Successful strategies for certification
It seems that a commonly asked question within the business continuity community is whether certification to BS 25999 is really that beneficial, particularly for SMEs. In fact, I wondered this same question a couple of years ago. Since then, I have gone through the certification process and have seen the direct results of certification. Over the next few blog posts I will try to provide some thoughts on whether it is indeed a suitable expense or a meaningless expenditure.
The key is to understand that BS 25999 certification is not for everyone. An organisation needs to ask itself some very simple questions before embarking on a programme that, if not thought about correctly, will provide little or no benefit to the organisation over that of simply aligning to the requirements of the standard. These are the sort of questions an organisation needs to ask itself:
- What will BS 25999 certification achieve?
- Would alignment to the principles of the standard achieve the same results?
- Are the principals of the standard suitable for your organisation?
- Certification is an ongoing programme, so can sufficient resources be invested now and in the future?
I found that being certified to BS 25999 does provide some benefits that are not seen through simply aligning to the standard. It was invaluable for marketing purposes – not only did certification offer proof to clients and prospective clients of a high standard of resilience, but it also demonstrated that the organisation was willing to go that extra mile for the client. My experience also taught me that certification does not need to be expensive as is often thought. State of the art solutions are not required for certification, it is about using what the organisation has available, identifying weaknesses and improving upon them. On top of this, certification resulted in lower insurance costs for the organisation. When considering these points, certification can result in a very cost-effective programme.
These benefits will only be realised if the common pitfalls can be avoided. These pitfalls can directly threaten the success of the business continuity programme unless they are avoided. It is worth noting that many organisations have gone for certification and been caught out by the same few pitfalls. In the next blog I will explain some of these pitfalls and how to avoid them.