The Disaster Recovery Journal (DRJ) issue for Winter 2013 has an advertisement in it from MIR3. MIR3 bills itself as "intelligent notification." Having never used or even evaluated the product, I have no idea if it's good or not.
The advertisement caught my eye because it asked, in about 48-point type:

> Confused by standards

with the sub-head that read:

> We can cut through the confusion.
Since I have some strong opinions about "standards," I read on.
At the bottom of the full-page advertisement, MIR3 invited me to download The Concise Guide to Business Continuity Standards: www.mir3.com/bc-standards
(The page I read was hard copy, i.e., paper; the page also is accessible on DRJ's Web site via Journal > Digital Edition. The advertisement is on Page 23.)
I followed the link to the MIR3 PDF document and downloaded the file.
The MIR3 effort, put together by Ann Pickren, Vice President, Solutions, addressed 3 and a half "standards":
- National Fire Protection Association's NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs; this document, due to its non-US variations is an "international" standard
- American National Standard for Security's ASIS SPC-1: Organizational Resilience: Security, Preparedness, and Continuity Management Systems-Requirements with Guidance for Use
- British Standard BS 25999: Business continuity
- International Standards Organisation's ISO 22301: Societal security -- Business continuity management systems -- Requirements
The first three standards are approved for use with the US Homeland Security Department's Public Law 110.53, Private Sector Preparedness, a/k/a PS-Prep. The last "standard" is, I am given to believe, the ISO version of BS 25999 and is slated to be added to, or to replace, BS 25999 as a PS-Prep acceptable "standard."
According to the MIR3 article,
- The ASIS document is a free PDF download from http://www.asisonline.org/guidelines/ASIS_SPC.1-2009_Item_No._1842.pdf
- The NFPA document is a free PDF download from http://www.nfpa.org/assets/files/pdf/nfpa1600.pdf
- England's contribution, BS 25999-2, is a US$20 PDF download. BSI's BS 25999-1 was withdrawn. The British standard may be bought at http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030211018 The reason this PDF is so cheap is that, like BS 25999-1, the title has been withdrawn: BS 25999-2 has been superseded by ISO 22301.
- Finally, the ISO version of BS 25999, ISO 22301, is available in PDF format for CHF 166.00 from the ISO store at http://www.iso.org/iso/catalogue_detail?csnumber=50038
The MIR3 article includes a table attempting to list each "standard's" contents vis-a-vis business continuity requirements.
Unfortunately, the table is less than accurate.
For example, the table shows BS 25999 aligning with US NIMS and ICS; it is NFPA 1600 that aligns with NIMS/ICS (as the article's own text states).
I won't categorically state that BS 25999 and, by extension, ISO 22301 lack any mention of avoidance and mitigation, but I do know the draft BS 25999 lacked this topic. I found that strange then, especially when BS 25999 was supposed to have been the result of work by business continuity professionals, as opposed to IT DR professionals.
One reason I am less than enthusiastic about BS 25999/ISO 22301 is that they are documents one must purchase.
Mind, the people who provided input to BS 25999/ISO 22301 received zero compensation.
If someone wants their "product" to be a voluntarily-adhered-to standard, it MUST be free, gratis, no charge, he'nam.
All-in-all, save for the "chart (that) shows a graphical overview of the standards," the MIR3 article is worth the time to download and read.
There are no surprises, and it is geared to people who need PS-Prep certification. For what it is worth, I think the idea of PS-Prep is worthwhile since, in theory, it can give vendor managers a "warm, fuzzy" feeling that the vendor has a viable plan. (As for this practitioner, I will continue to insist on seeing some hard evidence of a vendor risk management, or at least business continuity, plan; in the end, the buck stops with me if the vendor fails to meet its contract requirements.)