ISO 22301- The Route Map to Business Continuity Management (DiMaria John BSI ISO 22301.pdf)

Posted on 22-Feb-2020

TRANSCRIPT

Page 1:

Copyright © 2012 BSI. All rights reserved.

ISO 22301- The Route Map to Business Continuity Management

John A. DiMaria; CSSBB, HISP, MHISP, AMBCI
ISO Product Manager; BSI Group Americas Inc.


Agenda

•A basic understanding of ISO 22301:2012

•How identifying crucial risk factors already affecting your organization drives the overall plan

•Understanding your organization’s needs and obligations

•Essential steps in program management such as awareness, training, and exercising

•A step-by-step discussion on making the transition to the new standard for business continuity management

Page 2:

ISO 22301

•Newest international standard for business continuity management (BCM)

• Its official title is ISO 22301:2012 Societal security - Business continuity management systems - Requirements

•All core business continuity elements in BS 25999-2 are present in ISO 22301


ISO 22301?

•Provides the requirements for a business continuity management system (BCMS)

•Based on global BCM best practice

•Created in response to strong interest in the original British Standard BS 25999-2 and other regional standards

•BS 25999-2 was the key source text in its development

•For those certified to or aligned with BS 25999-2, the additional requirements are not onerous

Page 3:

How was ISO 22301 Formed

Page 4:

Context

Source documents included

• BS 25999-2

• NFPA 1600

• ASIS Organizational Resilience (OR) standard

• Singapore standards

• ISO/IEC 27031

• ISO Guide 73

• ISO/PAS 22399

So ISO 22301 is not simply an international version of BS25999


Societal Security and BCM?

•ISO 22301 now comes under a wider societal security responsibility.

•This acknowledges the important role that BCM has to play in protecting society and ensuring our ability to respond to incidents, emergencies and disasters.

Page 5:

Benefits of adopting a systems approach to managing BCM

• Allows organizations to benefit from global BCM best practice, regardless of whether they are planning to certify or not

• Provides a foundation and a common vocabulary for BCM best practice and guidance

• Consensus standards like ISO 22301 represent the input and recommendations of hundreds of BC professionals and industry experts

• Saves you having to reinvent the wheel


Comparing ISO 22301 and BS 25999-2

•Includes all core requirements

• The ‘Plan Do Check Act’ cycle

• Business continuity policy

• Business impact analysis

• Risk assessment and risk treatments

• Exercising

• Business continuity plans and strategy

• Internal audit

• Management review

• Non conformity and corrective action

• Improvement actions

Page 6:

Key aspects

• First standard written in accordance with Annex SL

• Change in the way an organization is defined

• Clearer expectations on management

• Preventive action has been replaced with “actions to address risks and opportunities” and features earlier

• ISO 22301 puts a much greater emphasis on setting the objectives, monitoring performance and metrics –aligning BC to top management strategic thinking


Key aspects

•ISO 22301 requires more careful planning for, and preparation of, the resources needed to ensure business continuity

•Communication elements are more demanding, and a responsibility to the wider community is defined

•BIA is similar, but with some changes to terminology

•There is a stronger link to the organization's approach to risk

•To reflect the societal security approach some new terminology has been introduced, see ISO 22300 (Societal security – Terminology)

Page 7:

New high level structure

• ISO 22301 is the first management system standard to be developed using Annex SL

• Annex SL* is written for standards writers and provides standardized text suitable for all ISO management system standards

• The intention is to standardize the terminology and the fundamental requirements common to every management system standard

http://www.iso.org/iso/standards_development/processes_and_procedures/iso_iec_directives_and_iso_supplement.htm


Objectives, monitoring performance and metrics

•Greater emphasis on setting of objectives, monitoring performance and metrics

•Most organizations will already produce metrics which can be tailored to BCMS performance

Page 8:

Top management commitment

•Top management given clearer BCM responsibilities

•The standard outlines specific ways in which management must demonstrate its commitment to the system


Planning

•The standard contains extended, clearly structured requirements

• It requires that the BCMS be integrated with the organization's objectives, taking into account its risk appetite

• It requires the organization to address both the risk that the BCMS is not successfully established, implemented and maintained, and threats to the business itself

•It also requires a procedure to manage legal and regulatory requirements

Page 9:

Requirements around supply chain

• ISO 22301 outlines more requirements relating to suppliers

•These make it a useful tool for validating supply chains and client and contractual requirements


Structure of ISO 22301:2012

Clause / Description

4.0 (Plan): Introduces the requirements necessary to establish the context of the BCMS as it applies to the organization, as well as its needs, requirements and scope.

5.0 (Plan): Summarises the requirements specific to top management's role in the BCMS, and how leadership articulates its expectations to the organization via a policy statement.

6.0 (Plan): Describes the requirements for establishing strategic objectives and guiding principles for the BCMS as a whole. The content of Clause 6 is distinct from the risk treatment options that stem from the risk assessment and from the recovery objectives derived from the business impact analysis (BIA).

Page 10:

Structure of ISO 22301:2012

Clause / Description

7.0 (Plan): Supports BCMS operations as they relate to establishing competence and communicating with interested parties on a recurring or as-needed basis, while documenting, controlling, maintaining and retaining the required documentation.

8.0 (Do): Defines the BC requirements, determines how to address them and develops the procedures to manage a disruptive incident.

9.0 (Check): Summarises the requirements necessary to measure BCM performance and BCMS conformance with the International Standard and with management's expectations, and seeks feedback from management regarding those expectations.

10.0 (Act): Identifies and acts on BCMS non-conformance through corrective action.


New concepts and activities

• Context of the organization

• Interested parties

• Leadership

• Maximum acceptable outage (MAO)

• Minimum business continuity objective (MBCO)

• Performance evaluation

• Prioritized timeframes

• Warning and communication

Page 11:

Concept of interested parties

• ISO 22301 replaces the term ‘stakeholders’ with that of “interested parties”

•The standard requires broader consideration of interested parties than BS 25999-2

•Closer alignment with organizational objectives for corporate social responsibility

Context - Interested Parties

Page 12:

How identifying crucial risk factors already affecting your organization drives the overall plan

Understanding your organization's needs and obligations

Essential steps in program management

Page 13:

Documentation

•Requirement for documenting:

• links between the business continuity policy and the organization’s objectives and other policies, including its overall risk management strategy; and

• the organization’s risk appetite.

•The requirement to have procedures which identify legal and regulatory requirements. There is also a requirement to keep this information up to date which must tie in with maintenance.


Planning

Section 6.1 talks about risks and 6.2 about objectives

•Standardized text

•Having fully understood the context of the organization, planning activities are introduced to address the risks and opportunities of the business.

•This proactive approach, if carried out properly, will ensure a resilient BCM system as it will focus on planning for successfully achieving BCM objectives and realizing opportunities for improvement. Ownership and accountability of BC objectives will be allocated and a clear direction to accomplishing these objectives will be agreed.

Page 14:

Support

•7.2 Competence

•The organization (generally acknowledged to be through its Top Management) has a responsibility to ensure that sufficient and appropriate resource is available for the BCMS. Appropriateness is often determined through competency analysis

• It is people who take action when an incident occurs

•Competence relates both to operating the BCMS and to performing following an incident

•Note also 7.3 d) – everyone has to be aware of their role during disruptive incidents


Communication

•external communication with customers, partner entities, local community, and other interested parties, including the media,

• receiving, documenting, and responding to communication from interested parties,

•adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate,

•ensuring availability of the means of communication during a disruptive incident

•operating and testing of communications capabilities intended for use during disruption of normal communications.

Page 15:

Risk Assessment

•The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyzes, and evaluates the risk of disruptive incidents to the organization.

•NOTE: This process can be carried out in accordance with ISO 31000.

The organization shall

• identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, analyze them, evaluate and treat them.


BIA

a) identifying activities that support the provision of products and services;

b) assessing the impacts over time of not performing these activities;

c) setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and

d) identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.

Page 16:

Strategy

• Strategy is better defined in ISO 22301 than in BS 25999-2

•Decide what you are going to do to reduce the likelihood and impact as well as how to respond

•Set RTOs

•Work out the resource requirements

•Act on the protection and mitigation needed

•Evaluate business continuity capability of suppliers

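The BIA steps a) to d) on the previous slide and the strategy steps above (set RTOs, work out the resource requirements, evaluate suppliers) can be checked mechanically once the impact-over-time data has been collected. The following Python is an added worked example, not code from the BSI deck or from ISO 22301 itself: it derives each activity's maximum acceptable outage (MAO) from an assumed 0-10 impact score and an assumed "unacceptable" threshold of 7, ranks the activities into prioritized timeframes, and then checks that every RTO sits below its MAO and that no dependency (supplier, system or outsource partner) has an RTO longer than the activities that rely on it. The activity names, scores, dependencies and RTOs are constructed sample data.

```python
"""Added worked example for the BIA and strategy steps (not from the BSI deck).

Assumptions, none of which come from ISO 22301 itself:
  - the impact of not performing an activity is scored 0-10 at a few points in time;
  - an impact score of 7 or more is 'unacceptable' for every activity;
  - MAO (maximum acceptable outage) is the earliest time at which the score
    reaches that threshold, and the RTO chosen in the strategy step must be
    strictly below it;
  - a dependency's RTO may not exceed the RTO of any activity that needs it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UNACCEPTABLE = 7  # assumed impact threshold on the 0-10 scale


@dataclass
class Activity:
    name: str
    impact: Dict[int, int]                               # hours after disruption -> impact score
    depends_on: List[str] = field(default_factory=list)  # supporting resources by name
    rto_hours: Optional[int] = None                      # set by the strategy step


def mao_hours(activity: Activity, threshold: int = UNACCEPTABLE) -> Optional[int]:
    """BIA steps b/c: earliest time at which not performing the activity becomes
    unacceptable. None if it never does within the modelled window."""
    for hours in sorted(activity.impact):
        if activity.impact[hours] >= threshold:
            return hours
    return None


def prioritized_timeframes(activities: List[Activity]) -> List[Tuple[str, Optional[int]]]:
    """BIA step c: order activities by how soon they must resume (shortest MAO
    first); activities whose impact never becomes unacceptable come last."""
    def sort_key(a: Activity):
        m = mao_hours(a)
        return (m is None, m if m is not None else 0, a.name)
    return [(a.name, mao_hours(a)) for a in sorted(activities, key=sort_key)]


def validate_plan(activities: List[Activity]) -> List[str]:
    """BIA step d and the strategy step: every RTO must sit below its MAO, and
    every dependency must have a BIA entry and an RTO no longer than the RTO of
    the activities relying on it. Returns human-readable findings; an empty
    list means the plan is internally consistent."""
    by_name = {a.name: a for a in activities}
    findings: List[str] = []
    for a in activities:
        if a.rto_hours is None:
            findings.append(f"{a.name}: no RTO set")
            continue
        mao = mao_hours(a)
        if mao is not None and a.rto_hours >= mao:
            findings.append(f"{a.name}: RTO {a.rto_hours}h is not below MAO {mao}h")
        for dep_name in a.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                findings.append(f"{a.name}: dependency '{dep_name}' has no BIA entry")
            elif dep.rto_hours is None:
                findings.append(f"{a.name}: dependency '{dep_name}' has no RTO")
            elif dep.rto_hours > a.rto_hours:
                findings.append(
                    f"{a.name}: dependency '{dep_name}' RTO {dep.rto_hours}h "
                    f"exceeds own RTO {a.rto_hours}h")
    return findings


# Constructed sample data: one customer-facing activity, two supporting
# services (one outsourced), one back-office activity and one low-impact one.
SAMPLE_ACTIVITIES = [
    Activity("order processing", {4: 2, 24: 5, 48: 8, 72: 10},
             depends_on=["payment gateway (supplier)", "identity provider", "dns provider"],
             rto_hours=24),
    Activity("payment gateway (supplier)", {4: 3, 24: 8}, rto_hours=48),
    Activity("identity provider", {4: 6, 8: 9}, rto_hours=4),
    Activity("monthly payroll", {24: 1, 168: 4, 336: 9}, rto_hours=72),
    Activity("archive reporting", {24: 1, 168: 3}, rto_hours=168),
]

if __name__ == "__main__":
    for name, mao in prioritized_timeframes(SAMPLE_ACTIVITIES):
        print(f"{name:28s} MAO: {mao if mao is not None else 'not reached'}")
    for finding in validate_plan(SAMPLE_ACTIVITIES):
        print("FINDING:", finding)
```

Run against the sample data, the plan fails on exactly the points the slides warn about: the outsourced payment gateway has an RTO (48h) longer than its own MAO (24h) and longer than the order-processing activity that depends on it, and one dependency ("dns provider") was named in step d) but never given a BIA entry of its own. Those are the findings a supplier evaluation or a surveillance audit would otherwise have to surface by hand.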

Incident Response Structure

• “Impact thresholds” is new

•Personnel to assess the incident

•Communication mentions “authorities” and “media” explicitly

•External communications a new requirement. Life safety explicitly mentioned.

“Warning and Informing”

Page 17:

Warnings and Communication

The organization shall establish, implement and maintain procedures for

a) detecting an incident,

b) regular monitoring of an incident,

c) internal communication within the organization

d) receiving, documenting and responding to any national or regional risk advisory system or equivalent,

e) assuring availability of the means of communication during a disruptive incident,

f) facilitating structured communication with emergency responders,

g) recording of vital information about the incident, actions taken and decisions made,


Recovery

•The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident

Page 18:

Exercising and Testing

•Covers pretty much the same ground as BS25999-2

• It talks about exercises and tests.

•Expect to see a program – point is that over time these should provide objective assurance that the arrangements made will work as anticipated and when required: so does the program really do this?


Performance evaluation

•As with all management system standards there is a need to look back at what has been achieved

• ISO 22301 also requires that this analysis is evaluated and conclusions drawn by the organization

•Greater emphasis on setting of objectives, monitoring performance and metrics

•Most organizations will already produce metrics which can be tailored to BCMS performance

Page 19:

Performance evaluation

• Internal audits and management review continue to be key methods of reviewing the performance of the BCMS and tools for its continual improvement


Improvement

•Nonconformities of the BCMS have to be dealt with together with corrective actions to ensure they don’t happen again

•As with all management system standards, continual improvement is a core requirement of the standard

Page 20:

Certification vs Compliance


To certify or not to certify

What is Compliance?

•Compliance is an informal industry term generally accepted to mean the system provides support for some or all of a given standard.

•Vendors of compliant systems are generally expected to offer documentation describing which parts of the standard are supported, and which are not.

Page 21:

What is certification?

•Certification on the other hand is a recognition of formal testing, to prove that a system provides 100% support for a given standard.

•Certification is awarded to an organization after an accredited Certification Body (CB) has reviewed not only the results of formal testing and the formal conformance documentation, but has also assessed its management system against the requirements of the standard and the organization's own internal requirements, proving effectiveness.

•Shows that the organization abides by the principles set out in the standard.

•Offers global consistency in implementation.

•Continual improvement - achieved through regular assessments of the management system.

•Supply chain management and accountability.


Transition Plan to ISO 22301

Page 22:

Transition plan

•Certification certificates will remain valid during the two year transitional period

•Organizations will need to complete their transition to the new revision by 1 June 2014

•Failure to do this will result in the expiry of their certificate


How will the transition take place for existing BS 25999 organizations?

•They will be able to be assessed to the new standard during continuing assessment visits

•A date for their transition will be agreed with their auditor

•A new certificate will be issued once they have demonstrated compliance with ISO 22301

•Clients can transition ahead of their next surveillance audit for an additional fee

Page 23:

How will the transition take place for existing PS-Prep customers?

•BS 25999 certified organizations will have to wait to see if ISO 22301 is accepted by DHS or transition to ISO 22301 under the UKAS scheme or Rule 40 under ANAB.

•DHS is reviewing and analyzing ISO 22301

• If accepted, it will have to be posted on the Federal Register for public comment.

• Exact timelines are not known at this time, but DHS has indicated that ISO 22301 will be issued for comment via the Federal Register in March.

Contact Us


Address: BSI Management Systems America Inc.

12110 Sunset Hills Road

Reston

VA 20190

John DiMaria – [email protected]

Main Office Telephone: 888-429-6178

Fax: 703 437 9001

Email: [email protected]

Links: http://www.bsiamerica.com
