TRANSCRIPT
ISO/TS 22317: How to Use ISO’s Newest BC Standard to
Develop Real BC Requirements
Jacqueline Rupert, Managing Consultant, Avalution Consulting
Agenda
• ISO/TS 22317
  • Background
  • Overview
• BIA
  • Outcomes
  • Process
  • Keys to Success
• Conclusions and Questions
Regional Business Continuity Conference
Background
Since 2013, ISO technical committee 292 (security and resilience) has been working on developing a business impact analysis standard
• Led by the US delegation (Brian Zawada and Jacqueline Rupert)
• Participants from over a dozen countries
Background
In September 2015, ISO published its newest business continuity standard:
ISO/TS 22317: 2015
Societal security – Business continuity management systems – Guidelines for business impact analysis (BIA)
Overview
The new technical specification is designed to complement ISO 22301, but also to work as a “stand-alone” standard.
[Figure: relationship between ISO 22301, ISO 22313, and ISO 22317]
Note: This standard is not auditable; instead it provides guidance on how to effectively implement or mature a BIA process.
Overview
ISO 22317 sought to redefine ISO’s business impact analysis definition, outcomes, and process to make them clearer and more straightforward.
The BIA process analyzes the consequences of a disruptive incident on the organization.
The outcome is a statement of justification of business continuity requirements.
Note: “business continuity requirements” has the same meaning as continuity and recovery priorities, objectives, and targets.
BIA Outcomes
• Endorsement or modification of the organization’s BC program scope
• Identification of legal, regulatory, and contractual requirements (obligations) and their effect on business continuity requirements
• Evaluation of impacts on the organization over time, which serves as the justification for business continuity requirements (time and capability)
• Identification and confirmation of product/service delivery requirements following a disruptive incident, which then sets the prioritized timeframes for activities and resources
• Identification of, and establishment of, the relationships between products/services, processes, activities, and resources
• Determination of the resources needed to perform prioritized activities (e.g. facilities; people; equipment; information, communication and technology assets; supplies; and financing)
• Understanding of the dependencies on other activities, supply chains, partners, and other interested parties
• Determination of how up to date the information needs to be
BIA Process
Impact Categories and Examples of Impacts
• Financial: financial losses due to fines, penalties, lost profits, or diminished market share
• Reputational: negative opinion or brand damage
• Legal and Regulatory: litigation liability and withdrawal of license to trade
• Contractual: breach of contracts or obligations between organizations
• Business Objectives: failure to deliver on objectives or take advantage of opportunities
Keys to Success – Prerequisites
• 22317 identifies prerequisites that organizations should consider putting in place before starting the BIA process
• These boil down to the management system (ISO 22301) activities that need to be in place for the BIA to succeed, including:
  • Context and scope
  • Roles and responsibilities
  • Leadership commitment
  • Resource allocation
Keys to Success – BIA Process Levels
• 22317 breaks down the BIA process into three levels:
  • Product and service prioritization (section 5.3)
  • Process prioritization (section 5.4)
  • Activity prioritization, including resources and interdependencies (section 5.5)
• Complex organizations should use all three levels, but less complex organizations may choose to combine one or two of the levels
• These levels ensure that top-down and bottom-up results are consistent with each other
Keys to Success – Section 5 Structure
• The three levels are explained in Section 5 (Performing the Business Impact Analysis), and each level is broken down into:
  • Introduction (Overview)
  • Inputs
  • Outcomes
• Methods for how to conduct each level are:
  • Explained in Section 5.6 (Analysis and Consolidation)
  • Detailed in Annex C (BIA Information Collecting Methods)
• Information on how to obtain top management endorsement is in Section 5.7
Keys to Success – After the BIA
• Section 5.8 (Business Continuity Strategy Selection) outlines how to use BIA results to select appropriate business continuity strategies
• Section 6 (BIA Process Monitoring and Review) outlines when the BIA process should be refreshed, including:
  • Frequency considerations
  • Organizational change considerations
Conclusions
• Provides a new, enhanced BIA definition that is clearer and uses less jargon
• Offers a BIA value proposition for organizations struggling to gain buy-in
• Identifies the prerequisites that the organization should have in place before starting the BIA
• Outlines a detailed process for how to effectively perform the BIA
• Proposes the outcomes of the BIA (including outcomes of each step of the BIA)
• Provides options for different information collecting methods, along with a pros and cons analysis of each method
• Describes other purposes for which organizations may choose to use the BIA
Contact Information
Jacqueline Rupert
Managing Consultant, Avalution Consulting
216.331.7593 | [email protected]
866.533.0575 | avalution.com | bccatalyst.com