Elsevier awarded global accreditation for business continuity program
International ISO 22301 standard affirms highest possible protection for global partners
By Marilynn Larkin Posted on 17 March 2016
Floods, fires, hurricanes, power outages. These are just a few of the challenges that can impact a business, disrupting operations or forcing closure. But with a global company like Elsevier, business must go on.
“Anyone who works with us — researchers, editors, scientific societies, universities, libraries, government agencies, industry R&D — can be assured that we will find a way to keep going so (they) can do the same,” said Zohar Zacks, Elsevier’s Director of Business Continuity.
Elsevier has always offered its business partners the strongest possible protection, ensuring continued operations during any incident, anywhere in the world, Zacks said. Over the past several years, the company also has worked to enhance the depth and scope of its business continuity program to meet evolving standards.
Those efforts were recognized recently when Elsevier received global ISO 22301 accreditation – one of very few organizations to achieve this – confirming its ability, at every site, to safeguard key assets and continue operating even in a crisis.
The ISO 22301 standard provides a framework to “plan, establish, implement, operate, monitor, review, maintain and continually improve” an organization’s business continuity management system.
“The requirements are especially rigorous for global organizations seeking to gain global accreditation, rather than accreditation for specific locations,” Zacks said. “Meeting those standards underscores our ability to take immediate action to handle any situation, anywhere, that threatens business operations.”
How business partners are protected
Zacks highlighted the key protections Elsevier provides to its business partners under the ISO 22301 framework (see Breakout Box below):
- Risk reduction. Elsevier identifies and addresses any business risks that could result in an incident and/or disaster.
- Incident management. Elsevier rapidly manages an incident to lessen its impact and prevent it from developing into a disaster.
- Business continuity. Each Elsevier business unit has a plan that enables the fast, efficient resumption of essential business operations.
- External vendor resiliency. Elsevier implements controls to reduce any risk that might result from deficiencies in third-party continuity planning.
- Pandemic response. Elsevier’s Pandemic Response Guide — developed to ensure business continuity during a global flu pandemic — will inform the company’s response, in conjunction with each site’s incident management plan and business continuity plan. Elsevier will respond similarly to protect against losses from epidemics such as Zika virus. The World Bank recently estimated the short-term (2016) economic impact of that epidemic at $3.5 billion in Latin America and the Caribbean region alone.
Key elements of the program
Zacks touched on the main elements of the program, which operate globally and locally to protect business assets and services:
- Governance structure that establishes the program’s authorities, roles and responsibilities.
- Impact analysis to identify and prioritize each business unit’s critical services and assets.
- Plans, measures and arrangements to ensure continued availability of critical processes.
- Technology services integration for the recovery of IT assets.
- Ongoing monitoring to maintain the business unit’s overall readiness.
The bottom line
Economic losses from disasters now average $250 billion to $300 billion annually, according to the United Nations’ Global Assessment Report on Disaster Risk Reduction. “It’s good to know that by implementing an internationally recognized business continuity program,” Zacks said, “we at Elsevier are helping to curb those economic losses, whether from major disasters or more common, local incidents that could otherwise disrupt business as usual.”
What it takes to meet the ISO 22301 standard
Elsevier worked with CQR, a security services consulting firm, to meet ISO 22301 requirements. Those requirements include demonstrating:
- Program leadership
- Management commitment
- Necessary competence, appropriate education, training and experience
- Control of documented information
- Process to identify and address risks and opportunities
- Established incident response structure
- BC objectives and plans to achieve them
- BC roles, responsibilities and authorities
- Implementation and testing of BC procedures
- Implementation of Business Impact Analysis and Risk Assessment procedures
- Evaluations of the BC capabilities of suppliers
- Strategy to build BC awareness
- Performance evaluation procedures
- Measures to ensure continual improvement
Elsevier Connect Contributor
Marilynn Larkin is an award-winning science writer and editor who develops content for medical, scientific and consumer audiences. She was a contributing editor to The Lancet and its affiliated medical journals for more than 10 years and a regular contributor to the New York Academy of Sciences' publications and Reuters Health's professional newsfeed. She also launched and served as editor of Caring for the Ages, an official publication of the American Medical Directors Association. Larkin's articles also have appeared in Consumer Reports, Vogue, Woman's Day and many other consumer publications, and she is the author of five consumer health books.