Tuesday, July 17, 2012

ERM-BCP-COOP:

The trouble with standards


The Disaster Recovery Journal Summer issue's lead article, "ISO 22301: The New Standard," tells practitioners about the latest and greatest "standard" for business continuity.

The article, written by John A. DiMaria (CSSBB, HISP, MHISP, AMBCI), a British Standards Institution (BSI) Group America product manager, tells us that the new ISO document replaces the BSI's BS 25999-series "standards" and requires recompliance with the new "standard."

As an afterthought, the author notes that the (few) organizations involved with PS-PREP must wait until the new "standard" is accepted by the U.S. Department of Homeland Security (DHS) before it is acceptable for PS-PREP compliance. Meanwhile, both the ANSI- and NFPA-approved standards remain in force for PS-PREP.

So what is the problem - more accurately, what ARE the problems - with "standards," especially those emanating from the UK?

Expectations of standards organizations

Standards organizations, in particular BSI and ISO, typically consider their efforts to be The Final Word on any given topic and that all practitioners of that topic must comply with the standard as written.

Some standards organizations promote their efforts outside the relevant profession or trade to pressure practitioners into doing their work to a particular standard. Not knowing what the practitioner actually does will not stop some proposal writer from requiring "expertise with <pick a standard>."

Mentality

I have followed international lists and forums for a number of years. Over those years I have come to the conclusion that U.S. and UK thinking often are at odds.

U.S. practitioners, at least the ones I know and respect, emphasize threat management - implementing avoidance or mitigation measures. Some UK practitioners - albeit certainly not all UK practitioners - almost completely ignore threat avoidance and mitigation. Threat management was absent from the first iteration of British Standard 25999; it eventually did creep into the British Standard before the final release.

To be fair, we have some folks in the U.S. who have their heads as firmly in the sand as the British Airways practitioner who told me that the Gate Gourmet fiasco and the associated LHR baggage handler strikes could not have been avoided.

Rigidity - real or imagined

Some practitioners, and some clients, will buy the "standard" and rigidly try to adhere to every word. Standards must be "interpreted" in light of each specific instance. Parts may apply in some cases; parts may not apply in others, and parts may apply "with modification" to still others.

An experienced practitioner knows when to apply what. The problem for the experienced practitioner may be diplomatically convincing the client that a particular section of the standard needs to be adjusted or ignored.

Constant change, to what purpose?

I sometimes think, and at other times I am convinced, that some "standards" organizations really are in the publishing business.

Most standards sell for prices in the hundreds of dollars. ISO 22301 sells for £100 at the BSI Group Web site. £100 equals about US$155, €127, and ₪622.

Cost

In addition to the costs listed above, there also can be training costs. An organization called CIMA offered an ISO 22301 course with a US$100 discount for early sign-up. The actual price of the course never was listed, but the course did require an "ISO 22301 Introduction Course plus practice experience as a prerequisite." The PECB organization offers a similar course, again sans any pricing information. While the post-course exam fees are included in the cost of the course, PECB also sells the exams - three levels - separately. Again, no pricing available.

Check-the-box for tyros

Based on queries I see on sundry "professional" forums and groups, I am confident that many "certified" practitioners know little or nothing about the process they pretend to perform.

These are the same people who will use a "standard" as a check list - the standard requires this, so this will be done; perhaps not to the minimum level of expertise expected by the client, or perhaps even when a particular paragraph of the standard is totally inappropriate for the client.

Who will buy ISO 22301?

Consultancy shops, especially those with deep-pocketed clients, will jump on the latest and greatest "standard" to sell updates or "improvements" to clients who recently bought plans aligned with the then-latest-and-greatest standard.

Can anything good be said for standards?

There IS much to be said for standardization as a GUIDELINE, a check list of things to consider for inclusion within a plan or program.

Standards never should be used as a "crutch" by a novice, and the check list must not become a "check the box" exercise. A better term for what I think practitioners should consult is a "GUIDE": it asks "Does/Did the plan/program consider:" and then lists, in a logical order, a generic set of items or perhaps columns (pick one from Column A and two from Column B and ...).

The bottom line for this practitioner is not to be forced to shoehorn square pegs into round holes.

Standards are OK as a starting point, but to blindly follow one as a "hard and fast" rule is, at least in risk management, foolish for the practitioner and dangerous for the client.

For the record "Client" may be an external client for a consultant or an internal client for a "captive" or staff practitioner.
