TRANSCRIPT
ISACA Singapore
Seminar and Networking Dinner
December 20, 2011
National Library Board Building
Level 5, Possibility Room
Auditing the Business Continuity Management Programme:
Challenges, Preparation and Competency
Dr Goh Moh Heng
President
Dr Goh Moh Heng
• President – Business Continuity Management (BCM) Institute – www.bcm-institute.org
• Managing Director – GMH Continuity Architects – Asia Pacific BCM Consulting Firm – www.GMHasia.com
• Professional BCM Appointments
– Technical Advisor for TR19:2005 & SS540:2008 BCM Standard (Management Council and Technical Committee) – www.ss540.org
– Project Director, Technical Working Group for SS507:2004
– ISO/IEC 24762 Guidelines for BC-DR Services
http://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng
Dr Goh Moh Heng
Prior Appointments
• Government of Singapore Investment Corporation (GIC)
• Standard Chartered Bank
– Global Head for BCM
• PriceWaterhouseCoopers
• Past Certification Board Member for DRI International’s Certification Board
• Past Executive Director for DRI Asia
• Senior Technical Advisor, China Business Continuity Management Forum
http://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng
Agenda
• Back to Basics
• Update on Global BCM Development
• Mandate BCM Competency
• Audit and Review Key BCM Components
• Learn from Recent Disasters
Business Continuity Management Fundamentals
[Figure: Business Continuity Management plan types – Crisis, IT Recovery, Security and Business Continuity; specific plans: Crisis Management Plan, IT DR Plan, Security Plan, BC Plan; triggered by incidents, emergencies, events and disasters]
Common Planning Methodology
http://www.bcmpedia.org/wiki/BCM_Planning_Process_or_Methodology
Global BCM Development
BCM Standards and Regulations
National Standards for BCM
• UK
– BS25999 Pt 1 & 2
• Singapore
– SS507:2008
– SS540:2008
• Australia/New Zealand
– ANZ 5050
– HB Series 221, 292, 293
• US
– NFPA 1600: 2011
– ASIS SPC.1-2010 Organizational Resilience
Standards and Guidelines
• Regulations and guidelines applicable to organizations
– Sarbanes-Oxley Act
– Basel III Capital Accord
– Central Bank’s BCM guidelines
– COSO; COBIT; SAS70
– OSHA
• New BCM Standards
– ISO 22301
• Societal security – Business continuity management systems
– ISO 22399
• Societal security – Guideline for incident preparedness and operational continuity management
BCM Planning Methodology and SS540 for BCM
BCM Planning Methodology & BS25999
International BCM Standards
• BS 25999
• NFPA 1600
• ANZ 5050
• SS 540
• ISO 22301 (2012)
Organizational BCM Competency
BCM Competency Level
http://www.bcm-institute.org/bcmi10/en/education
Auditable Components of BCM Programme
Audit Requirement for BCM
Key Controls: BCM Competency
Key Controls: Approved Reports
Audit Skillset and Upgrading
BCM Audit Process Compared with ISO 19011:2002
BCM audit phases:
• Audit Planning and Preparation
• Audit Fieldwork
• Audit Review and Reporting
• Audit Follow-up
ISO 19011:2002 audit stages:
• Initiating the Audit
• Conducting Document Review
• Preparing for On-site Activities
• Conducting On-site Activities
• Preparing, Approving, Distributing Audit Report
• Completing the Audit
• Conducting Audit Follow-up
Training Competency for Auditors
• Business Continuity Management – BCM Body of Knowledge
– SS540:2008
• Audit BCM Programme (Walkthrough of a Live Implementation)
– Quality Management
– Financial
– IT
• Lead Auditors – Course Code: BCM-8540
• Internal Auditor (Organization Quality Manager) – Course Code: BCM-8540
http://www.bcm-institute.org/bcmi10/en/bc-governance-and-compliance
Recent Disasters
Thailand Flooding
Japan Tsunami
Lessons from Recent Disasters
• Lack of understanding of what exactly BCM is
• Review of key planning scenarios (KPS)
– Single-site, regional and multiple disasters
• Shift of focus from:
– Low probability, high impact to
– High probability, high impact
• Definition of “BCP”
– Crisis management
– Business continuity
– Emergency response
• Supply chain considerations
• Coordination with public authority
• Welfare of staff and family members
BCM Framework
• Policy
– Strong governance
– Alignment with business mission
– Consistency in communication
• People
– Senior Management
– Key executive assigned to the project or programme
– Involvement of business heads and units
– BCM competency
• Process
– Common methodology for BCM, DR, CM, ER, etc.
– Integration of plans within organization
[Figure: BCM Framework – Policy, People, Process]
BCM Institute Forum: Building a Community
• 80% Asian and Middle Eastern BCM and DR Professionals
• www.bcmi.groupsite.com
• Web-based Activities
– Exchange of information and experiences
THANK YOU
Dr Goh Moh Heng, President
Mobile: +65 96711022
Tel: +65 63231500
Email: [email protected]