
WWW.ISO.ORG

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION
INTERNATIONAL STANDARDS ORGANIZATION

SOME POPULAR ISO STANDARDS

ISO 9000  – Quality Management (Data Center)
ISO 14000 – Environmental
ISO 27001 – Information Security
ISO 31000 – Risk Management

FIRST KNOWN BUSINESS CONTINUITY STANDARD: BS25999

• British Standard
• Written in 2006/2007
• Popular in EMEA
• Not so much in Americas … sporadic usage …
• Never fully adopted by ISO
• Did drive the point home of the need for an international standard, though

ISO BUSINESS CONTINUITY STANDARDS WERE INTRODUCED IN 2012

• ISO 22301
• ISO 22313

WHY 2?

ISO 22301

• A “Requirements” standard for BCMS
• Auditable
• “Shall/Must”
• High-Level Content
• Describes the “what” not the “how”
• The first International Standard exclusively for Business Continuity

ISO 22301 - BCMS

BCMS: Business Continuity Management System

Emphasizes the importance of:

• Understanding needs of the organization
• Understanding necessity for establishing BC policies and objectives
• Implementing and operating controls and measures for managing an organization’s overall resilience and its capability to manage disruptive events
• Monitoring and reviewing the performance and effectiveness of the BCMS
• Continual improvement based on objective measurement (metrics)

ISO 22301 - BCMS

SCOPE:
• Implementing
• Operating
• Continuously improving

FOCUS: Written for any organization regardless of:
• Size
• Type
• Location

PURPOSE: To Be A Requirements Document That Drives BC Performance To A Higher Level With The Goal Of Certifying To The ISO Standards

ISO 22301 – BCMS

KEY CHARACTERISTICS OF A BCMS:

• Accountability
• Repeatable Processes
• Documentation Providing Auditable Evidence
• Resources
• Performance Measurement and Review
• Competence
• Cultural Change

KEY COMPONENTS OF A BCMS:

• Policy
• Leadership – People with Defined Responsibilities
• Context and Obligations
• Resources
• Competencies of the resources
• Communications
• Evaluation and Internal Audit
• Corrective Action
• Management Review
• Continuous Improvement

ISO 22301 – APPLYING THE PDCA CYCLE TO BCMS

• Planning
• Establishing
• Implementing
• Operating
• Monitoring
• Reviewing
• Maintaining
• Continually Improving

DIRECT RELATIONSHIP PDCA TO ISO 22301 CLAUSES

ISO 22301: A DOCUMENT WITH TEN CLAUSES

CLAUSE 1: Scope
CLAUSE 2: Normative References
CLAUSE 3: Terms and Definitions

These are known as the INTRODUCTION clauses

REQUIREMENTS:

CLAUSE 4: Context of the Organization
CLAUSE 5: Leadership
CLAUSE 6: Planning
CLAUSE 7: Support

These are the PLAN clauses

Deeper look at the PLAN clauses:

CLAUSE 4: Context of the Organization
• BC Policy
• BIA Methodology
• Risk Assessment
• Legal and Regulatory Requirements
• Scope of the BCMS; explanation of exclusions
• 4 Mandatory Documents of Record

CLAUSE 5: Leadership
• Leadership commitment
• Management commitment
• Organizational roles and responsibilities
• 1 Mandatory Document

CLAUSE 6: Planning
• Risks and Opportunities
• BC Objectives, and plans to achieve them
• Approval by executive management
• 1 Mandatory Document

CLAUSE 7: Support
• Resources
• Competencies
• Awareness
• Communication
• Documentation, including version controls
• 2 Mandatory Documents

REQUIREMENTS:

CLAUSE 8: Operations
• Business Impact Analysis
• Risk Assessment
• BC Strategy
• BC Procedures
• 10 Mandatory Documents

This is the DO clause

CLAUSE 9: Performance / Evaluation
• Risk treatment, preventive actions, maintenance plans
• Actions addressing adverse trends/results
• Data and results of monitoring / measurement
• Results of post-incident review
• Results of internal audit(s)
• Results of management review
• 5 Mandatory Documents

This is the CHECK clause

CLAUSE 10: Improvement
• Nature of nonconformities and actions taken
• Results of corrective actions
• 2 Mandatory Documents

This is the ACT clause

ISO 22301: A DOCUMENT OF TEN COMMANDMENTS (CLAUSES)

ISO 22301: 10 CLAUSES AND 25 DOCUMENTS ARE MANDATORY (TO BECOME CERTIFIED)

ISO 22301 – METHODS OF CERTIFICATION

• First-Party – Self-Certification of Conformity
• Second-Party – Via Internal Audit
• Third-Party – Via External Audit with Accredited Certification Bodies, e.g. ANSI or IAS

ISO 22313

• A “Guidance” standard
  – Aligns with Requirements
  – Detailed cross-referencing by clause
  – Provides recommendations and permissions
  – “Should/May”
  – Strategy Options
  – Best when paired with ISO 22301

ISO 22301 VS. ISO 22313

PRESENTED BY:
CAROL DELATTE, CBCP
[email protected]
972-415-6751
OCTOBER 2014