a broader audience, cannot be considered in any way a standard, as it doesn’t address supplier competence.

Determining high levels of professionalism requires a benchmark for working practice. In the case of the security and fire sectors, there are recognised standards that govern the design, installation and maintenance of fire safety systems, CCTV systems, access control and intruder alarms, as well as the provision of key holding and guarding services and alarm receiving centres. The full gamut of security services has specific standards to which operational practice can be audited.  Industry experts who write the standards are supported by input from certification bodies such as the National Security Inspectorate (NSI). We play an important role in ensuring that the standards are effective and that adoption of standards by service providers adds value to the users of services who can be confident that the standards have teeth, and are robust benchmarks against which to test businesses for compliance.

Why choose a certificated contractor?

Independently assessed organisations hold certification (i.e. approval) demonstrating   their integrity, competence and professionalism to consumers and buyers of services. In a demand-driven market, consumers seeking proof of competence select suppliers able to demonstrate capability to meet the required standards.

Choosing an organisation holding certification gives the confidence of knowing the organisation has been regularly audited by an independent third party certification body, and approval from such bodies is a clear signal to buyers about commitment to quality and compliance with standards.

What to consider

There are several aspects that buyers should consider as part of the supplier selection process:

1) Does their prospective supplier hold appropriate approval for the service being offered?

Anyone selecting a supplier should make sure that the organisation holds the relevant certification in relation to the services that are to be procured. The competences required to install an alarm system are very different to those for event stewarding, for example. This is easily checked with the certification body itself if there is any doubt as to the validity.

2) Is the approval granted based on a regular independent audit?

To maintain certification, an organisation is subject to ongoing regular annual or twice- yearly audits. Improvement notices form part of the output from audits when an auditor identifies certain processes, training or customer service procedures that are not completely compliant. These are subject to root cause analysis and monitored for effective, corrective action. This is a cycle of continuous improvement that would be difficult to prove otherwise. Service providers risk losing approval if they are unable to adapt to achieve compliance.

3)  Has the approval been granted by an independent UKAS-accredited certification body?

UKAS Accreditation demonstrates competence, impartiality and performance capability on the part of the certification body. In short, UKAS ‘checks the checkers’ with regular rigorous audits. Check for the UKAS logo being displayed. You can learn more about UKAS’s activities here www.youtube.com/watch?v=gBQV2A-M45c.

With regard to the ‘people’-related guarding services, such as key holding or close protection for example, the Security Industry Authority (SIA) Licence, mandatory for every individual, checks for criminal records, evidence of training and competence. Over and above individual licensing, the SIA’s Approved Contractor Scheme (ACS), and schemes demanding compliance with British Standards such as NSI’s Guarding Gold, provide in varying degrees, rigour over the activities of security services providers.

Food for thought

The standards for the fire and security services themselves are of course important, but increasingly, what has an impact is the corporate (with a small c) management framework, i.e. how the business itself is managed. This includes quality management, environmental management and health and safety, which are also subject to standards – ISO 9001 being probably the most commonly recognised. Working to these standards is playing a part in raising the levels of professionalism in the security sector. NSI has long realised the importance of joining-up the assessment of the management system alongside technical or product standards.  This has a significant benefit to the approved company, not only because they are assessed as part of an integrated audit regime, but equally because the context for improvement notices is borne out of audit teams rooted in the fire safety and security sectors.

Formally recognised standards are a way of raising the levels of professionalism, but only when effectively implemented. Ongoing verification of compliance through independent, competent auditing and assessment means service providers can signal their ongoing integrity, competence and professionalism to both their clients and the community at large.

Max Linneman

Head of Certification Services, National Security Inspectorate (NSI)

ww.nsi.org.uk

The post Security standards: understanding certification value appeared first on City Security Magazine.

Security standards can help you minimize risk, reduce insurance premiums and stay on the right side of the law, but do you know what’s available and how standards work?

Here we provide an overview of the full range of British and international security standards and outline why they can be such useful tools for security professionals.

What is a standard?

It’s simply a document written by subject experts which distils and codifies best practice. Standards have been written covering pretty much everything you can think of – from how to test forged steel eyebolts to the ethical hazards of robotics. Along the way a large number of standards have been written on security issues. These standards – written with the help of security professionals and experts from a number of industry perspectives – are a way for everyone in the sector to check and prove they are doing things in the best way possible. Security standards cover three broad areas: electronic security products, security management systems and security services.

Standards on electronic security products

If you’re responsible for a CCTV system do you know exactly how to oversee it? There are three standards covering different aspects of their management and operation, from how to commission and install systems to how network video systems should interact with web-based services.

So called “remote centres” – also known as Alarm Receiving Centres (ARCs) – have their own British Standard (BS 8591) which gives recommendations on how to plan, build and operate both manned and unmanned ARCs. There are also “access control” standards which cover things like the performance requirements and methods of test for electronic security systems.

Last in this category are standards on alarm systems. They give guidance on how systems should be commissioned, installed and maintained, as well as how alarm verification methods can be applied.

Within the “alarm systems” range there are yet more standards on transmission equipment and networks, and on security system components. These cover topics such as a specification for secure sheathed cables for interconnecting wiring, and requirements for active infrared beam detectors.

Security management systems

Another category of security standards deal with security management systems. These standards are designed to help organizations identify opportunities to do things more effectively and more efficiently and thereby – in some circumstances – gain competitive advantage.

There are three key security management systems standards. BS 16000 clarifies the basic principles of security management. BS EN 16747 covers maritime and port security services (the “BS” means published by BSI in English in the UK, the “EN” tells you it’s a European standard produced under the auspices of CEN (Comité Européen de Normalisation)). Finally BS ISO 18788 is an international standard on the requirements of a management system for private security operations for application in areas of low governance or high risk, otherwise known as “complex environments”.

Security services

Security services standards include codes of practice for lone workers, the use of dogs for security, contracted security consultancy, guarding services, the provision of investigative services, vacant property protection services and keyholding services.

Lone workers are an area of particular focus because such individuals are at what the standard defines as “environmental risk”, as well as “people risk”. The standard recommends how to provide safety, security and reassurance for lone working employees.

The standards on security dogs (BS 8517) has two parts: the first for general purpose patrol and guarding dogs, the second for “detection dogs” – sometimes called “sniffer dogs”– which are trained to use their senses to detect substances such as firearms, munitions, explosives, illegal drugs, blood or even cadavers.

Finally, the British Standard on the provision of investigative services (BS 102000) offers recommendations on the conduct, management, staffing and operational accountability of private investigation services.

What standards can do

Why should security professionals use standards? Partly because they provide the most authoritative and comprehensive information available. They’re also regularly reviewed and updated to stay relevant and current. And partly because standards are a considerable help with regulatory compliance.

Standards are also trusted. If you can demonstrate that you or your products meet the requirements of a standard, it gives you a lot of credibility. That’s really important in security where service providers and manufacturers need to establish that they’re operating with integrity. Standards are also hugely useful to organizations which are buying security equipment and services.

For example, BS 7984 provides recommendations for keyholding and response services. Its provisions cover all the bases in terms of how such services should be managed, staffed and operated, from who to hire and how they should be trained, to how potential evidence of security breaches should be preserved.

The standard is valuable to anyone buying such services as it tells them what to look out for to ensure their keys are in safe hands. Meanwhile operators adhering to the guidance in the standard will not only know they’re doing the best possible job, but – perhaps even more importantly – that they’re meeting their obligations under the Security Industry Act 2001.

A standard such as BS 7984 is therefore incredibly useful to all concerned. Like all formal standards it provides a roadmap that everyone can rely on. It means there’s no need to guess what’s good, no need to risk non-compliance and no need for trial and error. And in the realm of security, that’s surely critical.

Beverley Webb

Lead Programme Manager

Defence and Security Governance and Resilience Sector, BSI British Standards

www.shop.bsigroup.com

The post Why standards are so important to security professionals appeared first on City Security Magazine.

UK residents conducted 6.8 million trips abroad for business in 2014.

Business travel – a fact of life for many organisations

In the modern day workplace which is highly influenced by globalisation and expansion, there are numerous strategic and/or operational reasons why personnel have to travel for business. Consequently, it has become very common for employees to travel as part of their job.

United Kingdom residents, for example, conducted 6.8 million trips abroad for business in 2014. These can range from a company director attending a board meeting, to a low-level employee travelling to perform a service.

Why focus on travel security?

There are several factors driving contemporary travel risk management. These include organisations ensuring that they are complying with duty of care principles, avoiding criminal liability, ensuring business continuity, preventing reputational damage and demonstrating positive corporate social responsibly. More specifically, there are several types of risk related to business travel, including the risk to personnel, risk to reputation, risk to data/equipment, legal risk, financial risk, and risk to productivity/trip effectiveness. The most important of these risks is the health, safety and security risk to personnel.

Research and developments

Due to the ever increasing scrutiny of failures by the media, legal entities and the government, when studying for a master’s degree at Loughborough University, I embarked on a dissertation project to determine the maturity of contemporary organisations’ travel security risk management practices. In order to evaluate this, the research project, entitled ‘Flying by the Seat of their Pants’ methodically analysed core components of the practice: stakeholder identification and ownership, risk assessment and promulgation, policies and procedures and evaluation.

The research methodology comprised a literature review and empirical research based on a mixed methods approach. Quantitative data was produced using an online questionnaire, distributed to 240 recognised security and human resource professionals as well as business leaders, by various highly regarded institutes and associations. Qualitative data was produced from semi-structured interviews with the representatives responsible for the practice employed in three large multi-national organisations.

In short – what did the research highlight?

The research indicated that there is a significant gap in the literature on travel security management, and that what is available is predominantly provided by practitioners linked to commercial enterprises in the context of duty of care and/or corporate social responsibility.

The empirical findings suggested that, in strategic terms, responsibility for security whilst travelling on business was considered to be shared (50/50) between the traveller and the organisation. Stakeholder involvement in the practice was very much dependent on the contextual influence of an organisation’s size, industry and operating location. Varied business departments were reported to manage the function, and commonly with no ownership of the function.

It was generally considered that organisations provided poor or only adequate planning and protection for travelling personnel.

Critical components of the practice were not being implemented, with survey respondents highlighting their organisations’ failure to employ the following measures:

• Travel security policy and associated procedures (34%)
• Pre-trip advisory or briefing (33%)
• Security specific training (58%)
• Compulsory pre-trip authorisation procedure (29%)
• Active traveller tracking (55%)
• Dynamic security updates (35%).

So where does this leave us?

The research project goes a long way to demonstrating that this important business function is still in its infancy in terms of development. The findings suggest that the practice needs to be addressed strategically, with a person accountable assigned, preferably from a security department, to design and implement a proactive and robust travel security risk management programme.

The research highlighted the immediate market need for a business travel security standard, in order to develop the generally informal, ad hoc and somewhat reactive practice many organisations are currently adopting, and developing this to being a more formal, structured and proactive risk management practice.

The author, as a representative of the Security Institute, proposed these findings to the British Standards Institute and work is currently underway to bring to the market a new travel safety and security specific standard which will enable organisations of all sizes (especially those without dedicated security departments) to effectively manage the function.

Gian-Rico Luzzi MSyI

Security Institute, Standards Special Interest Group

www.security-institute.org

The post Business travel: a security risk to personnel appeared first on City Security Magazine.

Earlier in 2014 the introduction of business licensing was postponed. The Home Office has made clear its continued commitment to a new regulatory regime and the SIA has continued to work closely with the Home Office to clarify the position as soon as possible. Any changes will be subject to at least three months’ notice of their introduction and initial application date and a further six months’ notice of the enforcement date.

In this article, I want to remind people why the SIA and many in the industry think that business licensing is important for the future of the industry and for public safety and worth the cost of the change.

The Story so Far

Although the introduction of regulation to the private security industry was far from smooth, few in the industry or law enforcement will deny that licensing individuals and introducing the ACS quality hallmark scheme have changed and benefitted private security across the UK and improved public safety.

Currently there are around 380,000 licences held by 342,000 individuals. Every one of these has been checked to ensure that they have the relevant qualification and are “fit and proper”: that we have checked their identity, any criminality and their right to work in the UK. The number of active licences has levelled off in recent years, reflecting a compliance level of 98% of those working in the industry.

Active licences and individuals

The ACS hallmark currently has over 750 members reflecting every sector and size of business and accounting for about two thirds of all regulated activity. ACS supports our responsibility for the development of standards across the industry. It allows security providers to evidence their commitment and quality and, for buyers of security, is an easily recognised accreditation of good practice.

The scheme remains buoyant, but membership is levelling off, perhaps because those companies prepared to voluntarily commit to quality are now already in the scheme.

Equally important is our enforcement work against those who do not comply. Since 2003, some 70,000 people have been excluded from working in the security industry; either by refusing them a licence or revoking their licences because they are no longer suitable to work in the industry. For ACS, we have withdrawn over 100 accreditations from companies that have failed to maintain the required standard. We also ensure prosecution where appropriate and these are reported on our website www.sia.homeoffice.gov.uk

A good regulator

We try to work with the minimum of burden on the legitimate individuals and businesses we regulate – every £1000 that we spend requires about four and a half individuals to pay their three-year licence fee.

We have streamlined our licensing processes (we now deal with 80% of licence applications in less than 15 days; applications can now be made through the Post Office and renewals dealt with by phone, online or through employers). The cost of regulation is nearly £10 million a year lower than in 2009, allowing a reduction in licence and ACS fees in 2012.

The impact of organised crime

Organised crime is widespread in the sector – in 2013, we had nearly 180 individual intelligence reports linking organised crime groups to the industry. This reflects an underlying problem for all legitimate businesses. Organised crime disrupts legitimate businesses not just through threats – although this does happen – but also by distorting the market. Such businesses do not pay tax, do not operate under standard constraints and undermine legitimate businesses. They also affect the industry’s reputation. Driven by our intelligence, we work closely with enforcement partners including the police, the National Crime Agency, HM Revenue & Customs, and the Home Office to support work against organised crime. The absence of a business licence regime limits our overall effectiveness in this area.

The impact of poor standards

Currently there are few barriers to a business entering the industry, bringing with them poor practices and offering uncompetitive prices. This also affects legitimate business activity. Such companies also exploit their workers and their customers, again undermining margins and the reputation of the legitimate business and putting the public at risk. The industry depends on its people and a key risk to the public is lack of quality, consistency and experience from those who work in the sector and provide an important service. We have ACS companies of all sizes and sectors; good quality should not be an optional extra.

The future – Business licensing

The introduction of business licensing for security companies will help to address these negative elements for the benefit of the legitimate industry – recently we have supported action against two companies that has resulted in around £6m of business being transferred from criminal to legitimate businesses. It will enhance the overall reputation of the industry and support intelligent buyers. It will also allow the industry the opportunity to further develop its people and professional standards.

Business licensing will require change, but it will bring real benefits, creating a level entry requirement for new and established businesses, ensuring a minimum standard of quality and helping to address the problems of organised crime. We will do this within the current regulatory cost framework. Most importantly, business licensing will lead to safer arrangements for the public and better protection from crime.

Bill Butler Chief Executive, Security Industry Authority (at time of writing)

www.sia.homeoffice.gov.uk

The post SIA licencing: regulating private security in 2014 appeared first on City Security Magazine.

More than six million people in the UK work either in isolation or without direct supervision, often in places or circumstances that put them at potential risk.

However, given the wide range of solutions currently available to protect lone workers, choosing a supplier can be difficult. Patrick Dealtry, Chairman of the Lone Worker Steering Group of the British Security Industry Association (BSIA), explains what to look for in a quality supplier.

A wide variety of organisations in a range of sectors employ people whose jobs require them to work or operate alone, either regularly or occasionally. Almost by definition, lone working can be both intimidating and at times dangerous, so the protection of lone workers involves a twofold approach; not only to provide safeguards but also to offer reassurance to the people involved.

The nature of this work means that many are required to travel alone, often in busy city-centre locations, and often after dark, leaving them particularly at risk. To address these important issues, the security industry has worked with the police and end-users to develop a combination of practice, technology and standards capable of providing an effective, and cost-effective, solution to the risks.

The development of technology and practice in the field has focused on encouraging and enabling lone workers to assess the risks they might be facing and provide them with the means both to summon aid in an emergency and collect information that can be used in evidence, if necessary.

This has led to the creation of a myriad of lone worker devices equipped with mobile phone technology that connect employees quickly and discreetly with an emergency response system that has direct links to the Police. A number of products are commercially available, including miniature devices that resemble ID holders. However, the range of choice currently on offer means that many employers are unsure where to start when sourcing quality lone worker solutions.

A security standard (BS8484)

Enter British Standard 8484 (BS8484), the Code of Practice for the provision of Lone Worker Services, which has been a key element of the security industry’s work to create such solutions. BS8484 is employed by all BSIA members in the field and forms the basis for police response to lone worker systems.

James Kelly, Chief Executive of the BSIA, comments, “The BSIA’s Lone Worker Steering Group recommends that companies choose lone worker systems that are compliant to British Standard 8484, which is the Code of Practice for the provision of Lone Worker Services. BS8484 is the basis on which Police respond to lone worker systems, so it’s important for employers to choose a supplier who works to these standards.”

Choosing a solution that is compliant to BS8484 through audit ensures that at-risk employees are provided with the best and most cost-effective level of protection if they get into trouble, and also gives organisations the best level of protection against litigation and legislation.

The standard has 3 main parts:

Part 4 – the company providing the service must be stable, properly financed, insured, have effective information security and competent to provide such services.

Part 5 – all devices used as personal safety alarms must meet the functional requirements of the standard.  This enables an operator to verify the alarm as genuine, establish the situation and the location before passing the relevant information to the appropriate response service in a timely manner.

Part 6 – refers to the Alarm Receiving Centre (ARC) which is where the alarm is received, verified and a response request sent to the appropriate service – usually the Emergency Services. ARCS must meet BS5979 Category 2 for Alarm Receiving Centres as well as BS8484 Part 6.

Ensuring police response

Implementation has ensured that requests for police response are properly verified, originate with approved ARCs and contain the right information. The result is a minimum of false alarms which justifies the commitment by the Police to provide an ‘immediate’ response where possible.

The Police manage alarms and approval for the ‘immediate’ level of response through their Security Systems Policy by the issue of a URN (Unique Reference Number). For Lone Worker alarms, the policy demands that all links in the chain are complete before a URN is issued to an ARC, i.e. the provider, the device and the ARC are all accredited to the appropriate part of the standard. This is partly in force now but will be fully in force by the end of July 2012.

Implementation of the standard of course benefits the Police. But more importantly it also provides less tangible benefits for vulnerable employees and their employers, concerning staff attitudes to their employer. It has been shown that employers who show proper concern for their at-risk staff can reduce staff absence through sickness and stress and improve staff retention. Because they feel safer with adequate precautions and training, staff are more effective in implementing company policy in difficult situations. In addition such services have been shown to allow staff to work alone where in the past double manning has been required.

Additional services provided by some service providers, based on Lone Worker devices, provide real benefit to the issue of staff management.

Expert guidance

The BSIA has also published two associated guides, which provide both employers and lone workers themselves with easy-to-follow advice.

‘Lone Workers – An Employer’s Guide’ informs employers about what to look for when sourcing a supplier. The guide covers the employers’ responsibilities to its lone workers, as well as specific criteria for selecting technology, monitoring services and providers, including the possession of quality management systems such as ISO 9001 and the delivery of appropriate training.

‘Lone Workers – An Employers Guide’ can be downloaded free by visiting www.bsia.co.uk/publications, and searching for form number 288.

For employees whose role requires them to work alone, the BSIA has produced a separate guide, ‘Lone Workers – An Employee’s Guide’, which can be downloaded free by visiting the BSIA’s website and searching for form number 284.

British Security Industry Association (BSIA)

To find out more about the BSIA and the work of its members, or to find a reputable supplier of lone worker devices near you, visit the Association’s website at www.bsia.co.uk

The post British Standard 8484 (BS8484) for Lone Workers appeared first on City Security Magazine.

Low level crime affects us all and it can be very upsetting in nature to the victim.

Losing a wallet or handbag, a briefcase or a laptop can be distressing, but can also have consequences for security and identity fraud if not swiftly dealt with. Often these items are removed from us at social events and when one is relaxing after a hard day at the office – our guard can be down and crooks are adept at exploiting our vulnerabilities.

Impact of financial austerity

From 2014 onwards, law enforcement resources will be at a premium. Financial austerity measures will bite hard and some low-level crime events may be given lower priority as manpower and facilities are stretched. A system which makes reporting and recording of such crime events simple, low cost and autonomous should be welcomed by all involved – except for the perpetrators!

The police service will not have to attend, take statements or collect video imagery evidence from the scene – it will all be sent to them. When faced with overwhelming visual evidence many thieves will simply give a guilty plea, thus saving huge amounts of court time and money. Indeed, video images should nowadays be seen alongside other key evidence sources such as DNA and fingerprints. There are strict rules and standards for how these latter sources are handled – similar handrails and procedures will be needed for Facewatch evidence handling and disposal.

Standard certifications

The NSI is the premier certification body (CB) in the UK security and fire sector. NSI’s expertise covers alarm systems, access control, CCTV and alarm receiving centres (ARCs) which essentially require certification in order to achieve police response to alarm activation. NSI’s manned guarding audit domain includes such disciplines as static site security, close protection services, door supervision, cash and valuables in transit (CViT) as well as key-holding and security screening.

Facewatch

The relationship between Facewatch and NSI is therefore logical and symbiotic. Both strive to help defeat the criminal and support the police. Both see the value of technology, especially when that technology is packaged into a system which supports and strengthens the legal process. Both want to see better quality of CCTV imagery than is provided by some systems currently in service.

So the first and most elemental linkage will see the development of an e-learning course package directed towards a variety of key Facewatch stakeholders. In conjunction with e-learning 24/7, on-line training will be made available to all those who will operate the system from the very end-user who interfaces with the victim through to the police officer who ultimately processes the report and begins the search for the criminal. This training is a key element in confidence building and ensuring a common standard of operation across geographical and operational boundaries.

Next, NSI and Facewatch are working towards the production of a code of practice for the system which will bring discipline, alignment and provide the glue which will hold the system together and give it further credibility in the eyes of the judicial authorities. The linkage of technology, standards, creativity and certification is a most powerful model and we are confident that Facewatch will make a major contribution to crime reduction and successful prosecution as it is rolled out across an ever increasing user base.

Jeff Little

Chief Executive

NSI

www.nsi.org.uk

The post Facewatch work to ensure security standards appeared first on City Security Magazine.

In May 2012, the International Standardisation Organisation (ISO) published ISO 22301 – Business continuity management systems – Requirements. Although this standard was long in the making the response has been very positive – and with the promise of ISO 22313 – Business continuity management – Guidance – before the end of this year, it seems it was worth the wait.

ISO 22301 blends the requirements from several national standards, including those from the USA, Japan, Singapore, Canada and Australia. The similarity with BS 25999-2, however, is most evident. A comparison of the BS and ISO standards reveals little difference in the requirements. And in Clause 8 of the ISO, where the business continuity programme requirements reside, the text is identical in many places.

The similarities and differences

For organisations already certified or aligned to BS 25999 and considering ISO 22301, the alignment between the two standards will be good news. However, the similarity in principles, requirements, and terms means that BSI will withdraw BS 25999-2 in November 2012. Fortunately, the UK Accreditation Service (UKAS) has already announced a two year transition plan which should enable organisations to obtain accredited certification to ISO 22301 during the course of their normal (or surveillance) visits. UKAS will not issue certification or renewals to BS 25999-2 after May 2014.

For organisations that want guidance, ISO 22313 is due to be published in December 2012. The public consultation ended in May and the feedback was very positive. It will undergo further revision based on the comments and so should be an excellent companion to ISO 22301 but it could also be used as a stand alone document.

Together, these standards will help organisations understand and implement a BC management system as well as help the BCM community continue to grow. Upon publication of ISO 22301, many countries confirmed that they will adopt ISO 22301 and several countries (including the UK) immediately announced they will withdraw their national standards. This will prevent confusion by reducing the number of BCM standards and is a credit to the international experts who developed ISO 22301.

While the requirements are very similar in the BS and ISO, there is a significant difference in the format of the ISO standards. From 2012, ISO requires all new management system standards to use common terminology, headings and text. A management system is a framework for managing and improving the organisation’s policies, procedures and processes. This concept can be difficult for organisations not familiar with a “management systems approach”. And if an organisation subscribes to more than one management system standard, it may be frustrating (and costly) if the requirements for the systems are not aligned. For these reasons, ISO developed the common headings, text, and terms.

Positive response to changes to standards

In general, the effort to align management system standards has been well received from all quarters. It’s a combination of the popular Plan Do Check Act (PDCA) method used in standards such as ISO 14000 on Environment and ISO 27000 on IT Security – and the “Process Approach” used in ISO 9000 on Quality. The headings in ISO 22301 include: Terminology; Understanding the organisation (and its context); Leadership; Planning; Support; Operation; Performance evaluation; and Improvement. The common text accompanying the headings is clear and succinct. Because all management system standards eventually need to use this format, by being one of the first standards to adopt it, ISO 22301 can easily integrate with other standards in future. The business continuity management requirements in BS 25999-2 are mirrored in ISO 22301 and include: conducting a business impact analysis; business continuity strategy; protection and mitigation; incident response structure; business continuity plans; recovery; and exercising and testing.

As with all requirement standards, ISO 22301 is concise and includes many “shall” statements. Fortunately, the guidance, ISO 22313, does a good job clarifying the intent of the requirements and providing explanations and examples. There is a direct correlation between the clauses in the requirements and guidance. And while ISO 22313 provides more information, it does not add any additional concepts (or requirements) that are not already in ISO 22301.

What does this mean for the Code of Practice?

But what happens to BS 25999-1, Business continuity management: Code of Practice? If the ISO guidance had the same content as BS 25999-1, it would likely be withdrawn along with BS 25999-2, the requirements. But since publishing the Code of Practice in 2005, the BSI committee responsible for BCM, has been very busy and published several more continuity standards in response to gaps in the flagship standards. Publications on crisis management, human aspects of continuity, exercising and testing, supply chain continuity, and recovery management expand on areas in BS 25999-1 and are current. One standard, BS 25777 – ICT continuity management – has already come and gone as it was used in the development of ISO/IEC 27031 on ICT continuity management – and is now withdrawn. It’s possible that the BSI additional guidance will be used in ISO in future but as ISO have a much longer development time, the BSI Code of practice and related guidance documents will remain available to those who need them for the foreseeable future.

Given the availability and quality of additional guidance, it is possible that BS 25999-1: Code of practice will be revised to include the most current available information. Regardless, with the release of ISO 22301 and imminent publication of ISO 22313, BCM practitioners and organisations finally have international consensus on what constitutes good BCM practice and will soon have the additional guidance to build a better business continuity programme.

David Adamson, Committee manager at BSI (at time of writing)

The post Updates to Business Continuity Standards appeared first on City Security Magazine.