Governance, risk and compliance are all concerns for business leaders. Of the three, compliance is the one that can be validated and demonstrated to outsiders, which is why it gets so much attention. The number of standards and regulations companies have to address has grown steadily over the past 20 years, and the ability to demonstrate compliance with specific standards for business continuity, disaster recovery and cybersecurity has become a competitive advantage.
For example, an increasing number of organizations want to see hard evidence that a potential business partner is compliant with specific standards, such as the ISO 9000 family for quality management (ISO 9001 is the member of that family against which organizations are actually certified). ISO standards are published by the International Organization for Standardization, a nongovernmental body whose members are the national standards bodies of more than 160 countries. ISO itself does not certify anyone; certification is carried out by independent certification bodies auditing against the published standard. Because they are internationally recognized and widely adopted, ISO standards are used in many areas of IT.
More organizations are beginning to require evidence that companies are compliant with standards for business continuity, such as ISO 22301:2019, NFPA 1600 from the National Fire Protection Association or those found in the Business Continuity Planning booklet from the Federal Financial Institutions Examination Council. Compliance with such standards clearly demonstrates that organizations value their partners' ability to stay running when faced with a disruptive event.
The following steps can be used to determine that a cybersecurity strategy or business continuity/disaster recovery (BC/DR) plan is in compliance with today's standards:
- Identify the standards and regulations for which compliance is needed.
- Read and understand the standards and regulations.
- Assess the current state of the organization with regard to the standards and regulations.
- Pinpoint where changes need to be made to achieve compliance.
- Determine the resources and funding needed to make changes needed for compliance.
- Make the changes that have been identified.
- Validate and document that the required level of compliance has been achieved using either internal or external auditors.
Perhaps the most important step is documenting the work that demonstrates the organization meets the compliance standards for business continuity, disaster recovery and cybersecurity. Policies and procedures are the core of this documentation, but auditors also expect records showing the policies are actually followed, such as risk assessments, exercise and test results, and change and incident records, as these provide real evidence that the organization has made the effort to achieve compliance.
Once an organization has achieved and demonstrated its compliance with BC/DR and cybersecurity standards and regulations, compliance must be periodically reviewed and recertified. At a minimum this should be performed annually; for ISO management system certifications, the certification body typically conducts annual surveillance audits with a full recertification audit every three years. Along with ISO 22301:2019, standards for business continuity include ISO 22316:2017 (organizational resilience) and the rest of the ISO 223xx series. Cybersecurity compliance may be determined with the ISO/IEC 27000 series; note that certification is issued against ISO/IEC 27001 specifically, while companion documents such as ISO/IEC 27002 provide implementation guidance and are not themselves certifiable. Evidence of compliance with standards and regulations is often realized as certificates that can be framed and displayed where customers can see them, and a partner's certificate should be checked for its scope, issuing body and expiration date rather than taken at face value.