Evaluating Business Continuity Management Software

Download Fusion's guide "Evaluating Business Continuity Management Software: A Buyer's Guide for Practitioners"


As defined by the Project Management Body of Knowledge (PMBOK) Guide – 6th Edition, a Standard is a “document established by consensus and approved by a recognized body that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at achievement of the optimum degree of order in a given context.” (Credit to Risk & Resilience Hub) There are different types of standards that our customers leverage Fusion for to help their organization adhere to.

Generally speaking, standards are considered voluntary for organizations to comply with – although meeting the requirements of the standards can help customers prove they are in compliance with their regulatory and customer obligations, build trust, and demonstrate that they are doing more than just the bare minimum in managing obligations.

ISO Standards

The International Organization for Standardization (ISO) is a non-governmental organization that forms standards bodies from 160 countries. Members are national standards organizations that collaborate to develop international standards for technology, risk management, business continuity, and many other disciplines. ISO and its members then sell documents detailing these standards. The ISO Standards are designed to be regulation agnostic, and some of them are auditable, giving a sense of assurance that the requirements are being met.

Further Standards

ISO 22301

ISO 22301 supplies a framework to plan, establish, implement, operate, monitor, review, maintain, and continually improve a business continuity management system (BCMS).

The ISO 22301 is regulation agnostic, and the requirements can be applied to all organizations (or parts thereof) regardless of the type, size, and nature of the organization. The application of these requirements is flexible, and execution depends on the organization’s operating environment and complexity.

It is applicable to any organization that wants to implement, maintain, and improve a BCMS; wants documented proof that the organization is in compliance with their stated business continuity policy; is required to continue to deliver products and services at an acceptable threshold during a disruption; and wants to enhance their resilience through the effective application of the BCMS.

This standard is available for free from ISO in read-only format.

The ISO 22313 supplies guidance and recommendations for applying the requirements of the business continuity management system given in ISO 22301. The guidance and recommendations are based on global best practices and can be used in conjunction with maintaining an ISO 22301 certification.

The ISO 22313 applies to organizations that seek to implement, maintain, and improve a BCMS; want to ensure conformity with a stated business continuity policy; need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption; and seek to enhance their resilience through the effective application of the BCMS.

All sizes and types of organizations – including large, medium, and small organizations operating in industrial, commercial, public, and not-for-profit sectors – can leverage the 22313 methodology. The approach adopted depends on the organization’s operating environment and complexity.

The ISO 22316 helps define the nature and the scope of resilience to help an organization deal with the changing nature of the world around them. As an international standard, the ISO 22316 provides a better understanding of the concepts of organizational resilience, its principles, and the mechanisms that support resilience. The standard can apply to any organization regardless of the size and type (public or private) and does not specify the industry or sector.

The ISO 22318 provides guidance for security and resilience, business continuity management systems, and supply chain continuity management.

Supply chain continuity management (SCCM) specifically considers the issues faced by an organization which relies on the continuity of supply of resources as well as the ability to continue delivery of its products and services. The goal of SCCM is to protect the organization’s business activities from supply chain disruption.

The ISO 27000-series standards are designed to aid companies in managing cyber-attack risks and internal data security threats.

ISO 27001 is the most popular because it is currently the only standard that can provide a company with an audited certification.

The ISO 27701 is a privacy add-on to the ISO 27001 security standard.

Added standards in this series include the ISO 27005 which provides guidance on conducting risk assessments for your information security.

ISO 27032 provides general guidance on the best practices to enforce cybersecurity measures.

The COBIT (Control Objectives for Information and Related Technologies) framework was created by ISACA for information technology (IT) management and governance.

The framework is business focused and defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process activities, process objectives, and performance measures along with an elementary maturity model.

The Payment Card Industry (PCI) Data Security Standard includes 12 requirements, including multiple sub-requirements, that contain numerous directives against which businesses may measure their own payment card security policies, procedures, and guidelines. The PCI Document Library includes resources to help organizations who process credit card payments ensure security through every step of the process.

The SOC 2 is a standard for service organizations, developed by the American Institute of CPAs (AICPA), that specifies how organizations should manage customer data. Adherence to the standard is voluntary and is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

A SOC 2 report is a control report that is tailored to the unique needs of each organization. The advantage to the standard is that it is flexible, and each organization can design controls that follow one or more principles of trust. These internal reports provide organizations and their regulators, business partners, and suppliers with important information about how the organization manages its data.

There are two types of SOC 2 reports:

  • Type I describes the organization’s systems and whether the system design follows the relevant trust principles.
  • Type II details the operational efficiency of these systems.

The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce. This agency published a voluntary NIST Cybersecurity Framework that provides guidelines to mitigate enterprise cybersecurity risks. The framework “provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes” as well as guidance on the protection of data privacy and civil liberties in the context of cybersecurity.

The Basel Committee on Banking Supervision is an international committee that encourages cooperation between banks across multiple nations. It was founded in 1974 because of the global currency and banking crisis. The Basel Committee’s goals are to improve the quality of banking supervision worldwide and to serve as a forum for cooperation between member countries on banking supervision.

The Committee includes 16 member countries: Australia, Argentina, Belgium, Canada, Brazil, China, France, Hong Kong, Italy, Germany, Indonesia, India, Korea, the United States, the United Kingdom, Luxembourg, Japan, Mexico, Russia, Saudi Arabia, Switzerland, Sweden, the Netherlands, Singapore, South Africa, Turkey, and Spain.

The Basel Committee outlined principles that aim to strengthen banks’ ability to withstand operational risk-related events that could cause significant operational failures or wide-scale disruptions in financial markets, such as pandemics, cyber incidents, technology failures, or natural disasters. This principle-based approach builds on the Committee’s principles for the sound management of operational risk.

The requirements include the following principles: governance, operational risk management, business continuity planning and testing, mapping interconnections and dependencies, third-party dependency management, incident management, information and communications technology (ICT) risk management, and cybersecurity.

Each participating member country pledges to enact these principles, but it is through the individual country’s legislative process.