ISO 22301:2019: Security and resilience — Business continuity management systems — Requirements
Presentation outline
• ISO
• Business continuity
• Importance of a formalized business continuity management system
• ISO 22301
• Principles and requirements of ISO 22301:2019
What is ISO?
• Acronym for the International Organization for Standardization
• Derived from the Greek word isos, meaning equal
• Founded 23 Feb 1947 by 25 countries in London
• Headquarters in Geneva, Switzerland
• Membership covers 97% of world population, about 173 countries
• Members have equal voting rights
• Standards are equal wherever applied
• Standards cover products, processes and systems
About ISO
• Founded in 1947
• Independent, non-governmental organization
• Global network of national standards bodies*
• One member per country, represented by its NSB
• ISO membership comes with rights, benefits, obligations and good practice
• Nigeria is represented by SON
*NSB = National standards body: the one national body most representative of standardization in its country
The ISO brand
• Democratic and voluntary: ISO itself does not regulate or legislate.
• Market-driven and consensus-based: ISO standards retain their position as the state of the art.
• Globally relevant: ISO standards are technical agreements which provide the framework for compatible technology worldwide. They are designed to be globally relevant, useful everywhere in the world.
What is business continuity and why is it important? Business continuity is an organization's ability to maintain essential functions during and after a disaster has occurred. Business continuity planning establishes risk management processes and procedures that aim to prevent interruptions to mission-critical services, and re-establish full function to the organization as quickly and smoothly as possible. The most basic business continuity requirement is to keep essential functions up and running during a disaster and to recover with as little downtime as possible. A business continuity plan considers various unpredictable events, such as natural disasters, fires, disease outbreaks, cyberattacks and other external threats.
What is business continuity and why is it important? Business continuity is important for organizations of any size, but it might not be practical for any but the largest enterprises to maintain all functions for the duration of a disaster. According to many experts, the first step in business continuity planning is deciding what functions are essential and allocating the available budget accordingly. Once crucial components have been identified, administrators can put failover mechanisms in place. Technologies such as disk mirroring enable an organization to maintain up-to-date copies of data in geographically dispersed locations, not just in the primary data center. This enables data access to continue uninterrupted if one location is disabled and protects against data loss.
Why is business continuity important? At a time when downtime is unacceptable, business continuity is critical. Downtime comes from a variety of sources. Some threats, such as cyberattacks and extreme weather, seem to be getting worse. It's important to have a business continuity plan in place that considers any potential disruptions to operations. The plan should enable the organization to keep running at least at a minimal level during a crisis. Business continuity helps the organization maintain resiliency in responding quickly to an interruption. Strong business continuity saves money, time and company reputation. An extended outage risks financial, personal and reputational loss.
Why is business continuity important? Business continuity requires an organization to take a look at itself, analyze potential areas of weakness and gather key information -- such as contact lists and technical diagrams of systems -- that can be useful outside of disaster situations. In undertaking the business continuity planning process, an organization can improve its communication, technology and resilience. Business continuity might even be a requirement for legal or compliance reasons. Especially in an era of increased regulation, it's important to understand which regulations affect a given organization.
What does business continuity include? Business continuity is a proactive way to ensure mission-critical operations proceed during a disruption. A comprehensive plan includes contact information, steps for what to do when faced with a variety of incidents and a guide for when to use the document. Business continuity features clear guidelines for what an organization must do to maintain operations. If the time comes for response, there should be no question about how to move forward with business processes. The company, customers and employees are all potentially at stake.
What does business continuity include? Proper business continuity includes different levels of response. Not everything is mission-critical, so it's important to lay out what is most vital to keep running, and what could stand to come back online at later times. It's crucial to be honest about recovery time objectives and recovery point objectives. The process includes the whole organization, from executive management on down. Although IT might drive the business continuity, it's essential to get buy-in from management and communicate key information to the entire organization. One other important area of collaboration is with the security team -- although the two groups often work separately, an organization can gain a lot by sharing information across these departments. At the very least, everyone should know the basic steps for how the organization plans to respond.
What are the key elements of business continuity management? BCM is a holistic management process that integrates various elements, namely: Business Continuity Plan (BCP), Emergency Response, Crisis Management, Disaster Recovery, Risk Management, Business Impact Analysis, Resilience and Reputation Management.
Three key components of a business continuity plan A business continuity plan has three key elements: Resilience, recovery and contingency. An organization can increase resilience by designing critical functions and infrastructures with various disaster possibilities in mind; this can include staffing rotations, data redundancy and maintaining a surplus of capacity. Ensuring resiliency against different scenarios can also help organizations maintain essential services on location and off site without interruption.
Three key components of a business continuity plan Rapid recovery to restore business functions after a disaster is crucial. Setting recovery time objectives for different systems, networks or applications can help prioritize which elements must be recovered first. Other recovery strategies include resource inventories, agreements with third parties to take on company activity and using converted spaces for mission-critical functions. A contingency plan has procedures in place for a variety of external scenarios and can include a chain of command that distributes responsibilities within the organization. These responsibilities can include hardware replacement, leasing emergency office spaces, damage assessment and contracting third-party vendors for assistance.
Business continuity vs. disaster recovery Like a business continuity plan, disaster recovery planning specifies an organization's planned strategies for post-failure procedures. However, a disaster recovery plan is just a subset of business continuity planning. Disaster recovery plans are mainly data focused, concentrating on storing data in a way that can be more easily accessed following a disaster. Business continuity takes this into account, but also focuses on the risk management, oversight and planning an organization needs to stay operational during a disruption.
Business continuity development Business continuity starts with initiating the planning project. Business impact analysis (BIA) and risk assessment are essential steps in gathering information for the plan. Conducting a BIA can reveal any possible weaknesses, as well as the consequences of a disaster on various departments. The BIA report informs an organization of the most crucial functions and systems to prioritize in a business continuity plan.
Business continuity development A risk assessment identifies potential hazards to an organization, such as natural disasters, cyberattacks or technology failures. Risks can affect staff, customers, building operations and company reputation. The assessment also details what or who a risk could harm, and the likeliness of the risks. The BIA and risk assessment work hand in hand. The BIA provides details on potential effects to the possible disruptions outlined in the risk assessment.
Business continuity management It's important to designate who will manage business continuity. It could be one person, if it's a small business, or it could be a whole team for a larger organization. Business continuity management software is also an option. Software -- either on premises or cloud-based -- helps conduct BIAs, create and update plans and pinpoint areas of risk. Business continuity is an evolving process. As such, an organization's business continuity plan shouldn't just sit on a shelf. The organization should communicate its contents to as many people as possible. Implementation of business continuity isn't just for times of crisis; the organization should have training exercises, so employees know what they'll be doing in the event of an actual disruption.
Business continuity management Business continuity testing is critical to its success. It's difficult to know if a plan is going to work if it hasn't been tested. A business continuity test can be as simple as a tabletop exercise, where staff discuss what will happen in an emergency. More rigorous testing includes a full emergency simulation. An organization can plan the test in advance or perform it without notice to better mimic a crisis. Once the organization completes a test, it should review how it went and update the plan accordingly. It's likely that some parts of the plan will go well but other actions might need adjusting. A regular schedule for testing is helpful, especially if the business changes its operations and staff frequently. Comprehensive business continuity undergoes continual testing, review and updating.
Background: How was ISO 22301 formed?
Contributors [figure]
Context
Source documents included: BS 25999-2; NFPA 1600; ASIS OR standard; Singapore standards; ISO 27031; ISO Guide 73; ISO PAS 22399.
So ISO 22301 is not simply an international version of BS 25999.
Publication timeline
ISO 22301 BCM – Requirements: DIS public commenting period; FDIS development; FDIS published; final ISO publication.
ISO 22313 BCM – Guidelines: document out for public comment; publication ???
[Timeline figure: quarters Q1–Q4 2011, Q1–Q4 2012, Q3 2013; 2019]
ISO 22301 key points (Societal security – BCMS)
"...standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, amongst all interested parties."
ISO 22301:2019 structure
Introduction
1 Scope
2 Normative references (Guide 73: Risk management vocabulary; ISO 22300: Terminology)
3 Terms and definitions
4 Context of the organisation
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement
Key changes / aspects
Notable shifts in emphasis from BS 25999-2:2007; 2013:
• Change in the way an organisation may be defined.
• Top management leadership shall be more demonstrable and active.
• Preventive action has been replaced with "actions to address risks and opportunities" and features earlier.
• ISO 22301 puts a much greater emphasis on setting the objectives, monitoring performance and metrics, aligning BC to top management strategic thinking.
Key changes / aspects (continued)
• Strong emphasis on performance evaluation and metrics.
• Communication elements are more demanding and a responsibility to the wider community is defined.
• BIA similar but with some changes to terminology.
• There is a stronger link to the organisation's approach to risk.
• To reflect the societal security approach some new terminology has been introduced; see ISO 22300.
Benefit of BCM - sudden disruption
[Figure 2 - Illustration of BCM being effective for sudden disruption: level of operations against time, showing (1) mitigation of impacts through effective BCM, (2) shortened disruption, resumption of activities at an acceptable level within an acceptable time frame, the target resumption time and the maximum acceptable time]
Benefit of BCM - gradual disruption
[Figure 3 - Illustration of BCM being effective for gradual disruption (e.g. approaching pandemic): level of operations against time, comparing recovery with BCM and recovery without BCM, showing (1) mitigating, responding to and managing impacts, (2) shortened disruption, a controlled response, the minimum acceptable level of operations, resumption of activities at an acceptable level within an acceptable time frame, the target resumption time and the maximum acceptable time]
ISO 22301 structure compared with BS 25999
ISO 22301: 4 Context of the organisation; 5 Leadership; 6 Planning; 7 Support; 8 Operation; 9 Performance evaluation; 10 Improvement
BS 25999:
• 3 Planning the BCMS - scope, objectives, policy; resources; competency; embedding; documentation
• Implementing and operating the BCMS - BIA; risk and risk choices*; strategy; incident response, IMP, BCP; exercising, review
• Monitoring and reviewing the BCMS - internal audit; management review
• Maintaining and improving the BCMS - preventive*, corrective and improvement actions
1 Scope Specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise. Applicable to all types and sizes of organizations that: a) implement, maintain and improve a BCMS; b) seek to ensure conformity with stated business continuity policy; c) need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption; d) seek to enhance their resilience through the effective application of the BCMS.
2 Normative references
ISO 22300, Security and resilience — Vocabulary
3 Terms and definitions
Activity: set of one or more tasks with a defined output
Audit: systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Business continuity: capability of an organization to continue delivery of products and services within acceptable time frames at predefined capacity relating to a disruption
Business continuity management system (BCMS): management system for business continuity
Business continuity plan: documented information that guides an organization to respond to a disruption and resume, recover and restore the delivery of products and services consistent with its business continuity objectives
Business impact analysis: process of analyzing the impact of a disruption on the organization
Competence: ability to apply knowledge and skills to achieve intended results
Conformity: fulfilment of a requirement
Prioritized activity: activity to which urgency is given in order to avoid unacceptable impacts to the business during a disruption
Resilience: ability to absorb and adapt in a changing environment
3 Terms and definitions (continued): Business continuity plan; Correction; Corrective action; Interested party; Maximum acceptable outage (MAO); Maximum tolerable period of disruption (MTPD); Minimum business continuity objective (MBCO)
4 Context of the organization 4.1 Understanding of the organization and its context The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS. 4.2 Understanding the needs and expectations of interested parties 4.2.1 General When establishing its BCMS, the organization shall determine: a) the interested parties that are relevant to the BCMS; b) the requirements of these interested parties
4.2.2 Legal and regulatory requirements The organization shall: a) implement and maintain a process to identify, have access to, and assess the applicable legal and regulatory requirements related to the continuity of its products and services, processes, activities and resources, as well as the interests of relevant interested parties; b) ensure that these applicable legal, regulatory and other requirements are taken into account in implementing and maintaining its BCMS; c) document this information and keep it up-to-date.
4.3 Determining the scope of the business continuity management system 4.3.1 General The organization shall determine the boundaries and applicability of the BCMS to establish its scope. When determining this scope, the organization shall consider: a) the external and internal issues referred to in 4.1; b) the requirements referred to in 4.2. The scope shall be available as documented information.
4.3.2 Scope of the BCMS The organization shall: a) consider its mission, goals, and internal and external obligations; b) establish the parts of the organization to be included in the BCMS, taking into account its location(s), size, nature and complexity; c) identify the products and services and their related processes, activities and resources to be included in the BCMS; d) take into account interested parties' needs. When defining the scope, the organization shall document and explain exclusions; any such exclusions shall not affect the organization's ability and responsibility to provide business continuity, as determined by the business impact analysis or risk assessment and applicable legal or regulatory requirements.
4.4 Business continuity management system The organization shall establish, implement, maintain and continually improve a BCMS, including the processes needed and their interactions, in accordance with the requirements of the Standard, ISO 22301.
Context - Interested parties [figure]
5 Leadership 5.1 Leadership and commitment Top management shall demonstrate leadership and commitment with respect to the BCMS by: a) ensuring that the business continuity policy and business continuity objectives are established and are compatible with the strategic direction of the organization; b) ensuring the integration of the BCMS requirements into the organization's business processes; c) ensuring that the resources needed for the BCMS are available; d) communicating the importance of effective business continuity and conforming to the BCMS requirements; e) ensuring that the BCMS achieves its intended outcome(s); f) directing and supporting persons to contribute to the effectiveness of the BCMS; g) supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility; h) promoting continual improvement.
5.2.1 Top management shall establish a business continuity policy that: a) is appropriate to the purpose of the organization; b) provides a framework for setting business continuity objectives; c) includes a commitment to satisfy applicable requirements; d) includes a commitment to continual improvement of the BCMS.
5.2.2 The business continuity policy shall: a) be available as documented information; b) be communicated within the organization; c) be available to interested parties, as appropriate.
5.3 Organizational roles, responsibilities and authorities Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. Top management shall assign the responsibility and authority for: a) ensuring that the BCMS conforms to the requirements of this document; b) reporting on the performance of the BCMS to top management.
Evidencing Leadership to an Auditor Top management are the group of individuals who set the strategic direction of an organization and approve the allocations of resources to the organization or business area within the scope of your BCMS. Depending on the size and how your organization is structured, these individuals may or not be the day-to-day management team. An auditor will typically test leadership commitment by interviewing one or more members of your top management and assessing their level of involvement and participation in the: • evaluation of risks and opportunities • establishment and communication of policies • setting and communication of objectives • review and communication of system performance • allocation of appropriate resources, accountabilities and responsibilities
6 Planning 6.1 Actions to address risks and opportunities When planning for the BCMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: a) give assurance that the management system can achieve its intended outcome(s); b) prevent, or reduce, undesired effects; c) achieve continual improvement. The organization shall plan: a) actions to address these risks and opportunities, b) how to: 1) integrate and implement the actions into its BCMS processes (see 8.1), 2) evaluate the effectiveness of these actions (see 9.1).
6 Planning (commentary)
Section 6.1 talks about risks and 6.2 about objectives: standardized text, but it might confuse.
Having fully understood the context of the organisation, planning activities are introduced to address the risks and opportunities of the business. This proactive approach, if carried out properly, will ensure a resilient BCM system as it will focus on planning for successfully achieving BCM objectives and realising opportunities for improvement. Ownership and accountability of BC objectives will be allocated and a clear direction to accomplishing these objectives will be agreed.
6.2 Business continuity objectives and planning to achieve them 6.2.1 The organization shall establish business continuity objectives at relevant functions and levels. The business continuity objectives shall: a) be consistent with the business continuity policy; b) be measurable (if practicable); c) take into account applicable requirements; d) be monitored; e) be communicated; f) be updated as appropriate. The organization shall retain documented information on the business continuity objectives.
Context (commentary)
Requirement for documenting: links between the business continuity policy and the organization's objectives and other policies, including its overall risk management strategy; and the organization's risk appetite.
The requirement to have procedures which identify legal and regulatory requirements. There is also a requirement to keep this information up to date, which must tie in with maintenance.
6.2.2 When planning how to achieve its business continuity objectives, the organization shall determine: a) what will be done; b) what resources will be required; c) who will be responsible; d) when it will be completed; e) how the results will be evaluated.
6.3 Planning of changes to the BCMS When the organization determines the need for changes to the BCMS, including those identified in Clause 10 (Improvement), the changes shall be carried out in a planned manner. The organization shall consider: a) the purpose of the changes and their potential consequences; b) the integrity of the BCMS; c) the availability of resources; d) the allocation or reallocation of responsibilities and authorities.
7 Support 7.1 Resources The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS.
7.2 Competence The organization shall: a) determine the necessary competence of person(s) doing work under its control that affects its business continuity performance; b) ensure that these persons are competent on the basis of appropriate education, training, or experience; c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; d) retain appropriate documented information as evidence of competence.
7 Support - 7.2 Competence (commentary)
The organisation (generally acknowledged to be through its top management) has a responsibility to ensure that sufficient and appropriate resource is available for the BCMS. Appropriateness is often determined through competency analysis.
It is people who take action when an incident occurs. Competence relates both to operating the BCMS and to performing following an incident.
Note also 7.3 d): everyone has to be aware of their role during disruptive incidents.
7.3 Awareness Persons doing work under the organization's control shall be aware of: a) the business continuity policy; b) their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity performance; c) the implications of not conforming with the BCMS requirements; d) their own role and responsibilities before, during and after disruptions.
7.4 Communication The organization shall determine the internal and external communications relevant to the BCMS including: a) on what it will communicate; b) when to communicate; c) with whom to communicate; d) how to communicate; e) who will communicate.
Communication (commentary)
• external communication with customers, partner entities, local community, and other interested parties, including the media;
• receiving, documenting, and responding to communication from interested parties;
• adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate;
• ensuring availability of the means of communication during a disruptive incident;
• facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate; and
• operating and testing of communications capabilities intended for use during disruption of normal communications.
7.5 Documented information 7.5.1 General The organization's BCMS shall include: a) documented information required by this document; b) documented information determined by the organization as being necessary for the effectiveness of the BCMS.
7.5.2 Creating and updating When creating and updating documented information, the organization shall ensure appropriate: a) identification and description (e.g. a title, date, author or reference number); b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); c) review and approval for suitability and adequacy.
7.5.3 Control of documented information 7.5.3.1 Documented information required by the BCMS and by this document shall be controlled to ensure: a) it is available and suitable for use, where and when it is needed; b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). 7.5.3.2 For the control of documented information, the organization shall address the following activities, as applicable: a) distribution, access, retrieval and use; b) storage and preservation, including preservation of legibility; c) control of changes (e.g. version control); d) retention and disposition. Documented information of external origin determined by the organization to be necessary for the planning and operation of the BCMS shall be identified, as appropriate, and controlled.
8 Operation 8.1 Operational planning and control The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by: a) establishing criteria for the processes; b) implementing control of the processes in accordance with the criteria; c) keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes and the supply chain are controlled.
8.2 Business impact analysis and risk assessment 8.2.1 General The organization shall implement and maintain a process for analyzing business impact and assessing risks of disruption that establishes the context, defines criteria and evaluates the potential impact of a disruption. 8.2.2 Business impact analysis The organization shall implement and maintain a process for determining business continuity priorities and requirements that: a) defines impact categories and criteria relevant to the organization's context; b) uses these impact categories and criteria for measuring impact; c) identifies activities that support the provision of products and services;
d) analyses the impacts over time resulting from disruption of these activities; e) identifies the time within which the impacts of not resuming activities would become unacceptable to the organization; f) sets prioritized timeframes within the time identified in e) above for resuming disrupted activities at a specified minimum acceptable capacity; this may be referred to as the recovery time objective (RTO); g) uses the business impacts to identify prioritized activities; h) determines which resources are needed to support prioritized activities; i) determines the dependencies and interdependencies of prioritized activities.
BIA (commentary)
a) identifying activities that support the provision of products and services;
b) assessing the impacts over time of not performing these activities;
c) setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and
d) identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.
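As an added illustration (not code from ISO 22301 or from this presentation), the Python below models the BIA steps of clause 8.2.2 on constructed data: impact scores per category at several outage durations, the MTPD as the first point where a score reaches its criterion, an RTO set inside the MTPD, dependency-driven tightening of RTOs, and a recovery target per supporting resource. The activity names, scores, criteria and timepoints are assumed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# a) Impact categories and criteria: impact score (0 none .. 4 severe) at which
#    the impact becomes unacceptable to the organization. Constructed values.
IMPACT_CRITERIA: Dict[str, int] = {"financial": 3, "regulatory": 2, "reputational": 3}
# Outage durations (hours) at which impact over time is assessed. Constructed.
TIMEPOINTS: List[int] = [1, 4, 8, 24, 72]

@dataclass
class Activity:
    name: str
    impacts: Dict[str, List[int]]  # category -> one score per TIMEPOINTS entry
    resources: List[str]           # h) resources supporting the activity
    depends_on: List[str] = field(default_factory=list)  # i) other activities
    mtpd: Optional[int] = None     # e) hours; None = never becomes unacceptable
    rto: Optional[int] = None      # f) hours; None = not a prioritized activity

def assess_mtpd(act: Activity) -> Optional[int]:
    """e) Earliest outage duration at which any impact reaches its criterion."""
    for i, t in enumerate(TIMEPOINTS):
        for cat, threshold in IMPACT_CRITERIA.items():
            scores = act.impacts.get(cat, [])
            if i < len(scores) and scores[i] >= threshold:
                return t
    return None

def initial_rto(mtpd: Optional[int]) -> Optional[int]:
    """f) The RTO must fall inside the MTPD: take the last timepoint before it."""
    if mtpd is None:
        return None
    earlier = [t for t in TIMEPOINTS if t < mtpd]
    return max(earlier) if earlier else max(1, mtpd // 2)

def run_bia(activities: List[Activity]) -> Dict[str, object]:
    """Steps d) to i): returns prioritized activities and per-resource RTOs."""
    by_name = {a.name: a for a in activities}
    for a in activities:
        a.mtpd = assess_mtpd(a)
        a.rto = initial_rto(a.mtpd)

    # i) An activity cannot resume before the activities it depends on, so each
    #    dependency inherits the tightest RTO of its dependents (and becomes
    #    prioritized even if its own impacts never reach a criterion). Iterate
    #    to a fixed point; RTOs only decrease, so this ends even with cycles.
    changed = True
    while changed:
        changed = False
        for a in activities:
            if a.rto is None:
                continue
            for dep in (by_name[n] for n in a.depends_on):
                if dep.rto is None or a.rto < dep.rto:
                    dep.rto = a.rto
                    changed = True

    # g) Prioritized activities: those with a recovery requirement, most urgent first.
    prioritized = sorted(
        (a for a in activities if a.rto is not None),
        key=lambda a: (a.rto, a.mtpd if a.mtpd is not None else float("inf"), a.name),
    )

    # h) A supporting resource must be back by the tightest RTO among the
    #    activities that need it.
    resource_rto: Dict[str, int] = {}
    for a in prioritized:
        for r in a.resources:
            resource_rto[r] = min(resource_rto.get(r, a.rto), a.rto)

    return {
        "prioritized": [(a.name, a.mtpd, a.rto) for a in prioritized],
        "not_prioritized": [a.name for a in activities if a.rto is None],
        "resource_rto": resource_rto,
    }

def sample_activities() -> List[Activity]:
    """Constructed sample data for a small online retailer (illustrative only)."""
    return [
        Activity("payments",
                 {"financial": [1, 2, 3, 4, 4], "regulatory": [0, 0, 1, 2, 3],
                  "reputational": [0, 1, 2, 3, 4]},
                 ["payment gateway", "core db"], depends_on=["core_db_service"]),
        Activity("customer_portal",
                 {"financial": [0, 1, 1, 2, 3], "reputational": [1, 2, 2, 3, 4]},
                 ["web tier"], depends_on=["identity_service"]),
        Activity("identity_service",
                 {"financial": [0, 0, 1, 2, 3], "regulatory": [0, 0, 0, 1, 2],
                  "reputational": [0, 0, 1, 2, 3]}, ["identity provider"]),
        Activity("core_db_service", {"financial": [0, 1, 2, 3, 4]},
                 ["core db", "storage array"]),
        Activity("payroll", {"financial": [0, 0, 0, 1, 2], "regulatory": [0, 0, 0, 0, 2]},
                 ["payroll SaaS"]),
        Activity("internal_newsletter", {"reputational": [0, 0, 0, 1, 1]},
                 ["email platform"]),
    ]
```

Calling run_bia(sample_activities()) puts payments and core_db_service first (RTO 4 h) and leaves internal_newsletter out of the prioritized list; identity_service ends with an RTO of 8 h, tighter than its own 72 h MTPD, because customer_portal depends on it.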
8.2.3 Risk assessment The organization shall implement and maintain a systematic risk assessment process.This process can be made in accordance with ISO 31000. The organization shall: a) identify risks of disruption to the organization's prioritized activities and to their supporting resources ; b) systematically analyse risks of disruption; c) evaluate risks of disruption which require treatment.
Risk Assessment
This means the organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.
NOTE This process could be made in accordance with ISO 31000.
The organization shall identify risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, analyse them, evaluate and treat them.
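The BIA steps in 8.2.2 and the identify/analyse/evaluate steps in 8.2.3 can be worked through mechanically once the impact criteria are fixed. The Python script below is an added example written for this page; it is not part of the presentation or of ISO 22301 itself. It uses constructed activities and risks, assumes a 1 to 5 impact scale with 4 as the unacceptable level, sets each RTO at half the time to unacceptable impact (a simplified planning rule), tightens RTOs along dependencies as 8.2.2 i) requires, and flags risks whose likelihood multiplied by impact meets an assumed treatment threshold (8.2.3 c). All names, scores and thresholds are illustrative.

```python
from dataclasses import dataclass, field

# Assumed impact criterion (8.2.2 a/b): scores run 1 (negligible) to 5 (severe);
# a score of 4 or more is treated as unacceptable to the organization (8.2.2 e).
UNACCEPTABLE_IMPACT = 4
# Assumed risk evaluation criterion (8.2.3 c): likelihood x impact of 10 or more needs treatment.
TREATMENT_THRESHOLD = 10


@dataclass
class Activity:
    name: str
    impact_over_time: dict                           # hours since disruption -> impact score (8.2.2 d)
    depends_on: list = field(default_factory=list)   # supporting activities (8.2.2 i)


@dataclass
class Risk:
    description: str
    affects: list    # names of activities whose disruption this risk could cause
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 .. 5, same scale as the BIA


# Constructed sample data; not taken from any real organization.
ACTIVITIES = [
    Activity("identity", {24: 3, 96: 5}),
    Activity("payments", {2: 3, 8: 4}, depends_on=["identity"]),
    Activity("order-processing", {4: 2, 24: 4, 72: 5}, depends_on=["payments", "identity"]),
    Activity("marketing-site", {24: 1, 168: 3}),
]
RISKS = [
    Risk("data centre power loss", ["identity", "payments", "order-processing"], 2, 5),
    Risk("ransomware on order database", ["order-processing"], 3, 5),
    Risk("CMS outage", ["marketing-site"], 4, 2),
    Risk("key supplier insolvency", ["payments"], 1, 4),
]


def time_to_unacceptable(activity):
    """Hours after which the impact becomes unacceptable (8.2.2 e);
    None if it never does within the analysed window."""
    for hours in sorted(activity.impact_over_time):
        if activity.impact_over_time[hours] >= UNACCEPTABLE_IMPACT:
            return hours
    return None


def assign_rtos(activities):
    """Set an RTO for each activity within its time to unacceptable impact (8.2.2 f),
    then tighten RTOs along dependencies (8.2.2 i)."""
    names = {a.name for a in activities}
    rto = {}
    for a in activities:
        limit = time_to_unacceptable(a)
        # Assumed planning rule: resume within half the time available.
        rto[a.name] = None if limit is None else max(1, limit // 2)
    # A prioritized activity cannot resume before the activities it depends on,
    # so each supporting activity inherits the tightest RTO of its dependants.
    # Values only ever decrease, so the loop terminates even with cyclic dependencies.
    changed = True
    while changed:
        changed = False
        for a in activities:
            if rto[a.name] is None:
                continue
            for dep in a.depends_on:
                if dep not in names:
                    raise KeyError(f"{a.name} depends on unknown activity {dep}")
                if rto[dep] is None or rto[dep] > rto[a.name]:
                    rto[dep] = rto[a.name]
                    changed = True
    return rto


def prioritize(activities):
    """Return (name, RTO) pairs ordered by urgency (8.2.2 g): shortest RTO first,
    highest impact as tie-break; activities with no RTO come last."""
    rto = assign_rtos(activities)

    def key(a):
        r = rto[a.name]
        return (r is None, r or 0, -max(a.impact_over_time.values()), a.name)

    return [(a.name, rto[a.name]) for a in sorted(activities, key=key)]


def risks_requiring_treatment(risks, prioritized):
    """Identify (8.2.3 a), analyse (b) and evaluate (c) risks: keep those that meet the
    treatment threshold and affect at least one prioritized activity, highest score first."""
    prioritized_names = {name for name, r in prioritized if r is not None}
    selected = []
    for risk in risks:
        score = risk.likelihood * risk.impact
        if score >= TREATMENT_THRESHOLD and prioritized_names.intersection(risk.affects):
            selected.append((risk.description, score))
    return sorted(selected, key=lambda item: -item[1])


if __name__ == "__main__":
    ranked = prioritize(ACTIVITIES)
    for name, r in ranked:
        print(f"{name:18s} RTO (hours): {r if r is not None else 'not set'}")
    for desc, score in risks_requiring_treatment(RISKS, ranked):
        print(f"requires treatment: {desc} (score {score})")
```

The point the dependency step makes is the one 8.2.2 i) is after: on its own impact curve the constructed "identity" activity would get a 48 hour RTO, but because "payments" depends on it and must be back within 4 hours, "identity" inherits that 4 hour RTO. Resource requirements (8.2.2 h) and 8.3.3) then follow from the tightest RTO, not from the activity's own tolerance.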
8.3 Business continuity strategies and solutions

8.3.1 General
The organization shall identify and select business continuity strategies based on the outputs from the business impact analysis and risk assessment. The business continuity strategies shall be comprised of one or more solutions.

8.3.2 Identification and selection of strategies and solutions
The organization shall identify and select appropriate business continuity strategies and solutions taking into consideration their associated costs for:
a) responding to disruptions;
b) continuing and recovering prioritized activities and their required resources to meet the delivery of products and services at the agreed capacity over time.
For the prioritized activities, the organization shall identify and select strategies and solutions considering business continuity objectives and the amount and type of risk that the organization may or may not take that:
a) reduce the likelihood of disruption;
b) shorten the period of disruption;
c) limit the impact of disruption on the organization's products and services.
Strategy
BS25999-2 had 4.1.3 Determining Choices and 4.2 Determining business continuity strategy. ISO 22301 better defined:
Decide what you are going to do to reduce the likelihood and impact as well as how to respond (these are not alternative approaches)
Set RTOs
Work out the resource requirements
Act on the protection and mitigation needed
Evaluate business continuity capability of suppliers
Incident Response Structure
Broadly equivalent to 4.3.2 in BS25999
"Impact thresholds" is new
Personnel to assess the incident
Communication mentions "authorities" and "media" explicitly
External communications a new requirement.
Life safety explicitly mentioned.
8.3.3 Resource requirements
The organization shall determine the resource requirements to implement the selected business continuity solutions. The types of resources considered shall include but not be limited to:
a) people;
b) information and data;
c) physical infrastructure such as buildings, work places or other facilities and associated utilities;
d) equipment and consumables;
e) information and communication technology (ICT) systems;
f) transportation;
g) finance;
h) partners and suppliers.
8.3.4 Implementation of solutions
The organization shall implement selected business continuity solutions so they can be activated when needed.

8.4 Business continuity plans and procedures

8.4.1 General
The organization shall implement and maintain a structure that will enable timely warning and communication to relevant interested parties and provide plans and procedures to manage the organization during a disruption. The plans and procedures shall be used when required to execute business continuity solutions.
The procedures shall:
a) be specific regarding the immediate steps that are to be taken during a disruption;
b) be flexible to respond to changing internal and external conditions of a disruption;
c) focus on the impact of incidents that potentially lead to disruption;
d) be effective in minimizing impact through implementation of appropriate solutions;
e) assign roles and responsibilities for tasks within it.
8.4.2 Response structure
The organization shall implement and maintain a structure identifying one or more teams responsible for responding to disruptions. The roles and responsibilities of each team and the relationships between the teams shall be clearly stated. Collectively, the teams shall be prepared to:
a) assess the nature and extent of a disruption and its potential impact;
b) assess the impact against pre-defined thresholds that justify initiation of formal response;
c) activate an appropriate business continuity response;
d) plan actions that need to be undertaken;
e) establish priorities (using life safety as the first priority);
f) monitor the effects of the disruption and the organization's response;
g) activate the business continuity solutions;
h) communicate with relevant interested parties, authorities and the media.
For each team there shall be:
a) identified personnel and their associates with the necessary responsibility, authority and competence to perform their designated role;
b) documented procedures to guide their actions (see 8.4.4) including those for the activation, operation, coordination and communication of the response.
8.4.3 Warning and communication
8.4.3.1 The organization shall document and maintain procedures for:
a) communicating internally and externally to relevant interested parties, including what, when, with whom and how to communicate;
b) receiving, documenting and responding to communications from interested parties, including any national or regional risk advisory system or equivalent;
c) ensuring availability of the means of communication during a disruption;
d) facilitating structured communication with emergency responders;
e) details of the organization's media response following an incident, including a communications strategy;
f) recording details of the disruption, actions taken and decisions made.
8.4.3.2 Where applicable the following shall also be considered and implemented:
a) alerting interested parties potentially impacted by an actual or impending disruption;
b) assuring the appropriate coordination and communication between multiple responding organizations.
The communication and warning procedures shall be exercised as part of the organization's exercise programme referred to in 8.5.
8.4.4 Business continuity plans
8.4.4.1 The business continuity plans shall provide guidance and information that will assist the teams to respond to a disruption and assist the organization with response and recovery. Collectively, the business continuity plans shall contain:
a) details of the actions that the teams will take in order to continue or recover prioritized activities within predetermined timeframes and to monitor the effects of the disruption and the organization's response to it;
b) reference to the pre-defined threshold and process for activating the response;
c) procedures to enable the delivery of products and services at agreed capacity to interested parties;
d) details to manage the immediate consequences of a disruption giving due regard to:
1) the welfare of individuals;
2) prevention of further loss or unavailability of prioritized activities;
3) protection of the environment;
e) a process for standing down once the incident is over.
8.4.4.2 Each plan shall include:
a) purpose and scope, and objectives;
b) roles, responsibilities of the team that will implement the plan;
c) actions and resources to implement the solutions;
d) supporting information needed to activate (including activation criteria), operate, coordinate and communicate the team's actions;
e) internal and external interdependencies;
f) resource requirements;
g) reporting requirements.
Each plan shall be usable and available at the time and place at which it is required.
Warning and Communication
In short the organization shall establish, implement and maintain procedures for:
a) detecting an incident,
b) regular monitoring of an incident,
c) internal communication within the organization,
d) receiving, documenting and responding to any national or regional risk advisory system or equivalent,
e) assuring availability of the means of communication during a disruptive incident,
f) facilitating structured communication with emergency responders,
g) recording of vital information about the incident, actions taken and decisions made.
8.4.5 Recovery
The organization shall have documented processes to restore and return business activities from the temporary measures adopted to support normal business requirements during and after a disruption.
Recovery
The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.
8.5 Exercise programme
The organization shall implement and maintain a programme of exercising and testing to validate over time the effectiveness of its business continuity strategies and solutions. The organization shall conduct exercises and tests that:
a) are consistent with its business continuity objectives;
b) are based on appropriate scenarios that are well planned with clearly defined aims and objectives;
c) develop teamwork, competence, confidence and knowledge for those who have roles to perform in relation to disruptions;
d) taken together over time validate the whole of its business continuity strategies;
e) produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements;
f) are reviewed within the context of promoting continual improvement;
g) are performed at planned intervals and when there are significant changes within the organization or the context in which it operates.
The organization shall act on the results of its exercising and testing to implement changes and improvements.
Exercising and Testing
Covers pretty much the same ground as BS25999-2. It talks about exercises and tests. Expect to see a programme – point is that over time these should provide objective assurance that the arrangements made will work as anticipated and when required: so does the programme really do this?
9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
The organization shall determine:
a) what needs to be monitored and measured;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
c) when and by whom the monitoring and measuring shall be performed;
d) when and by whom the results from monitoring and measurement shall be analysed and evaluated.
The organization shall retain appropriate documented information as evidence of the results. The organization shall evaluate the BCMS performance and the effectiveness of the BCMS.
Performance Evaluation…
As with all management system standards there is a need to look back at what has been achieved. ISO 22301 also requires that this analysis is evaluated and conclusions drawn by the organisation. Performance metrics (to be selected by the business) are required in ISO 22301. Whilst this is a new requirement it is likely that organisations will already produce certain metrics and these may be able to be tailored to cover the BCMS performance.
9.1.2 Evaluation of business continuity plans, procedures and capabilities
The organization shall evaluate the suitability, adequacy and effectiveness of its business continuity plans, procedures and capabilities. These evaluations shall be undertaken through periodic reviews, analysis, exercises, tests, post-incident reports and performance evaluations. The organization shall periodically evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformance with its own business continuity policy and objectives. The organization shall conduct evaluations at planned intervals, after an incident or activation, and when significant changes occur; the plans, procedures and capabilities shall be updated in a timely manner.
9.2 Internal audit
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the BCMS:
a) conforms to:
1) the organization's own requirements for its BCMS,
2) the requirements of this document;
b) is effectively implemented and maintained.
9.2.2 The organization shall:
a) plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
e) retain documented information as evidence of the implementation of the audit programme and the audit results.
9.3 Management review
9.3.1 General
Top management shall review the organization's BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.
9.3.2 Management review input
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the BCMS;
c) information on the business continuity performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement evaluation results;
3) audit results;
d) feedback from interested parties;
e) the need for changes to the BCMS, including the policy and objectives;
f) procedures, and resources which could be used in the organization to improve the BCMS' performance and effectiveness;
g) information from the BIA and risk assessment;
h) risks or issues not adequately addressed in any previous risk assessment;
i) results of exercises and tests;
j) lessons learned and actions arising from near-misses and disruptions;
k) opportunities for continual improvement.
9.3.3 Management review outputs
9.3.3.1 The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS to improve its efficiency and effectiveness and include the following:
a) variations to the scope of the BCMS;
b) update of the business impact analysis, risk assessment, business continuity strategies and solutions, and business continuity plans;
c) modification of procedures and controls to respond to internal or external issues that may impact the BCMS;
d) how the effectiveness of controls will be measured.
9.3.3.2 The organization shall retain documented information as evidence of the results of management reviews, and:
a) communicate the results of management review to relevant interested parties;
b) take appropriate action relating to those results.
Performance Evaluation…
Internal audits and management review continue to be key methods of reviewing the performance of the BCMS and tools for its continual improvement.
10 Improvement

10.1 Nonconformity and corrective action
10.1.1 When nonconformity occurs, the organization shall:
a) react to the nonconformity, and, as applicable:
1) take action to control and correct it;
2) deal with the consequences.
b) evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) make changes to the BCMS, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
10.1.2 The organization shall retain documented information as evidence of:
a) the nature of the nonconformities and any subsequent actions taken;
b) the results of any corrective action.

10.2 Continual improvement
The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS. The organization shall consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities that shall be addressed as part of continual improvement.
Root Cause Analysis
Organizations are to investigate nonconformities to:
• establish if the nonconformity exists elsewhere
• identify the root cause of the nonconformity
• identify any corrective action required to prevent a re-occurrence of the nonconformity
• identify any changes to the BCMS required.
Any corrective actions identified to address nonconformities are to be implemented without undue delay. The corrective action implemented is to be reviewed to determine its effectiveness.