Business Continuity Standards: How each can help you


September 30, 2021, by Bryan Strawser

No matter how much business experience you have or how long you’ve studied risk and resilience in your businesses, creating a business continuity program can seem daunting. But internationally recognized guidelines exist to help you build the right program for your organization’s unique situation.

This article provides you with all the essentials you need to understand each guideline to decide which one works best for you.

These guidelines save you from reinventing the business continuity program wheel by describing what your program needs. The guidelines share many common elements, such as calling for top leadership support, risk assessments, and business impact analyses. In general, these standards are adaptable to large and small organizations in any industry. They are also not prescriptive—they describe what you need to do, not how you should do it. All of them reinforce the same broad business continuity goals:

  • Reduce the risk of disruption
  • Support continuity of business
  • Reassure customers and stakeholders


NFPA 1600 Standard on Continuity, Emergency, and Crisis Management

National Fire Protection Agency (NFPA) 1600 is a U.S. emergency planning specification that has also become globally accepted. NFPA was the first of the business continuity standards to appear after 9/11. The United States Department of Homeland Security adopted the standard, in the words of the NFPA site, “as a voluntary consensus standard for emergency preparedness.” Likewise, the 9/11 Commission report recognized NFPA 1600 as the national preparedness standard.

Despite such endorsements, NFPA 1600 is still a guideline, not a requirement. It includes nine chapters on business continuity program management, planning, implementation, training, exercises and tests, and program improvement. Annex B provides checklists for ongoing self-evaluation.

With its emergency planning focus, 1600 includes guidelines for setting up emergency operations centers and dealing with casualties. It briefly outlines the need for employee assistance, such as temporary or long-term housing, food, and mental health support.

The 2019 version adds a discussion of the importance of crisis management communication, including securing a reliable emergency communication system, and Annex J discusses social media management in a crisis.

A component not included in other guidelines is Annex H, Personal and/or Family Preparedness. This annex acknowledges that worrying about the safety and wellbeing of family distracts people from their work. The annex provides suggestions for how organizations can train their employees to ensure family safety. “A plan must ensure employees and their families and pets are prepared for self-sufficiency for a minimum of three (3) days.” The annex adds a comprehensive list of important information and documents that every individual should copy and store in a safe place and add to their emergency go-bag.


ISO 22301 Security and resilience — Business continuity management systems — Requirements

The International Standards Organization or ISO is a global institution that researches and creates industry and other standards. All its specifications are voluntary. ISO can’t enforce these or any other standards. ISO simply provides guidelines for what you should do.

In 2012, ISO released the first document in its ISO 22300 societal security series, ISO 22301, the business continuity planning standard. As with NFPA, large and small, and for-profit and not-for-profit organizations can benefit from the guidelines. In summary, the guideline requires these elements for a business continuity program:

  • Working with the company management to get the entire team on the same page regarding business continuity planning.
  • Identifying essential individuals, groups, teams, or company employees for specific functions and roles in the program.
  • Creating a communication plan, particularly for large company shareholders.
  • Defining the primary responsibilities and rules for business continuity.
  • Assessing risks to the business, including ways to prevent or limit the damage for specific risks.
  • Conducting a business impact analysis for different scenarios. This step is key for identifying the functions that a company must maintain in emergencies.
  • Developing a system for record control and maintaining important documents in different emergencies, such as setting up a backup system or printing out physical copies of important documents.
  • Evaluating information and then developing a business continuity plan.
  • Creating a long-term business continuity program to implement different elements of the plan and prepare for potential disasters.
  • Training employees or the management team to implement the program.
  • Raising awareness about risk management.
  • Maintaining important documentation or paperwork.
  • Testing and reviewing the strategy.
  • Internal auditing or having a third party from the company check the system.
  • Adjusting the plan of action.
  • Getting the management team involved to review the process.

In addition, ISO 22301 provides a voluntary certification component, which offers accreditation that an organization’s business continuity program complies with the 22301 specifications. Again, certification is not mandatory, but in some instances, such as winning government contracts, certification may be a business condition.

At Bryghtpath, we typically utilize ISO 22301 as the basis for our Business Continuity Program Evaluations.

ISO 22317 Guidelines for Business Impact Analysis (BIA)

ISO 22317 is the second document published in the ISO 22300 societal security series. The guide is the “how-to” part of the ISO 22301 business impact analysis (BIA) specification. It describes step-by-step how to conduct a business impact analysis or how disruptions can affect an organization’s proper functioning and profitability. ISO 22317 includes these steps for creating a BIA:

  • Identify activities that support how a business provides products and services.
  • Assess how not producing those products and performing those services will impact the organization over time.
  • Set priorities and timeframes for resuming business at a minimum acceptable level.
  • Identify the connection and dependencies between the supporting resources for the impacted business activities.
  • Provide ongoing review to ensure continual improvement of the organization’s BIA.
  • Guide the organization in planning, conducting, and reporting on BIA.
  • Assist the organization in its BIA in a consistent manner reflecting good practices. ISOs are all about agreed and “good” practices.
  • Open the door to proper coordination between BIA and the overarching business continuity program.

You can use 22317 as a stand-alone guide for preparing a BIA or with ISO 22301.

ASIS Business Continuity Guideline – A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery

Published by ASIS International, an association of security practitioners, the ASIS Business Continuity Guideline is, as it says, a step-by-step, detailed outline for approaching business continuity. Although perhaps less well-known and therefore less commonly adopted, the plain language makes it an accessible reference.

One interesting assertion in the introductory paragraphs is that “Personnel used for crisis management should be assigned to perform these roles as part of their normal duties and not be expected to perform them on a voluntary basis.”

The ASIS guide includes a section on common business continuity terminology, which business continuity newbies may appreciate. The document’s substance lies in numbered sections and subsections that succinctly detail what you need to do to plan and execute a business continuity program. The major sections consist of Readiness, Prevention, Response, Resumption/Recovery, Training/Testing, and Evaluating and Maintenance. ASIS includes a checklist outlining the high-level steps for approaching business continuity planning.

ASIS echoes other guidelines in calling for management support, a BC policy and a plan. It adds detail on how to conduct a risk assessment, includes an example assessment chart, and describes how to determine risk. There’s also a good discussion of how to calculate the maximum allowable outage and recovery times.

The Recovery section includes an interesting elaboration on how to recognize a crisis. Warnings about natural disasters seem obvious, but cash flow and legislative changes are more subtle.

A unique aspect is an emphasis on crisis communication, both internal and external. It discusses how to convey a message: be honest about what you know and what you don’t know. It also emphasizes that you must prepare ahead of time for crisis communications, including creating templates and determining fast distribution means, such as the internet, intranet, or telephone hotline.

The ASIS guideline also highlights the “Human Element,” as they call it, declaring that “[p]eople are the most important aspect of any BCP.” Managing and caring for people in a crisis includes deciding before an emergency how to account for staff, notify next-of-kin of any issues, assign a family representative to help families deal with severe injuries or death, provide counseling, financial support, and more.

Although the technical-document formatting and frequent use of “shall” in ISO 22301 and NFPA 1600 may make you reluctant to consult them, both standards contain valuable, clearly expressed ideas on building a solid business continuity system. However, the layout and detail in ASIS make it a good choice for someone completely new to business continuity. Depending on your industry, you might favor one of these guidelines over another. But each has unique resources that you can dip into as needed.

Unique Resources in Business Continuity Standards

ISO 22301, NFPA 1600, and the ASIS Business Continuity Guideline contain similar guidance for researching and writing policy and plans, and for conducting business continuity training.

The table below lists some of the unique supplemental resources available in these documents.

| Resource Type | Guideline Document |
| --- | --- |
| Business Continuity Planning Checklists | ASIS Business Continuity Guideline Appendix A; NFPA 1600 Annex B |
| Terminology | ASIS Business Continuity Guideline Section 10.0 |
| Types of Risk That Could Impact a Business and sample risk matrix | ASIS Business Continuity Guideline Section 11.1.2a |
| Business Impact Analysis step-by-step | ASIS Business Continuity Guideline Section 11.1.3 to 11.1.3d |
| Crisis Communication | ASIS Business Continuity Guideline Section 11.3.6 |
| Test and Exercise Scenarios, scenarios, roles and participants | ASIS Business Continuity Guideline Section 12.1.2g, h, and i |
| Small Business Preparedness Guide with Resources and Checklist | NFPA 1600 Annex C |
| Personal and Family Preparedness | NFPA 1600 Annex H |
| Access and Functional Needs Guideline (including for non-native English-speaking populations, pregnant women, persons experiencing homelessness, and more) | NFPA 1600 Annex I |
| Social Media in Emergencies (case studies, planning guidelines, including staffing, content, demographic considerations) | NFPA 1600 Annex J |
| Emergency Communications: Public Alerts and Warnings in Disaster Response (including definitions of alerts and warnings, and different notification methods) | NFPA 1600 Annex K |

It’s worth noting that, except for ISO 22317, these guidelines are available for free online, at the very least for the duration of the COVID-19 pandemic.

Can we help you?

Do you need advice or guidance in your business continuity program or determining which industry standard might be the best fit for you?  We’ve built the processes and programs for many Fortune 500, complex non-profit, and public sector organizations. Learn more about our approach to Business Continuity in our Ultimate Guide to Business Continuity.

We can help. Read more about our Business Continuity services, or contact us today!


About Bryan Strawser

Bryan Strawser is Founder, Principal, and Chief Executive at Bryghtpath LLC, a strategic advisory firm he founded in 2014. He has more than twenty-five years of experience in the areas of business continuity, disaster recovery, crisis management, enterprise risk, intelligence, and crisis communications.

At Bryghtpath, Bryan leads a team of experts that offer strategic counsel and support to the world’s leading brands, public sector agencies, and nonprofit organizations to strategically navigate uncertainty and disruption.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.