ISO 22301, the First Ever ISO for BCM - Presented at BCI Qatar Forum
"ISO 22301, the First Ever ISO Standard for BCM" – Societal Security – Business Continuity Management Systems
Muhammad Ghazali – MBCI, CBCI, CRISC, ISO 22301 Lead Auditor; Regional Head ‐ BCM Consulting Service, Protiviti Middle East; Forum Leader, The BCI Kuwait Forum
What is Business Continuity Management(BCM)?
“Plans and actions that provide protection and alternate modes of operation”
What’s In A Name?
Addition of “Societal Security” with “Business Continuity”.
“Societal Security,” recognizes that no organization operates in a vacuum
Operate within the context of society, through customers, partners, suppliers, local, regional, national and foreign governments, and more.
This change in title marks a significant shift from BS 25999-2 to ISO 22301: it makes explicit that business continuity is about society, not only the organization.
What could cause a business interruption?
Why ISO Standard for Business Continuity?
› Finally a global standard for Business Continuity Management which speaks the same language across borders
› Auditable Specification to validate the effectiveness
› Clearer expectations from organization’s management
› First standard developed on ISO Guide 83, the new roadmap for standards developers: all ISO management system standards will follow the same structure in their next versions.
› Makes leadership accountable for building competence, not only awareness.
› Organizations can offer their customers and clients greater assurance of continuity following any disruption.
ISO 22301 Vs. BS 25999
› Larger canvas for BCMS
› Expansion in the canvas from Organizational BCMS to Societal Security –BCMS
› Clearer expectation from Top Management
› Leadership participation is required. Top Management leadership shall be more demonstrable and active.
› More careful planning and preparation of resources
› Preventive action has been replaced with "actions to address risks and opportunities", aimed at resilient organizations.
Overall Structure
ISO 22301 follows the high-level structure of ISO Guide 83, with the requirement clauses mapped onto the Plan-Do-Check-Act cycle:
› Plan: Clause 4 Context of Organization, Clause 5 Leadership, Clause 6 Planning, Clause 7 Support
› Do: Clause 8 Operation
› Check: Clause 9 Performance Evaluation
› Act: Clause 10 Improvement
Context of Organization (Clause 4)
Understanding the organization and its environment is an essential step, e.g. culture, people, mix of nationalities.
› Micro environment, e.g. customers, suppliers, partners, contractors, distributors and arbitrators
› Macro environment, e.g. social, political, economic, ethics of trade, local regulators, environmental considerations
The parts of the organization to be included in the BCMS shall be identified. Any exclusions shall not affect the organization's ability to provide continuity of its services and operations.
(Slide diagram: Organization Policy → Business Continuity Policy)
Context of Organization – Interested Parties (Clause 4)
Investors, shareholders, suppliers, customers, people, recovery service providers, regulators, government, insurers, owners, employee unions, neighbors, industry unions, competitors, media, lessors, contractors, technology, concerned agencies, staff dependents.
Roles in the BCMS:
› Top Management – responsible for establishing the framework
› Management – owners of business continuity
› Incident Response Team
› Media Communicator
› Response Team
› Rest of the Organization
Leadership (Clause 5)
› Setting the BC Policy: ensuring that the policies and objectives of the BCMS are compatible with the strategic direction of the organization, and communicating the BCMS vision across the organization.
› Continual Support to BCMS: ensuring that continual support is available to the BCMS once it is implemented.
› Roles, Responsibilities and Authorities: requires top management to assign responsibility for the establishment, implementation and monitoring of the BCMS.
Planning (Clause 6)
› Addition in ISO 22301, which requires:
› determining the risks and opportunities that need to be addressed to ensure that the BCMS can achieve its intended outcome
› ensuring that the business continuity objectives are aligned with the organization
› identifying the individual responsible for delivering those objectives.
Support (Clause 7)
› Addition in ISO 22301, which requires:
› an organization to ensure that persons are competent on the basis of education, training and experience
› organization-wide awareness of the BCM policy and understanding of the effectiveness of the BCMS
› processes for receiving and responding to communications from interested parties, including an integrated warning system.
Operation (Clause 8)
Requires the organization to establish the processes needed to manage the BCMS:
1. Conduct a Business Impact Analysis, establishing MTPD, RTO and RPO for each activity
2. Identify the risks that could impact the prioritized activities
3. Establish and implement the business continuity strategy
4. Document the business continuity plans
5. Exercise and test the BCMS against appropriate scenarios for continual improvement
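As an added worked example, not from the presentation, the relationships the BIA establishes between MTPD, RTO and RPO can be checked mechanically before a strategy is signed off: a strategy whose RTO exceeds the activity's MTPD cannot recover it in time, and a backup schedule less frequent than the RPO cannot meet the data-loss objective. The activities, their durations and the `backup_interval` field are constructed for illustration; the ordering rule (shortest MTPD first) is the usual way prioritized activities are ranked.

```python
from dataclasses import dataclass

# Constructed sample BIA records for illustration; not from the presentation.
# All durations are in hours.
@dataclass(frozen=True)
class Activity:
    name: str
    mtpd: float             # maximum tolerable period of disruption
    rto: float              # recovery time objective set by the continuity strategy
    rpo: float              # recovery point objective: tolerable data loss, as time
    backup_interval: float  # how often the activity's data is actually backed up (assumed field)

SAMPLE_BIA = [
    Activity("Customer payments", mtpd=4, rto=2, rpo=0.25, backup_interval=0.25),
    Activity("Order management", mtpd=24, rto=8, rpo=4, backup_interval=24),   # backups too infrequent
    Activity("Payroll", mtpd=72, rto=96, rpo=24, backup_interval=24),         # RTO exceeds MTPD
    Activity("Marketing website", mtpd=168, rto=48, rpo=24, backup_interval=12),
]


def check_activity(a: Activity) -> list[str]:
    """Return the strategy inconsistencies for one activity (empty list = consistent)."""
    findings = []
    # Recovery must complete before the disruption becomes intolerable.
    if a.rto > a.mtpd:
        findings.append(f"RTO {a.rto}h exceeds MTPD {a.mtpd}h: strategy cannot recover in time")
    # Worst-case data loss equals the backup interval, so it must not exceed the RPO.
    if a.backup_interval > a.rpo:
        findings.append(f"backup every {a.backup_interval}h cannot meet RPO {a.rpo}h")
    return findings


def prioritize(activities: list[Activity]) -> list[Activity]:
    """Order activities for recovery: shortest MTPD first, then shortest RTO."""
    return sorted(activities, key=lambda a: (a.mtpd, a.rto))


def bia_report(activities: list[Activity]) -> dict[str, list[str]]:
    """Map each activity name to its findings, in recovery-priority order."""
    return {a.name: check_activity(a) for a in prioritize(activities)}


if __name__ == "__main__":
    for name, findings in bia_report(SAMPLE_BIA).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Running the block prints the prioritized activities with either OK or the specific gap between the BIA requirement and the strategy, which is the evidence an internal auditor would expect to see behind the "prioritized activities" and "strategy" steps above.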
Performance Evaluation (Clause 9)
› Yet another addition in ISO 22301, which requires:
› Internal audit and management review continue to be the key methods of reviewing the performance of the BCMS
› Monitoring, measurement, analysis and evaluation, to ensure that appropriate metrics are in place and implemented
› Communicating the results of the management review to relevant interested parties and taking appropriate action
Improvement (Clause 10)
› Management Review
› Continual improvement is based on the Japanese philosophy of Kaizen, meaning "change for the better"
› ISO 22301 requires that the organization shall also evaluate the need for action to eliminate the causes of nonconformity, by determining:
› the cause of the nonconformity
› the need for improvement
› the change to make in the BCMS
› the change to make in the business process (if required)
Path for Certification
The usual path for an organization that wishes to be certified against ISO 22301 is the following:
1. Implementation of the management system
2. Internal audit and review by top management
3. Selection of the certification body (registrar)
4. Pre‐assessment audit (optional)
5. Stage 1 audit for conformity of design
6. Stage 2 audit to evaluate whether the declared management system conforms to all requirements of the standard, is actually being implemented in the organization and can support the organization in achieving its objectives
7. Follow‐up audit (optional) in the case of non‐conformities that require additional
8. Confirmation of registration after compliance with the requirements
9. Continual improvement and surveillance audits after certification
Conclusion
• ISO 22301 is an important next step in the evolution of international standards for business continuity, giving organizational resilience a single language
• Organizations of every size can implement the ISO 22301 framework to help them reach a level of maturity in their continuity planning process
• So far, it is the most comprehensive certifiable set of requirements for Business Continuity Management
Q & A Session