ISO 22301 - How different is it from BS 25999? - 4
Testing of BCMS, which is ‘BCM Exercising’ in BS 25999 and ‘Exercising and Testing’ in ISO 22301, has not changed much. It was a disappointment in BS 25999 and it is a disappointment in ISO 22301.
Both the standards want us to conduct tests that are consistent with the scope and objectives of BCMS and based on appropriate scenarios. Really? We were going to test if our senior management could bungee jump without a rope! There are vague generalities where we need to ensure that the tests are risk free and the reports contain outcomes, recommendations and actions to implement.
If you are implementing business continuity in your organization, look elsewhere for tips and tricks on how to test it. I believe testing is covered better in SS540. You can refer to some of the elaborate areas of testing that are suggested there.
My belief is that for an organization to be certified on a business continuity standard, you need to have some tests that are mandatory. Tests like emergency evacuation, or data backup and restoration tests should probably have been considered as mandatory in ISO 22301, but sadly, they are missing.
There is a subsection in ISO 22301, ‘Evaluation of Business Continuity Procedures’. You are expected to evaluate your business continuity procedures. How? By doing periodic reviews, exercising, testing and post incident reporting. This part does not add any specific value and could have been mentioned in the exercising and testing section itself. The post incident review section of BS 25999, section 126.96.36.199, has lost its importance and finds fleeting mention in this section. I consider post incident reviews to be very important and feel they should not have been sidelined.
The internal audit, management review and ‘Improvements’ (Corrective and Preventive actions) sections have minor improvements with a few points added in some parts. Generally a small improvement over BS 25999, though nothing to write home about.
The run and maintain part of the BCMS, which an organization has to implement continuously, leaves a lot to be desired. Any new standard coming up in business continuity should definitely consider this. More focus on exercising, reviewing and improving a BCMS will add a lot of value to ISO 22301. (Also, it will help an auditor have some findings in a surveillance audit.)
To summarize, there are some improvements in ISO 22301 over BS 25999, but nothing drastic. Most of the lacunae of BS 25999 get carried over to ISO 22301.
For those seeking to set up a BCMS, use the relevant parts of ISO 22301. It will help you set up your BCMS in a structured manner. For exercising, testing and maintaining, look elsewhere if you need detailed steps. If you are an auditor, you will need to spend time on the exercising part to ensure that the organization has really thought through the testing and exercising bit. You can refer to ISO 22301 straight for records on how the BCMS is set up.