ISO 22301 explained: why does it matter in the testing industry?
Kathryn Walker, Senior Director of Information Security, Governance, Risk and Compliance

January 29, 2025
At the end of 2024, PSI achieved ISO 22301 certification for the Business Continuity Management System that supports delivery of our Skills for English and Secure English Language Test (SELT) program. This is a significant achievement and the outcome of many months of hard work for our compliance team. But why does ISO 22301 matter in the testing industry? And why is it relevant to the non-SELT testing programs we partner with?

The steps needed for ISO 22301 have an impact beyond our SELT program, because over time we aim to extend the concepts and practices involved to the benefit of all our clients. What’s more, while we have achieved ISO 22301, it isn’t a case of done and dusted. It is a long-term project of continuous improvement. In this blog you’ll read about why we do it, the steps and processes involved, and the outcomes that will positively impact our testing programs.

Building a foundation for ISO 22301

A lot of work goes into developing a robust business continuity program. It’s a significant foundational piece of work to implement the framework required for ISO certification. This starts with conducting a gap assessment and risk assessment of current practices:

  • What systems are currently in place?
  • Where are the areas we can improve existing practices?
  • What are the gaps and areas where we need to start from nothing?

These assessments involve a broad range of stakeholders, extensive documentation review, and multiple discussions. Transparency and openness are critical to understanding potential worst-case scenarios and any efficiencies that could be introduced.

We also conducted a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats). From this we developed a solid action plan of how to implement the necessary improvements. Some of these actions were outside the scope of the ISO 22301 certification, and many were beneficial to the whole organization as well as our SELT program.

Important ISO certifications in testing

Individual Management Systems don’t exist in isolation. We operate several Management Systems for which we have obtained certification. These include:

  • ISO 9001 for Quality Management Systems (QMS)
  • ISO 27001 for Information Security Management Systems (ISMS)
  • ISO 14001 for Environmental Management Systems (EMS)

There is a lot of overlap between the different systems and certifications. Often the same or similar practices apply, even if the scope is different. For example, our business continuity systems can have an impact on the environment. We drew on our aspects and impacts register for ISO 14001 to identify how business continuity may impact the climate for the ISO 22301 audit.

One link between environmental management and business continuity is our cloud hosting service. The cloud is backed up by a physical data center that uses energy – the more back-up storage we use, the more energy we use. ISO 22301 preparations were an opportunity to get a transparent environmental impact report from our suppliers. We were then able to update our register to show the impact of back-ups on our carbon footprint.

Equally, policies and procedures covering system back-ups need to consider the security aspects of storing those backups and how system availability may impact information security. So there are overlaps with our ISO 27001 Management System. And reputational risk also comes into business continuity, so there are links with ISO 9001 and the quality of services we deliver to our clients.

Key ISO outcomes

When we find risks we need to work on, we give each risk a score and prioritize it for action. For ISO 22301, one area we prioritized was supplier management. This involved building a more consistent understanding of key suppliers’ disaster recovery and business continuity systems, and ensuring that required recovery timescales are detailed in all Service Level Agreements (SLAs). This rigor and consistency make us better able to meet SLAs with our own clients, with a positive effect on the test taker experience.

To make this improvement, we needed a better understanding of the risk that a supplier outage poses to our clients and test takers. Such an outage might affect test delivery in our test center network or in remote online proctoring. We conducted reviews and due diligence with suppliers to collate the relevant information to feed into our business impact assessment. For example, what is the maximum system downtime from a particular supplier that we can tolerate? This helps us meet not only client SLAs and reputational criteria but also the regulations we must conform to.

Of course, the obvious success story for the compliance team and the whole business is achieving ISO 22301 certification. An external audit measured what we have implemented against the required framework and confirmed that we meet its requirements.

A practical outcome of this work is a series of playbooks. These playbooks outline the prescribed route through a variety of outage scenarios, including which personnel should receive risk alerts and who should be contacted at each stage of an outage.

Continuous improvement cycle

Business continuity management is an ongoing cycle of planning, doing, checking and acting. We are constantly reviewing our recovery Management Systems, setting new goals for continuous improvement, implementing changes, and then checking the results. And we’re always looking to improve the credibility and quality of our processes and services through additional certifications – whether that’s through an ISO certification or SOC (Service Organization Controls) compliance.

Find out more about our commitment to compliance and the different standards we comply with: Compliance – PSI Exams
