White Paper: ISO Business Continuity Management An Overview. ISO Business Continuity Management An Overview

Transcription

1 White Paper: ISO Business Continuity Management An Overview ISO Business Continuity Management An Overview

2

3 Introduction As incidents such as malicious activism, terrorist attacks and environmental disasters among others garner increased attention, so does the need for appropriate business continuity planning within organisations. Aside from overall business closure, further motivation is gained from considering consequences of business continuity disasters. These include decreased employee productivity, data loss, reductions in revenues and profits, and overall damage to corporate reputation and customer relationships. This paper provides an introduction to the Business Continuity Management (BCM) discipline and the critical process steps involved in developing a continuity initiative throughout your organisation. This includes defining what BCM is, discussing historical and emerging standards (particularly key changes in the new ISO standard versus predecessors) and the steps in planning and executing BCM initiatives. The impacts of emerging technologies on business continuity planning are also highlighted. The key guardians of BCM initiatives are also identified in this paper giving a high-level overview of typical requirements for CEOs and other board-level executives, IT and Risk professionals, as well as project managers, consultants, or other line managers potentially involved in endorsing and driving BCM initiatives. So what is Business Continuity Management? Officially known as Societal Security, Business Continuity Management Systems - Requirements, ISO is a standard for implementing a business continuity management system and continuously improving business continuity capabilities based on management priorities and feedback. ISO was officially approved for publication as an international standard on 2 April 2012, and ISO published the final version of the standard on 15 May BCM is often considered as part of overlapping disciplines such as security management, emergency management and risk management, but while overlapping concerns exist there also are significant differences. For example, risk management focuses on identifying probabilities and causes of adverse events, whereas business continuity focuses on the impact of a potential event, and what can be done should that event happen. Also, BCM has a more holistic and cross-functional focus, involving personnel within disciplines of IT, security, HR, and individual business lines, meaning that ownership of BCM should ultimately sit at the CEO level. In contrast, management of the other mentioned disciplines tend to exist at a department level, for example within Compliance or IT Department management roles. BCM Key Business Failure Outcomes By Numbers 40% of businesses experiencing a major failure or disaster event will go out of business within five years. Source: Gartner 30% of businesses experiencing a disaster event never reopen, while 29% go out of business within two years. Source: Meta Insurance 80% of businesses without pre-emptive Business Continuity Plans will go out of business within 13 months of a major incident. Source: Business Continuity Institute Why BCM? 1) Proactively improves an organisation s resilience against the disruption of its ability to achieve its key objectives. 2) Provides a rehearsed method of restoring an organisation s ability to apply its business critical products and services after a disruption. 3) Delivers a proven capability to manage a business disruption and protects the organisation s reputation and brand. ISO Business Continuity Management An Overview Page 1

4 Implementing an organisational BCM strategy has many advantages, supporting improvements such as: A predictable and effective response to future crises Protection of individuals Maintenance of vital activities of the organisation A better overall understanding of the organisation Cost reduction Respect of the interested parties Protection of company s reputation and brand Ensuring client confidence in the organisation Increased competitive advantage Better support for legal and regulatory compliance Better assurance that various contractual obligations are met Business Continuity Standards History and Context Development of the BCM global standard began in the mid-2000s, where the ISO Technical Committee No. 223 examined existing BCM standards and created a framework for a global BCM standard. The ISO adapted content from many existing standards such as ISO 9000 and ISO into the new BCM standard. An important standard, which heavily influenced ISO 22301, was the British Standards Association s BS standard which was first released in December 2006 and updated in November Prior to ISO 22301, this standard also influenced a number of BCM standards for other EU member states. (Source PECB ISO Business Continuity Management An Overview Page 2

5 There are a number of key differences between the present ISO and its predecessors. ISO places greater emphasis on setting objectives, developing metrics and measuring performance, therefore placing further emphasis on making top management levels accountable for Business Continuity processes. It also places emphasis on defining necessary resources for ensuring business continuity, and as it is an international standard, certification bodies are more likely to buy-in and push the standard, and should lead to greater popularity and certification among implementers. Other overlapping standards in the BCM arena include ISO 22399, ISO (ICT disaster recovery focus), ISO 27031, NIST and NFPA ISO versus its predecessors Key Changes Much greater emphasis on setting objectives and monitoring performance via metrics Clearer expectations and responsibilities placed on top management Increased focus placed on planning and preparing necessary resources As ISO22301 is a global standard, certification against standard will be pushed more strongly by certification bodies. There is also significant overlap between ISO s Information Security standard and ISO Firstly, ISO s section A.14.1 already covers information security aspects of business continuity management, so compliance with ISO will already ensure coverage of this. Also, both imply use of the same Plan, Do, Check, Act (PDCA) management framework, so certification in either standard will immediately place the other on the right track. Implementing BCM The first stage towards implementing Business Continuity processes in an organisation is to set up an appropriate management system. Like other management systems, a Business Continuity policy needs to be defined alongside identification of key people and their relevant responsibilities, and definition of appropriate management processes for planning, implementing, assessing, reviewing and improving Business Continuity efforts. Provision for relevant documentation to support auditing is also necessary, as well as identification of the business continuity management processes that are relevant to the organisation. As with other ISO standards, ISO standard adopts the Plan-Do-Check-Act (PCDA) approach that is applied to the structure of all processes in a management system. Stakeholder requirements and expectations are fed to the cycle as input, leading to the necessary BCM actions and processes as output. Key elements of the PDCA cycle in relation to BCM include: Plan: Establish and agree the scope, identify within scope the information assets, roles and responsibilities of staff members and conduct a Business Impact Analysis for the agreed scope. Do: Implement and operate the policy, controls, processes and procedures of the management system. Check: Assess and measure (where applicable) the process performances and report findings to management for review. Act: Undertake corrective and preventive actions on the basis of the overall process review, driving continual improvement of the Business Continuity System. ISO Business Continuity Management An Overview Page 3

6 BCP Implementation Methodology Setup BCMS and Agree/Update Scope Ensure BCP is signed off by senior management/board before proceeding. Act External Certification audit, Stage 1 & Stage 2 is required for ISO certification. Identify key roles and responsibilities Act Feedback Improvements and changes into BCP Indentify all information assets in scope ISO BCP Implementation Methodology Check Review and monitor the BCP. Conduct Internal audit, management reviews and measurements and metrics Conduct business impact analysis/ risk assessment exercise for the scope agreed 'Do' Implement BCP Testing Analyse and evaluate the risks to determine unacceptable risks. 'Do' Implement BCP training and awareness for ISMS Identify appropriate controls to mitigate these risks and obtain management approval. 'Do' Implement Physical controls* Define BCP framework, objectives, methodology 'Do' Develop of BC and DR strategy, policies, procedures and plan, and other administrative controls 'Do' Implement Technical controls * * Completed in parallel PDCA diagram Author Karn G. Bulsuk ISO Business Continuity Management An Overview Page 4

7 Planning for Business Continuity As part of the planning stage, initial steps need to be taken to understand the organisation and its context, obtain leadership and management buy-in, and established business continuity scope. Firstly, an organisation needs to itemise the various facets that might be affected by a disruptive incident, both internal and external. This could include facets such as activities, services, products, partnerships, supply chains, and existing and potential relationships with interested parties. This might include crucial information assets, goods and services produced, critical business processes, and identification of infrastructure elements such as hardware, software, networks or sites. It should also include a definition of the links between the BCM policy and other organisation objectives such as any existing risk management strategies, general business vision, as well as consideration of the organisation s appetite for risk. The next important step is to establish leadership buy-in. As already mentioned the raising of responsibility for BCM to the board level is necessary for the success of the plan. Steps towards achieving this buy-in include: Presenting a rational business case Establishing a project team Establishing a steering committee Assembling the necessary resource requirements By achieving buy-in, management commit to: Ensuring that adequate policies and objectives are established Making policy compatible with business objectives Integrating effectively with existing processes Making the necessary resources available Communicating the importance of BCM strongly across the organisation From here, business continuity scope needs to be established and determining what needs to be included in the plan. Key areas to be scoped include establishing the parts of the organisation to be included in the initiative, products and services within scope, and the external stakeholders to be included and prioritised, aligning with their importance, expectations and interest in relation to the organisation. As part of this scoping exercise it is also important to explain and justify any scope exclusions. At a minimum, the Business Continuity Management System (BCMS) should contain the following documentation: 1. Scope and objectives of the BCMS 2. Business Continuity Policy 3. Description of roles and responsibilities 4. Risk assessment and Business Impact Analysis (BIA) report 5. Business Continuity Plan 6. Communication, Training and Awareness Plan 7. Exercise and test procedure 8. Evaluation, management review and audit procedures 9. Preventative and corrective actions ISO Business Continuity Management An Overview Page 5

8 Business Impact Analysis and Risk Assessment Following the initial planning steps above, a Business Impact Analysis (BIA) should be carried out. In line with ISO Section 8.2.2, the organisation should establish, implement and maintain a formal documented evaluation process for determining continuity and recovery priorities, objectives and targets. More specifically, the aim of BIA is to identify the key activities that need to be performed in order to deliver business critical products and services, in order to meet the most important, time-critical objectives. By extension, the resources supporting those key activities also need to be identified, be they people, premises, technology, information, supplies and stakeholders. The criticality of some activities can fluctuate depending on timing, for example a company offering an online tax return service would have a most critical uptime for the period immediately prior to tax return dates compared to other time periods. Examples of resources examined and recorded in a BIA include: Process Stages - e.g. R&D, Sales, Design, Production, Accounting Information - e.g. patents, customer data, market research reports, financial statements, and source code Hardware - e.g. servers, laptops, external drives, networks, printers Software - CRM, word processing, Excel, accounting packages, production simulation tools Personnel - defined company roles relevant to the organisation s structure Identification of critical points of failure in critical business processes or other activities is another crucial part of a BIA - particularly single points that will prevent an entire system or subsystem from working if they fail. Outside services such as electricity, water, gas, transport and communications supply are the most common examples. A summary output of this stage would be a business impact matrix indicating impact thresholds (limited, important, serious, critical) in relation to different impact categories, such as financial risk, functionality impact, impact on public image, engagement of responsibility, and economic, human or social impacts. Another key step in the continuity planning stage is to identify, analyse and evaluate the risk of disruptive incidents occurring to the organisation. This process ties heavily with the standard for risk management (ISO 31000) and a wide range of techniques can apply depending on the specific context. Risk scenarios might include a building being made unavailable due to a disaster such as a fire, flood, bomb alert, worker strike or other incident. Once individual scenarios are defined, potential consequences of such events in relation to that scenario can be defined, and an overall risk level rating applied (i.e. impact x probability = risk level). Key Steps in Implementing BCM Once the planning and organisational understanding stage is completed, next steps can be taken towards implementing the continuity process, or executing the Do step in the PDCA process. The first step towards implementation is to determine the correct BCM strategy, based on prior assessment of maximum tolerable disruption periods, costs involved, and consequences of inaction. Depending on the scenario, strategies may be required for people, premises, technology, information, supplies and stakeholders - for example: People - how do we maintain core skills and knowledge? Premises - how do we reduce the impact of a normal worksite not being available? Technology - how do we maintain availability and uptime of key technology assets when disasters occur? Information - how do we protect and recover vital information? Supplies - how do we maintain key supplies and inventory to minimise supply chain impact upon an unexpected event? ISO Business Continuity Management An Overview Page 6

9 Cost-benefit analysis is a crucial component of developing this strategy, in particular weighing the cost of being without a given service at various points in time versus the cost of the continuity solution. Various ways of introducing backup redundancy support for business critical operations should be considered, and appropriate approaches identified. This can include having dedicated backup sites that become active when primary sites are compromised, or having two active sites that can failover onto each other if needed. Several hybrid variants of these two options are also possible depending on scenario and business needs. Developing a continuity strategy around the organisation s business-critical technology elements is a crucial part of any plan, and for most organisations, there will be both internal and external technology-based assets and services that need consideration. Strategies for handling continuity might involve spreading technology geographically so that a disaster event is less likely to affect entire infrastructures, holding older equipment as emergency replacement or spares, or adding particular risk mitigation for sensitive unique or long lead time equipment. By extension, chosen technology continuity strategies need to consider elements such as: The required recovery time for key systems and applications Location and distance between technology sites Remote access requirements and required telecoms connectivity Failover requirements - are system downtime and manual intervention required? Does the continuity switchover need to be instantaneous? Influence of Key Macro Technology Trends on Business Continuity IT business continuity strategies are also being influenced by key macro-trends such as virtualisation, cloud computing, mobile devices, and social networking among others. Much of these developments are positive and can facilitate continuity planning, but they can also introduce new IT challenges. Virtualisation A key benefit that virtualisation allows in relation to BCM is that it can greatly reduce the number of physical servers or other hardware that an organisation needs to manage and worry about. Virtual machines and applications can be replicated more easily, and switched more easily between physical resource pools such as processors, memory and storage. In addition, desktop virtualisation technologies such as Citrix and DVI, combined with secure tunnelling, can facilitate employees working remotely away from core premises in the case of a disaster event. Cloud Computing Developments in cloud computing can facilitate significant benefits around continuity planning. For example organisations are now able to combine external SaaS options with private cloud infrastructures, switching seamlessly between different internal and external cloud scenarios as needed for continuity. For example baseline operating scenarios might operate on a private cloud infrastructure, but a downtime event or a need to scale up requirements may automatically transition the infrastructure to an external cloud provided by service providers. While this creates new possibilities, it also creates new IT management challenges, and appropriate SLAs with external service providers should be arranged. It is important to note that gaining insight into the site recovery capabilities of external providers may be a challenge. ISO Business Continuity Management An Overview Page 7

10 Mobile Computing Business Continuity thought leaders increasingly see mobile devices as a key medium in supporting workforce recovery during a business recovery event. Mobile devices can alert employees to information such as the current status of recovery, locations to which employees should be in response to the event, applications and services to which they can access. Mobile sales personnel can also be supported in continuing remote work with minimal disruption. Aside from these communication aspects, mobile devices are increasingly subsuming much of the functionality traditionally associated with PCs, allowing them to support actual work tasks when PC-based sites are unavailable. Social Networks The role that social networking platforms such as Twitter, Facebook, LinkedIn, Skype and others can play around BCM is still emerging. Its potential as a mass communications channel for supporting incident management and disaster recovery is self-evident, particularly in relation to mobilising employees and other key stakeholders. However, it can also be harmful from a PR perspective if misleading, inappropriate or untimely information around a disaster event is made available to the public. Drafting Business Continuity Plans (BCPs) Clause of ISO establishes documented procedures for responding to a disruptive incident and how it will continue and recover activities within a predetermined timeframe. The primary goal is to address the business disruption or loss from the initial response to the point at which normal business operations are resumed. Crucial plan elements to be covered include defining incident response roles for people and teams, processes for activating necessary incident responses, identifying necessary notifications and communications (both to internal and external parties), and the key activities that need to be taken and allowable timeframes involved. Ultimately, the overarching BCP will contain various categories of sub-plan depending on the organisation s specific context, with overlapping plans covering areas such as incident response, emergency response, crisis management, recovery and restoration, communication and training and awareness. Training, Awareness and Testing As part of the planning stage, it is important to consider the skills requirements of those who will be required to manage and execute BC efforts, whether existing personnel can manage the efforts, and/or whether new personnel are needed. Once personnel requirements are identified, a plan needs to be put in place to make the relevant people aware of the business continuity initiative, and details of their role within that effort. If skill gaps exist, appropriate training measures should also be put in place. Once the continuity plans are in place and the necessary procedures identified, they should be practiced and tested to ensure consistency with the business continuity objectives. Different levels of testing can be employed depending on the scenario, ranging from less invasive methods such as distributing business plans for review, to practice simulations, to parallel tests that replicate a core process without interrupting it, to full invasive tests that fully replicate the disaster event and actually require day-to-day operations to be interrupted. The goal of such tests and exercises is to ensure that personnel are capable of executing the defined continuity plan, and to ensure that defined procedures are consistent with the necessary steps in question. ISO Business Continuity Management An Overview Page 8

11 Monitoring, Reviewing and Improving BCM Efforts The Check and Act elements of the PDCA wheel involve an iterative analysis of the continuity planning and execution stages. Taking the outputs of the business continuity planning, exercise and test stages as input, the overall performance and effectiveness of the initiative needs to be evaluated. An important part of this evaluation is to identify key metrics against which the process can be measured. Such metrics can be defined for both operational aspects of the continuity planning (e.g. rating the quality of the defined procedures and associated documentation), versus KPI-type metrics to support management understanding at the high-level (e.g. monitoring the average cost of a disruptive incident over time). The self-validation stage should also include provision for self-auditing and ensuring that what has been outlined and defined in the BCP is in fact delivered upon and executed. For added assurance, external auditing by a suitably qualified third party can also be considered. This auditing process forms the basis for management review, ensuring the continuing suitability, adequacy and effectiveness of the BCMS, and highlighting opportunities for improvement. Business Continuity Planning - What Espion Can Provide Espion can provide your organisation with end-to-end support towards developing improved Business Continuity Management processes within your organisation ranging from consultancy services, training, and auditing. More specific service offerings include: Scoping exercise to identify requirements BCM Workshops Gap Analysis between current status and full compliance Business Impact Analysis (BIA) Risk Assessment Roadmap to compliance Risk Assessment Plan Documentation Certified Training & Awareness BCP and DR Exercise Facilitation Internal Audit Certification Preparation Need To Know More Info For more information on this research, contact Seamus Galvin, Espion Research at +353 (1) , or seamus.galvin@espiongroup.com ISO Business Continuity Management An Overview Page 9

12

13 About Espion Espion are Corporate Information specialists. We work with organisations across all industries and business functions to provide advice and assistance relating to the holistic compliance, protection and management requirements of their most valuable asset information. This allows our clients to focus on their core business and ultimately achieve greater success. Espion Headquaters Corrig Court, Corrig Road, Sandyford Industrial Estate, Dublin 18, Ireland +353 (01)