Tuesday 26 July 2011

Starting the blog



This is my Business Continuity Blog, started in August 2011 in the Spanish version and in August 2012 for the English version. I've translated all my previous posts to English and, from now on, I'll publish all posts in Spanish and in English at the same time. I really think that the BC sector needs this kind of initiative, at least in Spain.

In this post I'd like to justify the name of the blog; people who have worked with me have heard these thoughts before. I've been saying it for a long time: ladies, gentlemen, Business Continuity is not Information Security.
Information Security has such a big lobby in Spain that it doesn't allow other adjacent sectors, like business continuity, because:
  • BC appears in ISO 27002 as a chapter of the ISMS.
  • The BC manager and the IS manager used to be the same person.
  • Usually, the person responsible for IS has a kind of obsession with getting more and more responsibilities. It's a strange phenomenon, but it is quite frequent.
  • Consultancy companies usually include BC in their IS portfolio, just because the decision maker is the same and the consultants' skills tend to be the same.
  • Both management systems (BS25999 and 27000) have a lot of issues in common: policy, risk analysis, continual improvement, ...
All these things have made the inclusion of BC as part of IS too common.

However, everybody who has been in touch with BC at any time knows that the concept of continuity referred to by information security is a reduced concept of Business Continuity.
Business Continuity is more complete and multidisciplinary than Information Security, because it has to understand the whole business, not only the information managed by the business. Depending on the type of business, IS and BC could be more or less aligned, but in general terms there are a lot of differences. For example, does IS have anything to do with shifts? I don't think so, does it? Shifts are a key piece in BC for companies with a high dependency on people: call centers, supermarket cashiers, physical security companies, etc.

A good Business Continuity System must be integrated with emergency systems, building evacuation, self-protection manuals, firefighting, media relations, human resources... and these things usually do not have much to do with Information Security.
