Business Continuity Standards A Primer

Similar documents
Is Business Continuity Certification Right for Your Organization?

ISO 22301: Societal Security Terminology ISO 22313: BCMS Guidance ISO 22398: Exercises and Testing - Guidance

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program

ISO 22301:2012 Societal Security Appendix B Business Continuity Management Systems Requirements 347

Business Continuity Management Policy

eet Business continuity and disaster recovery Enhancing enterprise resiliency for the power and utilities industry Power and Utilities Fact Sheet

Business Continuity Management and BS by Steve Chan, Head of Training - HK, BSI Management Systems

Introduction to Business Continuity Planning

Business Continuity and Disaster Recovery Planning

Time Warner Cable s (TWC) Path to Declaring Conformity to ISO 22301

Business Continuity / Disaster Recovery Context

Business Continuity Trends, Requirements and Expectations in Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting

DRAFT BUSINESS CONTINUITY MANAGEMENT POLICY

Plan Development Getting from Principles to Paper

Business Continuity for the New Professional. Britt Corra Enterprise BCM Erika Voss Senior BCM

Evaluating and Improving Your Business Continuity Plan

By. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd

Business Continuity Management Governance. Frank Higgins Abu Dhabi March 2015

BSO Board Director of Human Resources & Corporate Services Business Continuity Policy. 28 February 2012

Business Resiliency Business Continuity Management - January 14, 2014

security standards and guidelines development

Moving from BS to ISO The new international standard for business continuity management systems. Transition Guide

WEST YORKSHIRE FIRE & RESCUE SERVICE. Business Continuity Management Strategy

Business Continuity Management

The Role of Internal Audit In Business Continuity Planning

Company Management System. Business Continuity in SIA

On the New Voluntary Corporate Preparedness Accreditation and Certification Program

RSA ARCHER BUSINESS CONTINUITY MANAGEMENT AND OPERATIONS Solution Brief

Principles for BCM requirements for the Dutch financial sector and its providers.

Proposal for Business Continuity Plan and Management Review 6 August 2008

Institute for Business Continuity Training 1623 Military Road, # 377 Niagara Falls, NY

Emergency Management and Business Continuity Policy

Business Continuity and Disaster Recovery Planning 3/16/2011. Lee Goldstein CPCP, MBCI President Business Contingency Group

CHAPTER 1: BUSINESS CONTINUITY MANAGEMENT STRATEGY AND POLICY

Why Should Companies Take a Closer Look at Business Continuity Planning?

Business Continuity Trends and Risk Considerations Financial Executives International Portland Chapter June

BS BUSINESS CONTINUITY MANAGEMENT

Need to protect your business from potential disruption? Prepare for the unexpected with ISO

Appendix 3 Disaster Recovery Plan

Business Continuity Management. Policy Statement and Strategy

DESIGNING A BUSINESS CONTINUITY TRAINING PROGRAM TO MAXIMIZE VALUE & MINIMIZE COST

Temple university. Auditing a business continuity management BCM. November, 2015

Business Continuity Planning and Disaster Recovery Planning

Business Continuity Management Group Policy

BCM and DRP - RFP Template

BUSINESS CONTINUITY MANAGEMENT SINGAPORE SS540 BCM STANDARDS. LSA Consultants Pte Ltd

Business Continuity Management

RETAIL AUDIT FORUM - AUDITING BUSINESS CONTINUITY

Business Continuity Management Policy

Business Continuity Management

White Paper: ISO Business Continuity Management An Overview. ISO Business Continuity Management An Overview

BCP and DR. P K Patel AGM, MoF

Business Continuity & Disaster Recovery

BUSINESS CONTINUITY PLANNING

Whitepaper: 7 Steps to Developing a Cloud Security Plan

Business Continuity & Crisis Management

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Business Continuity Management Planning Methodology

Business Continuity Planning

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

Il nuovo standard ISO sulla Business Continuity Scenari ed opportunità

Business Continuity Management Framework

CSA Z1600 Emergency Management and Business Continuity Programs

CLASSIFICATION SPECIFICATION FORM

Business Continuity Management Program Development Guide

How To Plan A Crisis Management Program

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy

The Importance of Performance Metrics in Business Continuity Paul Kirvan, FBCI, CISA

Ensuring operational continuity

Business Continuity and Emergency Preparedness Planning. Vandita Zachariah, MA, MBA, CIA HHSC Internal Audit Division May 21, 2010

Business Continuity Management

BUILDING A SECURITY CONSCIOUS BUSINESS CONTINUITY MANAGEMENT (BCM) PROGRAM

Business Continuity and Disaster Planning

London Local Authorities Business Continuity Guidance for Suppliers & Contractors

NHS Commissioning Board Business Continuity Management Framework (service resilience)

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

Business Continuity Planning. Description and Framework. White Paper. Preface. Contents

MHA Consulting. Business Continuity Management 101

BCM Data Research within a Business Intelligence Dashboard

External Supplier Control Requirements BCM

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Meeting FFIEC Requirements: Enterprise-Wide Testing of Your. Business Continuity Plan

CSC AND THE BUSINESS CONTINUITY MATURITY ASSESSMENT PROGRAM

Business Continuity and Disaster Recovery Policy

Business Continuity Planning for Water Utilities: Guidance Document [Project #4319]

Business continuity management policy

National Fire Protection Association s Contribution to Business Continuity Strategies

Transcription:

INTELLIGENT NOTIFICATION Alphabet Soup: Making Sense of BC/DR Standards Part 1: Business Continuity Standards A Primer

Why all the attention now? One of the hottest topics in BC/DR these days is standards. BC standards have been around for a while, but the rollout of the Department of Homeland Security s (DHS) Private Sector Preparedness initiative (PS Prep) focused new attention on the subject and put the quest for comprehensive and effective standards on a fast track. In the process, three standards have emerged as leaders for certification and recognition under the PS Prep Program: NFPA 1600, BS25999 and ASIS SPC.1. This brief will give you an overview of each of the major standards, touching on international standards and established guidelines and regulations that drive the definition and implementation of BC programs. Which standard is best? NFPA 1600 The NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs * provides a basis for BC/DR programs by providing common program elements, techniques, and processes. This standard follows a total program approach to enhancing disaster/emergency management and BC programs to manage the impact of disasters. The NFPA standard emphasizes program policies and management components, providing guidelines that address the analysis, planning and implementation of the core elements of crisis management, business resumption planning and IT disaster recovery. To certify to the NFPA 1600 standard, your organization must develop a fully documented program to be run by a program coordinator and an advisory committee whose primary function is to administer, maintain, and review the organization s program. The standard identifies five primary aspects in its response program: Mitigation Prevention Mitigation Preparedness Preparedness Response Recovery Prevention Recovery Response These aspects are in line with the analysis and planning/implementation of the core elements of PS Prep. NFPA 1600 addresses these core elements by requiring risk assessments, impact analyses, @ 2011 MIR3, Inc. All rights reserved. 2

incident prevention strategies, mitigation strategies, resource management and logistics, incident management systems, and operational procedures in order to prevent, prepare for, and respond to a disaster or emergency situation. The NFPA 1600 standard emphasizes a regular planning process in order to improve current strategies and confront newly identified problems. BS 25999-2 The British Standard 25999-2:2007 * specification for business continuity management (BCM) defines requirements for a management systems approach. The emphasis of this standard is on creating, implementing, and managing an effective BCM system and then embedding it within the organization s culture. The standard Understanding the Organization primarily focuses on the planning and implementation of the core elements through its attention to continuity and recovery plans. Exercising, Maintaining and Reviewing Determining BCM Strategy The British Standard describes detailoriented continuity and recovery plans that organizations must enact for accreditation. Developing and It requires specifics on how your Implementing BCM organization will reestablish operations, Response communications and policies during disasters and specifics on how to implement a media response strategy. The British Standard requires action and task details that need to be performed once the response plan is initiated, as well as the resources required for business continuity and business recovery efforts at different points in time. The British Standard also emphasizes the maintenance, review, and improvement of the core elements. It requires that your organization develop and conduct exercises that are consistent within the scope of the BCM system, hold post-exercise reviews of each exercise, and review its BCM arrangements to ensure continuing suitability, adequacy, and effectiveness. This standard establishes an internal auditing system, management review of the BCMS, and reviewing inputs and outputs from the BCMS in order to ensure that management monitors and reviews its effectiveness and efficiency. ASIS SPC.1 ASIS International SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems * is a management framework for action planning and decision making to anticipate, prevent and prepare for and respond to a disruptive incident. The standard seeks to increase organizational and customer confidence by creating a safe and secure environment for both @ 2011 MIR3, Inc. All rights reserved. 3

the organization and its stakeholders. It emphasizes the planning and implementation of the core elements, as well as the maintenance, review and improvement element. Continuous Improvement Know Environment Policy The ASIS standard plans and implements its Organizational Resilience (OR) Management Review management policy by requiring management to provide evidence of its commitment to implementing disaster/ Implemenation emergency response strategies. ASIS focuses on the maintenance, review Checking and and improvement element by providing Corrective Action auditable criteria to establish, check, maintain, and improve its management system. The standard requires your organization to implement evaluation activities that include: internal audits, exercise and testing, management reviews, input and output reviews, program maintenance, and policies aimed at continuously improving the standard. Planning Implementation & Operation Should you certify? Why would you? Aligning your business continuity program and all key processes to a standard is clearly a smart decision for any organization, but needs to be considered carefully as the process takes time and resources. Here are some things to reflect on when making the decision whether or not to formally conform to a standard: Regulatory environments Many businesses are required to operate within regulatory environments and must implement specific components in their business continuity program. Compliance and certification to a standard will complement the requirements for the regulations. Organizations providing products and services that are critical to the infrastructure of the United States (as defined by the DHS) There are 19 sectors identified by the DHS as components of the US s critical infrastructure. While not required by the DHS to implement programs and certify to a standard, these critical sectors are encouraged to adopt the PS Prep program (and thus the approach to a standard). Supply chain criticality Businesses are becoming more and more dependent on critical supplies, products or services to deliver products or services to customers. Interruptions in the supply chain for critical products or services is becoming more and more intolerable, resulting @ 2011 MIR3, Inc. All rights reserved. 4

in increased pressure from an organization to require critical providers, such as your business, to demonstrate preparedness through adoption and certification to a standard. Competitive positioning Securing new business requires demonstrating a competitive advantage over the competition. Your organization can position an internal business continuity program as a competitive advantage in business development. How do you certify to a standard? If your company wants to certify to a standard, it must have a third-party review by an authorized certification board to validate the company s preparedness to a standard. However, in some cases a self-declaration of conformity can meet your company s goal. Regardless of the decision to move for formal certification or simply self-declaration, here s how to get started: Step 1: Get executive buy-in Without the commitment of executives, it ll be tough to secure the resources needed to implement all the components of a standard and complete certification. Step 2: Choose a standard Your organization must begin by selecting a standard that will be used in developing its internal business continuity program. Step 3: Define the scope It is not necessary to certify your enterprise-wide program, or all of a single location at one time. Your company may select the scope of the business continuity program to meet the business requirements that are driving the company s pursuit to certification. Step 4: Align to regulations required for your industry Many of the current processes that are in place to meet certain regulatory requirements can also be applied toward implementation of key specifications within your chosen standard. This alignment exercise will help identify the gaps that must be addressed for adherence to the standard. Step 5: Implement all the components within the selected scope Using each of the components of the standard, within the given scope of the BC program, design and implement key processes to meet each of the specifications as defined in the standard. Remember, the certification process is a pass-fail system, requiring 100% conformity to the standard within your scope. Step 6: Execute a self-administered assessment of conformity Once all the components of the standard have been implemented (or as the process is being implemented), it helps if you perform a self-assessment of conformity to all the components of the standard. An audit by a third party is costly and you want to be sure your organization is @ 2011 MIR3, Inc. All rights reserved. 5

ready before attempting it. Self-assessment is a good tool to measure progress and readiness for certification. And in fact, some organizations may elect to stop at this point and use the results of the self-administered assessment of conformity as sufficient for their internal requirements as well as any external requirements. Step 7: Select a certifying body Once the internal program (within the scope selected) has met all of the requirements as defined by the standard, a third-party certifying body must be selected to complete an audit of the defined program scope. Selecting a third-party certifying body is an important step. The certifying body selected should be one that has identified experience within the business sector in which your company operates, particularly in regulated environments. Step 8: Satisfactorily complete an audit by the certifying body All the hard work is done, now it is up to the certifying body to complete the audit and validate that the specifications of the standard have all been addressed completely. Learn more about BC/DR standards and why they matter by joining the full webinar series. Alphabet Soup: Making Sense of BC/DR Standards http://www.mir3.com/bcdrstandards MIR3: Proven technology, global reach Founded in 1999, MIR3 is a leading developer of notification and response technology. The company has a history of meeting exacting customer requirements with innovative technologies that continue to set standards for the industry. MIR3 is the provider of choice for many of the Global FORTUNE 100 companies and thousands of other organizations around the world. When you choose MIR3, you are choosing a strong company with extensively proven technology and a solid global communication infrastructure. * The Sloan Report, A Framework for Voluntary Preparedness, January 18, 2008 @ 2011 MIR3, Inc. All rights reserved. 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information