Introducing ISO 22301 - BSI Group conference
TRANSCRIPT
BSI
Introducing ISO 22301
BACKGROUND
How ISO 22301 was formed
Contributors
Context
• Source documents included
– BS25999-2
– NFPA 1600
– ASIS Organizational Resilience (OR) standard
– Singapore standards
– ISO/IEC 27031
– ISO Guide 73
– ISO/PAS 22399
• So ISO 22301 is not simply an international version of BS25999
Context
• Move towards standardization of management systems headings and text
– Was in development as we were writing
– Only now coming to agreement around ISO Guide 83
– Rules on how to apply this were not always clear and seemed to change
• Hence our interpretation may differ in detail from other standards such as ISO/IEC 27001
Context
• ISO 22301 is the requirements document
• ISO 22313 is the guidance document that accompanies it
– It was originally planned to publish these together, but in practice 22301 has run ahead of the guidance
– It is aligned to 22301; clearly BS25999-1 was not aligned to BS25999-2
• ISO 22313 should be published early next year
– Currently at DIS (Draft International Standard) stage
ISO 22301
Key points
Standardized structure
• Sections 1-3 are as per usual (scope, normative references, terms and definitions)
• Sections 4-7 and 9-10 are ISO standardized management system headings and text
• We were permitted to add text to these sections where necessary
• Section 8 is the heart of the BCM discipline
• Note that 8.1 is standardized text!
Legal and regulatory requirements
• 4.2.2 covers this area in 3 paragraphs
• BS25999 did not cover this in such explicit detail
• BS25999 assumed a UK context, e.g. the Civil Contingencies Act (CCA) and so on
• ISO cannot make such assumptions and so is far more explicit
• However, there is a danger of making this unreasonably onerous
• A BCI document assists in identifying these requirements (LRSG.PDF, available from the BCI web site)
7 Support
• 7.2 Competence
– A recognized weakness for those implementing BS25999
– Wording slightly different but still a key area
• It is people who take action when an incident occurs
• Competence relates both to operating the BCMS AND to performing following an incident
• Note also 7.3 d) – everyone has to be aware of their role during disruptive incidents
7 Support
The organization shall establish, implement, and maintain procedure(s) for
— internal communication amongst interested parties and employees within the organization,
— external communication with customers, partner entities, local community, and other interested parties, including the media,
— receiving, documenting, and responding to communication from interested parties,
— adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate,
— ensuring availability of the means of communication during a disruptive incident,
— facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and
— operating and testing of communications capabilities intended for use during disruption of normal communications.
• 7.4 includes this additional text beyond the standardized management system wording
• "Interested parties", not "stakeholders"
• New and specific compared to BS25999
Context
Hurricanes, tsunami, earthquake, flood and so on may all have national or regional warning systems.
This places an obligation on you to make sure that you receive these messages and act upon them in a timely manner.
Context
You may need to talk to these chaps (fire, police, ambulance, for instance), so you need to show how you are going to do this.
Preparing for communicating in an incident
• Much more explicit in requiring that you think about this in the context of how communications are disrupted by incidents – e.g. mobile networks get swamped, telecommunications damaged by earthquakes
• NOTE: There are no foolproof, perfect answers to these issues. Organizations can only take the steps that are reasonable for them – quite clearly what is required of the Police is not the same as what is required of a small business – but both must show that they have done this
• NOTE: 8.4.3 returns to this area
8 Operation
• This is the main area where business continuity is addressed
• The old BCM Lifecycle is encapsulated here
– BIA/RA
– Strategy
– Implementing solutions
– Exercising
• BC practitioners should recognise these steps
• Like BS25999
Strategy
The organization shall conduct evaluations of the business continuity capabilities of suppliers.
• A one-liner that appears in 8.3.1 with a wealth of meaning
• Not ALL suppliers, please note – remember that this relates to the output from the BIA and RA
• So they will need to show how they determine which suppliers to look at (if any) and how they do this
8.4 Establish and implement business continuity procedures
• Key area
• All based on BIA and recovery objectives
• We tried to move away from talking about plans – limited success!
• 8.4.1 is a good summary (my highlighting)
The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis.
The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident.
The procedures shall
a) establish an appropriate internal and external communications protocol,
b) be specific regarding the immediate steps that are to be taken during a disruption,
c) be flexible to respond to unanticipated threats and changing internal and external conditions,
d) focus on the impact of events that could potentially disrupt operations,
e) be developed based on stated assumptions and an analysis of interdependencies, and
f) be effective in minimizing consequences through implementation of appropriate mitigation strategies.
Incident Response Structure
• 8.4.2 is broadly equivalent to 4.3.2 in BS25999
• External communications are a specific requirement. Think about Buncefield or similar – they should warn the public, and life safety is explicitly mentioned. In which case, how do they do this? (E.g. a siren?)
Warning and Communication
• ISO 22301 contains a specific requirement on warning and communication in 8.4.3
• Differs from BS25999-2
a) detect incident
b) monitor incident
c) internal communications
d) regional advisories
e) assure availability of communications
f) communicate with emergency responders
g) record vital information
Warning and Communication
• Additionally consider:
a) alerting interested parties potentially impacted by an actual or impending disruptive incident;
b) assuring the interoperability of multiple responding organizations and personnel;
c) operation of a communications facility
Warning and Communication
• You must also exercise these arrangements regularly
8.4.4 Business continuity plans
• Less prescriptive than BS25999 but covers very much the same ground
• Note my earlier comment that people take action – plans are there to support them when they are not thinking straight; they are not a manual of how to run the business, nor are they a response to every possible risk
8.4.5 Recovery
• In BS25999-1 we talked about 3 phases, the last of these being a "return to normal"
• This never became a part of BS25999-2 – viewed as "too difficult" to define
• As ISO 22301 was being developed, a PD (BSI Published Document) was being written in the UK on this very topic, so we had a marker in the draft to use this as input
• That never came to fruition for various reasons
• We discussed taking this section out, but it actually received a lot of international support to keep it in
Recovery
The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.
• These might be very specific for some organizations but could be pretty general in other cases
• This is a new area
• Clearly, thinking through how you get the business running normally once the initial invocation has been completed is important! – e.g. I invoke my contract with ICM/IBM/SunGard – what happens after the contracted period is completed?
8.5 Exercising and testing
• Covers pretty much the same ground as BS25999-2
• Note that it talks about exercises and tests
• These are different and complementary
– Tests have a defined outcome which you achieve or don't (pass/fail)
– Exercises are more nuanced and will probably include elements of training and awareness building
– So my generator either works or it doesn't, but an exercise of the CMT (crisis management team) will always produce learning points
• Expect to see a programme – the point is that over time these should provide objective assurance that the arrangements made will work as anticipated and when required: so does the programme really do this?
Section 9
• Performance evaluation is also a new requirement
• How do you know if the BCMS is doing what it should unless you have some metrics?
– E.g. I have 20 plans and they are all up to date
– But beware of metrics too focussed on documents and not enough on competent people and teams who are ready to perform when needed
• Note: Management review includes additional material to the standard text
BENEFITS
Benefits
• Demonstrable good practice to
– Top management
– Internal and external auditors
– Customers
– Other interested parties, including staff, shareholders, regulators
• Possible to achieve accredited certification
• Management systems approach like other similar disciplines
– Opportunity to integrate with other management systems
– Easier to learn for new professionals
– Removes old dichotomies of programme v project v ongoing task
• Adoption by your suppliers affords some assurance
• International Standard
– Replaces many national standards
– Introduces a recognized standard where none previously existed
– Spreads good practice business continuity worldwide
– Carries the business continuity message to new organizations and jurisdictions
How to prepare
• Read the standard – I mean really read the standard
– This means every word
• Go through it and compare it to what you currently do and ask yourself:
– Can we really satisfy this requirement?
– How do I show evidence that we do?
– If you don't, why not?
• Are there institutional obstructions?
• Resource constraints?
– Develop a gap analysis and plan how to address these
Dave Austin
Project Team Leader, TC223 WG4
Director of Operational Resilience Ltd.