Auditing Today’s Business Continuity Management Systems

Auditors of information systems, information security systems, and IT governance, as well as business continuity professionals, may be interested in adding to their professional qualifications by becoming an auditor of business continuity management systems. Never heard of this designation? That’s because it is a new requirement that is an outcome of US legislation enacted as a way to increase the preparedness of the private sector. It is called PS Prep Certification.

What is Private Sector Preparedness (PS Prep)?

In 2001, the USA Patriot Act identified the importance of protecting critical infrastructure in the United States. It also focused on the importance of protecting key resources essential to the minimal operations of the economy or government, whether they are publicly or privately controlled.

The National Infrastructure Protection Plan (NIPP) was developed as an output of the act to be a unifying structure for the government and the private sector and to improve the protection and resiliency of critical infrastructure and key resources.

On August 2, 2007, Public Law 110-53 was enacted and documented in a report titled, “Implementing Recommendations of the 9/11 Commission 2007 Act – Comprehensive Summary of Public Law 110-53.” For a full copy of this report visit http://intelligence.senate.gov/laws/pl11053.pdf.

Title IX of this law focuses on Private Sector Preparedness (PS Prep) and identifies a program for encouraging the private sector to voluntarily participate in being certified under PS Prep to demonstrate that they are prepared to manage risks and have increased the resiliency of the organization.

With more than 80 percent of the US critical infrastructure owned and controlled by the private sector, this law is vital to ensuring the private sector is prepared to provide its goods and services under all conditions.

Under Title IX, the administrator and the assistant secretary for infrastructure protection were assigned to develop recommendations to assist or foster action by the private sector to increase its resilience.

Section 524 assigned the development of the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS Prep) to the American National Accreditation Board (ANAB).

PS-Prep is a partnership between DHS, FEMA, and the private sector that enables private entities to receive emergency preparedness certification from a DHS accreditation system created in coordination with the private sector.

http://www.fema.gov/privatesector/preparedness/

What are the PS Prep Standards?

In June 2010, three standards were identified and accepted for compliance:

1. ASIS SPC.1-2009 - Organizational Resilience: Security, Preparedness, and Continuity Management Systems - Requirements with Guidance for Use. (Download for free at http://webstore.ansi.org/RecordDetail.aspx?sku=ASIS+SPC.1-2009.)

2. British Standard 25999-2:2007 - Business Continuity Management. (Download at cost at http://www.bsiamerica.com/en-us/Assessment-and-Certificationservices/Management-systems/Standards-and-schemes/BS-25999?gclid=CMfGrLHXw6ICFQE_bAodIFCInw.)

3. National Fire Protection Association 1600-2010 - Standard on Disaster/Emergency Management and Business Continuity Programs. (Download for free at http://www.nfpa.org/assets/files/PDF/NFPA16002010.pdf.)

“Private organizations across the country, from businesses to universities to non-profit organizations, have a vital role to play in bolstering our disaster preparedness and response capabilities,” said Secretary Janet Napolitano. “These new standards will provide our private sector partners with the tools they need to enhance the readiness and resiliency of our nation.”

PS-Prep will raise the level of private sector preparedness through a number of means, including:

1. Establishing a system for DHS to adopt private sector preparedness standards;

2. Encouraging creation of those standards;

3. Developing a method for a private sector entity to obtain a certification of conformity with a particular DHS-adopted private sector standard, and encouraging such certification; and

4. Making preparedness standards adopted by DHS more widely available.

Why Should my Business Become Certified?
Certification helps you to demonstrate to your stakeholders that your business is run effectively and that it will continue to do so in the event of a disruption.

The process of achieving and maintaining the business continuity management (BCM) certification also helps ensure that you are continually improving and refining your BCM activities. The regular assessment process will also improve staff responsibility, commitment and motivation.

Certification improves overall performance, removes uncertainty and widens market opportunities. It will prove to your customers that you can be trusted to deliver. Certification to one or more of the three standards creates an opportunity to reduce the burdens of internal and external audits from your key customers.

Despite all these internal reasons, the reason for many companies will be that a major customer requires some evidence of competent BCM performance.

If this is your reason, then don’t panic; BCM isn’t as complicated or as difficult as you might think. Also, you don’t have to be an expert in any of the other management systems, such as ISO 9001 (quality management systems) or ISO 14001 (environmental management systems); the BCM system can be implemented alone.

However, because it follows the simple “plan, do, check, act” cycle of other management systems, if you are already a user of ISO 9001 and/or ISO 14001, getting started with the BCM system will be very familiar to you.

How can my Organization Become Certified?

Title IX also identified the process for private sector organizations to become certified. Small businesses (at this time, the criteria for what counts as a small business under the law have yet to be determined) are allowed to use a first-party self-declaration of conformity to one or more of the standards. The requirements for a first-party self-declaration of conformity are also still to be determined.

All other organizations are required to use third-party certification by an ANAB accredited certifying body.

It is important that your organization hires an ANAB accredited certifying body to conduct the third-party audit for certification. The certifying bodies have had to complete rigorous training to ensure that they are competent to conduct the certifying audits.

For an up-to-date listing of the certifying bodies currently applying for accreditation by ANAB, and for other information about PS Prep, visit http://www.anab.org/accreditation/preparedness.aspx.

How Can I Help my Organization to Prepare for Third-Party Certification?

It is important that your organization is ready before it applies for third-party certification from an ANAB-approved certifying body.

The first decision that needs to be made is which standard or standards your organization should be certified to. To answer this question, you will want to review each of the three standards to determine which one is best aligned with the program you already have in place.

Professionals who wish to prepare organizations for PS Prep Certification should consider completing a training course. There are several options in the marketplace:

1. ASIS International: Organizational Resilience: Implementing and Auditing and the ASIS American National Standard. This three-day course teaches the ASIS SPC.1 Standard. For more information, download the brochure at https://www.asisonline.org/images/store/programs/2011_Org_Resilience_Education_Flyer.pdf.

2. Business Continuity Institute: BS 25999 Lead Auditor. This five-day course teaches the BS 25999 standard. For more information, download the brochure at http://www.bsigroup.ca/en-ca/training/course-areas/BCM/BS25999-LA/.

3. DRI International: BCLE-AUD – Certified Business Continuity Auditor. This five-day course explores different standards, laws and regulations. For more information, download the brochure at https://www.drii.org/education/course_desc.php?courseeventid=405&courseid=55.

4. The International Consortium for Organizational Resilience: ICOR offers two courses:

a. BCM 5000: Auditing BCM Programs for PS Prep Certification. This five-day course prepares auditors to audit a BCMS against all three PS Prep standards. http://www.theicor.org/art/pdfs/courses/bcm5000.pdf

b. BCM 4050: Business Continuity Maturity Model Assessor’s Training. This two-day course prepares BC professionals to use the BCMM® as an internal audit tool for PS Prep certification preparation. http://www.theicor.org/art/pdfs/courses/bcm4050.pdf

What Should you do Now?

Now is a good time to learn more about the three standards and to talk to senior management and your auditing leadership about PS Prep and how your organization might benefit from PS Prep certification.

It is expected that by Sept. 2011, third-party auditors will be ready to begin conducting audits of the private sector. Will your company be one of the first certified?

Lynnda M. Nelson, president of The International Consortium for Organizational Resilience (ICOR), manages the day-to-day operations of ICOR’s education program. Nelson is also a professor for Norwich University’s Master of Science in Business Continuity Degree Program (MSBC).