By. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd



Similar documents
Business Continuity Management and BS by Steve Chan, Head of Training - HK, BSI Management Systems

Proposal for Business Continuity Plan and Management Review 6 August 2008

Il nuovo standard ISO sulla Business Continuity Scenari ed opportunità

Business Continuity Management

Business Continuity Management Policy

Business Continuity Management

Business Continuity Management Framework

BCP and DR. P K Patel AGM, MoF

1.0 Policy Statement / Intentions (FOIA - Open)

Business Continuity Policy

Business Continuity - IT Disaster Recovery Discussion Paper - - Commercial in Confidence Version V2.0R Wednesday, 5 September 2012

Global Statement of Business Continuity

Company Management System. Business Continuity in SIA

HOW CAN YOU ENSURE BUSINESS CONTINUITY? ISO AUDITS, CERTIFICATION AND TRAINING

Business Continuity Policy and Business Continuity Management System

BUSINESS CONTINUITY MANAGEMENT FRAMEWORK

Business Continuity Policy

Business Continuity Policy

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

Business Continuity Management Governance. Frank Higgins Abu Dhabi March 2015

The PNC Financial Services Group, Inc. Business Continuity Program

Principles for BCM requirements for the Dutch financial sector and its providers.

Business Continuity Management Policy

Business Continuity Policy

WEST YORKSHIRE FIRE & RESCUE SERVICE. Business Continuity Management Strategy

External Supplier Control Requirements BCM

Business Continuity Management

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

Essex Clinical Commissioning Groups. Business Continuity Management System. Scope and Policy

BSO Board Director of Human Resources & Corporate Services Business Continuity Policy. 28 February 2012

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy

Moving from BS to ISO The new international standard for business continuity management systems. Transition Guide

DEPARTMENT FOR TRANSPORT BUSINESS CONTINUITY MANAGEMENT POLICY

NHS Central Manchester Clinical Commissioning Group (CCG) Business Continuity Management (BCM) Policy. Version 1.0

BUSINESS CONTINUITY MANAGEMENT POLICY

Business Continuity Planning

Institute for Business Continuity Training 1623 Military Road, # 377 Niagara Falls, NY

BS BUSINESS CONTINUITY MANAGEMENT

Business Continuity Management Policy and Framework

Sustainability through Business Continuity Management

ISO 22301: Societal Security Terminology ISO 22313: BCMS Guidance ISO 22398: Exercises and Testing - Guidance

Coping with a major business disruption. Some practical advice

Temple university. Auditing a business continuity management BCM. November, 2015

Business Continuity Management (BCM) Policy

Business continuity management policy

Emergency Response and Business Continuity Management Policy

EPRR: Toolkit Facilitator Guide

BUSINESS CONTINUITY POLICY RM03

Introduction to Business Continuity Planning

How To Manage A Disruption Event

Solihull Clinical Commissioning Group

I attach the following documents in response:

Business Resiliency Business Continuity Management - January 14, 2014

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

The PNC Financial Services Group, Inc. Business Continuity Program

Business Continuity Management Planning Methodology

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

DRAFT BUSINESS CONTINUITY MANAGEMENT POLICY

NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)

CHAPTER 1: BUSINESS CONTINUITY MANAGEMENT STRATEGY AND POLICY

BUSINESS CONTINUITY STRATEGY

BUSINESS CONTINUITY POLICY

Information Services IT Security Policies B. Business continuity management and planning

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management

Overview TECHIS Manage information security business resilience activities

CITY UNIVERSITY OF HONG KONG Business Continuity Management Standard

BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS

Business Continuity and Risk Management. Ken Kaberia Principal BCM Officer, Enterprise Risk Safaricom Limited

Business Continuity. Is your Business Prepared for the worse? What is Business Continuity? Why use a Business Continuity Plan?

Business Continuity: NHS Workshop Appendix 1.1

Update from the Business Continuity Working Group

NHS Durham Dales, Easington and Sedgefield Clinical Commissioning Group. Business Continuity Plan

Business Continuity Planning

RETAIL AUDIT FORUM - AUDITING BUSINESS CONTINUITY

Business Continuity (Policy & Procedure)

Finding the areas for improvement in plans, processes and procedures to protect shareholder value Performance driven. Quality assured.

BUSINESS CONTINUITY MANAGEMENT POLICY

Business Continuity and Disaster Recovery Planning

University of Michigan Disaster Recovery / Business Continuity Administrative Information Systems 4/6/2004 1

Appendix 2 - Leicester City Council s Business Continuity Management Policy Statement and Strategy Business Continuity Policy Statement 2015

ESCB definitions of major business continuity terms in relation to payment and securities settlement systems 1

Business Continuity Planning and Disaster Recovery Planning

abcdefghijklmnopqrstu

Business Continuity Management - Code of Practice

Business Continuity Management. Policy Statement and Strategy

Business Continuity Management

BUSINESS CONTINUITY MANAGEMENT SYSTEM STEP BY STEP GUIDE TO DEVELOPING A BUSINESS CONTINUITY MANAGEMENT SYSTEM REPUBLIC OF IRELAND

Business Continuity Planning. A guide to loss prevention

#316 The Security Elements of Business Continuity & Disaster Recovery Plans

NHS 24 - Business Continuity Strategy

VICTOR KHANYE LOCAL MUNICIPALITY PLAASLIKE MUNISIPALITEIT. ICT Business Continuity Plan. DRAFT v0.1 Page 1 of 9

NHS Hardwick Clinical Commissioning Group. Business Continuity Policy

Transcription:

BS 25999 Business Continuity Management By. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd 1

Contents slide BSI British Standards 2006 BS 25999(Business Continuity) 2002 BS 15000 -> ISO/IEC 20000 2000 BS 8600 -> ISO 10002 1979 BS 5750 -> ISO 9001 1996 BS 8800 -> OHSAS 18001 1995 BS 7799 -> ISO/IEC 27001 1992 BS 7750 -> ISO 14001

Is your business ready to face the following situations? It may not be from you but from your neighbors or suppliers? 3

6 BS 25999 Not just about managing the high profile disasters but also the day to day business disruptions Not an IT standard and not about Disaster Recovery A business-owned, business-driven process that establishes a fit-for-purpose strategic and operational framework. 6

Defining Business Continuity Management Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities BS 25999-2:2007, 2.4 7

8 Publication dates BS25999-1 Code of Practice December 2006 BS25999-2 Specification Mid November 2007 Certification process BSI develops certification process 8

9 Why was BS 25999 developed? Business Continuity identified as a critical issue Need for a best practice framework to guide business. Need for a mechanism to demonstrate Business Continuity Management maturity 9

10 Who developed BS 25999? Committee Profile: 33 members 10

11 Who developed BS 25999? Association of British Insurers Association of Insurance & Risk Managers Institute of Directors 11

12 Who developed BS 25999? Association of Chief Police Officers Metropolitan Police Chief Fire Officers Association (CFOA) Society of Industrial Emergency Services 12

13 Who developed BS 25999? Business Continuity Institute Continuity Forum Institute of Emergency Management Institute of Risk Management 13

14 Infrastructure Dependence (power, telecom, etc.) Suppliers Clients / Your Subcontractors Organization Customers Conduit Organizations Vendors System Up Time (computing, data,networks, etc.) 14

15

16

Sequence of Events of an Incident Incident! Overall recovery objective: back-to-normal as quickly as possible Timeline Incident Response Business continuity Within minutes to hours: Staff and visitors accounted for Casualties dealt with Damage containment/ limitation Damage assessment Invocation of BCP Within minutes to days: Contact staff, customers, suppliers, etc. Recovery of critical business processes Rebuild lost work-in-progress Within weeks to months: Damage repair/replacement Relocation to permanent place of work Recovery of costs from insurers Recovery/resumption back to normal 17

Business continuity lifecycle and the Plan-Do-Check-Act cycle Continual improvement of the business continuity management system Plan Interested parties Business continuity requirements and expectations Interested parties Establish Act Maintain and improve Do Implement and operate Check Monitor and review Managed business continuity BS 25999-2 :2007 Figure 2 18

BCM programme management Scoping of BCM Policy agreement & sign off Identification & engagement of stakeholders Approach agreed Roles & responsibilities 19

Understanding the organisation 20

Understanding the organization 21 Scope, policy, stakeholders, regulatory Identify key products and services Identify activities that support key product and services Identify critical activities according to priority for recovery Establish MTPD for each activity Identify impacts from disruption to activities Set recovery time objectives for critical activities Identify impact of threat to critical activities Estimate resources required to recover each critical activity Determine choices for critical activities Define and document method for risk assessment

Identify key products and services and critical activities which support them Identify organisations objectives, obligations, duties Identify supporting activities, assets and resources Assess impact of failure of activities, assets and resources Identify and evaluate threats Identify all interdependencies of activities Understand 3rd party reliance's 22

23 Service Level MTPD and RTO Normal level of service OK! MTPD RTO Minimum level of service Time Incident management plan Business continuity plan

24 MTPD and RTO Service Level Normal level of service Disaster! MTPD RTO Minimum level of service Time Incident management plan Business continuity plan

Determining BCM strategy Definition of incident response structure enabling an effective response & recovery Identification of restart timescales and service levels following a disruption Agreement of timescales to restore normal service levels Stakeholder relationship management Strategy may be modified as an output of management review in response to internal or external events 25

Developing and implementing a BCM response Aligned to the objectives of the organisation s BCM strategy Development of plans to effectively manage a business disruption to the point it is contained Creation of business continuity plans designed to facilitate the resumption of critical activities Detailed plans covering people, communication, roles & responsibilities, locations, resources etc 26

Incident Management Plan Contents of an incident management plan include: 27 Task and action lists Emergency contacts People activities Media response Stakeholder management Incident management location Contact information for emergency responders that support response strategies

Business Continuity Plan Contents of a business continuity plan include: 28 Action plans / task lists Resource requirements Responsible person(s) Incident log / decision record A plan to resume back to normal operations (business recovery plan)

Exercising, reviewing and maintaining Validates effectiveness of plans Ensures understanding of plans, roles & responsibilities Identifies improvement opportunities Maintains relevance of plans as result of business changes 29

30 Exercising plans Different types of exercise Desk check Walk through Simulation Component/activity Full test Exercising supports awareness programme competency development BS 25999-2:2007, 4.4.2

Structure of BS 25999-2 1 Scope 2 Terms and definitions 3 Planning the BCMS General requirements, establishing and managing, embedding BCM in the organisation s culture, documentation and records 4 Implementing and operating the BCMS Understanding the organisation, determining strategy, developing and implementing a response, exercising, maintaining and reviewing 5 Monitoring and reviewing the BCMS Internal audit, management review 6 Maintaining and improving the BCMS Continual Improvement, preventive and corrective actions 31

Implementing and operating the BCMS 4.1 Understanding the organisation 4.2 Determining business continuity strategy 4.3 Developing and implementing a BCM response 4.4 Exercising, maintaining and reviewing BCM arrangements 32

Monitoring and reviewing the BCMS 5.1 Internal audit 5.2 Management review of the BCMS 33

Maintaining and improving the BCMS 6.1 Preventive and corrective actions 6.2 Continual improvement 34

35 35

36 BS 25999 Clients 36