
The New Corporate ISO 22301 BC Standard:
What It Takes To Comply
Robert C. Chandler, Ph.D.
Director, Nicholson School of Communication

About Everbridge

The Global Leader in incident notification systems

Fast-growing global company with more than 1,500 clients in more than 100 countries

Serve the Global 2000, healthcare systems, state and local government, federal government, military, financial services firms, and universities

100% focused on incident notification solutions that merge technology and expertise

Agenda
Part 1: Presentation
The standards on which ISO 22301 is based
What this means for your current business continuity
communication plan
How to improve your plan to withstand audit and
review
Part 2: Q&A

The New Corporate ISO 22301 BC Standard:
What It Takes To Comply
Dr. Robert Chandler
University of Central Florida

Do ISO standards really matter?


Over a million organizations worldwide are independently certified, making ISO 9001 one of the most widely used management tools in the world today.
In addition to several stakeholder benefits, a number of studies have identified significant financial benefits for organizations certified to ISO.
Studies also indicate that certified organizations achieved superior return on assets compared to otherwise similar organizations without certification.

BS 25999-2 was the beginning


In November 2006, the first draft of BS 25999 was published by the British Standards Institution, finally providing a necessary structure to processes, principles and terminology for business continuity.
The second draft was published in November 2007.
Targeted stakeholder assurance of BC plans in place.
Will be withdrawn when ISO 22301 is finalized.

The standard evolves with ISO 22301


Greater emphasis on setting the objectives, monitoring performance and metrics.
Clearer expectations on management.
Requires more careful planning for and preparing the
resources needed for ensuring business continuity.
An international standard appeals to top management
of any organization.

The main differences between BS25999-2 and ISO 22301?

Communication:
The requirements for business continuity plans, including response procedures and recovery plans, are much more detailed too - e.g. the communication part

Monitoring performance:
Requirement for BCM/BCMS metrics, e.g. BIA update frequency, number of plans, number of exercises completed, etc.

Operational planning and control:
Emphasis on operational planning and setting controls for the BCMS

The shift from BCMS to PCMS


BCMS (Business Continuity Management System)
vs PCMS (Preparedness and Continuity
Management System)
An emphasis on preparedness is now integrated
in terminology.
Preparedness includes:

Creating policies and actions.


Controlling and measuring an organization's risks.
Monitoring and reviewing progress.
Implementing continual improvement based on measurement

ISO 22301 anticipated timeline


The standard, entitled "Societal security - Business continuity management systems - Requirements", is currently at the Final Draft International Standard (FDIS) stage.
The draft now needs a two-thirds majority in a yes-or-no vote (with less than one-third of the total vote being negative) by the TC233 committee for the standard to be published.
The earliest that the standard will be published is the end of 2011, but 2012 may be more likely.

Let's highlight a few of the communication aspects of ISO 22301

Section 8.5.3
The organization shall establish, implement and maintain procedures for:
c) internal communication between the various levels and functions within the organization;
d) external communications with partner organizations and other stakeholders;

Everbridge Aware
Single-step to send to all of your internal contacts and external partners and constituents

Let's highlight a few of the communication aspects of ISO 22301

Section 8.5.3
The organization shall establish, implement and maintain procedures for:
e) receiving, documenting and responding to communication from other stakeholders;
h) assuring availability of means of communication during a disruptive incident;

Everbridge Aware
Receive 2-way, real-time feedback on notifications. Bullet proof infrastructure with 99.99% availability.

Let's highlight a few of the communication aspects of ISO 22301

Section 8.5.3 cont'd
The organization shall establish, implement and maintain procedures for:
i) facilitating structured communication with emergency responders;
j) assuring the interoperability of multiple responding organizations and personnel;
k) recording of vital information about the incident, actions taken and decisions made; and

Everbridge Aware
Pre-planned structured messages
Communicate across all device types
Robust real-time reporting and results

Let's highlight a few of the communication aspects of ISO 22301

Section 8.5.3 cont'd
The organization shall establish, implement and maintain procedures for:
l) operations of a communications facility.

The communication and warning system shall be regularly exercised

Everbridge Aware
ENS system is core component of every communication facility. Easy and cost-effective to test regularly.

Let's highlight a few of the communication aspects of ISO 22301

Section 8.5.4
The organization shall nominate incident response personnel with the necessary responsibility, authority and competence to manage an incident.
The organization shall establish an incident response structure that provides for personnel to:
b) trigger an appropriate response;
c) have processes and procedures for the activation, operation, coordination and communication of the incident response;

Everbridge Aware
Facilitates the response process.
Easy to incorporate your communication processes into the system

Let's highlight a few of the communication aspects of ISO 22301

Section 8.5.4
The organization shall nominate incident response personnel with the necessary responsibility, authority and competence to manage an incident.
The organization shall establish an incident response structure that provides for personnel to:
d) have resources available to support the processes and procedures to manage an incident; and
e) communicate with stakeholders.

Everbridge Aware
Provides the central infrastructure to communicate with stakeholders

Here are communication tips to enhance your compliance with requirements

Communication priorities to improve your plan and enhance compliance
1. Optimal timing
2. Message content
3. Maintain control
4. Transparency
5. Optimal delivery channels

Reaction time
Factors that affect reaction time include:

Recognition

Choice

Number of stimuli

Fatigue

Reasoning

Remembering

Imagining

Learning


Situation awareness
Situation awareness is knowing what is going on so you can figure out what to do*
To function in a crisis, people need to have answers to:
What is happening?
Why is it happening?
What will happen next?
What can I do about it?

*Wikipedia

Is your communication plan fortified?


Effective crisis communication includes just the right amount of information, but
What constitutes the right amount of information?
How much information is enough?
How much is too much?

Pitfalls to avoid in your messaging audit


1. Underloading or overloading messages
✓ Balance ideas, information, and words in the context of a crisis.

Pitfalls to avoid in your messaging audit


2. Not testing messages
✓ Test content, tone, and comprehension with focus groups.

Pitfalls to avoid in your messaging audit


3. Sending mixed messages
✓ Create messages that are accurate, consistent, and reinforce each other.

Pitfalls to avoid in your messaging audit


4. Poorly-timed messages
✓ Avoid too-early or too-late messages. Plan ahead and act quickly to communicate during the short window when people are most receptive.

Pitfalls to avoid in your messaging audit


5. Wrong delivery channels
✓ Account for changes to common communication channels due to quarantine, illness, and other pandemic effects.

Pitfalls to avoid in your messaging audit


6. Mismatched messages
✓ Create and send authoritative, accurate, forthright messages. Do not downplay risks or threats. Correct misinformation swiftly.

Pitfalls to avoid in your messaging audit


7. Failure to understand your audience
✓ Understand and adapt messaging to your audience's comprehension levels and motivations. Avoid jargon and sophisticated concepts.

Pitfalls to avoid in your messaging audit


8. Lack of transparency
✓ Provide factual, accurate information. Remember that people have a right to know the risks and consequences.

Discussion continues

Twitter:
@ISO22301

LinkedIn:
http://www.linkedin.com/groups/ISO22301-3931836

Download the draft:
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50038

It's your choice!

Your organization can choose how important it is to certify.
Weigh the impact or advantages/disadvantages of certification on your organization.
More research is recommended to understand the full implications of ISO 22301 in your situation.

Incident Notification
Marc Ladin
Chief Marketing Officer, Everbridge


Incident notification solutions address common communication challenges

Communicate quickly, easily, and efficiently with large numbers of people in minutes, not hours, making sure that the lines of communication are open

Receive feedback from your messages by using polling capabilities

Reduce miscommunication and control rumors with accurate, consistent messages

Satisfy regulatory requirements with extensive and complete reporting of communication attempts and two-way acknowledgements from recipients

Ensure two-way communication to get feedback from message receivers

Deliver refined, prepared, timed messages to each pre-designated audience group, by scenario

Key evaluation criteria for an incident notification system

Experience and expertise

Ease of use

Ability to reach all contact paths, including voice, email, native SMS (over SMPP and SMTP), IM, and more

Ease of integration

Communication resources

Contact information
Robert C. Chandler, Ph.D.
rcchandl@mail.ucf.edu
1.407.823.2683

Marc Ladin
marc.ladin@everbridge.com
1.818.230.9700

Upcoming webinars:
Business Case Demo (August 25)
www.everbridge.com/webinars
White papers, literature, case studies
www.everbridge.com/resources

Follow us:
blog.everbridge.com
twitter.com/everbridge
facebook.com/everbridgeinc
youtube.com/user/everbridge

Reminder
Everbridge Insights webinars
qualify for Continuing Education
Activity Points (CEAPs) for DRII
certifications. Visit www.drii.org
to register your credit.
Item Number (Schedule II): 26.3
Activity Group: A
1 Point for each webinar
