Monday, May 7, 2012

The world has become a less safe place: according to the Aon 2012 Terrorism & Political Violence Map

Aon Risk Solutions is urging companies to ensure threats to business continuity are considered as 37 countries are downgraded in its recently published Aon 2012 Terrorism & Political Violence Map.

The continued effects of the global economic crisis were very much in evidence in 2011. As austerity measures and spending cuts took hold, civil unrest, riots, strikes and student protests were witnessed across large parts of Europe. This led to 43 percent of the downgrades in Aon's 2012 map. The UK, France, Germany, Italy, Portugal and Spain were all downgraded from low risk to medium risk. Dramatic political change in the Arab world continued to cause aftershocks in that region and beyond. Authoritarian governments in Africa and Asia took measures to protect themselves from similar challenges as civil unrest, property damage and localised protests continued in the Middle East and North Africa.

Meanwhile, terrorism remains relevant to the security of businesses, with 46 percent of all countries assessed being identified as at risk of a terrorist incident. The death of Osama bin Laden last year signified the decline of a truly globalized radical Islamist terrorism capability, but regionally active groups continue to be inspired by al-Qaida's ideology. While South Asia and the Middle East remain as focal points for Islamist terrorist groups, Africa has shown the most dramatic shift in terrorism threat in the last year. The ratings of six African countries have been downgraded with Senegal receiving a double downgrade from low to high risk.

Access to Aon's 2012 Terrorism & Political Violence Map can be requested viahttp://www.aon.com/terrorismmap

Overview of ISO 22301

According to various sources, the leading business continuity standard BS 25999-2 will be replaced by an international standard ISO 22301 by the end of 2011. (Update: new scheduled date is June or July 2012) This kind of transition is normal – the same thing happens with most management standards, for instance with ISO 27001 when in 2005 it succeeded BS 7799-2. So what are the main changes that ISO 22301 will bring when compared to BS 25999-2?
One important note here – since ISO 22301 hasn’t been published yet, the final version of the standard still doesn’t exist, so some of the things I’ve written here may not exist in the final version. I am using a draft version published in February 2011 on the BSi Draft Review website.

ISO 22301 will have this title: ISO 22301, societal security – Business continuity management systems – Requirements. Although “Societal security” may sound a little strange in relation to business continuity, here is how ISO defines it: “… standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, amongst all interested parties.”

At first sight, it is obvious that the structure of ISO 22301 is very different from BS 25999-2, although all the basic elements of BS 25999-2 still do exist in ISO 22301.
Let’s take a deeper look.


The biggest similarity is that all core business continuity elements in BS 25999-2 will be present in ISO 22301 too: business continuity policy, business impact analysis, risk assessment, business continuity strategy (in ISO 22301 it will be called “business continuity options”), business continuity plans, exercising and testing etc.
Business impact analysis will probably be broken down in several clauses, demanding more precision. The requirements for business continuity plans, including response procedures and recovery plans, are much more detailed too – e.g. the communication part.

The management part of BS 25999-2 will also be transferred to the new standard – document control, internal audit, management review, corrective and preventive actions, human resources management etc. (by the way, these elements exist in all other management standards – ISO 9001, ISO 14001, ISO 27001…).
However the documentation will be called “documented information”, and preventive actions will be called “actions to address issues and concerns”.

… and differences

Plan-Do-Check-Act (PDCA) model is even less clearly stated in ISO 22301 compared to BS 25999-2, although BS 25999-2 is not as clear in that respect as ISO 27001. However, in my view that won’t affect the clarity of the process through which the standard should be implemented since the main sections of the standard are organized in a rather logical way.
ISO 22301 will obviously put much greater emphasis on setting the objectives, monitoring performance and metrics – therefore bringing business continuity much closer to top management way of thinking.

Following that line, ISO 22301 puts clearer expectations on management and summarizes them in a single section.
ISO 22301 will resolve one of the shortcomings of BS 25999-2, and will require much more careful planning for and preparing the resources needed for ensuring business continuity – those requirements are now extended and more clearly structured.
Finally, what will be different about ISO 22301, being an international standard, is that certification bodies will push certification against this standard much harder, so it will gain its popularity much faster.

As a conclusion, all the basic elements of BS 25999-2 will probably be present in ISO 22301 too, only ISO 22301 will be more precise and more demanding. Organizations that have already implemented BS 25999-2, and want to “upgrade” to ISO 22301, will have to pay more attention to detail and will have to invest more time into preparing and maintaining their system. On the other hand, ISO 22301 will certainly help them raise their level of resilience and their level of credibility – the same thing that ISO 27001 did 6 years ago when it replaced BS 7799-2.