COVID-19 Considerations for your BCMS and ISMS
- COVID-19 Considerations for your 22301 BCMS
- COVID-19 The New Norm and its implications on your 27001 ISMS
COVID-19 Considerations for your 22301 BCMS
COVID-19 has shown us the importance of organisational resilience. It has also shown us that too many organisations focus only on operational resilience, while ignoring supply-chain resilience and information resilience.
We advise our clients to think at an organisational level in all their BC Planning and the adjustments that they make in relation to the new normal working practices.
Assured GRC consultants are on hand to assist in making those adjustments so you don’t have to worry, allowing you to get on with the important day-to-day tasks of running your business. For immediate response email us at firstname.lastname@example.org now!
If you plan to make these adjustments yourself, we hope you find the information below useful, and if you have any questions or suggestions we would love to hear from you. Information will be continuously updated for the benefit of everyone at this difficult time.
Home Working the New Norm
Homeworking is not the universal panacea to current issues and there is strict guidance as well as legislation relating to it.
The Health & Safety Executive has updated their information in response to COVID-19 and home working and we urge businesses to review and make use of this information and the self-assessments provided on their website at https://www.hse.gov.uk/toolbox/workers/home.html
Businesses should also note that they have the same legal responsibilities for employees ‘home working’ as they do in the office. This begs the question: have risk assessments been carried out, or checks made for the appropriateness of furniture? The findings below suggest not in many cases.
THE TICKING “LITIGATION” TIME BOMB
According to the “Homeworker Wellbeing Survey”, carried out by the Institute of Employment Studies, 7th April 2020, after just 2 weeks of homeworking the following physical health problems were reported:
- 58% aches/pains in neck
- 56% aches/pains in shoulder
- 55% aches/pains in back
- 55% headaches/migraines
- 37% leg cramps
- 33% chest pains
- 60% fatigue
- 60% not active & vigorous
Based on the evidence that inadequate home-working conditions cause employees harm, it is clear that the potential for significant liabilities, deteriorating employee morale and bad publicity is building.
We recommend performing DSE (display screen equipment) and other self-assessments provided by HSE to head off, or mitigate, some of the issues above, as we foresee a number of cases being brought against employers in the coming months.
BCP for homeworking should also include the requirements defined in ISO 22313 S 126.96.36.199 – ‘Challenges posed by home working’.
Working from Home and Wellbeing
- Constant updates and news about COVID-19 can trigger anxiety. Try restricting yourself to watching the news only once a day, to avoid worrying throughout the day while still keeping abreast of developments.
- Maintain your usual routine as you would if going to the office, get up at the usual time, shower, get dressed and take regular breaks throughout the day.
- If you are in a household with others who are not working, set limits and boundaries so that you are not being disturbed during working hours.
- Ensure regular contact with colleagues through VC and phone, continue being social and check up on each other.
- Take regular breaks as you might in the office and get away from the screen, whether it is a 20-minute walk, preparing dinner or talking to family.
- Be sure to keep up a balanced lifestyle, keep active and try to eat healthily.
- If possible, set up your workspace somewhere away from your downtime areas to give you a distinction between the two. Plan your working day and the tasks you aim to complete. Use lists to help you stay focused and prioritise.
Advice to Management
- Be transparent and upfront with employees. People don’t like surprises thrust upon them; it’s better to be open and give them time to prepare for any changes coming their way.
- Remain positive and give staff something to look forward to in the future, no matter how small; being able to focus on the light at the end of the tunnel helps to maintain positivity.
- Communicate often and with clarity, do not withhold information and be concise in what you communicate.
- Demonstrate confidence, this will ensure your employees are confident in you and your abilities and hopefully lift the team’s morale.
Returning to BAU Post Pandemic and Ongoing Support
- Accept that not all staff will be comfortable returning to the office immediately, in particular those with vulnerable family. Be flexible in your approach and allow staff time to adapt.
- Reinforce processes and procedures once staff are back to the office, this will provide a level of discipline and efficiency.
- Ensure wipes and hand sanitizer are readily available for use in every office space.
- Consider having the office deep cleaned and make staff aware so that they have confidence in returning to work, especially those in the vulnerable category.
- Make allowances for those with children if schools remain closed as they may have to continue working from home for longer.
- Update or develop the pandemic plan with any lessons learned. If you are not already performing a debrief, we recommend you start now. See how our structured debrief workshop can help during as well as after COVID-19.
- Offer support to anyone who may have been directly affected by the virus (relative contracted virus, partner or family member job loss etc.)
- Monitor staff morale closely, staff safety and wellbeing should be paramount.
Actions and Suggestions for Consideration if not Already Being Performed
- Sometimes there is too much information to take in, and knowing where to start is a challenge in itself. If this is you, perform a dynamic risk assessment considering the following:
  - What is the best case?
  - What is the most likely case?
  - What is the reasonable worst case?

  Once you have written down each of these cases, you should have a better idea of what could happen and whether there are any actions you can take now to prevent the worst case from happening.
- Think about how a prolonged lockdown is going to affect your organisation. As suggested in Step 3 of our 7-Step framework, planning for pandemic. Consider how your customers may react, how their
  - Will there be a huge pent-up demand for customers to go out and spend money once they are able to do so?
  - How badly will the economy be affected?
  - Will potential customers want to spend money and make investments or work on their debts accumulated as a result of the pandemic?
- The impact may differ depending on the length of lockdown; consider carrying out the dynamic risk assessment in step 1 to look at the impact across different periods of lockdown.
- Lockdown will eventually affect your supply chain, which may not initially be obvious. Put processes in place to monitor supply closely. You should look not only at current supply levels but also at the viability of suppliers to remain in business. Early warning could save your business.
- The longer I work from home the worse my habits become and the more fatigued I feel. Maintaining control of staff productivity will become more challenging and management needs to appear supportive rather than watchful. BIAs can be used to identify time-critical activities so that checks can be made to ensure they are delivered to predetermined levels.
- Keeping in touch with staff and ensuring morale is kept high is a key role of management. Worries about job security and finances can be compounded by having their children at home or spending an unusual amount of time working in their home alongside their partner or spouse. Equally, those on their own may feel isolated without social interaction. Daily team calls where open discussion can take place should be encouraged. Early intervention, good communications and leadership are all important factors in looking after your staff and making sure that your organisation is ready to resume when this is over.
- Discuss how you will sustain morale during extended periods of working from home and encourage employee interaction.
- Assess the impact on parents’ ability to deliver their work while schools are closed if they have to provide teaching and supervision to their children. Will HR policies be updated for the period of the pandemic?
- Review your RTOs and MTPDs in light of current operations. Can some operations be suspended to concentrate on the ones with the shortest RTOs? Look at your MBCOs and check that you are not close to reaching them.
- If the current situation is going to last for several months, review the impact on your business model. If required look at the government help to businesses and apply early if help is required.
- Make sure your Pandemic Team is meeting every morning, reviewing any changes to the situation and deciding whether any new actions or communications need to be made.
- Establish and communicate reporting lines from all parts of the business to the pandemic team.
- As government advice changes, you should communicate any new actions to be carried out to staff and stakeholders.
COVID-19 The New Norm and its implications on your 27001 ISMS
Organisations that have implemented ISO / IEC 27001, or for that matter any ISMS, will understand that it is tailored to their organisation and operating model. You can’t just lift it and apply it to another organisation without adjustment, in the same way you wouldn’t expect to wear a teammate’s football boots and have a good game.
If COVID-19 has changed your operating model, so too do you need to make changes to your ISMS to accommodate those changes and remain secure and compliant. Assured GRC consultants are on hand to assist in making those adjustments so you don’t have to worry, allowing you to get on with the important day-to-day tasks of running your business. For immediate response email us at email@example.com now!
Remaining compliant under the new operating model is one of the biggest concerns for senior management. ISO / IEC 27001:2013 requires that ‘All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization’.
We recommend a review of existing legislation, regulation, and contractual requirements in respect to all new working practices. For example:
- Contractual requirements stipulating where the processing of data can take place may not work for homeworkers, especially if your staff might be returning to their home countries during lockdown.
- Can you enforce Health and Safety regulations at home or under the new social distancing guidelines?
- Health and safety at Work Act 74, the supporting 6 pack and subsequent revisions and regulations will be included and must remain in compliance under new working conditions.
- DSE Regulations 1992 for working with display screen equipment.
- Lone working regulations without supervision.
Operational security issues relating to the increased level of working from home, while protecting information processing, communications, storage and cleansing, should be addressed. ISO / IEC 27002 (Guidance to implement ISO / IEC 27001) includes the following:
Organizations allowing teleworking activities should issue a policy that defines the conditions and restrictions for using teleworking. Where deemed applicable and allowed by law, the following matters should be considered:
- the existing physical security of the teleworking site, taking into account the physical security of the building and the local environment;
- the proposed physical teleworking environment;
- the communications security requirements, taking into account the need for remote access to the organization’s internal systems, the sensitivity of the information that will be accessed and passed over the communication link and the sensitivity of the internal system;
- the provision of virtual desktop access that prevents processing and storage of information on privately owned equipment;
- the threat of unauthorized access to information or resources from other persons using the accommodation, e.g. family and friends;
- the use of home networks and requirements or restrictions on the configuration of wireless network services;
- policies and procedures to prevent disputes concerning rights to intellectual property developed on privately owned equipment;
- access to privately owned equipment (to verify the security of the machine or during an investigation), which may be prevented by legislation;
- software licensing agreements that are such that organizations may become liable for licensing for client software on workstations owned privately by employees or external party users;
- malware protection and firewall requirements.
The guidelines and arrangements to be considered should include:
- the provision of suitable equipment and storage furniture for the teleworking activities, where the use of privately owned equipment that is not under the control of the organization is not allowed;
- a definition of the work permitted, the hours of work, the classification of information that may be held and the internal systems and services that the teleworker is authorized to access;
- the provision of suitable communication equipment, including methods for securing remote access;
- physical security;
- rules and guidance on family and visitor access to equipment and information;
- the provision of hardware and software support and maintenance;
- the provision of insurance;
- the procedures for backup and business continuity;
- audit and security monitoring;
- revocation of authority and access rights, and the return of equipment when the teleworking activities are terminated.