SPECIALISTS IN INFORMATION SECURITY MANAGEMENT SYSTEMS (ISO/IEC 27001)

Societal Security — Business continuity management systems — requirements

Introduction

ISO 22301, with its grand title of “Societal Security”, is the ISO replacement for BS 25999-2:2007 and was published on 15 May 2012. It is of particular interest to us, because, like the revised version of 27001, it also conforms to the new ISO directives for the High Level Structure and Identical Core Text for management system standards. Let’s see how they do it.

Structure

The first point to note (page iii of the standard) is that the overall structure in terms of the new ISO directives is as expected. The second is that in the foreword there is a section on the PDCA model, which is a surprise as its use is deprecated by the new ISO directives. More important, however, is that the operational components of BS 25999 — business impact analysis and risk assessment, business continuity strategy, procedures, exercising and testing — are all in one place. The new version of ISO/IEC 27001 splits them between Planning (Clause 6) and Operation (Clause 8). Who got it right, and does it really matter?

Which version

ISO 22301 was published on 15 May 2012, which is about six weeks after the publication of the new ISO directives. There would probably not have been enough time to incorporate the final Identical Core Text changes into ISO 22301, and therefore ISO 22301 may conform to an earlier version of Draft Guide 83.

The only way to tell is to compare the Identical Core Text with that in Annex SL of the new directives (or previous versions of Guide 83 if you have them). However, when we do that, we find that ISO 22301 is a mixture. For example, the Identical Core Text in Sections 4.3 and 4.4 is the same as that in the new ISO directives, whereas that in Sections 4.1 and 4.2 comes from a previous version (June 2011, actually). We might therefore conclude that it is a hybrid — a pick and mix from different versions of Guide 83. However, the correct way to think of it is that it accords totally with the new ISO directives, but that there are deviations, which in this case are a reversion to earlier Guide 83 text.

PDCA

The standard states that it uses the PDCA model to ensure a degree of consistency with other management system standards, which it will of course do until they have all been revised to accord with the new ISO directives. Nevertheless there is a useful list in Section 0.3 that relates Clauses 4 — 10 to the PDCA model. The diagram is identical to that in BS 25999-2:2007, save for a few cosmetic changes.

Of particular interest, when compared with ISO/IEC 27001, is that it points out that the “content of Clause 6 differs from establishing risk treatment opportunities stemming from risk assessment, as well as business impact analysis (BIA) derived recovery objectives.” This appears to be ISO 22301’s way of drawing a distinction between planning actions (Section 6.1) to address the risks and opportunities (identified by the requirements of Section 4.1) and the meat of business continuity planning that derives from a consideration of the risks of disruption. However, why should the risk of disruption not be one of the issues identified by the requirements of Section 4.1? From a mathematical perspective there are some interesting laws concerning requirements standards. Why not read them and judge for yourself whether ISO 22301 has got it right?

Definitions

The definitions of some business continuity terms differ from the definitions given in BS 25999-2:2007. Sources are quoted for some definitions and are either ISO 22300 or ISO Guide 73. Definitions that come from Annex SL are unquoted (e.g. organisation).

The definition of risk in Annex SL was changed in December 2011 to “effect of uncertainty”. ISO 22301 uses the definition given in the October 2010 version of Guide 83 which is the same as that in ISO Guide 73: “effect of uncertainty on objectives”. Thus the definition of risk in ISO 22301 is another deviation from the revised ISO directives.

It is understood that the phrase “on objectives” was dropped from the definition as a result of lobbying from the environmental standards people (ISO 14000). The definition of the term objective is “result to be achieved”, which therefore implies that a risk only exists if the organisation intended to do something. This conclusion logically follows from the definition of organisation, which is “person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives”, and it is these objectives that are being referred to in the ISO Guide 73 definition of risk. The argument, we believe from the environment people, was that such a definition is not guaranteed to cover collateral damage. An oil company, for example, may well have the stated objective of extracting oil from under the sea, but the risk of pollution — in accordance with the ISO Guide 73 definition of risk — would only exist if the organisation had also stated that another of its objectives was not to pollute the environment or spill oil into the sea. By dropping the phrase “on objectives”, the risk of pollution is no longer dependent on whether non-pollution, etc. is an objective of the organisation or not. It does mean, of course, that if an organisation does not have an information security objective concerning the confidentiality and integrity of personal information then there is no risk. However, in the UK, the organisation is subject to the Data Protection Act, and therefore there is a risk that it could be prosecuted and fined for a breach of that law. In accordance with the Guide 73 definition there is, however, no risk, which is clearly silly, and we feel that the Annex SL definition is correct. It will be interesting to see how other standards committees deal with this.

Note that ISO 31000 does not define the term objective, and it therefore takes on its Oxford English Dictionary definition: “a thing aimed at or sought; a goal”, which is not dissimilar to the Annex SL definition. Consequently, we believe that the problem has not arisen because of the amalgamation of the Guide 83 and ISO Guide 73 vocabularies, but is merely one of the need to cover collateral damage.

Of note, making ISO 31000 objectives-based is something that TC262 (the responsible standards committee) considers to be of paramount importance, and in SC27 it was agreed to retain the Guide 73 definition in ISO/IEC DIS 27001.

Risk assessment

The section on risk assessment (Section 8.2.3) mentions ISO 31000 in a note. The requirements are quite slender (13 lines in total), effectively:

  • Choose a method appropriate to assessing risks of disruptive incidents
  • Identify the risks
  • Systematically analyse them
  • Decide which require treatment
  • Identify treatments commensurate with business continuity objectives and risk appetite.

Deviations

The original idea behind Guide 83 is that management system standards had to conform strictly to the High Level Structure and Identical Core Text given in Guide 83. However, with the publication of the new ISO directives, deviations are allowed provided that they are reported to ISO’s Technical Management Board (TMB) with a “good rationale”. We believe that this facility has been introduced to adjust the Identical Core Text if it prevents a standards committee from expressing the discipline specific requirements in the manner that it needs. Its purpose is not to allow “improvements” to be made, although some National Body experts disagree on this latter point. Let’s see how ISO 22301 deals with deviations.

We have already spotted two: the definition of risk and the reversion to earlier Guide 83 Identical Core Text for some sections in ISO 22301.

Going through the standard, we note:

  1. In Section 5.3 there is an additional requirement (“be reviewed for continuing suitability… ”) which is not BCMS specific.
  2. In Section 6.1 the Annex SL wording “assure… ” and “realise…” has been changed to “ensure…”and “achieve…” respectively.
  3. The bullet points in Section 6.2 in the paragraph starting “To achieve its business continuity objectives… ” are in a different order.
  4. In Section 7.5.3 there are three extra bullet points at the end (“retrieval and use…”, etc.).

All of these could be construed as being cosmetic and therefore invalid deviations. The first and last ones are particularly interesting:

  • both could apply to all management system standards (i.e. neither are BCMS specific)
  • the first two points in 7.5.3 are duplicates of the Identical Core Text.

Discipline-specific text

One of the ideas in Guide 83 was to distinguish Identical Core Text from Discipline-specific text. In the revision of ISO/IEC 27001 we use two colours: blue for Identical Core Text and black for ISMS-specific text. Given the facility for deviations, we actually need three colours: a third, say brown, to identify deviations from the Identical Core Text. ISO 22301 does none of this. The lay reader will be oblivious to the existence of the High Level Structure and Identical Core Text (until, of course, they read another new management system standard or the ISO directives).

If the reader is familiar with BS 25999-2:2007 they may look for terms such as preventive action and wonder where they have gone. There is no explanation for this, but they are actually catered for by the requirements of 6.1.

Discipline-specific text has been added as follows:

Section: Description of Discipline-specific text

Section 4.1: The 2nd and 3rd paragraphs relate exclusively to business continuity (or could be read that way), but do not seem to appear in BS 25999-2:2007. The reference to “risk” perhaps ought to have been qualified as “business continuity risk”, otherwise the requirements could be interpreted as applying to other risks, for example those concerning the running of the management system itself.

Section 4.2.2: This concerns legal and regulatory requirements. BS 25999-2:2007 mentions taking these into account. However, the wording in ISO 22301 does not add anything and is simply verbose.

Section 4.3.2: This concerns the scope of the BCMS. There is no mention of the risk sources that ought to be in scope of the BCMS, and one might be tempted to conclude that ISO 22301 may have confused the scope of the management system with the scope of certification. Again it is a verbose version of what is in BS 25999-2:2007.

Section 5.2: There are two additional paragraphs. Neither appears in BS 25999-2:2007, but they are not inconsistent with it — in other words there do not appear to be any new requirements. However, there is a fair degree of overlap with requirements elsewhere in the standard.

Section 7.3: There is a new item (d), which is a BCMS-specific interpretation of point (b).

Section 7.4: There are an extra 7 bullet points, only the last four of which are BCMS specific. The other three could apply to all management system standards.

Sections 8.2 — 8.5: This is the real BCMS stuff and at first view is fairly close to what is in BS 25999-2:2007.

Section 9.1.1: There is a whole new section here, which could apply to all management system standards.

Section 9.1.2: This appears to be BCMS specific.

Section 9.2: The last two paragraphs are not BCMS specific and are not in BS 25999-2:2007, so these could be construed as being deviations from Annex SL.

Section 9.3: Adds a whole list of items derived from BS 25999-2:2007 concerning what should be considered as inputs and outputs to a management review.

We also note that whereas the new ISO directives require the use of the term documented information, ISO 22301 continues to use the traditional phraseology of a “documented XYZ…”. Nevertheless, it uses the word “record” consistently as a verb, which is correct. There are also many duplicate requirements, which is perhaps not the best way of doing things in a requirements standard.

Conclusions

The new standard clearly accords with the new ISO directives for a High Level Structure and Identical Core Text, albeit with some deviations.

There do not appear to be any requirements that are additional to BS 25999-2:2007.