An Interview with John DiMaria, BSI Management Systems, on BCMS
DRG: What do you see as the growth potential of BCMS in manufacturing?

John: Customers just want their products to be made in spec and at the level of quality they have come to expect. Most importantly, they expect it to be available when they want to buy it. And, if that particular product can’t be found, they are just as easily satisfied with a similar product from someone else. Many manufacturing processes are high-tech and run with software. The overall premise behind manufacturing is simple enough – create a quality product and keep it consistently available for the customer to purchase. Behind the scenes is where things get a little more complex, and where the potential for disruptions and problems develops. In today’s world, the marketplace is very competitive. It’s the job of business continuity professionals in the manufacturing industry to make sure that no matter what happens, stock is always available with exactly what the customer wants to buy.
DRG: How does BCMS fit into a Security Management System?

John: It integrates very well with security and quality, especially when you’re talking in terms of standards like BS 25999. Appendix A of BS 25999 actually has a crosswalk table that shows the integration between BS 25999, 27k, 9k and 14k. A.14 of 27001 outlines the requirements for BC for ISO 27001. BS 25999 handshakes directly with this control.
DRG: How do companies justify the cost?

John: Companies stay in business for one reason – they have learned to turn back the storms that the world of business throws at them daily. If business were easy and without issues, we would all be rich. The reality is this... the integrity and availability of an organization’s resources depend heavily on the organization being able to keep the business functional under all possible scenarios. This requires an investment. Continuity planning goes well beyond the idea of simply doing a weekly backup. BCMS is an in-depth, involved process that allows a company to prepare for the unexpected. A good BCMS involves understanding what it is you are trying to protect (inventory), how it can be affected (disaster scenarios), how likely it is to happen (risk assessment) and how to recover from it (recovery). Events such as fires, floods, acts of terrorism, equipment failure, illness and striking workers are all examples of disaster scenarios that may need to be addressed in an organization. In addition, it ensures the system is managed properly and continually improved.
DRG: What is going to be the prevalent BCP standard?

John: There are many solutions out there. However, few can really be recognized as "standards." BS 25999 fits that bill. Example: standards may be expressed in terms of language: something becomes recognizable and real when both the sender and the receiver know what they are talking about, that is, when they are using the same parameters or standard. This very simple example clearly shows that standards make life easier for both consumers and manufacturers while - also very important - they do not constrain market development.
DRG: How are registrars going to register BCP?

John: The process is already in place and, for BS 25999, it is an accredited process, which means registrars will have to follow UKAS and internationally specified rules of engagement such as ISO 17021, Requirements for bodies providing audit and certification of management systems.
DRG: How are BCP risk audits conducted? (audits or analysis)

John: The certification audit is carried out by assessing the organization against all the elements of the standard to ensure the system is not only in place and meets the requirements, but that there is evidence it is effective as well.
DRG: How can all industry professionals get involved with BCMS?

John: They have to have process ownership. By default, when implementing the BCMS (just as when you implement a quality process), you must identify the stakeholders. BCP only works when we give the manager, or person who has the accountability for the process, accountability for the plan as well.
DRG: There seems to be a perception that NFPA 1600 and BS 25999 are competitive standards. What is your experience?

John: I don’t see it that way. Organizations have to make up their own minds on what is best for them. Several factors enter into this: contractual requirements, mandates and the organization’s own analysis of what fits their structure the best. As professionals we should be educating industry on the importance of having a BCMS in the first place. Many surveys have already identified that 50% or more of organizations, not only in the US but in the EU also, are not prepared, and many of those who have plans are not updating them on a regular basis. We need to get people off the chair and start planning. As Benjamin Franklin said, "We must all hang together, or assuredly we shall all hang separately".

John A. DiMaria, Certified Six Sigma BB, HISP

John DiMaria is the BSI (British Standards Institution) Americas technical specialist and Product Manager of Business Continuity, specializing in BCMS, ISMS and ITSM standards. John is a Certified HISP (Holistic Information Security Practitioner) and Six Sigma Black Belt and donates his expertise as a Board Member of the HISP Institution. He has 25 years in the industry specializing in Quality, Information Security, Management System Analysis and Improvement, Regulatory Analysis and Compliance, Risk Assessment and Management, Failure Mode Investigation and Six Sigma strategies on both a national and international level. John serves on committees that influence legislation and drive international harmonization such as the CSIA (Cyber Security Industry Alliance) and the BITS Shared Assessment Program. He has been featured in many publications such as Computer World, Quality Magazine, QSU, SC Magazine, ABA and Campus Technology concerning various topics regarding information security and business continuity.
Most recently, he was the feature profile in GSN Magazine as “business continuity’s new standard”. John can be reached at John.DiMaria@bsigroup.com. BSI America can be accessed on the web at http://www.bsiamerica.com.