
"Quality Matters in your Business"

Thursday, 24 January 2008

Business Continuity Planning BS25999-2:2007

I wonder how many companies were faced with the same problem that I faced following the Christmas and New Year shutdown: my office landlord decided that he would turn off the heating during this period in order to save money. The net result was that the office, and more importantly the computer equipment, became very cold. Upon turning the heating back on, condensation formed and this caused the equipment to short out.

The resulting bang not only did my constitution no good, it meant that the computer equipment had to be repaired. Fortunately our company has a business continuity plan which was put into action and none of our clients were put to any inconvenience.

At the end of 2007 the British Standards Institution (BSI) published a new standard, BS 25999-2 (Business Continuity Management: Specification), complementing the code of practice BS 25999-1 issued the year before. It can be implemented as a stand-alone management system or integrated with an ISO 27001 information security management system (ISMS).

BS 25999-2 sets out the requirements for a business continuity management (BCM) system: how an organisation identifies the incidents that could interrupt or degrade its operations, reduces their likelihood, and limits their impact when they do occur.

The main areas are:

  • Identify what potential risks could affect the company;

  • Know what equipment would be needed in the event of a loss of building/facility;

  • Keep copies of staff information off-site to be able to contact key personnel if required;

  • Plan who will do what and when;

  • Make contingency plans for staff if buildings are unavailable;

  • Keep copies of important information off-site;

  • Review and train everyone in the continuity plan and IT disaster recovery routine;

  • Test the plan regularly;

  • Learn lessons from any tests;

  • Ensure the plan is kept up to date.

Having a business continuity plan in place will not stop a disaster happening, but it does mean that the effects can be mitigated and that the company can be up and running again in the shortest possible time.

It is important to note that many companies that have suffered a major disaster without a business continuity plan in place have gone out of business.

Be prepared. It is not only for boy scouts.

Thursday, 17 January 2008

Business Continuity Planning

Business continuity planning is one subject that is often left to the last minute but is one of great importance.

If you wait until 'something' happens, it could be too late. I have seen people wading in calf deep water looking for the stopcock; others reading the instructions on a fire extinguisher in the middle of a fire.

In reality we should all know what to do in an emergency well before the emergency happens and be prepared for most eventualities.

We have read about the terrorist attack, the dirty bomb and other major catastrophes but it is often the 'soft' disasters which can cause irreparable damage to a company.

One such problem occurred recently: the company concerned uses a card-entry system to control access to its building. The server running the access-control software failed and, because there was no manual override, the doors could not be opened at all. Staff milled around outside, not really knowing what to do, until eventually someone broke a window to get in. Of course the intruder alarm went off and the police were on site before it could be silenced; embarrassment all round.

The company has since put a manual override in place so that a failure of the card system cannot lock everyone out again.

The winter season also means that illness will increase; how many companies have prepared for a flu epidemic? Sadly very few.

Companies that have implemented ISO 27001 (the information security management system standard) will have a business continuity plan in place, regularly tested and validated. Together with an IT disaster recovery plan, this will cope with most eventualities. The old saying 'hope for the best but prepare for the worst' is a good mantra to use.

Companies that suffered a major disaster, such as being in the vicinity of the Buncefield fuel depot fire, and had no business continuity plan have disappeared without trace; insurance cover alone did not make good all the losses. Those companies that did have a plan in place had difficulties but managed to survive.

It is a pity that, as of December 2007, only 363 companies in the UK were certificated to ISO 27001. It is a demanding standard to achieve, but the benefits are considerable.

Thursday, 10 January 2008

ISO 9001 Quality Management Standards

In the UK there are some 6.6 million companies trading, and tens of thousands of these are certificated to ISO 9001:2000. These companies have documented procedures and processes in place which are audited by independent certification bodies accredited by UKAS (the United Kingdom Accreditation Service).

Companies certificated to ISO9001 have to provide evidence of their compliance to the standard.

This testing is repeated on a regular basis to ensure continued compliance.

Essentially, ISO 9001 is a management system process for turning customer enquiries into customer satisfaction and for providing information to the management of the company. Customer satisfaction is an important measure and must be measured proactively. The absence of complaints is not a sure-fire way of monitoring customer satisfaction; dissatisfied customers will often simply go elsewhere, and the sad thing is that the company may never realise why they do not return. The only way to find out how your customers perceive the quality of service they receive is to ASK them.

The other measures in 9001 are monitoring and measuring of processes and products which ensure that the resulting product (or service) really does meet requirements.

Nowadays ISO 9001 is expected as an entry point for tenders; government contracts often specify it as a mandatory requirement, and a tender from a company without it does not get past the starting gate.

One other point about ISO 9001-certificated companies relates to survivability during tough times: they are more likely to weather difficult periods because they have documented and tested procedures in place to cope with problems.

Thursday, 3 January 2008

A Happy New Year (and a more secure one!)

We should all hope that 2008 is going to be a more secure year for our data. It seems that every day brings fresh news that our data has been compromised in one way or another. The chief culprits appear to be government departments, which are being forced to own up to past data breaches rather than waiting to be found out by the Information Commissioner.

In addition to lost disks, there are paper records discarded in public dustbins and lost laptops by the boat-load. Security which was trumpeted by ministers as being paramount seems to have been very low on their priority list in their own domains. It is also lamentable that there has been a deliberate policy of hiding the facts from those people most at risk.

We must be vigilant as these data breaches might not affect us until some date in the future. Criminals will wait until the furore has died down before using the data illegally.

Let us make sure that 2008 is a year of data security, here is a recap of precautions:

  • Always shred confidential documents or documents containing identifiable personal data;

  • Never give passwords or log-on details to email enquiries, telephone callers or visitors;

  • Be wary of emails directing you to a bank or other 'secure' site which then asks for personal information;

  • Be aware that information put into social sites such as Facebook may be visible to people other than the intended audience. Dates of birth, names and addresses, telephone numbers and details of family can be used to steal identities;

  • Never dispose of old computers until the hard drives have been removed or destroyed; remember that deleting files or re-formatting the disk does not actually erase the data, it only removes the references to it, and recovery tools read the raw disk;

  • Never leave confidential documents on desks overnight or when unattended (clear desk policy);

  • Laptops should be secured with a multistrand cable to an immovable object such as a radiator when unattended;

  • Laptops should be password protected;

  • Laptops should be encrypted (whole-disk encryption) if the data on them is sensitive;

  • Never share passwords, and use complex passwords to prevent others gaining access to desktops and laptops;

  • Never leave desktops and laptops logged in and unattended.

The list goes on and on but use common sense - assume that the worst may happen and take precautions to stop or at least reduce it.
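The point behind the disposal bullet above (deleting or re-formatting does not erase data) is easiest to see on a raw disk image. The script below is an added example, not code from the original post: it builds a tiny constructed FAT-style image (one directory sector of 32-byte entries, with a 0xE5 first byte marking a deleted entry, as FAT does), writes a constructed sample payroll record containing a National Insurance number, 'deletes' it, quick-formats the image, and finally overwrites the free sectors. After each step a simple carver (a regular expression run over the raw sectors, which is all a recovery tool needs) shows whether the record is still recoverable. The on-disk layout, the function names and the sample record are all assumptions made for this illustration, not a real filesystem.

```python
"""Data remanence on a constructed disk image (added example, not from the original post)."""
import re

SECTOR = 512
N_SECTORS = 16
DATA_START = 1       # sector 0 is the directory table; file data lives from sector 1 onwards
ENTRY = 32           # directory entry: 8-byte name, u32 start sector, u32 byte length, 16 bytes padding
DELETED = 0xE5       # FAT convention: a deleted entry keeps its data pointer, only its first byte is flagged


def make_image():
    """A blank image: all sectors zero (the constructed stand-in for a real disk)."""
    return bytearray(N_SECTORS * SECTOR)


def _norm(name):
    return name.ljust(8, b" ")[:8]


def _entries(img):
    """Yield (slot, name, start_sector, length) for every occupied directory slot, deleted ones included."""
    for slot in range(SECTOR // ENTRY):
        e = img[slot * ENTRY:(slot + 1) * ENTRY]
        if e[0] == 0:
            continue
        yield slot, bytes(e[:8]), int.from_bytes(e[8:12], "little"), int.from_bytes(e[12:16], "little")


def _live_sectors(img):
    """Sectors referenced by entries that are not flagged deleted; everything else counts as free."""
    used = set()
    for _, name, start, length in _entries(img):
        if name[0] != DELETED:
            used.update(range(start, start + -(-length // SECTOR)))
    return used


def write_file(img, name, data):
    """Store data in the first run of free sectors and point a directory entry at it."""
    n = -(-len(data) // SECTOR)                  # sectors needed, rounded up
    used = _live_sectors(img)
    for start in range(DATA_START, N_SECTORS - n + 1):
        if not any(s in used for s in range(start, start + n)):
            break
    else:
        raise OSError("disk full")
    for slot in range(SECTOR // ENTRY):
        if img[slot * ENTRY] in (0, DELETED):    # a deleted slot is reused, just like freed sectors
            break
    else:
        raise OSError("directory full")
    img[start * SECTOR:start * SECTOR + len(data)] = data
    img[slot * ENTRY:(slot + 1) * ENTRY] = (_norm(name) + start.to_bytes(4, "little")
                                           + len(data).to_bytes(4, "little") + bytes(16))
    return start


def read_file(img, name):
    """What the filesystem reports: only entries that are not flagged deleted."""
    for _, n, start, length in _entries(img):
        if n == _norm(name):
            return bytes(img[start * SECTOR:start * SECTOR + length])
    return None


def delete_file(img, name):
    """Ordinary delete: flag the directory entry; not one data byte is touched."""
    for slot, n, _, _ in _entries(img):
        if n == _norm(name):
            img[slot * ENTRY] = DELETED
            return True
    return False


def quick_format(img):
    """Quick format: wipe the directory table only; every data sector keeps its contents."""
    img[0:SECTOR] = bytes(SECTOR)


def carve(img, pattern):
    """What a recovery tool does: ignore the directory and scan the raw data sectors."""
    return [m.group(0) for m in re.finditer(pattern, bytes(img[DATA_START * SECTOR:]))]


def wipe_free_space(img):
    """What a secure-erase tool does: overwrite every sector no live file references."""
    live = _live_sectors(img)
    for s in range(DATA_START, N_SECTORS):
        if s not in live:
            img[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)


def demo():
    """Walk one constructed record through delete, quick format and wipe; return what carving finds."""
    img = make_image()
    ni = rb"NI number: [A-Z]{2}\d{6}[A-D]"      # a UK National Insurance number, the kind of data the bullet is about
    write_file(img, b"PAYROLL", b"NI number: QQ123456C, salary 42000\n")   # constructed sample record
    delete_file(img, b"PAYROLL")
    after_delete = (read_file(img, b"PAYROLL"), carve(img, ni))   # (None, [b'NI number: QQ123456C'])
    quick_format(img)
    after_format = carve(img, ni)                                 # still [b'NI number: QQ123456C']
    wipe_free_space(img)
    after_wipe = carve(img, ni)                                   # []
    return after_delete, after_format, after_wipe


if __name__ == "__main__":
    for label, result in zip(("after delete", "after quick format", "after wipe"), demo()):
        print(f"{label}: {result}")
```

Running demo() shows the filesystem reporting the file as gone while the carver still pulls the NI number out of the raw sectors, both after the delete and after the quick format; the record only disappears once the sectors are overwritten. That is why the bullet says to remove or destroy the drive, or wipe it with a tool that overwrites every sector, before a computer leaves the building.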

Let us all have a Happy and safe New Year

Quality Matters

© 2015 Quality Matters Ltd. All rights reserved.