Introducing ISO 22301 - BSI Group Conference

BSI introducing ISO 22301


Post on 10-Jun-2020


Page 1

BSI introducing ISO 22301

Page 2

BACKGROUND

How ISO 22301 was formed

Page 3

Contributors

Page 4

Context

• Source documents included
– BS25999-2
– NFPA 1600
– ASIS OR standard
– Singapore standards
– ISO 27031
– ISO Guide 73
– ISO/PAS 22399
• So ISO 22301 is not simply an international version of BS25999

Page 5

Context

• Move towards standardization of management systems headings and text
– Was in development as we were writing
– Only now coming to agreement around ISO Guide 83
– Rules on how to apply this were not always clear and seemed to change
• Hence our interpretation may differ in detail from others like ISO 27001

Page 6

Context

• ISO 22301 is the requirements document
• ISO 22313 is the guidance document that accompanies this
– It was originally planned to publish these together, but in practice 22301 has run ahead of the guidance
– It is aligned to 22301; clearly BS25999-1 was not
• ISO 22313 should be published early next year
– Currently at DIS (Draft International Standard) stage

Page 7

ISO 22301

Key points

Page 8

Page 9

Standardized structure

• Sections 1-3 are as per usual (scope, normative references, terms and definitions)
• Sections 4-7 and 9-10 are ISO standardized management systems headings and text
• We were permitted to add text to these sections where necessary
• Section 8 is the heart of the BCM discipline
• Note that 8.1 is standardized text!

Page 10

Legal and regulatory requirements

• 4.2.2 covers this area in 3 paragraphs
• BS25999 did not cover this in such explicit detail
• BS25999 was assuming a UK context, e.g. the CCA (Civil Contingencies Act) and so on
• ISO cannot make such assumptions and so is far more explicit
• However, there is a danger of making this unreasonably onerous
• The BCI document assists in identifying these (LRSG.PDF, available from the BCI web site)

Page 11

7 Support

• 7.2 Competence
– Recognized weakness for those implementing BS25999
– Wording slightly different but still a key area
• It is people who take action when an incident occurs
• Competence relates both to operating the BCMS AND to performing following an incident
• Note also 7.3 d) – everyone has to be aware of their role during disruptive incidents

Page 12

7 Support

The organization shall establish, implement, and maintain procedure(s) for
— internal communication amongst interested parties and employees within the organization,
— external communication with customers, partner entities, local community, and other interested parties, including the media,
— receiving, documenting, and responding to communication from interested parties,
— adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate,
— ensuring availability of the means of communication during a disruptive incident,
— facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and
— operating and testing of communications capabilities intended for use during disruption of normal communications.

• 7.4 includes additional text
• Interested parties – not stakeholders
• New and specific compared to BS25999

Page 13

Context

Hurricanes, tsunami, earthquake, flood and so on may all have national or regional warning systems.

This places an obligation on you to make sure that you get these messages and act upon them in a timely manner.

Page 14

Context

You may need to talk to these chaps.

So you need to show how you are going to do this.

These may be fire, police or ambulance, for instance.

Page 15

Preparing for communicating in an incident

• Much more explicit in requiring that you think about this in the context of how communications are disrupted by incidents
– E.g. mobile networks get swamped, telecommunications damaged by earthquakes
• NOTE: There are no foolproof, perfect answers to these issues. Organizations can only take the steps that are reasonable for them – quite clearly what is required of the police is not the same as what is required of a small business – but both must show that they have done this
• NOTE: 8.4.3 returns to this area

Page 16

8 Operation

• This is the main area where business continuity is addressed
• The old BCM lifecycle is encapsulated here
– BIA/RA (business impact analysis / risk assessment)
– Strategy
– Implementing solutions
– Exercising
• BC practitioners should recognise these steps
• Like BS25999

Page 17

Strategy

The organization shall conduct evaluations of the business continuity capabilities of suppliers.

• A one-liner that appears in 8.3.1 with a wealth of meaning
• Not ALL suppliers, please note – remember that this relates to the output from the BIA and RA
• So they will need to show how they determine which suppliers to look at (if any) and how they do this

Page 18

8.4 Establish and implement business continuity procedures

• Key area
• All based on BIA and recovery objectives
• We tried to move away from talking about plans – limited success!
• 8.4.1 is a good summary (my highlighting)

The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis.

The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident.

The procedures shall
a) establish an appropriate internal and external communications protocol,
b) be specific regarding the immediate steps that are to be taken during a disruption,
c) be flexible to respond to unanticipated threats and changing internal and external conditions,
d) focus on the impact of events that could potentially disrupt operations,
e) be developed based on stated assumptions and an analysis of interdependencies, and
f) be effective in minimizing consequences through implementation of appropriate mitigation strategies.

Page 19

Incident Response Structure

• 8.4.2 broadly equivalent to 4.3.2 in BS25999
• External communications are a specific requirement. Think about Buncefield or similar – they should warn the public, and life safety is explicitly mentioned. In which case, how do they do this? (E.g. a siren?)

Page 20

Warning and Communication

• ISO 22301 contains a specific requirement on warning and communication in 8.4.3
• Differs from BS25999-2
a) detect incident
b) monitor incident
c) internal communications
d) regional advisories
e) assure availability of communications
f) communicate with emergency responders
g) record vital information

Page 21

Warning and Communication

• Additionally consider:
a) alerting interested parties potentially impacted by an actual or impending disruptive incident;
b) assuring the interoperability of multiple responding organizations and personnel;
c) operation of a communications facility

Page 22

Warning and Communication

• You must also exercise these arrangements regularly

Page 23

8.4.4 Business continuity plans

• Less prescriptive than BS25999 but covers very much the same ground
• Note my earlier comment that people take action – plans are there to support them when they are not thinking straight; they are not a manual of how to run the business, nor are they a response to every possible risk

Page 24

8.4.5 Recovery

• In BS25999-1 we talked about 3 phases, the last of these being a “return to normal”
• This never became a part of BS25999-2
– Viewed as “too difficult” to define
• As ISO 22301 was being developed, a PD was being written in the UK on this very topic, so we had a marker in the draft to use this as input
• That never came to fruition for various reasons
• We discussed taking this section out, but it actually received a lot of international support to keep it in

Page 25

Recovery

The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.

• These might be very specific for some organizations but could be pretty general in other cases
• This is a new area
• Clearly, thinking through how you get the business running normally once the initial invocation has been completed is important!
– E.g. I invoke my contract with ICM/IBM/SunGard – what happens after the contracted period is completed?

Page 26

8.5 Exercising and testing

• Covers pretty much the same ground as BS25999-2
• Note that it talks about exercises and tests
• These are different and complementary
– Tests have a defined outcome which you achieve or don’t (pass/fail)
– Exercises are more nuanced and will probably include elements of training and awareness building
– So my generator either works or it doesn’t, but an exercise of the CMT will always produce learning points
• Expect to see a programme – the point is that over time these should provide objective assurance that the arrangements made will work as anticipated and when required: so does the programme really do this?

Page 27

Section 9

• Performance evaluation is also a new requirement
• How do you know if the BCMS is doing what it should unless you have some metrics?
– E.g. I have 20 plans and they are all up to date
– But beware of metrics too focussed on documents and not enough on competent people and teams who are ready to perform when needed
• Note: Management review includes additional material to the standard text

Page 28

BENEFITS

Page 29

Benefits

• Demonstrable good practice to
– Top management
– Internal and external auditors
– Customers
– Other interested parties, including staff, shareholders, regulators
• Possible to achieve accredited certification
• Management systems approach like other similar disciplines
– Opportunity to integrate with other management systems
– Easier to learn for new professionals
– Removes old dichotomies of programme v project v ongoing task
• Adoption by your suppliers affords some assurance
• International Standard
– Replaces many national standards
– Introduces a recognized standard where none previously existed
– Spreads good practice business continuity worldwide
– Carries the business continuity message to new organizations and jurisdictions

Page 30

How to prepare

• Read the standard – I mean really read the standard
– This means every word
• Go through it and compare it to what you currently do and ask yourself:
– Can we really satisfy this requirement?
– How do I show evidence that we do?
– If you don’t, why not?
• Are there institutional obstructions?
• Resource constraints?
– Develop a gap analysis and plan how to address these

Page 31

Dave Austin
Project Team Leader, TC223 WG4
Director of Operational Resilience Ltd.