Thursday, November 5th, 2009.

PS-Prep and business continuity standards

by Paul Kirvan

The US Department of Homeland Security recently announced its intention to propose three business continuity standards for adoption as part of its Public Sector Preparedness (PS-Prep) program.
The three standards address similar aspects of the same issue: keeping businesses operational and resilient. The US standard NFPA 1600, when introduced, had an emergency management focus but subsequently added a business continuity and disaster recovery component. The British Standard BS 25999, Parts 1 and 2, was designed exclusively for business continuity - not disaster recovery - and features a ‘management system’ approach to coordinating all elements of a business continuity program. This approach is consistent with many global standards, particularly those from the International Organization for Standardization (ISO), but is rarely seen in US standards. The ASIS document (SPC.1-2009) is a curious choice because ASIS and the British Standards Institution (BSI), which authored BS 25999, have been quietly collaborating on a new US business continuity standard for about a year. ASIS also created a business continuity guideline back in 2005, parts of which can be found in the existing ASIS document (SPC.1-2009). The ASIS document also endorses the Plan-Do-Check-Act (PDCA) model, which is found in many ISO standards as well as BS 25999, so in that regard it differs from most existing US standards. (Interestingly, the 2010 version of NFPA 1600 is expected to include a PDCA component.)

The government's choice of NFPA 1600 and BS 25999 was expected; the ASIS document was not. This raises some important questions: What happens when the new ASIS/BSI standard is released? Will ASIS withdraw its existing standard (SPC.1-2009) in favor of the new one? What happens to the PS-Prep program when this happens? In all fairness, ASIS and BSI seem to be leading the pack in standards development for business continuity. Perhaps the government decided to make its call with the understanding (and expectation) that the selected standards will change/evolve over time.

Compliance with any or all of these standards will be relatively easy, assuming an organization has a documented business continuity plan/program in place. Where most US organizations will fail in an audit (assuming the proposed standards are approved) is in the lack of a management system (e.g., PDCA) approach to overall program management. A review of the three documents shows that there is plenty of overlap in terms of processes and controls.

By the way, several standards for IT disaster recovery are available. Among them are the National Institute of Standards and Technology (NIST) SP 800-34, BSI’s BS 25777 and ISO 24762. I believe the government ought to include at least one of these standards in its thinking, since so much of what we do in business depends on the uninterrupted availability of technology.

© GemaTech NA 1998 - 2010