awareness bcp for manufacturing industry.pptx

shiva3305 71 views 135 slides Sep 10, 2024

Business continuity management system by parabakaran

Scope and terms of BCMS
Purpose and benefits of BCMS
BCMS family of standards
Clauses of ISO 22301:2019

Scope: This document specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptions when they arise.

Terms and definitions

business continuity: capability of an organization (3.31) to continue delivery of products and services (3.41) within acceptable time frames at predefined capacity relating to a disruption (3.12). [SOURCE: ISO 22300:2018, 3.24, modified.]

business continuity management system, BCMS: management system (3.25) for business continuity (3.3). Note 1 to entry: The management system includes organizational structure, policies, planning (3.36) activities (3.1), responsibilities, procedures (3.39), processes (3.40) and resources. [SOURCE: ISO 22300:2018, 3.26, modified.]

business continuity plan: documented information (3.13) that guides an organization (3.31) to respond to a disruption (3.12) and resume, recover and restore the delivery of products and services consistent with its business continuity objectives. [SOURCE: ISO 22300:2018, 3.27, modified. Note 1 to entry deleted.]

business impact analysis: process (3.40) of analyzing the impact (3.18) of a disruption (3.12) on the organization (3.31). Note 1 to entry: The outcome is a statement and justification of business continuity (3.3) requirements (3.45). [SOURCE: ISO 22300:2018, 3.29, modified. Note 1 to entry added.]

incident: event (3.16) that can be, or could lead to, a disruption (3.12), loss, emergency (3.15) or crisis. [SOURCE: ISO 22300:2018, 3.111, modified.]

disruption: incident (3.19), whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services (3.41) according to an organization's (3.31) objectives (3.30). [SOURCE: ISO 22300:2018, 3.70, modified.]

crisis management: holistic management (3.135) process (3.180) that identifies potential impacts (3.107) that threaten an organization (3.158) and provides a framework for building resilience (3.192), with the capability for an effective response that safeguards the interests of the organization's key interested parties (3.124), reputation, brand and value-creating activities (3.1), as well as effectively restoring operational capabilities. Note 1 to entry: Crisis management also involves the management of preparedness (3.172), mitigation (3.146), response, and continuity (3.49) or recovery (3.187) in the event of an incident (3.111), as well as management of the overall program through training (3.265), rehearsals and reviews (3.197) to ensure the preparedness, response and continuity plans stay current and up to date. (ISO 22300:2018)

recovery time objective, RTO: period of time following an incident (3.111) within which a product or service (3.181) or an activity (3.1) is resumed, or resources (3.193) are recovered. Note 1 to entry: For products, services and activities, the recovery time objective is less than the time it would take for the adverse impacts (3.107) that would arise as a result of not providing a product/service or performing an activity to become unacceptable. Source: ISO 22300:2018

recovery point objective, RPO: point to which information (3.116) used by an activity (3.1) is restored to enable the activity to operate on resumption. Note 1 to entry: Can also be referred to as "maximum data loss". Source: ISO 22300:2018

What is a BCMS? Business continuity is the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. Business continuity management (BCM) is the process of achieving business continuity and is about preparing an organization to deal with disruptive incidents that might otherwise prevent it from achieving its objectives. Placing BCM within the framework and disciplines of a management system creates a business continuity management system (BCMS) that enables BCM to be controlled, evaluated and continually improved. Any incident, large or small, natural, accidental or deliberate, has the potential to cause major disruption to the organization's operations and its ability to deliver products and services. However, implementing business continuity before a disruptive incident occurs, rather than waiting for it to happen, will enable the organization to resume operations before unacceptable levels of impact arise.

Fundamental principles:
a) awareness of the need for a BCMS
b) assignment of responsibility for the BCMS
c) incorporating management commitment and the interests of stakeholders
d) enhancing societal values
e) risk assessments determining appropriate controls to reach acceptable levels of risk
f) security incorporated as an essential element of the BCMS
g) active prevention and detection of business continuity incidents
h) ensuring a comprehensive approach to business continuity management
i) continual reassessment of business continuity and making modifications as appropriate

Steps:
being clear on the organization's key products and services and the activities that deliver them;
knowing the priorities for resuming activities and the resources they require;
having a clear understanding of the threats to these activities, including their dependencies, and knowing the impacts of not resuming them;
having tried and trusted arrangements in place to resume these activities following a disruptive incident; and
making sure that these arrangements are routinely reviewed and updated so that they will be effective in all circumstances.

Purpose of BCMS: By focusing on the impact of disruption rather than the cause, business continuity identifies those activities on which the organization depends for its survival, and enables the organization to determine what is required to continue to meet its obligations. Through business continuity, an organization can recognize what needs to be done to protect its resources (e.g. people, premises, technology and information), supply chain, interested parties and reputation before a disruptive incident occurs. With that recognition, the organization is able to take a realistic view of the responses that are likely to be needed as and when a disruption occurs, so that it can be confident of managing the consequences and avoiding unacceptable impacts.

Benefits:
Protects the business from a range of threats
Ensures business continuity
Minimizes financial loss
Optimizes return on investments
Increases business opportunities

BCMS family of standards:
ISO 22300, Security and resilience — Vocabulary
ISO/IEC 22301, Business continuity management systems — Requirements
ISO/IEC 22313, Societal security — Business continuity management systems — Guidance

Clause ISO 22301:2019

The main differences from other ISO management system standards are clause 4.2.2, Legal and regulatory requirements, and Clause 8.

Clause 8 Operation
8.1 Operational planning and control
8.2 Business impact analysis and risk assessment
8.2.1 General
8.2.2 Business impact analysis
8.2.3 Risk assessment
8.3 Business continuity strategies and solutions
8.3.1 General
8.3.2 Identification and selection of strategies and solutions
8.3.3 Resource requirements
8.3.4 Implementation of solutions

8.4 Business continuity plans and procedures
8.4.1 General
8.4.2 Response structure
8.4.3 Warning and communication
8.4.4 Business continuity plans
8.4.5 Recovery
8.5 Exercise programme

8.2.2 BIA: process (3.40) of analyzing the impact (3.18) of a disruption (3.12) on the organization (3.31). The BIA process:
a) defines impact categories and criteria relevant to the organization's context;
b) uses these impact categories and criteria for measuring impact;
c) identifies activities that support the provision of products and services;
d) analyses the impacts over time resulting from disruption of these activities;
e) identifies the time within which the impacts of not resuming activities would become unacceptable to the organization; NOTE: This may be referred to as the maximum tolerable period of disruption (MTPD).
f) sets prioritized timeframes within the time identified in e) above for resuming disrupted activities at a specified minimum acceptable capacity; NOTE: This may be referred to as the recovery time objective (RTO).
g) uses the business impacts to identify prioritized activities;
h) determines which resources are needed to support prioritized activities;
i) determines the dependencies and interdependencies of prioritized activities.
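A worked BIA consistency check, added here as an example and not code from the slides or from ISO 22301: it turns steps d) to i) above and the RTO/RPO definitions earlier on the page into computable rules over a constructed set of plant activities. The 0 to 5 impact scale, the "unacceptable" threshold of 3, and every activity, hour and backup interval are assumed for illustration.

```python
"""Worked BIA consistency check (constructed example; not from the slides or from ISO).

Step d)  impact_curve   : impact score over hours since disruption
Step e)  mtpd()         : first point where the impact becomes unacceptable
Step f)  rto_within_mtpd(): the RTO must be shorter than the MTPD
RPO      rpo_satisfied(): backups must run at least as often as the acceptable data loss
Step g)  prioritized()  : shortest MTPD first
Step i)  findings()     : a dependency must recover no later than the activity it supports
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed 0..5 impact scale; a score of 3 or more is deemed unacceptable by the fictional plant.
UNACCEPTABLE_IMPACT = 3


@dataclass
class Activity:
    name: str
    impact_curve: list                      # (hours since disruption, impact score), non-decreasing
    rto_hours: int                          # proposed recovery time objective
    depends_on: list = field(default_factory=list)
    rpo_hours: Optional[int] = None         # acceptable data loss, only for data-dependent activities
    backup_interval_hours: Optional[int] = None


def mtpd(activity, threshold=UNACCEPTABLE_IMPACT):
    """Step e): hours until the impact of not resuming becomes unacceptable (None if never)."""
    for hours, impact in activity.impact_curve:
        if impact >= threshold:
            return hours
    return None


def rto_within_mtpd(activity, threshold=UNACCEPTABLE_IMPACT):
    """Step f): the RTO must fall within the MTPD; with no MTPD the RTO is not binding."""
    limit = mtpd(activity, threshold)
    return limit is None or activity.rto_hours < limit


def rpo_satisfied(activity):
    """RPO check; None means the activity declared no data dependency."""
    if activity.rpo_hours is None:
        return None
    if activity.backup_interval_hours is None:
        return False                        # RPO declared but no backup arrangement at all
    return activity.backup_interval_hours <= activity.rpo_hours


def prioritized(activities, threshold=UNACCEPTABLE_IMPACT):
    """Step g): activity names ordered by MTPD, shortest first; never-unacceptable ones last."""
    def key(a):
        limit = mtpd(a, threshold)
        return (limit is None, limit if limit is not None else 0, a.name)
    return [a.name for a in sorted(activities, key=key)]


def findings(activities, threshold=UNACCEPTABLE_IMPACT):
    """Every inconsistency a BIA reviewer would flag, as readable strings."""
    by_name = {a.name: a for a in activities}
    out = []
    for a in activities:
        if not rto_within_mtpd(a, threshold):
            out.append(f"{a.name}: RTO {a.rto_hours}h is not within MTPD {mtpd(a, threshold)}h")
        if rpo_satisfied(a) is False:
            out.append(f"{a.name}: backup interval {a.backup_interval_hours}h exceeds RPO {a.rpo_hours}h")
        for dep in a.depends_on:            # step i): supporting activity must recover first
            d = by_name.get(dep)
            if d is None:
                out.append(f"{a.name}: depends on unknown activity '{dep}'")
            elif d.rto_hours > a.rto_hours:
                out.append(f"{a.name}: RTO {a.rto_hours}h but dependency {dep} has RTO {d.rto_hours}h")
    return out


# Constructed sample for a fictional plant; all hours and scores are illustrative only.
PLANT = [
    Activity("Final assembly", [(4, 1), (8, 2), (24, 4)], rto_hours=12,
             depends_on=["MES", "Inbound logistics"]),
    Activity("MES", [(2, 2), (8, 3)], rto_hours=6, depends_on=["Plant network"],
             rpo_hours=1, backup_interval_hours=4),
    Activity("Plant network", [(2, 3)], rto_hours=4),
    Activity("Inbound logistics", [(24, 1), (72, 3)], rto_hours=24),
    Activity("Payroll", [(168, 2), (336, 3)], rto_hours=120, rpo_hours=24, backup_interval_hours=24),
]

if __name__ == "__main__":
    print("Priority order:", prioritized(PLANT))
    for line in findings(PLANT):
        print("FINDING:", line)
```

On the sample data the check flags three things a reviewer would raise: the plant network's RTO exceeds its own MTPD, the MES backup interval exceeds its RPO, and final assembly depends on inbound logistics whose RTO is longer than its own.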

BIA

Self-assessment, BIA
Is there a formal risk assessment process for analyzing the risk of disruptive incidents?
Does this risk assessment method identify risk treatments appropriate to BC objectives?
Is there evidence of prioritizing risk treatments, with costs identified?
Source: BSI self-assessment, BIA

8.2.3 Risk assessment
The organization shall implement and maintain a systematic risk assessment process. NOTE: This process can be made in accordance with ISO 31000. The organization shall:
a) identify risks of disruption to the organization's prioritized activities and to their supporting resources;
b) systematically analyse risks of disruption;
c) evaluate risks of disruption which require treatment.

Risk Assessment

8.3 Business continuity strategies and solutions
business continuity: capability of an organization (3.158) to continue the delivery of products or services (3.181) at acceptable predefined levels following a disruption (3.70)
continuity: strategic and tactical capability, pre-approved by management (3.135), of an organization (3.158) to plan for and respond to conditions, situations and events (3.82) in order to continue operations at an acceptable predefined level

Based on the outputs from the business impact analysis and risk assessment, the organization shall identify and select business continuity strategies that consider options for before, during and after a disruption.
8.3.2 Identification of strategies and solutions
8.3.3 Selection of strategies and solutions
8.3.3 Resource requirements
8.3.4 Implementation of solutions

The organization shall identify and select appropriate business continuity strategies and solutions, taking into consideration their associated costs, for (the goal of the BC strategy):
a) responding to disruptions;
b) continuing and recovering prioritized activities and their required resources to meet the delivery of products and services at the agreed capacity over time.
For the prioritized activities, the organization shall identify and select strategies and solutions, considering business continuity objectives and the amount and type of risk that the organization may or may not take, that:
a) reduce the likelihood of disruption;
b) shorten the period of disruption;
c) limit the impact of disruption on the organization's products and services.

Self-assessment, BC strategy
Is the BC strategy based on the outputs of the BIA and risk assessment?
Does the BC strategy protect prioritized activities and provide appropriate continuity and recovery of them, their dependencies and resources?
Does the BC strategy provide for mitigating, responding to and managing impacts?
Have prioritized time frames been set for the resumption of all activities?
Have the BC capabilities of suppliers been evaluated?
Have the resource requirements for the selected strategy options been determined, including people, information and data, infrastructure, facilities, consumables, IT, transport, finance and partner/supplier services?
Have measures to reduce the likelihood, duration or impact of a disruption for identified risks been considered and implemented, and are these in accordance with the organization's risk appetite?

8.4 Business continuity plans and procedures
The organization shall implement and maintain a structure that will enable timely warning and communication to relevant interested parties. It shall provide plans and procedures to manage the organization during a disruption. The plans and procedures shall be used when required to activate business continuity solutions. The procedures shall:
a) be specific regarding the immediate steps that are to be taken during a disruption;
b) be flexible to respond to changing internal and external conditions of a disruption;
c) focus on the impact of incidents that potentially lead to disruption;
d) be effective in minimizing impact through implementation of appropriate solutions;
e) assign roles and responsibilities for tasks within it.

Self-assessment, BCP
Have BC procedures been put in place to manage a disruptive incident, and have continuity activities based on the recovery objectives identified in the BIA been identified?
Are the business continuity procedures documented?
Have internal and external communication protocols been established as part of these procedures?
Source: BSI self-assessment, ISO 22301

8.4.2 Response structure
The organization shall implement and maintain a structure identifying one or more teams responsible for responding to disruptions. For each team there shall be:
a) identified personnel and their alternates with the necessary responsibility, authority and competence to perform their designated role;
b) documented procedures to guide their actions (see 8.4.4), including those for the activation, operation, coordination and communication of the response.

Self-assessment, Incident Response Structure (IRS)
Is there a management structure and trained personnel in place to respond to a disruptive incident?
Do the IRS and associated procedures include thresholds, assessment, activation, resource provision and communication?
Do the people in your IRS have the necessary competency to perform their duties, and have you kept records to demonstrate their competence?

8.4.3 Warning and communication
8.4.3.1 The organization shall document and maintain procedures for:
a) communicating internally and externally to relevant interested parties, including what, when, with whom and how to communicate; NOTE: The organization may document and maintain procedures for how, and under what circumstances, the organization communicates with employees and their emergency contacts.
b) receiving, documenting and responding to communications from interested parties, including any national or regional risk advisory system or equivalent;
c) ensuring availability of the means of communication during a disruption;
d) facilitating structured communication with emergency responders;
e) details of the organization's media response following an incident, including a communications strategy;
f) recording details of the disruption, actions taken and decisions made.
The communication and warning procedures shall be exercised as part of the organization's exercise programme referred to in 8.5.

Self-assessment, Incident communications and warnings
Is there a procedure for detecting and monitoring incidents?
Is there a procedure for managing internal communications and external communications from interested parties during a disruptive incident?
Is there a procedure for receiving and responding to warnings from outside agencies and emergency responders?
Is there a structure to communicate with emergency responders and other authorities during an incident, or, for responding organizations, are communications interoperable with others?
Is there a procedure for recording vital information about the incident, actions taken and decisions made?
Is there a procedure for issuing alerts and warnings if appropriate?
Are the organization's communication and warning systems regularly exercised, and are records kept of the results?

8.4.4 Business continuity plans
8.4.4.1 The business continuity plans shall provide guidance and information that will assist the teams to respond to a disruption and assist the organization with response and recovery. Collectively, the business continuity plans shall contain:
a) details of the actions that the teams will take in order to continue or recover prioritized activities within predetermined timeframes and to monitor the effects of the disruption and the organization's response to it;
b) reference to the pre-defined threshold and process for activating the response;
c) procedures to enable the delivery of products and services at agreed capacity to interested parties;
d) details to manage the immediate consequences of a disruption, giving due regard to: 1) the welfare of individuals; 2) prevention of further loss or unavailability of prioritized activities; 3) protection of the environment;
e) a process for standing down once the incident is over.

A business continuity plan shall have: purpose, scope and objectives; roles and responsibilities of the team that will implement the plan; actions and resources to implement the solutions; supporting information needed to activate (including activation criteria), operate, coordinate and communicate the team's actions; internal and external interdependencies; resource requirements; and reporting requirements. Each plan shall be usable and available at the time and place at which it is required.

Self-assessment, Business continuity response and recovery plans
Are there documented plans/procedures for restoring business operations after an incident?
Do these plans reflect the needs of those who will use them?
Do the plans define roles and responsibilities?
Do the plans define a process for activating the response?
Do the plans consider the management of the immediate consequences of a disruption, in particular the welfare of individuals, options for response and further loss prevention?
Do the plans detail how to communicate with the various interested parties during the disruption?
Do the plans contain details on how prioritized activities will be continued or recovered within predetermined time frames?
Is there a planned media response to an incident?
Do the plans include a procedure for standing down the response?
Does each plan contain the essential information to use it effectively?

8.4.5 Recovery The organization shall have documented processes to restore and return business activities from the temporary measures adopted to support normal business requirements during and after a disruption.

Self-assessment, Exercising and testing
Have business continuity procedures been tested to ensure they are consistent with your BC objectives?
Does top management "actively engage" in testing and exercising the BCMS?
Are the test exercises clearly defined, consistent with the scope of the BCMS and business continuity objectives, and based on appropriate scenarios?
Will the test exercises that have been conducted over time validate the whole of the organization's business continuity arrangements?
Are the test exercises designed to minimize the risk of disruption to operations?
Have formal post-exercise reports been produced for the conducted tests?
Are the outcomes of exercises reviewed to ensure they lead to improvement?
Are test exercises undertaken at planned intervals and when significant changes occur, and is this process documented within the BCMS?

8.5 Exercise programme
The organization shall implement and maintain a programme of exercising and testing to validate over time the effectiveness of its business continuity strategies and solutions. The organization shall conduct exercises and tests that:
a) are consistent with its business continuity objectives;
b) are based on appropriate scenarios that are well planned with clearly defined aims and objectives;
c) develop teamwork, competence, confidence and knowledge for those who have roles to perform in relation to disruptions;
d) taken together over time, validate the whole of its business continuity strategies;
e) produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements;
f) are reviewed within the context of promoting continual improvement;
g) are performed at planned intervals and when there are significant changes within the organization or the context in which it operates.
The organization shall act on the results of its exercising and testing to implement changes and improvements.

Short-term goals and performance objectives should be established and include the following:
(1) Recovery of critical or time-sensitive personnel, systems, operations, records, and equipment
(2) Agreed-upon priorities for restoration and mitigation
(3) Length of downtime acceptable before restoration to a minimal level is required
(4) Minimal acceptable level of resources needed to provide for the restoration of facilities, processes, programs, services, and infrastructure

Certification

Interrelation with ISO 27001
A.17 Information security aspects of business continuity management
A.17.1 Information security continuity. Objective: Information security continuity shall be embedded in the organization's business continuity management systems.
A.17.1.1 Planning information security continuity. Control: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

A.17.1.2 Implementing information security continuity. Control: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
A.17.1.3 Verify, review and evaluate information security continuity. Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

ISO 22301 mandatory documents
List of legal, regulatory and other requirements (clause 4.2.2) – lists everything you need to comply with.
Scope of the BCMS and explanation of exclusions (clause 4.3) – defines where your BCMS will be implemented.
Business continuity policy (clause 5.2) – defines main responsibilities and the intent of the management.
Business continuity objectives (clause 6.2) – defines measurable objectives that are to be achieved with business continuity.
Competencies of personnel (clause 7.2) – defines knowledge and skills needed.
Business continuity plans and procedures (clause 8.4) – includes plans and procedures for response, communication, recovery (including disaster recovery plans), restore and return activities.
Documented communication with interested parties (clause 8.4.3.1) – these could be emails, but also official communication from sources such as government agencies and others.
Records of important information about the disruption, actions taken and decisions made (clause 8.4.3.1) – normally these records are kept through minutes or by filling out checklists of performed activities.

Data and results of monitoring and measurement (clause 9.1.1) – this is the evaluation of whether your BCMS met the objectives.
Internal audit program (clause 9.2)
Results of internal audit (clause 9.2) – normally, this is the internal audit report.
Results of management review (clause 9.3) – usually, this is in the form of minutes or perhaps documented decisions.
Nature of nonconformities and actions taken (clause 10.1) – this is a description of nonconformities and their cause.
Results of corrective actions (clause 10.1) – this is a description of what has been done to eliminate the cause of a nonconformity.
Source: Advisera, https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/

Commonly used non-mandatory BCMS documents and records
Procedure for identification of applicable legal and regulatory requirements (clause 4.2.2)
Implementation plan for achieving the business continuity objectives (clause 6.2)
Training and awareness plan (clauses 7.2 and 7.3)
Procedure for control of documented information (clause 7.5)
Contracts and service level agreements (SLAs) with suppliers and outsourcing partners (clause 8.1)
Process for business impact analysis and risk assessment (clause 8.2.1)
Results of business impact analysis (clause 8.2.2)
Results of risk assessment (clause 8.2.3)

Strategies and solutions for business continuity (clause 8.3.3)
Incident scenarios (clause 8.5)
Exercise and testing plans (clause 8.5)
Post-exercise reports (clause 8.5)
Results of post-incident review (clause 8.6)
Methods for monitoring, measurement, analysis and evaluation (clause 9.1.1)
Procedure for internal audit (clause 9.2)
Procedure for corrective action (clause 10.1)
Source: Advisera, https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301

Difference between ISO 22301:2012 and ISO 22301:2019
• The 2019 edition is significantly less detailed and prescriptive than its predecessor. However, in the process of removing the detail and providing less direction, the Standard places greater emphasis on the skills and competence of those individuals who are responsible for designing and implementing the management system processes. There are no substantial changes in the processes that make up a business continuity management system (BCMS) and the same end results are required.
• Clause 6.1.2 now makes it clear that the risks (and opportunities) that need to be addressed relate to the effectiveness of the BCMS, as opposed to the risks of disruption, which are addressed by Clause 8.2.3. The same relationship is intended in other standards such as ISO 27001, and if you are implementing a BCMS, you will need to work out how to meet the requirements of this clause.
Source: https://www.urmconsulting.com/2019/12/10/iso-223012019-released-5-key-changes/

• The requirements for conducting the pivotal business impact analysis (BIA) are now clearer. The relationship between unacceptable impact, maximum tolerable period of disruption and prioritized timeframes for activity resumption is defined, as well as using the BIA to identify 'prioritized activities'. The 2012 edition required prioritized timeframes simply to consider impact. It should be noted that there is no specific requirement in the 2019 version to document the BIA process.
• A key assurance process, evaluation of procedures, specifically requires the suitability, adequacy and effectiveness of BIAs and risk assessments to be evaluated. This was previously only an implicit requirement in the name of effectiveness, but points to the key role played by BIAs and risk assessments.
• The concept of minimum activity levels has shifted, from the need to identify minimum levels of products and services and minimum acceptable levels of activity, the linking of which is implicit, to the minimum acceptable capacity of resumed activities.

Phases of Business Continuity Planning: Business Impact Analysis (BIA)

Phases of Business Continuity Planning
BC planning typically includes five phases:
1. BCP governance
2. Business impact analysis (BIA)
3. Documents, controls, measures and arrangements for BC
4. Readiness activities
5. Assessment process

1- BCP Governance
To establish control, the governance structure is often in the form of a steering committee and a list of appropriate committees, working groups and teams to develop and execute the plan(s)/documents. Team members should be selected from trained and experienced personnel who are knowledgeable about their responsibilities. The number and scope of the teams will vary depending on the organization's size, function and structure.

It may be necessary to have multitasking teams and to provide cross-team training. The team data shall be documented in the plans/documents. Consider decentralization as a way to provide better resiliency.

Examples:
An alternate site coordination team
Contracting and procurement team
Damage assessment team
Crisis management team
Finance and accounting team
Hazardous materials team
Insurance team
Legal issues team
Telecommunications / alternate communications team
Equipment team
Public and media relations team
Transport coordination team
Records management team

The duties and responsibilities for each team must be defined, and include identifying:
The team leader
The team members
The specific team tasks
Members' authority and responsibilities
Possible alternate members
Creation of a contact list

Business Continuity Planning
1. BCP governance
2. Business impact analysis (BIA)
3. Documents, controls, measures and arrangements for BC
4. Readiness activities
5. Assessment

2- Business Impact Analysis (BIA)
Process of analyzing the activities and the effect that a business disruption might have upon them (Source: ISO 22301:2019). The BIA is all about data analysis to identify:
The organization's mandate and critical services or products
The priority of services or products for continuous delivery or rapid recovery
The possible internal and external threats
The impact of the threats

Information on the organization's mandate and critical services or products can be obtained from:
The mission statement of the organization
Legal requirements for delivering specific services and products
Contracts and other obligations
Critical services or products must be prioritized based on minimum acceptable delivery levels and the maximum period of time without delivery. Identify the impacts of disruptions to determine:
How long the organization could function without the service/product provision, and
How long clients would accept the unavailability of its services or products.


BIA-related activities:
Supply chain analysis
Assessment of the most critical business components
IT continuity analysis
Identify areas of potential revenue loss
Identify any additional expenses
Identify intangible losses
Identify insurance requirements
Identify dependencies
Analyze current recovery capabilities

1- Supply Chain Analysis

Conduct a supply chain impact analysis to identify and evaluate each link in terms of business impact, to find the high-impact link(s). The evaluation metrics may include the following:
Revenue impact
Reputation impact
Operational impact
Production impact
Delivery impact
Research and development impact
Delay impact
Staffing impact
Find out if these members of the supply chain have BC/DR plans, and whether you can review them / share yours with them.

2- Assessment of the most critical business components
To create a complete business continuity plan, you need to assess the impact of interruption on four components:
- People (key persons, key competencies)
- Physical property (equipment, storage, alternate facilities, ...)
- Systems (hardware, software, email, phone systems, communication stations, ...)
- Data (critical to run your business)
Both data and systems are IT systems (IT continuity).
79 |

3- Conduct IT Continuity Analysis
- Decide which of the organization's IT functions / assets are essential for business continuity.
- Decide how to manage the technology systems in the event of a major disruption.
- Check the existence and suitability of IS policies / procedures / IT continuity plans.
- Review computer data backups, cabling, IT service providers' capabilities, ...
80 |

4- Identify Areas of Potential Revenue Loss
- Determine which processes and functions that support service or product delivery are involved in the creation of revenue.
- If these processes and functions are not performed, is revenue lost? How much, and for what length of time?
- If clients cannot access certain services or products, would they then need to go to another provider, resulting in further loss of revenue?
81 |

5- Identify additional expenses
If a business function or process is inoperable:
- How long would it take before additional expenses would start to add up?
- How long could the function be unavailable before extra personnel would have to be hired?
- Would penalties from breaches of legal responsibilities, agreements, or governmental regulations be an issue, and if so, what are the penalties?
82 |

6- Identify intangible losses
Estimates are required to determine the approximate cost of:
- The loss of consumer and investor confidence
- Damage to reputation
- Loss of competitiveness
- Reduced market share
- Violation of laws and regulations
- Business relationships with vendors
83 |

- Increased insurance cost
- Loss of employees
- Loss of financial support and cash flow
- Loss of community support
- Cost of equipment and facilities used during recovery
- Replacement, restoration, recovery costs not adjusted for inflation
- Increased cost when operations resume
84 |

7- Identify insurance requirements
- What needs insurance
- The existing insurance
- The level of coverage
- What aspects may be over- or under-insured
- Is there a policy / document in place related to the insurance?
85 |

8- Identify dependencies
Identify the internal and external dependencies of critical services or products, and identify the expected impacts from a disruption to those dependencies.
Internal dependencies include:
- Employees (availability, competencies)
- Corporate assets such as equipment, facilities, computer applications, data, tools, vehicles
- Support services such as finance, human resources, security, and IT support
86 |

External dependencies include:
- Suppliers
- Any external corporate assets such as equipment, facilities, computer applications, data, tools, and vehicles
- Any external support services such as facility management, utilities, communications, transportation, finance institutions, insurance providers, government services, legal services, and health and safety services
87 |

9- Analyze Current Recovery Capabilities
Analyze the recovery capabilities the organization already has in place, and their continued applicability. Try to answer the following questions:
- Can employees work from home or another location?
- Do I need a pre-determined alternate facility?
- Do I have enough spare parts / IT equipment?
- Do critical vendors and suppliers have their own business continuity plans / documents?
88 |


3. Documents, Controls, Measures, and Arrangements for BC
This step consists of the preparation of the management system documentation, including:
- Detailed response plans / recovery plans
- Policies / objectives
- Arrangements
Consider the critical vendors' and suppliers' business continuity plans.
Focus on three categories of protection / safety to help survive a disaster:
- Human resources
- Physical resources
- Business operations
90 |

1- Human Resources
- Consider the possible impact a disaster may have on your employees' ability to return to work
- Alternate staffing plans (to ensure your business stays functional when a large percentage of your staff is unable to come to work)
- Consider how your customers can reach you or receive your goods / services
- Create evacuation plans
- Develop and post evacuation routes / assembly locations
- Create a phone tree / consider having an employee emergency number
91 |

2- Physical Resources
- Building (maintenance, fire system, ...)
- Interior and exterior components (equipment, hardware / software)
- Materials / spare parts
- Alternate facilities (three types):
  1- Cold site (the least expensive option)
  2- Warm site (more expensive than cold sites)
  3- Hot site (the most expensive option)
92 |

3- Business Operations / Processes
- Critical inputs: things needed to do your job
- Critical outputs: things you produce that others want or need to do their job
- Outsourced processes
93 |

Examples of resiliency plans / documents and arrangements:
- An alternate telecommunication provider
- Emergency backup generator in case of a power outage
- Agreements with a fuel provider
- Alternate work site and equipment
- Annual meeting with critical vendors to discuss their recovery operations and locations
- Develop relationships with contractors / vendors
- Create manual processes to be used in case the computers are unavailable
- Mitigate the different threats
94 |

The response preparation procedures answer:
- "What to do before a disruption occurs?" (proactive activities)
- "What to do when a disruption occurs?" (response, recovery, continuity)
- "What to do after a disruption occurs?" (lessons learned / change management)
95 |



4- Readiness Activities
- Awareness
- Individual and team task training
- Procedures exercises / testing
- Post-exercise evaluation
98 |

Goals of Procedures Exercises / Testing
- Test all components of the plan, including hardware, software, personnel, data and voice communications, etc.
- Ensure the understanding and workability of documented recovery procedures.
- Adapt and update existing plans to encompass new requirements.
- Train team leaders and members in the procedures for executing the continuity plan.
- Obtain information about recovery strategy implementation.
- Verify that recovery strategies are viable.
- Demonstrate that the output performance of the backup systems and networks is consistent with the production systems and networks.
99 |


5- Assessment
- How to assess the plan's accuracy and effectiveness
- How to conduct the internal or external audit (BC Readiness Audit)
- Identify needed improvements
101 |

How to Perform a BC Readiness Audit
Check for the existence of the following documents / information:
- Emergency procedures
- Evacuation plan
- Fire protection plan
- Environmental policies
- Safety and health program
- Security procedures
- Finance / purchasing procedures
- Facility closing policy
- Process safety assessment
- Risk management plan
- Records and information management
102 |

- Mutual aid agreements
- Hot / cold site agreements
- Capital improvement program
- Hazardous materials / waste disposal
- Alternative or manual procedures
- Disaster recovery plans for information resources
103 |

Based on the review, ask the following questions:
- How would your organization resume operations after loss of access to your facility, loss of access to your information resources (IR), or loss of key personnel?
- Have any audit findings been reported by internal or external auditors?
- Would most individuals know how to report or respond to an event?
- If policies relating to recovery efforts are in place, who knows about them?
- Do people know whether they have recovery responsibilities?
- Are program managers aware of their owner and user security responsibilities?
104 |

Has testing been done to see how people would react during a recovery effort in the following areas?
- Senior management
- Management Information Systems / Security
- Information Technology
- Risk management
- Internal departments
- Auditing
- Vendors
- Telecommunications
105 |

Check to see if:
- Computer backups (PC, LAN, mainframe) are being taken off-site according to policy;
- Alternate work locations are available;
- Items required to be off-site are really there;
- Security measures are being followed;
- Emergency equipment (generally UPS, batteries, etc.) is working correctly;
- Emergency lighting is in good working order and in the correct places.
106 |

8.2.3 Risk Assessment
The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.
NOTE: This process could be carried out in accordance with ISO 31000.
107 |

The organization shall:
a) Identify risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them;
b) Systematically analyse risk;
c) Evaluate which disruption-related risks require treatment; and
d) Identify treatments commensurate (appropriate) with business continuity objectives and in accordance with the organization's risk appetite.
108 |


Risk Criteria
Reference against which the significance of a risk is evaluated to determine the level of risk.
Risk criteria can be derived from:
- Standards
- Laws
- Policies
- Any other requirements (interested parties)
Risk criteria are based on organizational objectives and context.
Level of risk is the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.
110 |

The risk criteria include:
- Risk evaluation criteria
- Risk impact criteria
- Risk acceptance criteria
111 |

Qualitative risk matrix (Likelihood x Consequences)
Likelihood \ Consequences | Slightly          | Moderate          | High
Low                       | Unimportant risk  | Acceptable risk   | Uncontrolled risk
Medium                    | Acceptable risk   | Uncontrolled risk | Important risk
High                      | Uncontrolled risk | Important risk    | Unacceptable risk
112

Risk Matrix Control Plan
Risk Level | Action and Timescale
Unimportant | No action is required and no documented records need to be kept.
Acceptable risk | No additional controls are required. Consideration may be given to a more cost-effective solution or improvement that imposes no additional cost burden. Monitoring is required to ensure that the controls are maintained.
Uncontrolled risk | Efforts should be made to reduce the risk, but the costs of prevention should be carefully measured and limited. Risk reduction measures should be implemented within a defined time period. Where the moderate risk is associated with extremely harmful consequences, further assessment may be necessary to establish more precisely the likelihood of harm as a basis for determining the need for improved control measures.
Important risk | Work should not be started until the risk has been reduced. Considerable resources may have to be allocated to reduce the risk. Where the risk involves work in progress, urgent action should be taken.
Unacceptable risk | Work should not be started or continued until the risk has been reduced. If it is not possible to reduce the risk even with unlimited resources, work has to remain prohibited.
113 |

Probability x Consequence matrix (score = probability x consequence)
Probability 5 |  5  10  15  20  25
Probability 4 |  4   8  12  16  20
Probability 3 |  3   6   9  12  15
Probability 2 |  2   4   6   8  10
Probability 1 |  1   2   3   4   5
Consequence   |  1   2   3   4   5
Legend:
- >= 20: E: Extreme risk - immediate action required
- > 10 & < 20: H: High risk - urgent management attention needed
- > 5 & <= 10: M: Medium risk - management attention as soon as possible
- < 5: L: Low risk - periodical evaluation
114

Impact / Consequences criteria
Rank | Level | Financial loss | Strategic directions and objectives | Customer | Legal | OHS | Env. | InfSec.
5 | Very High | > 1M | Negative impact on strategic directions execution | Contract termination | Closure | Fatality / catastrophe / fatal occupational illness | Permanent damage | Permanent loss of the service
4 | High | 250K to 1M | Negative impact on execution of 2 objectives | Major product / service recall | Non-renewal of one of the legal documents | Partial / complete incapacity | Long-term damage | Long-term non-availability of the service
3 | Moderate | 50K to 250K | Negative impact on execution of 1 objective | Minor product / service recall | Formal violations | Lost working days / work-related illness | Limited damage / kills fauna or flora / concerns global issues | Temporary non-availability of the service
2 | Low | 1K to 50K | Slight negative impact on one of the objectives | Complaint from customer | Notice / warning | Medical treatment case / restricted work case / work-related illness | Aspect causes slight impact on fauna or flora | Slight impact on the service
1 | Very Low | < 1K | No impact on the objectives | Verbal communication from customer | Verbal communication from regulatory parties | First aid / near miss / health complaint | Aspect that can be treated simply / causes nuisance | Negligible impact; easy to recover from the loss
115
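The scoring rules of the probability x consequence matrix and the financial-loss bands of the impact criteria above, as an added worked example in Python (not from the deck): the consequence rank is derived from the loss bands, the score is probability times consequence, and the legend classifies it. The scenario values, the worst-rank-across-criteria rule, the half-open band boundaries, and the handling of a score of exactly 5 (which the legend as printed does not cover) are assumptions.

```python
"""Added worked example, not from the deck: score a disruption scenario with
the 5x5 probability x consequence matrix and legend (slide 114), taking the
consequence rank from the financial-loss bands of the impact criteria
(slide 115). All scenario data below is constructed."""

# Financial-loss bands from slide 115 as (exclusive upper bound, rank).
# Assumption: each band is [lower, upper), so a loss of exactly 50K is Moderate.
FINANCIAL_BANDS = [
    (1_000, 1),       # Very Low: < 1K
    (50_000, 2),      # Low:      1K to 50K
    (250_000, 3),     # Moderate: 50K to 250K
    (1_000_000, 4),   # High:     250K to 1M
]
VERY_HIGH = 5         # Very High: > 1M

def consequence_rank(financial_loss: float) -> int:
    """Map an estimated financial loss to the 1..5 consequence rank."""
    if financial_loss < 0:
        raise ValueError("financial loss must be non-negative")
    for upper, rank in FINANCIAL_BANDS:
        if financial_loss < upper:
            return rank
    return VERY_HIGH

def risk_score(probability: int, consequence: int) -> int:
    """Cell value of the matrix: probability x consequence, both ranked 1..5."""
    if not (1 <= probability <= 5 and 1 <= consequence <= 5):
        raise ValueError("probability and consequence are ranked 1..5")
    return probability * consequence

def risk_level(score: int) -> str:
    """Classify a score with the slide 114 legend:
    >=20 E (extreme), >10 & <20 H (high), >5 & <=10 M (medium), <5 L (low).
    The legend as printed assigns nothing to a score of exactly 5 (1x5 or 5x1).
    Assumption: treat 5 as L, the adjacent lower band, and review it by hand."""
    if score >= 20:
        return "E"
    if score > 10:
        return "H"
    if score > 5:
        return "M"
    return "L"

def assess(probability: int, financial_loss: float, other_ranks=()) -> dict:
    """Assess one scenario. other_ranks holds 1..5 ranks already assigned for
    the non-financial criteria (customer, legal, OHS, ...). Assumption: the
    overall consequence is the worst rank across all criteria."""
    consequence = max((consequence_rank(financial_loss), *other_ranks))
    score = risk_score(probability, consequence)
    return {"consequence": consequence, "score": score, "level": risk_level(score)}

# Constructed scenarios: (name, probability, financial loss, other criteria ranks).
SCENARIOS = [
    ("ransomware halts plant MES", 3, 600_000, (4,)),   # 3 x 4 = 12 -> H
    ("single-source supplier delay", 4, 30_000, (3,)),  # 4 x 3 = 12 -> H
    ("site fire", 2, 5_000_000, (5,)),                  # 2 x 5 = 10 -> M
    ("short power flicker", 5, 500, ()),                # 5 x 1 = 5  -> legend gap, L
]

if __name__ == "__main__":
    for name, prob, loss, others in SCENARIOS:
        print(f"{name:30s} {assess(prob, loss, others)}")
```

The 5 x 1 case is the one to watch: a score the legend does not assign silently falls into the lowest band here, so a real risk register should make that rule explicit rather than leave it to the tooling.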

Impact | Reputation | Financial (Corporate) | Financial (Site) | Legal | Customer
Very High | Regional media coverage over multiple days, or global media coverage | More than $100M | More than $10M | Closure notice | Ending the contract
High | National media coverage over multiple days, or single regional media coverage | $10M - $100M | $1M - $10M | No renewal of operating permit | Major product recall
Moderate | Local media coverage over multiple days, or single national media coverage | $1M - $10M | $100K - $1M | Violation notice (payment) | Partial product recall
Low | Single local media coverage | $100K - $1M | $10K - $100K | Violation notice (explanation) | Product price concession
Very Low | Only internal communications | Less than $100K | Less than $10K | Verbal communication from a regulatory body | One complaint from customer
116

Best Practice for BCMS

Agenda
- Business Continuity Planning
- Business Continuity Implementation Roadmap
- BCP in times of COVID-19
- Challenges and Best Practices

Business Continuity Planning: "Planning to continue the Business"
- Not a new concept. A fancy name for common sense.
- In reality, we have been performing Business Continuity Planning for centuries.
- But still, many organizations struggled to restart operations during COVID-19.
- So we need more than just common sense. We need a structured and formal implementation of common sense.

What we do not fully do in BAU common sense:
- Agree timelines, worst case and best case (MTPD and RTO)
- Base it fully on facts and data (consequences of downtime)
- Consultative process involving all interested parties
- Comprehensive, documented and signed off
- Communicate to all who need to know, including relevant third parties and service providers
- Practice, test and exercise. Review. Maintain and continually improve.
Amazingly, this works!

Challenges for cyber professionals
- An uneven battle against an unknown enemy who has nothing better to do
- You have other matters to focus on, but they have a single-point agenda: to damage
- You constantly focus on getting better and better, but so do they
- By the sheer law of averages, once in a while they will succeed
- At those times, your best bet is to be able to restart fast and with minimum loss. So you need the world's best Business Continuity readiness.
- Have you formally put in place the 6 Rs (Reduce, Respond, Recover, Resume, Restore, Return)? When did you last practice them?

Challenges for cyber professionals Economic Times, June 24 2020

Some reasons for Outages (Global data) 123

Business Continuity is a wise investment
- Minimize business disruptions and quickly recover
- Retain business model and increase market share and profits
- Protect the organization's value and reputation
- Corporate governance and shareholder commitment
- National requirements
- Contractual commitments, legal and regulatory compliance
- Moral and social responsibilities
- Demonstrate "best practice"
- Reduce insurance liabilities
Lack of BCP is a self goal.
124 |

Typical steps Business Continuity Implementation Roadmap

International BCM Standard: ISO 22301
- Clause 1: Scope
- Clause 2: Normative references
- Clause 3: Terms and definitions
- Clause 4: Context of the organisation
- Clause 5: Leadership
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance evaluation
- Clause 10: Improvement
126

Please implement a BCMS, not just BCM
"Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity" (ISO 22301)
Ensure continual improvement via the PDCA cycle.

BCP in times of COVID-19
COVID-19 is different from a typical Business Continuity situation:
- Much longer duration
- No clarity on final resolution
- Triggered not by damage to resources
- Entire ecosystem is impacted
Some positives:
- Realization by all
- Even the PM asked entities to implement Business Continuity
- Tolerance: "It's OK"
- Permanent mindset changes

Suggestions for professionals
- Don't stop now; complete the journey
- Protect yourself against other new threats: implement the full BCM cycle
- Use this opportunity to create permanent BCM readiness and awareness across all segments
- Get your people ISO 22301 trained and your organization ISO 22301 compliant, or even ISO 22301 certified

Best Practices
- Implement the full BCM lifecycle
- Choose the right people
- Provide effective training in advance of the implementation

Build culture across all interested parties
Interested parties: customers, citizens, distributors, shareholders, investors, owners, insurers, government, regulators, recovery services, suppliers, competitors, media, commentators, trade groups, neighbours, pressure groups, emergency services, transport services, other response agencies, dependents of staff.
The organization:
- Top management
- Those who establish policies and objectives for the BCMS
- Those who set up and manage BC
- Those who maintain BC procedures
- Owners of business continuity procedures
- Incident response personnel
- Those with authority to invoke
- Appropriate spokespeople
- Response teams
- Other staff
- Contractors

Build Culture via Training and Awareness
Group / Audience | Training
Top Management | Awareness, Crisis Management, Crisis Communication
Core BCM Team | CBCI / Lead Implementer, Lead Auditor
Core BCM Team | Specialised courses (BIA, RA, Plan Writing, Testing etc.)
Department Coordinator / BC Champions | Implementer, Internal Auditor
Audit Team | Internal Auditor, Lead Auditor
All Employees | Awareness

Build Culture via tests and exercises (graph, not to scale: cost, complexity, risk, assurance, frequency)

Ensure Review, Maintenance and Improvement
- Maintenance
- Advanced testing and exercising
- Ongoing awareness and training
- Internal audit and self-assessment
- Management review
- Supplier review
- Corrections and corrective actions
- Benchmarking
- Continual improvement
- Instilling a BCM mindset
134 |

Way Forward => Organizational Resilience
The ability of an organisation to absorb and adapt in a changing environment (BCI GPG 2018 / ISO 22316:2017)