Enabling communication during disruptive incidents according to ISO 22301

Disasters and disruptive business incidents push people and organizations to their limits, and one of the first impacted elements are communication systems.

Depending on incident type and magnitude, increased demand for communication, or communication infrastructure capability reduction, may render communication impossible, adding more confusion to an already chaotic situation.

ISO 22301, one of the world’s leading frameworks for business continuity management, defines some requirements to help ensure communications continue to flow during disruptive incidents. This article will present these requirements, and how an organization should consider them to enhance its communication systems capability to support business continuity.

Why do communication systems fail during disruptive incidents?

As mentioned before, you can consider two main reasons for communication systems failure:

Capability reduction: If the communication infrastructure is directly affected by the incident, its performance may be diminished to a point where it is impossible to use it (e.g., towers and communication links damaged by storms and installations of communication providers affected by fire or hacker attacks).

Increased demand: All communication systems are designed considering that only part of their users will demand them at any given time, but during a disruptive incident practically all users will demand the system. People trying to get or send news to their relatives, emergency services trying to coordinate their efforts to evacuate people and help the wounded, organizations trying to continue or recover their operations – depending on the system design, even a single one of these situations may be sufficient to crash the system.

ISO 22301 requirements for communication activities in a BCP

For communications to support Business Continuity Plans (BCPs), the standard, in its clause 8.4.3 Warning and communication, requires an organization to maintain procedures to:

  • monitor the possibility of an incident happening
  • detect an incident that has already happened
  • communicate with internal and other interested parties about risks, incidents, and potential and/or real impacts
  • ensure communication availability during an incident, especially for response and emergency teams

To ensure these procedures are fit for purpose and will be properly performed by the response teams, they should be periodically exercised and tested. For more information, see: How to perform business continuity exercising and testing according to ISO 22301.

Enabling communications to support BCPs and disruptive incidents response

Like in normal situations, managing information flow is the key to ensuring that the available infrastructure will be used where it is needed most, and for achieving this while considering a disruptive incident response, you should:

1) Make use of as much monitoring and detection points as possible: The larger the number of eyes, ears, and sensors you have, the faster you can identify and respond to conditions that can lead to a disruptive incident, or to a disruptive incident itself. You can accomplish this by:

  • Establishing communication procedures with external monitoring and detection services so they can provide information about potential and real incidents relevant to the organization’s business. For example, organizations in the Asia-Pacific region count on Tsunami Warning Centers, and Midwestern US States count on Tornado Warning Centers. On a more modest scale, communication with police authorities and local government may be sufficient.
  • Raising awareness and training people, in and around the organization, on how to identify and communicate incidents. For more information, see: How to perform training & awareness for ISO 27001 and ISO 22301.

2) Provide alternative routes and communication channels: An old proverb says that is not good to have all your eggs in one basket, and in a crisis situation, depending upon single communication elements that can become overloaded or unavailable can be fatal. To avoid this, you should:

  • Establish agreements with multiple communication providers, considering as evaluation criteria, at least, the use of different physical routes, infrastructure locations, and provision of spare parts. For more information, see: 6-step process for handling supplier security according to ISO 27001.
  • Have available communication devices that can be used in case of normal channels becoming unavailable, like walkie talkies, satellite phones, and amateur radios, and, of course, people capable to operate them.
  • Here again, raising awareness and training people may help, by instructing them not to make use of communication systems during disruptive events unless it is strictly necessary.

3) Document the adopted solutions in your BCPs: All the benefits from the suggested solutions will be useless if the response teams do not know they exist and how to use them. For more information about planning a BCP, see Business continuity plan: How to structure it according to ISO 22301.

4) Periodically exercise and test people, procedures, and equipment: As stated in the previous section, exercising and testing are the best ways to evaluate whether all adopted solutions will work together as an integrated solution.

In a crisis, communication is your best weapon. Don’t lose it.

People fear what they do not know and what represents danger to them, and as social beings they will try to keep in touch with other people to feel safe. This can prove to be a very bad thing if they all start to use the same communication channels that professionals like you need to use to solve a crisis situation, or even worse, if there is no communication at all.

By adopting the requirements stated in ISO 22301, organizations will ensure the consideration of which kinds of solutions they will need to have, as well as guidelines on how to use them, so their communication systems can work properly and help them prevent and promptly address an incident situation.

Check out this free webinar:  ISO 22301: An overview of the BCM implementation process to see how communication fits into overall business continuity planning.

Advisera Rhand Leal
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.