Building Resilience in the Face of Disruption: LinkedIn's Journey to ISO 22301 Certification
October 6, 2023
In March 2020, the world turned upside down—the World Health Organization declared a global pandemic, and life as we knew it was altered completely. Offices closed, we stopped traveling, and we had to change the way we interacted with others.
In the face of this disaster, businesses were challenged to adapt to continue operating while keeping their employees safe and healthy. When companies began reaching out to LinkedIn for information on how we were handling the crisis, we believed that our customers should have complete confidence in the reliability of our products and services. Customers wanted to know about our response to the pandemic, our ability to conduct routine exercises, and whether we had a dedicated business continuity program. As defined by the International Standard Organization (ISO), business continuity is the capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption. We wanted to demonstrate our commitment to continuity and resilience to our customers and that's one of the reasons why we pursued ISO 22301 business continuity certification.
The pandemic caused a meaningful disruption, which underscored the criticality of business continuity as well as the need to create a dedicated program to bring together all the work that had been done while expanding the integrity of products and services within a business continuity focus. With no formal business continuity program, the need to sustain LinkedIn throughout any future disasters, while maintaining the trust and reliability posture, was necessary and just made sense. As a result, we began to build our team.
Like most businesses, LinkedIn responded to the pandemic by utilizing existing systems and resources while addressing business continuity gaps. According to Sonora Al-Najjar, Senior Security Manager, Global Security & Safety, “As LinkedIn and the world navigated the unprecedented times of the pandemic, we were challenged with the requirement of providing our core essential services, workspaces, and services to our global employees who had abruptly pivoted to a fully remote model.” Creating any new program inherently involves addressing uncertainties. Regardless of this monumental challenge, LinkedIn stayed committed to ensuring uninterrupted service for our global customers by taking the necessary steps in establishing LinkedIn's first formalized Business Continuity & Resilience Program.
In this post, we will share how we formalized the LinkedIn Business Continuity & Resilience Program, how this new program helped increase our customers' confidence in our operations, and the lessons that we learned as we attained ISO 22301 certification.
Building the Program
LinkedIn established its Business Continuity and Resilience Program in January 2021 to ensure the continued delivery of products and services following disruptive incidents. Though the program was new, it was built on measures that we currently had in place. To ensure success, we needed to take time to understand the organization as well as learn more about the key processes crucial for sustained growth and maturity. Observing how LinkedIn navigated the pandemic provided much needed insight into how our current practices needed to evolve.
We needed to find a way to introduce business continuity concepts to all employees and get their buy-in. This was done through cultivating relationships, active listening, and connecting the dots. To empower our teams, it was also important to understand their experiences during the pandemic and identify areas for improvement, which was achieved by appointing a person-in-charge for each team.
We also created the role of Team Business Continuity Lead, who leads and participates in all business continuity activities to ensure their team responds adequately to any incident. They also perform specific duties outlined in their team's Business Continuity Plans.
Setting clear expectations for Team Business Continuity Leads and key-stakeholders is imperative. This is accomplished by the Business Continuity and Resilience Strategic Roadmap that delineates all the annual activities to mature and sustain the program as well as to facilitate the attainment of ISO 22301. This roadmap outlined key milestones for program maintenance and a straightforward progression to build a scalable and efficient program.
This strategic roadmap is cycled through each year to mature the Business Continuity Program and account for LinkedIn's internal changes regarding teams, processes, and expansion of products and services. This was critical in demonstrating our continued commitment to program maturity and our readiness for ISO 22301 certification. Throughout the certification process, we demonstrated our ISO 22301 readiness by providing documented evidence and showcasing key stakeholder knowledge and competence of our program.
With the overwhelming progress of establishing the program and completed activities, and the dedication of all of our Team Business Continuity Leads, we were confident and made the decision to pursue our ISO 22301 certification within a year and a half of the program's inception. This was ambitious considering the size and scope of LinkedIn and the complexity of meeting all the ISO 22301 standards.
A thorough readiness assessment was conducted to prepare us for the ISO 22301 external audit. This exercise not only ensured that we were on the right track, but instilled confidence in obtaining our certification. As we moved forward through our formal audit, spanning weeks and months, involving all of our Team Business Continuity Leads and partners at our offices in Singapore (Singapore), Bangalore (India), Sunnyvale (California), and New York (New York) LinkedIn successfully obtained its first ISO 22301 certification.
Our ISO 22301 certification helps us assure our customers that we are prepared to support them in the event of any major disruption.
Tim Cresci, Customer Information Security Manager highlights, “The ISO 22301 certification reduces customer inquiries as it validates the effectiveness of our strategies in minimizing service disruptions. Our focus remains on delivering exceptional services, building strong partnerships, and upholding the highest level of operational resilience.”
The process of securing ISO 22301 certification was filled with lessons learned:
It's never too late or too early to get certified. Whatever field you may be in, research best in class certifications and go after them. They can bring tremendous growth, improvement and credibility to your team.
Be an advocate for key stakeholders. For many of our key stakeholders, it was their first time going through a certification or audit. Helping them understand and anticipate what to expect was key to their certification engagement. By conducting meetings to prepare stakeholders prior to audits, we were able to address any questions or concerns they had. This allowed dialogue in a safe environment and contributed to increased stakeholder confidence. We also wanted to take every opportunity we could, to share our gratitude with key stakeholders throughout and after the audit.
There is always an opportunity to increase awareness of what you do with cross functional partners. Agnostic to your role or industry, letting others know what your team does, how it can provide value to them, etc. is something we can improve each year.
Work smart, not hard. Spend more time up front planning the audit to make the best use of stakeholder time as possible. For example, with teams dispersed globally, it was even more important to be mindful of varied time zones and site specific-nuances. Some aspects of the audit were relevant at some locations but not others. Fully understanding the scope of the audit, and matching stakeholder availability and expertise to these objectives, was key to a successful audit.
Document lessons learned. Just as we preach in our program training, every incident or big project is full of lessons learned. These are gold nuggets of information that can be used for continuous improvement. With the initial certification under our belt, we feel even more prepared for future audits and recertifications. Keeping a repository of lessons learned and auditor questions asked, will help us improve our approach each year.
Policy & Compliance Manager Tricia Hoff said, “Attaining the ISO 22301 certification has undoubtedly marked a transformative milestone for our Finance team. It presented us with a valuable opportunity to pause, reflect, and evaluate our capabilities to restore operations effectively. During the rigorous program development and tabletop exercise, we gained profound insights into our pain points, identified potential areas for operational improvements, and deepened our understanding of interdepartmental dependencies.”
To access the certification, please visit LinkedIn’s ISO 22301 Certification.
Obtaining LinkedIn’s first ISO 22301 certification would not have been possible without the support of senior management, all LinkedIn employees, and especially every Team Business Continuity Lead across the entire global company. Our Team Business Continuity Leads supported the Business Continuity & Resilience Program through their continued engagement and dedication to ensure we operate collectively under a shared set of values that are driven by our vision to create economic opportunity for every member of the global workforce regardless of any future disasters.