What’s the difference between a BCMS and a BCP?

Organisations and regulators don’t often agree on how businesses should be run, but lately both have championed the adoption of business continuity – a method that enables organisations to keep functioning during an incident, and address the prevention of and response to disruptions.

Business continuity has proved essential in the modern landscape, with the number of cyber attacks on the rise and the amount of information being stored by organisations growing rapidly.

But for all the agreement over the importance of business continuity, there is one area of disconnect. Some organisations have adopted a BCMS (business continuity management system) and others a BCP (business continuity plan). This might sound like it’s two names for the same thing, but there’s an important difference.

What’s a BCMS?

A BCMS helps organisations cope with incidents affecting their business-critical processes and activities, from the failure of a single server to the complete loss of a major facility. ISO 22301, the international standard that describes best practice for business continuity, states that there are four major components to a successful BCMS.

The first component is to seek management support. As with any major project, a BCMS must be backed by senior staff for it to be effective. This ensures that the organisation will be given the necessary resources and that the project will be supported throughout the organisation.

The second component is to conduct a business impact analysis. It’s used to identify an organisation’s critical activities and dependencies, which determine its priorities for recovery following a disruption. A large part of the analysis is ascertaining how soon after the incident each activity needs to be resumed.

The third component is to perform a risk assessment. This enables organisations to determine:

  • The specific scenarios that can affect each business activity;
  • How likely it is that those scenarios will occur; and
  • How severe the damage of each scenario could be.

By assigning a number to each level of probability and severity, organisations can create a ‘risk score’ for each threat. Anything over a certain score – determined by the organisation based on its defence resources – will need to be planned for, but anything below the threshold can be ignored on the grounds that it probably won’t happen and/or won’t cause significant damage.

The fourth component is to create a BCP.

Business continuity plan

The BCP is where the three previous components come tvogether. It details the scenarios that an organisation needs to prepare for and how it will respond to them. The goal is to stabilise the situation and allow the organisation to continue operating as efficiently as possible until the disruption is resoled.

It’s possible to have a BCP but not a fully-fledged BCMS. That’s because there are further steps to a BCMS after the plan is in place – namely: developing, testing and reviewing the BCP. Completing these steps obviously involves a bigger investment in time and resources, but it ensures that organisations have accounted for any new threats and are tackling existing ones as effectively as possible.

Is your organisation prepared for a breach?

Whether your organisation has a BCP or you’re thinking about creating one, the first thing to do is see how your current set-up compares to the requirements of ISO 22301. This enables you to see what you’re getting right and what needs to be improved.

Our ISO 22301 Gap Analysis provides expert guidance on how you can meet the Standard’s requirements. A specialist will visit your organisation, interview key managers, review your policies and procedures, and advise you on your necessary course of action. They’ll also:

  • Give you a proposed, ideal scope for your BCMS;
  • Tell you what internal resource requirements you need; and
  • Suggest a potential timeline to achieve an ISO 22301-compliant BCMS.

Contact us for a free, no obligation quote today >>