ISO The Route Map to Business Continuity Management

Transcription

1 ISO The Route Map to Business Continuity Management John A. DiMaria; CSSBB, HISP, MHISP, AMBCI ISO Product Manager; BSI Group Americas Inc. Agenda A basic understanding of ISO 22301:2012 How identifying crucial risk factors already affecting your organization drives the overall plan Understanding your organization s needs and obligations Essential steps in program management such as awareness, training, and exercising A step-by-step discussion on making the transition to the new standard for business continuity management

2 ISO Newest international standard for business continuity management (BCM) Its official title is ISO Societal Security - Business continuity management system - Requirements All core business continuity elements in BS are present in ISO ISO 22301? Provides the requirements for a business continuity management system (BCMS) Based on global BCM best practice Created in response to strong interest in the original British Standard BS and other regional standards BS key source text in its development For those certified to or aligned with BS , the additional requirements are not onerous

3 How was ISO Formed 5 6

4 Context Source documents included BS NFPA 1600 ASIS OR standard Singapore standards ISO ISO Guide 73 ISOPAS22399 So ISO is not simply an international version of BS Societal Security and BCM? ISO now comes under a wider societal security responsibility. This acknowledges the important role that BCM has to play in protecting society and ensuring our ability to respond to incidents, emergencies and disasters.

5 Benefits of adopting a systems approach to managing BCM Allows organizations to benefit from global BCM best practice, regardless of whether they are planning to certify or not Provides a foundation and a common vocabulary for BCM best practice and guidance Consensus standards like ISO represent the input and recommendations of hundreds of BC professionals and industry experts Saves you having to reinvent the wheel Comparing ISO and BS Includes all core requirements The Plan Do Check Act cycle Business continuity policy Business impact analysis Risk assessment and risk treatments Exercising Business continuity plans and strategy Internal audit Management review Non conformity and corrective action Improvement actions

6 Key aspects First standard written in accordance with Annex SL Change in the way an organization is defined Clearer expectations on management Preventive action has been replaced with actions to address risks and opportunities and features earlier ISO puts a much greater emphasis on setting the objectives, monitoring performance and metrics aligning BC to top management strategic thinking 11 Key aspects requires more careful planning for and preparing the resources needed for ensuring business continuity Communication elements more demanding and there is a responsibility to the wider community defined BIA similar but with some changes to terminology There is a stronger link to the organizations approach to risk To reflect the societal security approach some new terminology has been introduced, see ISO (Societal security Terminology)

7 New high level structure ISO is the first management system standard to be developed using Annex SL Annex SL* is for standards writers and provides a Standardized text suitable for all ISO management system standards The intention is to Standardize terminology and requirements for fundamental Management System requirements irectives_and_iso_supplement.htm Objectives, monitoring performance and metrics Greater emphasis on setting of objectives, monitoring performance and metrics Most organizations will already produce metrics which can be tailored to BCMS performance

8 Top management commitment Top management given clearer BCM responsibilities The ISO outlines specific ways in which management must demonstrate its commitment to the system Planning The ISO contains extended requirements, clearly structured It requires that the BCMS be integrated with the organizations objectives, taking into account its risk appetite It requires the organization to address threats to the BCMS not being successfully established, implemented and maintained and threats to the business itself Also requires a procedure to manage legal and regulatory requirements

9 Requirements around supply chain ISO outlines more requirements relating to suppliers These make it a useful tool for validating supply chains and client and contractual requirements Structure of ISO 22301: Clause Description 4.0 Is a component of Plan. It introduces requirements necessary to establish the context of the BCMS as it applies to the organization, as well as needs, requirements, and scope. 5.0 Is a component of Plan. It summarises the requirements specific to top management s role in the BCMS, and how leadership articulates its expectations to the organization via a policy statement. 6.0 Is a component of Plan. It describes requirements as it relates to establishing strategic objectives and guiding principles for the BCMS as a whole. The content of Clause 6 differs from establishing risk treatment opportunities stemming from risk assessment, as well as business impact analysis (BIA) derived recovery objectives.

10 Structure of ISO 22301: Clause Description 7.0 Is a component of Plan. It supports BCMS operations as they relate to establishing competence and communication on a recurring/asneeded basis with interested parties, while documenting, controlling, maintaining and retaining required documentation. 8.0 Is a component of Do. It defines BC requirements, determines how to address them and develops the procedures to manage a disruptive incident. 9.0 Is a component of Check. It summarises requirements necessary to measure BCM performance, BCMS compliance with the International Standard and management s expectations, and seeks feedback from management regarding expectations Is a component of Act. It identifies and acts on BCMS nonconformance through corrective action. New concepts and activities Context of the organization Interested parties Leadership Maximum acceptable outage (MAO) Minimum business continuity objective (MBCO) Performance evaluation Prioritized timeframes Warning and communication

11 Concept of interested parties ISO replaces the term stakeholders with that of interested parties The ISO requires broader consideration of interested parties than BS Closer alignment with organizational objectives for corporate social responsibility Context - Interested Parties 22

12 How identifying crucial risk factors already affecting your organization drives the overall plan Understanding your organization s needs and obligations Essential steps in program management

13 Documentation Requirement for documenting: links between the business continuity policy and the organization s objectives and other policies, including its overall risk management strategy; and the organization s risk appetite. The requirement to have procedures which identify legal and regulatory requirements. There is also a requirement to keep this information up to date which must tie in with maintenance. 25 Planning Section 6.1 talks about risks and 6.2 about objectives Standardized text Having fully understood the context of the organization, planning activities are introduced to address the risks and opportunities of the business. This proactive approach, if carried out properly, will ensure a resilient BCM system as it will focus on planning for successfully achieving BCM objectives and realizing opportunities for improvement. Ownership and accountability of BC objectives will be allocated and a clear direction to accomplishing these objectives will be agreed.

14 Support 7.2 Competence The organization (generally acknowledged to be through its Top Management) has a responsibility to ensure that sufficient and appropriate resource is available for the BCMS. Appropriateness is often determined through competency analysis It is people who take action when an incident occurs Competence relates both to operating the BCMS AND to performing following an incident Note also 7.3 d) everyone has to be aware of their role during disruptive incidents Communication external communication with customers, partner entities, local community, and other interested parties, including the media, receiving, documenting, and responding to communication from interested parties, adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, ensuring availability of the means of communication during a disruptive incident operating and testing of communications capabilities intended for use during disruption of normal communications. 28

15 Risk Assessment The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyzes, and evaluates the risk of disruptive incidents to the organization. NOTE This process could be made in accordance with ISO The organization shall identify risks of disruption to the organization s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, analyze them, evaluate and treat them. 29 BIA a) identifying activities that support the provision of products and services; b) assessing the impacts over time of not performing these activities; c) setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and d) identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties. 30

16 Strategy ISO better defined Decide what you are going to do to reduce the likelihood and impact as well as how to respond Set RTOs Work out the resource requirements Act on the protection and mitigation needed Evaluate business continuity capability of suppliers 31 Incident Response Structure Impact thresholds is new Personnel to assess the incident Communication mentions authorities and media explicitly External communications a new requirement. Life safety explicitly mentioned. Warning and Informing 32

17 Warnings and Communication The organization shall establish, implement and maintain procedures for a) detecting an incident, b) regular monitoring of an incident, c) internal communication within the organization d) receiving, documenting and responding to any national or regional risk advisory system or equivalent, e) assuring availability of the means of communication during a disruptive incident, f) facilitating structured communication with emergency responders, g) recording of vital information about the incident, actions taken and decisions made, 33 Recovery The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident 34

18 Exercising and Testing Covers pretty much the same ground as BS It talks about exercises and tests. Expect to see a program point is that over time these should provide objective assurance that the arrangements made will work as anticipated and when required: so does the program really do this? 35 Performance evaluation As with all management system standards there is a need to look back at what has been achieved ISO also requires that this analysis is evaluated and conclusions drawn by the organization Greater emphasis on setting of objectives, monitoring performance and metrics Most organizations will already produce metrics which can be tailored to BCMS performance

19 Performance evaluation Internal audits and management review continue to be key methods of reviewing the performance of the BCMS and tools for its continual improvement Improvement Nonconformities of the BCMS have to be dealt with together with corrective actions to ensure they don t happen again As with all management system standards, continual improvement is a core requirement of the standard

20 To certify or not to certify Certification VS Compliance What is Compliance? Compliance is an informal industry term generally accepted to mean the system provides support for some or all of a given standard. Vendors of compliant systems are generally expected to offer documentation describing which parts of the standard are supported, and which are not.

21 What is certification? Certification on the other hand is a recognition of formal testing, to prove that a system provides 100% support for a given standard. Certification is awarded to an organization after an official accredited Certification Body (CB) has reviewed not only the results of formal testing, but formal conformance documentation as well as assessing their management system against the requirements of a standard and the organizations own internal requirements proving effectiveness. Shows that the organization abides by the principles set out in the standard. Offers global consistency in implementation. Continual improvement - achieved through regular assessments of the management system. Supply Chain Management. ~Accountability~ 41 Transition Plan to ISO 22301

22 Transition plan Certification certificates will remain valid during the two year transitional period Organizations will need to complete their transition to the new revision by 1 June 2014 Failure to do this will result in the expiry of their certificate How will the transition take place for existing BS organizations? They will be able to be assessed to the new standard during continuing assessment visits A date for their transition will be agreed with their auditor A new certificate will be issued once they have demonstrated compliance with ISO Clients can transition ahead of their next surveillance audit for an additional fee

23 How will the transition take place for existing PS-Prep customers? BS certified organizations will have to wait to see if ISO is accepted by DHS or transition to ISO under the UKAS scheme or Rule 40 under ANAB. DHS is reviewing and analyzing ISO If accepted, it will have to posted on the federal register for public comment. Exact time lines are not known at this time, but DHS has indicated that the ISO will be issued for comment VIA federal register in March. Contact Us Address: BSI Management Systems America Inc Sunset Hills Road Reston VA John DiMaria Main Office Telephone: Fax: Links: 46