ISO The Route Map to Business Continuity Management


ISO 22301: The Route Map to Business Continuity Management
John A. DiMaria; CSSBB, HISP, MHISP, AMBCI
ISO Product Manager; BSI Group Americas Inc.

Agenda
- A basic understanding of ISO 22301:2012
- How identifying crucial risk factors already affecting your organization drives the overall plan
- Understanding your organization's needs and obligations
- Essential steps in program management such as awareness, training, and exercising
- A step-by-step discussion on making the transition to the new standard for business continuity management

ISO 22301
- Newest international standard for business continuity management (BCM)
- Its official title is ISO 22301 Societal Security - Business continuity management system - Requirements
- All core business continuity elements in BS 25999-2 are present in ISO 22301

ISO 22301?
- Provides the requirements for a business continuity management system (BCMS)
- Based on global BCM best practice
- Created in response to strong interest in the original British Standard BS 25999-2 and other regional standards
- BS 25999-2 was the key source text in its development
- For those certified to or aligned with BS 25999-2, the additional requirements are not onerous

How was ISO 22301 formed?

Context
Source documents included:
- BS 25999-2
- NFPA 1600
- ASIS OR standard
- Singapore standards
- ISO 27031
- ISO Guide 73
- ISO/PAS 22399
So ISO 22301 is not simply an international version of BS 25999.

Societal Security and BCM?
ISO 22301 now comes under a wider societal security responsibility. This acknowledges the important role that BCM has to play in protecting society and ensuring our ability to respond to incidents, emergencies and disasters.

Benefits of adopting a systems approach to managing BCM
- Allows organizations to benefit from global BCM best practice, regardless of whether they are planning to certify or not
- Provides a foundation and a common vocabulary for BCM best practice and guidance
- Consensus standards like ISO 22301 represent the input and recommendations of hundreds of BC professionals and industry experts
- Saves you having to reinvent the wheel

Comparing ISO 22301 and BS 25999-2
ISO 22301 includes all core requirements:
- The Plan-Do-Check-Act cycle
- Business continuity policy
- Business impact analysis
- Risk assessment and risk treatments
- Exercising
- Business continuity plans and strategy
- Internal audit
- Management review
- Nonconformity and corrective action
- Improvement actions

Key aspects
- First standard written in accordance with Annex SL
- Change in the way an organization is defined
- Clearer expectations on management
- Preventive action has been replaced with actions to address risks and opportunities, and this features earlier in the standard
- ISO 22301 puts a much greater emphasis on setting objectives, monitoring performance and metrics, aligning BC to top management's strategic thinking

Key aspects (continued)
- ISO 22301 requires more careful planning for, and preparing of, the resources needed for ensuring business continuity
- Communication elements are more demanding, and a responsibility to the wider community is defined
- BIA is similar but with some changes to terminology
- There is a stronger link to the organization's approach to risk
- To reflect the societal security approach some new terminology has been introduced; see ISO 22300 (Societal security - Terminology)

New high level structure
- ISO 22301 is the first management system standard to be developed using Annex SL
- Annex SL* is for standards writers and provides a standardized text suitable for all ISO management system standards
- The intention is to standardize terminology and requirements for fundamental management system requirements
* http://www.iso.org/iso/standards_development/processes_and_procedures/iso_iec_directives_and_iso_supplement.htm

Objectives, monitoring performance and metrics
- Greater emphasis on setting of objectives, monitoring performance and metrics
- Most organizations will already produce metrics which can be tailored to BCMS performance

Top management commitment
- Top management is given clearer BCM responsibilities
- The standard outlines specific ways in which management must demonstrate its commitment to the system

Planning
- The standard contains extended, clearly structured requirements
- It requires that the BCMS be integrated with the organization's objectives, taking into account its risk appetite
- It requires the organization to address threats to the BCMS not being successfully established, implemented and maintained, as well as threats to the business itself
- It also requires a procedure to manage legal and regulatory requirements

Requirements around supply chain
- ISO 22301 outlines more requirements relating to suppliers
- These make it a useful tool for validating supply chains and client and contractual requirements

Structure of ISO 22301:2012
Clause 4.0: A component of Plan. It introduces the requirements necessary to establish the context of the BCMS as it applies to the organization, as well as needs, requirements, and scope.
Clause 5.0: A component of Plan. It summarises the requirements specific to top management's role in the BCMS, and how leadership articulates its expectations to the organization via a policy statement.
Clause 6.0: A component of Plan. It describes the requirements for establishing strategic objectives and guiding principles for the BCMS as a whole. The content of Clause 6 differs from establishing risk treatment opportunities stemming from risk assessment, as well as business impact analysis (BIA) derived recovery objectives.

Structure of ISO 22301:2012 (continued)
Clause 7.0: A component of Plan. It supports BCMS operations as they relate to establishing competence and communication on a recurring/as-needed basis with interested parties, while documenting, controlling, maintaining and retaining required documentation.
Clause 8.0: A component of Do. It defines BC requirements, determines how to address them and develops the procedures to manage a disruptive incident.
Clause 9.0: A component of Check. It summarises the requirements necessary to measure BCM performance and BCMS compliance with the International Standard and management's expectations, and seeks feedback from management regarding expectations.
Clause 10.0: A component of Act. It identifies and acts on BCMS nonconformance through corrective action.

New concepts and activities
- Context of the organization
- Interested parties
- Leadership
- Maximum acceptable outage (MAO)
- Minimum business continuity objective (MBCO)
- Performance evaluation
- Prioritized timeframes
- Warning and communication

Concept of interested parties
- ISO 22301 replaces the term "stakeholders" with "interested parties"
- The standard requires broader consideration of interested parties than BS 25999-2
- Closer alignment with organizational objectives for corporate social responsibility

Context - Interested Parties

- How identifying crucial risk factors already affecting your organization drives the overall plan
- Understanding your organization's needs and obligations
- Essential steps in program management

Documentation
- Requirement for documenting the links between the business continuity policy and the organization's objectives and other policies, including its overall risk management strategy, and the organization's risk appetite
- The requirement to have procedures which identify legal and regulatory requirements
- There is also a requirement to keep this information up to date, which must tie in with maintenance

Planning
Section 6.1 talks about risks and 6.2 about objectives.
Standardized text: Having fully understood the context of the organization, planning activities are introduced to address the risks and opportunities of the business. This proactive approach, if carried out properly, will ensure a resilient BCM system, as it will focus on planning for successfully achieving BCM objectives and realizing opportunities for improvement. Ownership and accountability of BC objectives will be allocated, and a clear direction to accomplishing these objectives will be agreed.

Support
7.2 Competence
- The organization (generally acknowledged to be through its top management) has a responsibility to ensure that sufficient and appropriate resource is available for the BCMS
- Appropriateness is often determined through competency analysis
- It is people who take action when an incident occurs
- Competence relates both to operating the BCMS and to performing following an incident
- Note also 7.3 d): everyone has to be aware of their role during disruptive incidents

Communication
- External communication with customers, partner entities, the local community, and other interested parties, including the media
- Receiving, documenting, and responding to communication from interested parties
- Adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate
- Ensuring availability of the means of communication during a disruptive incident
- Operating and testing of communications capabilities intended for use during disruption of normal communications

Risk Assessment
The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyzes, and evaluates the risk of disruptive incidents to the organization.
NOTE: This process could be made in accordance with ISO 31000.
The organization shall identify risks of disruption to the organization's prioritized activities and to the processes, systems, information, people, assets, outsource partners and other resources that support them, then analyze, evaluate and treat them.

BIA
a) identifying activities that support the provision of products and services;
b) assessing the impacts over time of not performing these activities;
c) setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and
d) identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.

Strategy
ISO 22301 is better defined here:
- Decide what you are going to do to reduce the likelihood and impact, as well as how to respond
- Set RTOs
- Work out the resource requirements
- Act on the protection and mitigation needed
- Evaluate the business continuity capability of suppliers

Incident Response Structure
- Impact thresholds are new
- Personnel to assess the incident
- Communication mentions authorities and media explicitly
- External communications are a new requirement
- Life safety is explicitly mentioned

Warning and Informing
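The BIA steps above (impacts over time, prioritized timeframes, dependencies) and the Strategy step of setting RTOs and evaluating supplier capability can be worked through on constructed data. The example below is added here and is not from the presentation or from ISO 22301; the activities, impact scores, the "unacceptable" threshold of 7 and the 50% safety margin are all assumptions.

```python
"""Worked BIA prioritisation on constructed data (not from the slides or the standard)."""
from dataclasses import dataclass, field

# Constructed: elapsed hours since the disruption at which impact is scored.
HOURS = [1, 4, 8, 24, 48, 72]
# Assumption: impact scores run 0-10 and 7 or more is deemed unacceptable (the MAO point).
UNACCEPTABLE_IMPACT = 7


@dataclass
class Activity:
    name: str
    impact_over_time: list                           # one impact score per entry in HOURS
    depends_on: list = field(default_factory=list)   # supporting resources / suppliers


# Constructed sample activities (BIA steps a, b and d).
ACTIVITIES = [
    Activity("payments_processing", [2, 5, 8, 10, 10, 10], ["core_banking_db", "payment_gateway_vendor"]),
    Activity("customer_support", [1, 2, 4, 6, 9, 10], ["telephony", "crm"]),
    Activity("monthly_reporting", [0, 0, 1, 2, 4, 7], ["crm", "data_warehouse"]),
]

# Constructed: recovery time (hours) each resource owner or supplier has committed to.
SUPPLIER_CAPABILITY_HOURS = {
    "core_banking_db": 4, "payment_gateway_vendor": 12, "telephony": 8,
    "crm": 24, "data_warehouse": 72,
}


def max_acceptable_outage(activity):
    """MAO: the first elapsed time at which impact reaches the unacceptable threshold.
    Returns None if impact stays acceptable over the whole assessed horizon."""
    for hours, impact in zip(HOURS, activity.impact_over_time):
        if impact >= UNACCEPTABLE_IMPACT:
            return hours
    return None


def prioritized_timeframes(activities, safety_margin=0.5):
    """BIA step c: set an RTO per activity inside its MAO, ordered most urgent first.
    Activities whose impact never becomes unacceptable take the horizon as their RTO."""
    result = []
    for a in activities:
        mao = max_acceptable_outage(a)
        rto = mao * safety_margin if mao is not None else HOURS[-1]
        result.append((a.name, mao, rto))
    return sorted(result, key=lambda t: t[2])


def resource_requirements(activities, safety_margin=0.5):
    """Each supporting resource must be back within the shortest RTO of any activity needing it."""
    rtos = {name: rto for name, _, rto in prioritized_timeframes(activities, safety_margin)}
    needed = {}
    for a in activities:
        for res in a.depends_on:
            needed[res] = min(needed.get(res, float("inf")), rtos[a.name])
    return needed


def supplier_gaps(activities, capability=SUPPLIER_CAPABILITY_HOURS):
    """Strategy step: resources whose committed recovery time exceeds what the BIA requires.
    Maps resource -> (required hours, committed hours)."""
    needed = resource_requirements(activities)
    return {r: (needed[r], capability[r]) for r in needed if capability[r] > needed[r]}


if __name__ == "__main__":
    for name, mao, rto in prioritized_timeframes(ACTIVITIES):
        print(f"{name}: MAO={mao}h RTO={rto}h")
    print("supplier gaps:", supplier_gaps(ACTIVITIES))
```

Shared resources such as the CRM inherit the tightest RTO among the activities that depend on them, which is what turns a per-activity BIA into a single resource recovery requirement that suppliers can be measured against.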

Warnings and Communication
The organization shall establish, implement and maintain procedures for:
a) detecting an incident,
b) regular monitoring of an incident,
c) internal communication within the organization,
d) receiving, documenting and responding to any national or regional risk advisory system or equivalent,
e) assuring availability of the means of communication during a disruptive incident,
f) facilitating structured communication with emergency responders,
g) recording of vital information about the incident, actions taken and decisions made.

Recovery
The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.

Exercising and Testing
- Covers pretty much the same ground as BS 25999-2
- It talks about exercises and tests
- Expect to see a program. The point is that over time these should provide objective assurance that the arrangements made will work as anticipated and when required: so does the program really do this?

Performance evaluation
- As with all management system standards, there is a need to look back at what has been achieved
- ISO 22301 also requires that this analysis is evaluated and conclusions drawn by the organization
- Greater emphasis on setting of objectives, monitoring performance and metrics
- Most organizations will already produce metrics which can be tailored to BCMS performance

Performance evaluation (continued)
- Internal audits and management review continue to be key methods of reviewing the performance of the BCMS and tools for its continual improvement

Improvement
- Nonconformities of the BCMS have to be dealt with, together with corrective actions to ensure they don't happen again
- As with all management system standards, continual improvement is a core requirement of the standard

To certify or not to certify
Certification vs. Compliance

What is compliance?
Compliance is an informal industry term generally accepted to mean the system provides support for some or all of a given standard. Vendors of compliant systems are generally expected to offer documentation describing which parts of the standard are supported, and which are not.

What is certification?
Certification, on the other hand, is a recognition of formal testing, to prove that a system provides 100% support for a given standard. Certification is awarded to an organization after an official accredited Certification Body (CB) has reviewed not only the results of formal testing but also formal conformance documentation, as well as assessing the management system against the requirements of the standard and the organization's own internal requirements, proving effectiveness.
- Shows that the organization abides by the principles set out in the standard
- Offers global consistency in implementation
- Continual improvement, achieved through regular assessments of the management system
- Supply chain management
- ~Accountability~

Transition Plan to ISO 22301

Transition plan
- Certification certificates will remain valid during the two year transitional period
- Organizations will need to complete their transition to the new revision by 1 June 2014
- Failure to do this will result in the expiry of their certificate

How will the transition take place for existing BS 25999 organizations?
- They will be able to be assessed to the new standard during continuing assessment visits
- A date for their transition will be agreed with their auditor
- A new certificate will be issued once they have demonstrated compliance with ISO 22301
- Clients can transition ahead of their next surveillance audit for an additional fee

How will the transition take place for existing PS-Prep customers?
- BS 25999 certified organizations will have to wait to see if ISO 22301 is accepted by DHS, or transition to ISO 22301 under the UKAS scheme or Rule 40 under ANAB
- DHS is reviewing and analyzing ISO 22301
- If accepted, it will have to be posted on the Federal Register for public comment
- Exact timelines are not known at this time, but DHS has indicated that ISO 22301 will be issued for comment via the Federal Register in March

Contact Us
Address: BSI Management Systems America Inc., 12110 Sunset Hills Road, Reston VA 20190
John DiMaria: john.dimaria@bsigroup.com
Main Office Telephone: 888-429-6178
Fax: 703 437 9001
Email: Inquiry.msamericas@bsigroup.com
Links: http://www.bsiamerica.com