
TÜV SÜD

ISO 22301 Business Continuity Management System Ensure continuity of critical business functions in the event of disruptions

White paper

Abstract

This white paper provides an overview of ISO 22301, and provides key information in establishing and operating an effective business continuity management system, as outlined in the standard.

The white paper is intended for all sectors and industries, especially those operating in high-risk environments, as well as business continuity management personnel, including management, information technology engineers and employees who are involved in implementing or supporting an organisation’s business continuity program.

About TÜV SÜD expert

Low Liang Ngien
Product Specialist, Auditing Centre

Mr. Low is a Product Specialist and Auditor for IT certifications, specifically in the area of Business Continuity Management (BCM) and Data Centre Management in TÜV SÜD ASEAN, and is responsible for the development of these products. He has carried out many business continuity, data centre and information security audits in various sectors, including Financial Institutions, ICT sector in ASEAN and South Asia.

He is an appointed member of Work Group by the Technical Committee on Security and Privacy Standards (Information Technology Standard Committee) and helped both InfoComm Development Authority (IDA) of Singapore and SPRING Singapore to provide technical advisory services to support the development and review of the Business Continuity / Disaster Recovery standard, SS 507:2015. Before joining TÜV SÜD, he was with POSBank, providing quality and information security for the bank’s developed / acquired systems, and its IT and Data Centre operations.

Contents

1 INTRODUCTION

2 WHAT IS ISO 22301?

3 ESTABLISHING AN ISO 22301 COMPLIANT BUSINESS CONTINUITY MANAGEMENT SYSTEM?

4 CONCLUSION

Introduction

Unexpected disruptions such as natural disasters, power outages, workers’ strikes, supply chain delays, pandemic outbreaks etc. can cripple a company’s business operations.

The Business Continuity Management System (BCMS) is a process that helps manage risks so as to ensure smooth operation of an organisation or delivery of a service, enabling continuity of critical functions in the event of a disruption, and effective recovery thereafter. Implementing an appropriate BCM system helps to protect the vital business systems needed to maintain operations, and allows continuity of products or services, thereby preserving a company’s market share, reputation and brand.

A successful BCMS must be regarded as an integral part of an organisation’s normal ongoing management processes. A company’s plan should demonstrate proactive involvement of the management, allocation of appropriate and sufficient resources, and a clear commitment to the implementation of BCM.

ISO 22301 specifies the requirements to plan, implement, monitor, review, and improve a company’s business continuity management. With a formalized BCM framework and well tested plans, it minimizes uncertainties and confusion.

What is ISO 22301?

The ISO 22301 is an international framework and benchmark developed to guide businesses in identifying potential threats to a company’s products or services and to build effective backup systems and processes to safeguard the stakeholders’ interests.

ISO 22301 is based on the management system model found in ISO 9001 (quality management), ISO 14001 (environmental management), ISO 27001 (information security), ISO 20000-1 (IT service management), and other management systems used by more than one million organizations worldwide. The model follows the familiar “plan-do-check-act” process for managing and improving an organisation’s operations and performance. As such, the availability of ISO 22301 enables organizations to integrate business continuity management efforts into their existing management systems activities.

It provides formal business continuity guidelines that will keep businesses operational during and following a disruption. It seeks to minimize the impact to products or services, ensuring they are still capable of being delivered or recovered promptly.

By adopting an ISO 22301 compliant business continuity management system, organisations can accomplish the following goals:

• Guide organizations in using a systematic approach to develop, implement, manage, maintain and improve its Business Continuity Program
• Ensure that you are on the right track
• Help organisations to identify and understand the risks that could disrupt and impact the business
• Assure and give confidence to both staff and customers
• Certification is an independent assessment which marks an organization’s commitment to ensure continuity of its business and service to customers
• Facilitate organisation wide communication on the need for preparedness for unexpected incidents and unwelcome events
• Promote awareness on the importance of making a smooth and quick recovery
• Maintain quality and efficiency even when incidents occur
• Objectively evaluate and prioritise the distribution of resource and implementation of redundancies
• Provide integration with other organisational management systems
• Identify opportunities for improvement throughout the organization
• Gain confidence of stakeholders by implementing best practices for business continuity

The ISO 22301 business continuity management model can help organisations better manage their limited resources today while also supporting longer-term efforts to improve resiliency with technology.

The benefit of ISO 22301?

ISO 22301 specifies the requirements to plan, implement, monitor, review, and improve a company’s business continuity management. It minimizes uncertainties and confusion.

ISO 22301 covers every phase of the implementation and operation of a business continuity management system, and provides a framework that can help organisations accomplish the following tasks:

• Develop an organisation policy for an effective recovery of key business functions
• Establish targets and objectives to achieve the goals of the policy
• Identify business / operations risks and associated business impacts (Perform Risk Assessment (RA) and Business Impact Analysis (BIA))
• Determine Business Continuity Strategy and develop Business Continuity Plan(s) (based on the result of RA and BIA and aligning to BC Policy and Objectives)
• Establish and implement business continuity procedures
• Determine the resource required to ensure emergency preparedness and appropriate responses
• Perform test and exercise on BC Plans to determine that the business continuity procedures and plans address the intended recovery objectives
• Monitor, measure and analyse key characteristics that affect the recovery plan
• Review the suitability, adequacy and effectiveness of the business continuity management system
• Continually improve an organisation’s business continuity capabilities and performance


Establishing an ISO 22301 compliant business continuity management system?

Developing and implementing a business continuity management system is a significant undertaking. For this reason, the commitment and support of an organisation’s senior management is critical.

While the actual work will likely be delegated to an implementation team, management’s commitment to the effort must be unequivocal so that the team has the authority to implement the planned activities and efforts.

Once a commitment from senior management has been given, an implementation team is formed, consisting of personnel from throughout the organisation. Ideally, participants on the implementation team include personnel from operations, IT, corporate communications, risk & controls, human resource, purchasing, as well as participants from the facilities and maintenance departments.

Establishing team goals as well as a regular meeting schedule can help to ensure that the team’s efforts stay on track. A final preliminary step in establishing a business continuity management system is to identify any and all potential existing alternate resources / sites that may, or will, be available for the organization to manage a disruption. This would likely include physical facilities, work seats and space within the organization which are currently unused. In addition, the implementation team should identify the equipment and systems that may be critical. Once these preliminary steps have been completed, the implementation and maintenance of an ISO 22301 compliant business continuity management system typically involves the following four phases:

A. Business Continuity Planning

Planning is the first phase in establishing a business continuity management system. A clearly defined and documented plan helps to ensure the success of the overall effort by providing a critical framework for the work to follow.

The organisation shall determine the risks and opportunities that need to be addressed to ensure that the management system can achieve its intended outcomes, prevent or reduce undesired effects and achieve continual improvement. At a minimum, effective planning involves the following activities:

Review the organisation’s external and internal issues and identify / understand the needs of interested parties – The first planning step is to identify the relevant internal and external issues that may affect the organization’s ability to continue its business and services, and to determine interested parties’ expectations of its business and operations, with the goal of identifying the organization’s activities, functions, services, products, partnerships, supply chains and the potential impact related to a disruptive incident.

This activity helps the organization to identify the internal and external factors that create uncertainties and, therefore, risk. It also determines exactly what level of services and business operations is expected and, perhaps broadly, the list of critical business functions that are required to support these services and business deliverables.

Competence, training and awareness – An effective business continuity management system is based on the competence of all personnel involved. An organisation must ensure that all employees, as well as vendors and suppliers, are knowledgeable about:

• Benefits of having well established plan and being prepared
• Threats / risks and their impacts to business
• Right approach to risk assessment and business impact analysis
• Organisation business continuity strategies and its recovery plans
• Objectives and importance of integrated test and exercise
• Importance of conformity with the procedures and requirements of the organisation’s business continuity management system
• How their activities contribute to the achievement of the organisation’s business continuity goals

In addition, an organization should identify any training needs associated with its efforts to maintain the operation of its business continuity management system, and document all training efforts.

Communication – An organization should routinely provide employees with information about new and potential threats / risks that may cause business disruption, the impact of these threats / risks and updates on changes / improvements to its business continuity management system, and create a process that allows employees and others working on its behalf to make suggestions for improving the system. If an organization decides to provide information about its business continuity policy to external audiences, it should establish and implement an appropriate method to manage this communication.

Documentation – An organization must document, either in paper or electronic form, the core elements of its business continuity management system. The documentation shall include:

• Scope and boundaries of the organisation’s business continuity management system
• Organisation’s business continuity policy
• Business continuity objectives, targets and action plans
• Approach to business impact analysis
• Risk assessment methodology
• Business continuity strategy
• Business continuity plan / plans
• Approach for its tests / exercises and their plans
• Documents and records as required by ISO 22301
• Any other documents determined to be necessary for the effective management of the system

Determine the policy and scope for business continuity – The understanding of the organization’s issues and of interested parties’ expectations and requirements provides the information necessary for management to set the organisation’s risk criteria, taking into account its risk appetite, and to establish the policy and scope of its business continuity and what the organization wants to achieve with its business continuity management system.

Identify Business Continuity Objectives and Recovery Targets (Maximum Tolerable Period of Disruption, Minimum Business Continuity Objectives) – Based on the identified requirements, policy and scope, the organization can now define business continuity objectives, recovery targets and action plans to achieve these targets. Objectives and targets should be consistent with the organisation’s business continuity policy, and include time frames for their recovery. The objectives usually include time based targets (e.g. MTPD, RTO, etc). The action plans shall identify the parties responsible for plan implementation, the time frame for completion, a statement of the method used to verify the results, and a statement of the method used to verify business continuity recovery improvements.

B. Implementation and operation

With a plan in place, implementation can now begin. The implementation phase includes the following activities:

Document control – In addition to the above documentation requirements, an organisation must also establish and maintain suitable processes and procedures to approve documents for use, to periodically review and update documents as necessary, and to ensure that relevant versions of applicable documents are available to those who need them.

Operational control – A key aspect of the implementation and operation phase is organizing and managing them (implementation and operation) in a manner consistent with an organisation’s business continuity policy, objectives, targets and action plans. This includes establishing the risk assessment methodology and criteria to assess business impact on service disruption. Documented processes and procedures needed to meet requirements and to implement the action plans determined shall be developed.

The approach typically consists of a number of discrete stages together aimed at achieving a comprehensive and viable business continuity plan that will fully meet the requirements of the organisation in the event of a disruption:

a) Perform Business Impact Analysis (BIA)

This activity enables an organization to analyse the potential impact of a disruption, identify the critical processes / business functions that support its key products and services, the interdependencies between processes and the resources required to operate the processes at a minimally-acceptable level.

b) Perform Risk Assessment (RA)

The goal of this requirement is to establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyzes, and evaluates the threat / risk of disruptive events / incidents to the organization. The organisation will also evaluate which threat / risk events require treatment, and identify the treatments commensurate with business continuity objectives and in accordance with the organisation’s risk appetite.

c) Establishing business recovery priorities, timescales and requirements

The result from both BIA and RA allows the organization to determine its recovery priority and recovery timescales.

d) Business continuity strategy formulation

After requirements (business recovery priorities and timescales) have been established through the BIA and the RA, strategies can be developed to identify arrangements that will enable the organization to protect and recover critical activities based on organizational risk tolerance and within defined recovery time priorities and timescales. Resource requirements (people; information and data; building, work environment and associated utilities; facilities, equipment and consumables; information and communication technology (ICT) systems; transportation; finance; partners and suppliers) to implement the selected strategies are also determined and established. All in all, the business continuity strategy should be an integral component of an institution’s corporate strategy.

e) Develop business continuity plan and procedures

At this stage, the organization shall develop, document, implement and maintain the business continuity procedures to manage and respond to disruptive events / incidents, and to define how it will continue or recover activities within a predetermined timeframe based on the recovery objectives identified during the BIA and RA phase. According to ISO 22301:2012, the procedures shall:

• Establish an appropriate internal and external communications protocol;
• Be specific regarding the immediate steps that are to be taken during a disruption;
• Be flexible to respond to unanticipated threats and changing internal and external conditions;
• Focus on the impact of events that could potentially disrupt operations;
• Be developed based on stated assumptions and an analysis of interdependencies; and
• Be effective in minimizing consequences through implementation of appropriate mitigation strategies

f) Plan and execute business continuity plan testing

As business continuity procedures are not something we execute on a daily basis like our daily operations procedures, identifying potential gaps, blind spots or issues embedded within the procedures poses a challenge. Exercising and testing, in this case, play an important role in the entire implementation. To ensure that business continuity procedures are consistent with its business continuity objectives, an organization will have to test them regularly. Exercising and testing are the processes of validating business continuity plans and procedures to ensure the selected strategies are capable of providing the recovery within the timeframes expected / set, which becomes the benchmark for further improvement.

g) Ongoing business continuity plan maintenance

The business continuity procedures and plans, like all of an organization’s processes and procedures, will undergo review, updates, changes and continual improvement. Gaps and issues identified during exercise and testing, various reviews (e.g. management review and internal audits) and feedback channels, external and internal organizational changes, and planned regular impact and risk reviews are some of the means an organization can make use of to gather inputs for improvement.

[Figure: Approach to business continuity planning. Stages, with their outputs in parentheses: Conduct of Business Impact Analysis Review and Assessment of Risks, then, based on these results, Establishment of Business Recovery Priorities, Timescales & Requirements (impact, priorities, timescales for recovery and minimum requirements); Business Continuity Strategy Formulation (options for meeting priorities, timescales and minimum requirements, and recommendations); Business Continuity Plan Production (plan(s), organisation, responsibilities, logistics, detailed action tasklist); Testing of Business Continuity Plan (test strategy and test plans, testing and evidence); Ongoing Maintenance (ongoing maintenance activity). Side labels: Security controls incl. for resilience; Risk Reduction.]

C. Checking

Continuous checking of the key characteristics of an organisation’s risks and impact, business continuity capabilities and its achievement of objectives, targets and action plans is an essential element of the process, ensuring that implementation activities are producing the desired results and achieving the anticipated risks efficiencies. The checking phase includes the following activities:

Monitoring, measurement and analysis – This aspect of the checking phase includes the monitoring, measurement and analysis of the following specific areas:

• Exercise and testing result
• Post-incident reporting
• Ever-changing threats / risks and their impacts
• Effectiveness of business continuity procedures and plans created to achieve the defined business continuity objectives and targets

The results from the monitoring and measuring of these key characteristics must be documented, and the organization must investigate and respond to significant gaps identified. In addition, an organisation must ensure that scenarios used in exercises to test key characteristics of the business continuity procedures and plans are realistic. A post-mortem of each and every exercise should be conducted and documented. Finally, an organisation must periodically review its measurement needs.

Evaluation of compliance with legal and other requirements – An organisation shall periodically evaluate its compliance with legal requirements and any other applicable standards and guidelines in relation to the requirements of its implemented business continuity management system.

Internal audit of the business continuity management system – At planned intervals, an organisation shall conduct internal audits of the business continuity management system to ensure that the system conforms with the business continuity objectives and targets that have been established, and that the implementation and maintenance of the system is producing anticipated capabilities and improvements. The results of these audits shall be documented and reported to the organisation’s management.

Corrective actions – An organisation should be prepared to take corrective actions as necessary to address any non-conformities with the planned operation of the organisation’s business continuity management system. Specific actions should include:

• Reviewing actual or potential nonconformities
• Identifying the causes of nonconformities
• Evaluating the need for action to prevent further recurrence
• Determining and implementing appropriate corrective or preventive actions
• Reviewing the effectiveness of corrective or preventative actions
• Maintaining records of all corrective actions

An organisation shall also make any changes necessary to its business continuity management system to prevent the future occurrence of nonconformities.

Record control – The final aspect of the checking phase involves the maintenance of records and other documentation necessary to demonstrate the organisation’s ongoing compliance with the requirements of its business continuity management system as well as those of ISO 22301. Controls shall also include provisions for record retention and retrieval.

D. Management review

In the management review phase, an organisation takes an objective look at the overall effort from a strategic point of view. The review phase also typically includes a briefing for senior management on the progress and the results of the targets and action plans, and the overall effectiveness of the organisation’s business continuity management system (BCMS).

In preparing for the management review, an organisation shall consider and evaluate all of the following performance considerations in connection with its BCMS:

• Follow-up actions from any prior management reviews
• A review of the adequacy of the organisation’s business continuity policy and whether there is a need to change both its policy and objectives
• Opportunities for improvement
• A review of the results of internal audits (including that of key suppliers and partners)
• An evaluation of the technique, products or procedures, which could be used in the organization to improve the business continuity management system’s performance and effectiveness
• Status of corrective actions initiated
• A review of the results of exercising and testing
• An evaluation of risks or issues not adequately addressed in any previous risk assessment
• A review of any changes (both internal and external to the scope of certification) that could affect the organization’s BCMS
• Additional recommendations for improvement
• A review of lessons learnt and actions arising from disruptive events
• Any emerging good practice and guidance that may have been identified

The management review itself will typically result in decisions or actions related to continual improvement opportunities and changes in the following areas:

• Organization business continuity policy
• Objectives, targets and other elements of the organization’s BCMS
• Update of risk assessment, business impact analysis, risk treatment plans, procedures and control to respond to disruptive events
• Allocation of resources to manage business continuity activities

Conclusion

Being prepared by having an effective business continuity management system and recovery strategy is an increasingly important aspect of organisational performance. ISO 22301 provides a clearly defined roadmap for organisations seeking to implement and maintain a business continuity management system that can help them to be prepared and ready to handle business disruptions, so that they can quickly and effectively recover critical business operations, minimizing the impact on their services to customers. The structure of ISO 22301 is also consistent with that of other management systems, such as ISO 9001, ISO 27001 and ISO 20000-1, allowing organisations to leverage their existing investments in management system compliance.

TÜV SÜD is an internationally recognised testing, inspection and certification organisation, with hundreds of technical experts in more than 30 countries around the world. This extensive network makes TÜV SÜD an effective single source for organisations seeking expertise in the certification and auditing of business continuity management systems of all types.

In addition to the certification of business continuity management systems to ISO 22301, TÜV SÜD offers a range of business continuity, information security and risk related audits and certifications, including ISO 27001, SS 584 (Multi-Tier Cloud Security), SS 507 (Business Continuity and Disaster Recovery Standard for Service Providers) and ISO 31000, as well as training services in Personal Data Protection Act, ISO 20000-1 and all the above mentioned standards and guidelines.

GLOSSARY OF ACRONYMS

BCMS – Business Continuity Management Systems
RA – Risk Assessment
BIA – Business Impact Analysis
ICT – Information and Communication Technology

COPYRIGHT NOTICE

The information contained in this document represents the current view of TÜV SÜD on the issues discussed as of the date of publication. Because TÜV SÜD must respond to changing market conditions, it should not be interpreted to be a commitment on the part of TÜV SÜD, and TÜV SÜD cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. TÜV SÜD makes no warranties, express, implied or statutory, as to the information in this document. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of TÜV SÜD. TÜV SÜD may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from TÜV SÜD, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ANY REPRODUCTION, ADAPTATION OR TRANSLATION OF THIS DOCUMENT WITHOUT PRIOR WRITTEN PERMISSION IS PROHIBITED, EXCEPT AS ALLOWED UNDER THE COPYRIGHT LAWS. © TÜV SÜD Group – 2016 – All rights reserved - TÜV SÜD is a registered trademark of TÜV SÜD Group.

DISCLAIMER

All reasonable measures have been taken to ensure the quality, reliability, and accuracy of the information in the content. However, TÜV SÜD is not responsible for the third-party content contained in this newsletter. TÜV SÜD makes no warranties or representations, expressed or implied, as to the accuracy or completeness of information contained in this newsletter. This newsletter is intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). Accordingly, the information in this newsletter is not intended to constitute consulting or professional advice or services. If you are seeking advice on any matters relating to information in this newsletter, you should – where appropriate – contact us directly with your specific query or seek advice from qualified professional people. The information contained in this newsletter may not be copied, quoted, or referred to in any other publication or materials without the prior written consent of TÜV SÜD. All rights reserved © 2013 TÜV SÜD.

© TÜV SÜD PSB Pte Ltd | PSB-MKG/XX/X.0/en/SG

Keep businesses operational during and following a disruption

www.tuv-sud-psb.sg/sg-en/activity/auditing-system-certification

Choose certainty. Add value.

TÜV SÜD is a premium quality, safety and sustainability solutions provider that specialises in testing, inspection, auditing, certification, training and knowledge services. Represented in over 800 locations worldwide, we hold accreditations in Europe, the Americas, the Middle East and Asia. By delivering objective service solutions to our customers, we add tangible value to business, consumers and the environment.

Our ASEAN offices

CAMBODIA: TÜV SÜD Cambodia, Tel: +855 23 500 25 25
THAILAND: TÜV SÜD Thailand, Tel: +66 2 564 8041
INDONESIA: TÜV SÜD Indonesia, Tel: +62 21 2986 5795/96
VIETNAM: TÜV SÜD Vietnam, Tel: +84 08 6267 8507
MALAYSIA: TÜV SÜD Malaysia, Tel: +60 3 5103 8128
SINGAPORE: TÜV SÜD PSB Pte Ltd, Tel: +65 6778 7777
PHILIPPINES: TÜV SÜD PSB Philippines, Tel: +63 2 687 5673