Q: What is the ISO and this particular ‘standard’?
A: It’s an international measurement tool of competence and excellence in a particular area – to demonstrate the use of best practice across a range of areas…we also have ISO 27001:2013 Information Security Management, ISO 9001:2015 Quality Management and British standard BS10012 Personal Information Management System. It’s great to have an external body review what you as a business are doing in a particular area.
This one is about business continuity and the ability of our business to manage, with very clear direction, how to continue to manage the business where events occur that are out of the normal day-to-day business. You just have to take the pandemic as an obvious example – six months ago we would have thought something like that wouldn’t affect us but now we’re all more cautious about who we do business with and how. We want to give customers the confidence that we are a resilient business.
Q: Why do you think it’s important to AdvanceTrack and why has it been undertaken now?
A: It’s important to us as a business because it hit home to our full team that they have a clearer direction of what to do, should certain scenarios present themselves. One of the scenarios we thought about was me dying… I hope to be around a long time - but something like that could be detrimental to the business. If I’m not here, someone has to have my thoughts on how things then move forward. What’s important is that the business continues to operate without me.
The pandemic, rather than applying for the standard, had got us thinking in more depth about what sort of things might happen and to be better prepared to deal with them.
With the pandemic we had a good bunch of people in our team who managed our migration to working from home successfully. If that is to happen again, it’s now enshrined with our formal disaster recovery and business planning processes.
The last few months showed us it is even more important that we demonstrate our ability to cope in incredibly challenging circumstances.
Q: Why is it something that should be of interest to AdvanceTrack’s existing and former clients?
A: Our existing customers will know about this direction of travel. After our first client comms around the pandemic, one of them said ‘we knew you’d have it under control’.
Existing clients see what we do every day, but for someone that doesn’t know us, gaining this certification gives them additional comfort. In very trying circumstances you will know that we have a robust business process to continue to be supported, and that it’s not something being made up as we go along. Gaining the standard means we faced a rigorous stress-testing of processes – of how we operate now and what we might face in the future.
Q: What has been the process of audit and achieving the standard?
A: It followed the way most of these standards work. There is initially an overview and analysis taken by the standard’s auditors that you have the basis for commencing the certification process. That’s effectively ‘day one’ - auditors come in and look at documentation to support attaining the standard.
Then you also have to have an internal audit process, where you look to identify improvements to address before the ‘actual’ audit. However, we also used an external body to undertake the internal audit – we didn’t want that stage too ‘friendly’… we went for rigour.
Then in the external process they’re seeking evidence that what we say we can do is actually something that is beyond the documentation. Such as demonstrating how we’d handle if our servers went down for example, or one of our buildings suddenly didn’t exist – however unlikely these scenarios may be. It’s then a case of showing how long you can operate without impacting service.
Q: How does it align with or complement other standards you’ve achieved?
A: We’ve always tried to demonstrate excellence – which is why we already have core standards. Allied to that it’s about showing consistency of delivery – that we’re ‘continuous’. What this has been about has been exactly that, even in trying circumstances.
Before we decided to go with this standard my phone ‘crashed’ and the backup didn’t work. I lost a lot of contact numbers. I told our CTO that this stressed me, and made me think about the business. As a result we ramped up the availability and resilience of our servers, shortly after this event, so we would lose very little data even if there was a huge problem.
Q: How does the standard set you apart from competitors?
A: There’s a reason why accounting practices work with us and stay for the long term. It’s our consistent approach, high standards from a delivery point of view but also security and infrastructure. Ultimately, I sincerely believe in the abilities of AdvanceTrack’s senior management – that they’re better than our competitors.
Q: What’s the future for AdvanceTrack in context of other certifications and standards? What are your next improvements?
A: We’re not ruling out other certifications – but these current ones are absolutely to the core of what we do. I’m sure as we evolve then other certifications will become important to us. It’s important to note that we don’t ‘chase’ certifications to puff up what we do. We strive for the best, as I’ve already outlined, in terms of service, security and resilience – these certifications are the upshot of what we do and try to achieve on a daily basis.
What ISO 22301 means for business continuity...
The ISO, in its own words, is an “independent, non-governmental international organisation with a membership of 165 national standards bodies”. It uses this vast network to build international standards that are “consensus-based” and “market-relevant”.
ISO 22301:2019, for which AdvanceTrack has completed certification, focuses on security and resilience: namely, the requirements for robust business continuity management systems.
The certification requires rigour in a number of key areas:
Organisational context – an understanding of how the organisation works, for whom, and what that means for the scope of its business continuity requirements
Leadership – How the business continuity policy has been formed, and its communication to interested parties; alongside set roles and responsibilities
Planning – The determination of risks and opportunities, alongside addressing them; and establishing and determining business continuity objectives
Support – Documentation and resources relating to the plan
Operations – Impact analysis; continuity strategies and solutions; implementation of solutions; recovery plans
Performance evaluation – Monitoring and assessment by internal audit and management of performance against business continuity metrics
Improvement – Corrective actions and continual improvement.
Source: ISO (iso.org)