https://www.techtarget.com/searchdisasterrecovery/tip/ISO-and-FFIEC-business-continuity-standards-compared
If you're a business continuity professional, there are two standards at the top of your list when building and updating a BC plan: The International Organization for Standardization's ISO 22301:2019 Security and resilience -- Business continuity management systems -- Requirements and the Federal Financial Institutions Examination Council's Business Continuity Management handbook.
At a fundamental level, both documents provide a detailed outline of the components of a business continuity management system (BCMS) or plan. The ISO standard is the higher-level of the two because it specifies requirements for a BCMS; the Federal Financial Institutions Examination Council (FFIEC) handbook provides more actionable detail for preparing BC plans. The ISO standard addresses all kinds of businesses, while the FFIEC handbook is written for banks and other financial institutions, though it can also be used effectively in non-financial settings.
Both standards have companion documents that provide additional value to BC professionals. ISO 22313:2020 Security and resilience -- Business continuity management systems -- Guidance on the use of ISO 22301 expands on the requirements stated in ISO 22301:2019 (the earlier 2012 edition carried the "Societal security" title). The FFIEC also publishes a work program that helps institutions prepare for the business continuity examinations conducted by the FFIEC's member agencies. Both companion documents provide valuable detail and guidance for preparing BC plans and performing related activities such as risk assessments, business impact analyses and tabletop exercises.
From an audit perspective, both business continuity standards can serve as audit controls and can be formatted into audit worksheets. In addition, the FFIEC work program is structured so that each requirement is accompanied by a series of questions that organizations can use both as audit controls and for performing gap analyses. This dual use, as a planning reference and as a ready-made audit checklist, is one of the most important benefits of both standards and their companion documents.
Because the FFIEC handbook is written for banks and other financial institutions while the ISO standard can be used in almost any vertical market, the choice of primary reference depends on the organization. Financial organizations, which are examined against the FFIEC handbook, should focus on it and use the ISO standard as a supplementary reference. Non-financial organizations can effectively use either standard for planning, review and auditing, and the FFIEC work program remains a useful gap assessment tool for them as well.
The two business continuity standards are structured differently but still address the same fundamental issues. The FFIEC document includes financial industry-specific situations, such as payment systems, liquidity considerations and preparing for national and regional financial industry exercises. The FFIEC also discusses recovery of data centers, which is an important consideration for financial organizations.
Each standard and its companion documents provide useful information for preparing BC plans and for organizing a BCMS. Best practices for effectively using either standard include the following:
Both ISO 22301:2019 and the FFIEC BC handbook provide detailed information on business continuity management and its associated requirements. Their companion documents provide guidance and supporting knowledge for applying the standards and their frameworks. If possible, the best strategy is to have both sets available so that you cover all the bases.
You can find more information on ISO standards on the organization's website or from the American National Standards Institute. The FFIEC handbook is free to download from the FFIEC's website.
24 Aug 2020