How to transition to ISO 22301
. . . the new business continuity standard
Phil Willoughby
ICT Technical Service Manager
LRQA Limited
Download LRQA’s presentation support pack
• www.lrqa.co.uk/bsiconference
• Pack includes:
• Copy of the presentation slides
• Online copy of the Needhams case study
• Links to LRQA Training Courses
Agenda
• Overview
• Detailed review
• Section 4 – understanding
• Section 5 – leadership
• Section 6 – planning
• Section 7 – support
• Section 8 – operation
• Section 9 – performance
• Section 10 – improvement.
Structural changes
• Name change – Societal security – contributing to a resilient society
• The new format is more consistent with other ISO management system standards (e.g. ISO 9001, ISO 14001), but retains the existing BC lifecycle
• 105 ‘Shall’s’ compared with the 56 of BS 25999
• Some simplification, clarification or re-wording and some new requirements.
PDCA comparison
[Chart: count of requirements per PDCA phase (Plan, Do, Check, Act), BS 25999 vs ISO 22301; vertical axis “Count of requirements”, 0 to 50]
Change Categorisation
• New requirements
• Enhanced requirements
• Clarification
• Alignment to other Management system standards
• Word changes not really affecting requirements.
Important terminology changes
Gone
• Key
• Critical
• MTPoD
• Preventive action
New
• Prioritized
• Establishing timeframe and recovery levels.
New Requirements Summary
• Management Commitment
• Business Continuity Objectives
• Legal and regulatory requirements
• Resource Planning
• 3rd Party Management
• Measures and Effectiveness
• Formalisation of external and internal issues relevant to BCMS outcomes.
Enhanced requirements
5.2 Management commitment
5.3 Policy requirements
6.2 Business Continuity Objectives
7.1 Resources
7.2 Communications.
Section 4 - Understanding the organisation and its context
• Focuses on external and internal issues relevant to its purpose and that affect its ability to achieve the expected outcomes of its BCMS
• Increased documentation likely to be required, e.g. supply chain information
• Documented procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements . . . related to the continuity of its operations, products and services, as well as the interests of relevant interested parties.
Section 4 - Understanding the organisation and its context (continued…)
• These requirements are taken into account in establishing, implementing and maintaining its BCMS
• This information must be documented, updated and communicated to affected employees and other interested parties when requirements change
• Define, document and explain any exclusions.
Section 5 - Leadership
• Top management demonstrate Leadership
• Compatibility of BCMS to company strategic direction
• Integration, achievement of outcomes
• Policy enhancements include:
• Provide the framework for setting business continuity objectives,
• Be communicated within the organization to all persons working for or on behalf of the organization within the scope of the BCMS
This clarifies existing requirements and aligns it to the normal management system expectations (e.g. roles, responsibility & authority definition, resource determination and review).
Section 6 - Planning
6.1 Actions to address risks and opportunities
• Replaces preventive action clause (6.1.2)
• Improvement (6.2)
This risk assessment is aimed at corporate-level risks (for which a BCMS is effective mitigation) rather than operational risks that might trigger a BCMS response.
Section 6 - Planning (continued…)
6.2 Business Continuity Objectives
Requirements for objectives clarified
• Link to policy
• Consider acceptable minimum level of products and services
• Be measurable
• Take into account applicable requirements, and
• Be monitored and updated as appropriate
The plans to achieve these objectives must be defined.
Section 7 - Support
New section covering
• Resource requirements
• Competence & awareness
• Communication
• Document and record control
7.1 Resource requirements
• Clarifies the types of resources required to be considered
• All resources under the organisation’s control to be identified together with associated competences
• Resource requirements for the continuity strategies should be identified and could include:
o People, information and data, buildings, work environment and associated utilities, facilities, equipment and consumables, information and communication technology (ICT) systems, transportation, finance, and partners and suppliers.
7.2 Competence / 7.3 Awareness
Competence requirements clarified
• Includes full time and contract staff with BCMS roles and responsibilities – “under organisation’s control”
• Removed reference to training needs analysis
• Changed records to appropriate documentation.
7.4 Communication
• Essentially now need to define What, When and Whom
• Procedure(s) for
o Internal communications
o External communications with customers, partner entities, local community, media and IP’s
o Processing communication from interested parties,
o Ensuring communications availability during a disruptive incident,
o Communications with appropriate authorities and interoperability of multiple responding organizations
o Operating and testing of communications capabilities.
7.5 Document Control
• Inline with other management systems standards
• No longer a list of the required documents
• Records are a special type of document
• Need a process for . . rather than a procedure
• Format is required information (e.g. language, software version, graphics) and media (e.g. paper, electronic)
Section 8 - Operational planning and control
• Determine and manage processes needed to address BCMS risks and opportunities
• Control planned changes
• Take action on unintended effects
• Control processes that are contracted-out or outsourced.
Section 8 - Operational planning and control (continued…)
For this purpose “management control” of a process consists of:
• Knowledge and control of inputs
• Knowledge, use and interpretation of outputs
• Definition, measurement and monitoring of related metrics
• Definition, measurement and review of process improvements
• SLA or contract in place
o Defines service expectations
o Defines procedures to follow
• Regular reports or service reviews.
Section 8.2 Business Impact and Risk Assessment
• Requires overview process linking BIA and RA
• More detail on risk assessment and impact on BC objectives
• Change of emphasis from incident response to business continuity strategy with associated need for resource planning
• Further detail on response procedures, in particular the need for effective communication and preservation of life.
8.2.2 Business Impact Analysis
Less prescriptive than 25999:
• No MTPoD, No critical activities, No RTO
• All activities are recovered but to a prioritised timeframe and a specified level taking into account the implications of missing the target timescale.
• There is a general requirement to keep the information from the BIA and RA confidential
• Contracted out work must be controlled rather than determined.
8.2.2 Business Impact Analysis (continued…)
Still requires a documented process that:
• a) Establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident
• b) Takes into account legal and other requirements to which the organization subscribes,
• c) Includes systematic analysis, prioritization of risk treatments, and their related costs,
• d) Defines the required output from the business impact analysis and risk assessment, and
8.2.3 Risk Assessment
• No significant changes but substantial rewording
• ‘prioritized’ activities, indicates a BIA is completed before the risk assessment
• Requirement now to treat identified risks using 3 types of proactive measures rather than identified treatments for all critical activities.
8.3 Business continuity strategy
• Largely the same requirements to determine strategies to recover prioritized activities based on outputs from BIA and RA
• Strategy includes approving prioritized activities and time frames for the resumption
• Strategy includes conducting evaluations of the business continuity capabilities of suppliers.
8.4.2 Incident Response
Largely the same as now but:
• Using life safety as the first priority to decide whether to communicate externally.
8.4.4 Business Continuity Plans
• Largely the same requirements, with a few items removed and some additions
• All plans should be re-evaluated against the new requirements
• Each plan shall define:
o Purpose and scope,
o Objectives,
o Activation criteria and procedures,
o Implementation procedures,
o Roles, responsibilities, and authorities,
o Communication requirements and procedures,
o Internal and external interdependencies and interactions,
o Resource requirements, and
o Information flow and documentation processes.
8.4.5 Recovery
• The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident
• Recovery commences once prioritised activities have resumed
• ISO 22313 suggests the procedure should include:
o Options for restoring and returning
o Resources and infrastructure – covering operation and recovery
o Operational split (recovery and primary sites)
o Restoring damaged facilities and salvage equipment
o Emergency funding and procurement, claims against insurance
o Lost documentation
o Communication and due diligence requirements.
8.5 Exercise and Test
• Testing is explicitly mentioned
• Consistent with Policy AND Objectives
• Reviewed against aims and objectives
• Based on scenarios
• The communication and warning procedures shall be regularly exercised.
Section 9 - Performance evaluation
• What needs to be monitored or measured
• Methods to use
• When it needs to be done
• When analysis needs to done
• Action on adverse trends
• Periodic review of legal and regulatory requirements.
9.2 Internal Audit
• No significant additions except
• Alignment with other Management system standards
• Procedure covers Scope, frequency
• Clear separation of Audit from review.
9.3 Management Review
Gone
• Results of education & training programmes
• Level of residual risk and acceptance as input
• Feedback from interested parties
• ‘When significant changes occur’
New
• Trends audits and measures
• Changes required to policy and objectives
• Updates to BIA, RA and BCPs
• Security requirements rather than resilience
• Changes to contractual requirements.
Section 10 - Improvement
• Clarification on handling nonconformity
• React to address the instance
• Identify cause and correct
• No procedural requirements
• Preventive action is now part of risk assessment and planning.
Experiences of Transition Assessments
An independent provider of risk management and business continuity consultancy, planning and training services.
The Conversion Process
• Conducted an internal audit of our old BCMS against the new ISO, thereby identifying potential non-conformities
• Re-ordered our BCMS so that it followed the ISO Chapter headings, making it easier for the external certifying body to audit the system.
• Reflect enhanced top management role
• Ensured that the BCMS stated the links between business continuity and the business as a whole, with demonstrable evidence of how it is incorporated into the business processes
• To better demonstrate the accountability of 3rd party suppliers, independent audits of critical outsourced dependencies incorporated into Monitoring and Measurement.
Changes to the BCMS
Challenges
• The thought of an auditor arriving can leave some members of an organisation a little apprehensive.
Challenges
• Being able to prove to an auditor that the business continuity plan can achieve
• “Recovery of its activities to a predetermined level, based on management approved recovery objectives.”
• Specific plans are required for any RTOs for critical activities that are time sensitive.
Summary
• The changes from BS 25999 to ISO 22301 are not a great leap into the unknown; rather, it is a process of evolving the BCMS
• The initial internal audit is crucial to critically analyse the changes required to ensure our BCMS conformed to ISO 22301.
• UKAS requirements on Certification Bodies (CBs) drive the maximum period to transition
• CBs must transition by 30 May 2014
• CB transition visits can start from 1 November 2012
• No new client certificates or renewals to BS 25999 in 2014
• For how long does your BS 25999 certificate remain valid?
• 30 May 2015 at the latest, but is governed by other rules . . .
• Client transition should be at the first surveillance or renewal after CB transition.
What to expect from LRQA . . .
Transition Plans
How long would the transition audit take?
• Up to 1 day depending on approach
What is the approach to the transition audit?
• Can take place at a surveillance visit
• Driven by a checklist pre-completed by the organisation with supporting information
• Additional time will be required if the checklist is completed following ‘exploration’ by the assessor
• Any deficiencies will be reported as findings in the usual way. As long as these are minimal and a corrective action plan has been agreed, the assessor will recommend approval to the ISO/IEC 22301 standard.
What to expect from LRQA . . .
Transition Plans
What happens if you are part way through your initial assessment against BS 25999?
• Subject to normal assessment limitations, the limit is 31 December 2013
• Switching standards between Stage 1 and 2 is not recommended and will require some additional time to check the new requirements have been met.
What to expect from LRQA . . .
Transition Plans
Experiences of Transition Assessments
• In the intervening period between now and when LRQA are assessed by UKAS to gain accreditation
• LRQA will offer transition assessments AND initial assessment to ISO 22301
• These will not initially be accredited, but subject to UKAS assessment will be granted accredited status.
Lloyd’s Register and LRQA are trading names of Lloyd’s Register Group Limited and its subsidiaries.
For further information visit www.lr.org/entities
For more information, please contact:
Phil Willoughby
ICT Technical Service Manager
Lloyd’s Register Quality Assurance Limited
Hiramford, Middlemarch Office Village
Siskin Drive, Coventry CV3 4FJ, United Kingdom
T +44 (0)24 7688 2292
E phil.willoughby@lrqa.com
W www.lrqa.co.uk
Thank you very much for your time today