Monday, February 4, 2013

ERM-BC-COOP:

Standards with holes


The Disaster Recovery Journal (DRJ) issue for Winter 2013 has an advertisement in it from MIR3. MIR3 bills itself as "intelligent notification." Having never used or even evaluated the product, I have no idea if it's good or not.

The advertisement caught my eye because it asked, in about 48 point type:

Confused by standards?

with the sub-head that read: We can cut through the confusion.

Since I have some strong opinions about "standards," I read on.

At the bottom of the full page advertisement MIR3 invited me to download The Concise Guide to Business Continuity Standards: www.mir3.com/bc-standards

(The page I read was hard copy, i.e., paper; the page also is accessible on DRJ's Web site via Journal > Digital Edition. The advertisement is on page 23.)

I followed the link to the MIR3 PDF document and downloaded the file.

The MIR3 effort, put together by Ann Pickren, Vice President, Solutions, addressed three and a half "standards":

  • National Fire Protection Association's NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs; because it has non-US variations, this document is an "international" standard

  • American National Standard for Security's ASIS SPC-1: Organizational Resilience: Security, Preparedness, and Continuity Management Systems - Requirements with Guidance for Use

  • British Standard BS 25999: Business continuity

  • International Organization for Standardization's ISO 22301: Societal security -- Business continuity management systems -- Requirements

The first three standards are approved for use with the US Department of Homeland Security's Public Law 110-53 program, Private Sector Preparedness, a/k/a PS-Prep. The last "standard" is, I am given to believe, the ISO version of BS 25999 and is slated to be added to, or to replace BS 25999 as, a PS-Prep acceptable "standard."

According to the MIR3 article,

The MIR3 article includes a table attempting to list each "standard's" contents vis-a-vis Business Continuity requirements.

Unfortunately, the table is less than accurate.

For example, the table shows BS 25999 aligning with the US NIMS and ICS; it is NFPA 1600 that aligns with NIMS/ICS (as the article's own text states).

I won't categorically state that BS 25999 and, by extension, ISO 22301 lack any mention of avoidance and mitigation, but I do know the draft BS 25999 lacked this topic. I found that strange then, especially when BS 25999 was supposed to have been the result of work by business continuity - vs. IT DR - professionals.

One reason I am less than enthusiastic about BS 25999/ISO 22301 is that they are documents you must purchase.

Mind, the people who provided input to BS 25999/ISO 22301 received zero compensation.

If someone wants their "product" to be a voluntarily-adhered-to standard, it MUST be free, gratis, no charge, he'nam.

All-in-all, save for the "chart (that) shows a graphical overview of the standards," the MIR3 article is worth the time to download and read.

There are no surprises, and it is geared to people who need PS-Prep certification. For what it is worth, I think the idea of PS-Prep is worthwhile since, in theory, it can give vendor managers a "warm, fuzzy" feeling that the vendor has a viable plan. (As for this practitioner, I will continue to insist on seeing some hard evidence of a vendor risk management, or at least business continuity, plan; in the end, the buck stops with me if the vendor fails to meet its contract requirements.)
