IRISH COMPANY CERTIFICATION EUROPE AWARD THE REVENUE COMMISSIONERS WITH BUSINESS CONTINUITY CERTIFICATE

Certification Europe audits the Revenue Commissioners Business Continuity Management system resulting in Revenue being awarded BS 25999 certification to become the first organization in Ireland to achieve certified best practice in business continuity management. Client: Certification: Irish Revenue Commissioners BS 25999 Business Continuity Management Standard

Main Benefit: Assurance that up-to-date business continuity management processes in place should an event impact the ability of the Irish Revenue Commissioners to collect taxes and send monies to the exchequer and ensuring the continuity of the processing of public finances at all times. Quote: The certification process gives you much more than a technical document that would be put on a shelf and forgotten. You get a broad management system that includes technology, building maintenance, health and safety, and staff issues that are all part of delivering a level of service needed even after a fire, flood, snowstorm or other event. Vincent Duffy, IT Manager, Revenue Commissioners The Revenue Commissioners was the first organization in Ireland to achieve BS 25999 certification.

Key Note:

What is Business Continuity? When companies think about business continuity, they often focus on technology and unlikely events. For example, they invest in data backup equipment and off-site storage in anticipation of a terrorist attack. In fact, business continuity planning goes beyond technology to include building maintenance, health and safety, staff availability and applies to more common events like snowstorms, flooding or cooling system failures. It also involves planning for events outside of your control and your own environment. The consequences of a business interruption range from loss of revenue, product shipments being delayed, invoices not being received and booked or worse, emergency calls not being responded to and

lives lost. The impact is not merely financial but can lead to irretrievable brand damage, loss of clients and customers that are never recovered or public trust and damage to shareholder value.

Why Business Continuity for Revenue Commissioners? In the case of the Revenue Commissioners, an interruption to normal business would mean taxes not being collected, funds not being delivered to the exchequer and services not being funded. Therefore the Revenue Commissioners decided to attain BS 25999 certification, the business continuity standard that indicates an organization has systems in place to assure required levels of service. Were a government organization and IT is critical to the services we provide. We dont want to be off the air so we looked for a standard to follow and found BS 25999 says Vincent Duffy. Duffy explains that the Revenue Commissioners was already a mature IT organization and could have simply created systems that followed the standard but going the next step to achieve certification was important. Not everyone can prove business continuity measures are in place he says. Certification says that our systems are validated by an independent third party and that the state can be confident we know what were doing. It also drives us to maintain and continuously assess and improve our BCM practices.

Creating Documentation for Certification BS 25999 certification does require work and time. Duffy explains that the first step is updating the existing documentation to be readable, workable, usable and credible. The standard serves as a guide for the requirements of a certified business continuity management system. Documentation includes comprehensive instructions for how to maintain operations during and after an event. Along with technical information, it includes guidance on what Duffy calls the softer skills; things like business priorities, order of services to be restored, escalation criteria and who to call for assistance and information. Creating the proper documentation wasnt as challenging as Duffy and others thought it would be. We reworked procedures for one application and shared it with our auditors Certification Europe says Duffy. They thought it would serve as a good template for other applications and so we asked other technical teams to follow the format. We ended up with a series of short, six to seven page procedures that would help an inexperienced person to get systems back up and running. The harder part was getting the technical IT staff to think about what detail had to be documented. Technical people tend to keep things in their head says Duffy. Weve all been here for a while and know exactly what to do. We dont think about writing it all down. Writing it down is the critical part of the process though. Certified business continuity plans assume that key staff wont be able to help; theyll be impacted by the event (injured, stuck in a storm etc.) or travelling or ill. And Duffy points out that not all people are good in a crisis. Not everyone can cope under pressure, he says.

Once the updated documentation was in place, all staff were trained in business continuity procedures and senior management could identify those best able to deal with specific scenarios. Skills gaps were noted so that additional instruction could be given. The Certification Audit To prepare for the certification audit, the Revenue Commissioners engaged Certification Europe to conduct two preliminary audits. The first was a document review and the second was a two day on-site review of revised documentation and evidence that proved processes were being followed. We went into the preliminary audit with open minds says Duffy. Certification Europe couldnt tell us what to do, but they could offer opinions on what we proposed to do. Wed make suggestions about how procedures could be fixed and theyd let us know if our ideas made sense. Certification audits are done after an organization has had time to adequately train staff and use procedures. During the second preliminary audit, Certification Europe checked revised documentation and looked for evidence that procedures were being followed by looking at minutes of meetings, action logs and business continuity exercises. Duffy reports that the gap analyses were incredibly valuable and essential for a successful audit. You take a critical look at what youve put in place. You go over everything so that there are no surprises during the audit which is an intense two days, says Duffy. The audit process is fair but tough. And it should be tough. Quality has to be enforced. You cant fool the auditor. They walk the floor. They talk to people. Conclusion It would have been easy for the Revenue Commissioners not to pursue business continuity certification. Duffy points out that as the Revenue Commissioners is a monopoly certification doesnt differentiate it from competition. The Revenue Commissioners is very conscious of the personal information it is charged to protect (it also holds certification in Information Security Management: ISO 27001) and wants to assure the state that it is in a strong position to recover and restore service. We could have just followed the standard and produced a lovely document that went on the shelf and was out of date in three months says Duffy. By going through certification and the ongoing re-audits, we have created a management system that keeps our procedures and documentation up to date. Now that weve had audits we can see the management process coming to the front and really working for us. The Revenue Commissioners was the first organization to achieve BS 25999 certification in Ireland. We really want this standard to mature and that requires more adopters and certified organizations he says. When theres a certified community we can learn from one another and continually improve Duffy concluded. Note The International Standards Organization (ISO) is currently reviewing British Standard BS 25999 for use and an ISO standard.