Introducing ISO 22301

Background
How was ISO 22301 formed?

Contributors

Context
• Source documents included
– BS25999-2
– NFPA 1600
– ASIS OR standard
– Singapore standards
– ISO 27031
– ISO Guide 73
– ISO/PAS 22399
• So ISO 22301 is not simply an international version of BS25999
Publication Timeline… (figure: quarterly timeline from Q1 2011 to Q1 2013)
• ISO 22301 BCM – Requirements: DIS public commenting period, FDIS development, FDIS published, final ISO publication
• ISO 22313 BCM – Guidelines: document out for public comment, publication ???
• ISO is currently developing a high-level structure (Guide 83) and standardised text suitable for all ISO management system standards; ISO 22301 is the first standard to be developed to this new structure.
• The intention is to standardise terminology and requirements for what are essentially the fundamental elements of a management system.
• As ISO 22301 will be the first “new” ISO management system standard, it will be the vanguard for all new and revised versions of existing ISO standards.
Summary of ISO FDIS 22301:2012
ISO 22301 Key Points (Societal Security – BCMS)
"...standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, amongst all interested parties."
Structure of ISO 22301
0 Introduction
1 Scope
2 Normative References
  - Guide 73: Risk management vocabulary
  - ISO 22300 Terminology
3 Terms and Definitions
4 Context of the organisation
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance Evaluation
10 Improvement

Structure of BS25999 (shown alongside ISO 22301 clauses 4 to 10)
3 Planning the BCMS
  - Scope, Objectives, Policy
  - Resources
  - Competency
  - Embedding
  - Documentation
4 Implementing and Operating the BCMS
  - BIA
  - Risk and Risk Choices*
  - Strategy
  - Incident response, IMP, BCP
  - Exercising, Review
5 Monitoring and Reviewing the BCMS
  - Internal Audit
  - Management Review
6 Maintaining and Improving the BCMS
  - Preventive*, Corrective & Improvement Actions
Key Changes / Aspects…
Notable shifts in emphasis from BS25999-2:2007:
• Change in the way an organisation may be defined.
• Top Management leadership shall be more demonstrable
and active.
• Preventive action has been replaced with “actions to address
risks and opportunities” and features earlier.
• ISO 22301 puts a much greater emphasis on setting the
objectives, monitoring performance and metrics – aligning
BC to top management strategic thinking.
Key Changes / Aspects…
• Strong emphasis on performance evaluation & metrics.
• Communication elements more demanding and there is a
responsibility to the wider community defined.
• BIA similar but with some changes to terminology.
• There is a stronger link to the organisations approach to risk.
• To reflect the Societal security approach some new
terminology has been introduced, see ISO 22300.
Benefit of BCM – sudden disruption (figure)

Benefit of BCM – gradual disruption (figure)
3. Terms & Definitions…
• Business continuity plan
• Correction
• Corrective action
• Interested party
• Maximum acceptable outage (MAO)
• Maximum tolerable period of disruption (MTPD)
• Minimum business continuity objective (MBCO)

Context – Interested Parties (figure)
Context
• Requirement for documenting:
– links between the business continuity policy and the organization’s objectives and other policies, including its overall risk management strategy; and
– the organization’s risk appetite.
• The requirement to have procedures which identify legal and regulatory requirements. There is also a requirement to keep this information up to date, which must tie in with maintenance.
6. Planning
• Section 6.1 talks about risks and 6.2 about objectives.
• The standardised text is used here, but it might confuse:
– Having fully understood the context of the organisation,
planning activities are introduced to address the risks
and opportunities of the business.
– This proactive approach, if carried out properly, will
ensure a resilient BCM system as it will focus on
planning for successfully achieving BCM objectives and
realising opportunities for improvement. Ownership and
accountability of BC objectives will be allocated and a
clear direction to accomplishing these objectives will be
agreed.
7. Support
7.2 Competence
• The organisation (generally acknowledged to be
through its Top Management) has a responsibility to
ensure that sufficient and appropriate resource is
available for the BCMS. Appropriateness is often
determined through competency analysis
• It is people who take action when an incident occurs
– Competence relates both to operating the BCMS AND
to performing following an incident
– Note also 7.3 d) – everyone has to be aware of their role
during disruptive incidents
Communication
• external communication with customers, partner entities, local
community, and other interested parties, including the media,
• receiving, documenting, and responding to communication
from interested parties,
• adapting and integrating a national or regional threat advisory
system, or equivalent, into planning and operational use, if
appropriate,
• ensuring availability of the means of communication during a
disruptive incident, facilitating structured communication with
appropriate authorities and ensuring the interoperability of
multiple responding organizations and personnel, where
appropriate, and
• operating and testing of communications capabilities intended
for use during disruption of normal communications.
BIA
• a) identifying activities that support the provision of
products and services;
• b) assessing the impacts over time of not performing
these activities;
• c) setting prioritized timeframes for resuming these
activities at a specified minimum acceptable level,
taking into consideration the time within which the
impacts of not resuming them would become
unacceptable; and
• d) identifying dependencies and supporting resources
for these activities, including suppliers, outsource
partners and other relevant interested parties.
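The BIA steps b) to d) above describe a procedure rather than show one. The following Python script is an added example, not code from the original deck or from ISO 22301, that models them for a handful of constructed activities: it scores the impact of not performing each activity over time (step b), derives each activity's maximum tolerable period of disruption (MTPD) as the time at which that impact becomes unacceptable and sets a recovery time objective (RTO) inside it (step c), orders the activities for resumption, and propagates the tightest RTO down to the supporting resources and suppliers each activity depends on (step d). The activity names, impact scores, the threshold of 4, and the "RTO is half the MTPD" policy are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: impact of NOT performing each activity, scored 0-5
# at successive elapsed times (hours). Names, scores and dependencies are
# illustrative assumptions, not figures from ISO 22301 or the slide deck.

@dataclass
class Activity:
    name: str
    impact_over_time: dict                                # elapsed hours -> impact score (0-5)
    dependencies: list = field(default_factory=list)      # supporting resources / suppliers

UNACCEPTABLE_IMPACT = 4   # assumed threshold: an impact at or above this is unacceptable

ACTIVITIES = [
    Activity("payments", {4: 1, 8: 2, 24: 4, 72: 5},
             ["core_db", "payment_gateway_supplier"]),
    Activity("customer_support", {4: 2, 8: 4, 24: 5},
             ["core_db", "telephony"]),
    Activity("internal_reporting", {24: 1, 72: 2, 168: 3},
             ["core_db"]),
]


def mtpd(activity: Activity, threshold: int = UNACCEPTABLE_IMPACT) -> Optional[int]:
    """Maximum tolerable period of disruption (BIA step c): the earliest elapsed
    time at which the impact of not resuming the activity becomes unacceptable.
    Returns None if the threshold is never reached within the assessed horizon."""
    for hours in sorted(activity.impact_over_time):
        if activity.impact_over_time[hours] >= threshold:
            return hours
    return None


def rto(activity: Activity, margin: float = 0.5) -> Optional[int]:
    """Recovery time objective: the target resumption time, set inside the MTPD
    so there is headroom. Using a fixed fraction of the MTPD is an assumed policy."""
    m = mtpd(activity)
    return None if m is None else int(m * margin)


def prioritise(activities):
    """Order activities for resumption: shortest MTPD first; activities whose
    impact stays acceptable across the whole horizon go last."""
    return sorted(activities, key=lambda a: (mtpd(a) is None, mtpd(a) or 0))


def resource_rtos(activities):
    """BIA step d): each supporting resource or supplier inherits the tightest
    RTO of the activities that depend on it, which its own recovery must meet."""
    result = {}
    for a in activities:
        r = rto(a)
        if r is None:
            continue          # no RTO needed: impact never becomes unacceptable
        for dep in a.dependencies:
            result[dep] = min(result.get(dep, r), r)
    return result


if __name__ == "__main__":
    for a in prioritise(ACTIVITIES):
        print(f"{a.name:20} MTPD={mtpd(a)} h  RTO={rto(a)} h")
    for dep, r in sorted(resource_rtos(ACTIVITIES).items()):
        print(f"resource {dep:26} must be recoverable within {r} h")
```

Run as a script it lists the activities in resumption order with their MTPD and RTO, then the recovery target each shared resource must meet. The shared `core_db` ends up with the 4-hour RTO of customer support rather than the 12-hour RTO of payments, which is the point of step d): a dependency's recovery requirement is driven by the most urgent activity it supports, not by the activity that first listed it.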
Risk Assessment
• The organization shall establish, implement, and maintain a
formal documented risk assessment process that
systematically identifies, analyses, and evaluates the risk of
disruptive incidents to the organization.
• NOTE This process could be made in accordance with ISO
31000.
• The organization shall identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, analyse them, evaluate and treat them.
Strategy
• BS25999-2 had 4.1.3 Determining Choices and 4.2
Determining business continuity strategy
• ISO 22301 better defined
– Decide what you are going to do to reduce the likelihood
and impact as well as how to respond (these are not
alternative approaches)
– Set RTOs
– Work out the resource requirements
– Act on the protection and mitigation needed
– Evaluate business continuity capability of suppliers
Incident Response Structure
8.4.2 broadly equivalent to 4.3.2 in BS25999
– “Impact thresholds” is new
– Personnel to assess the incident
– Communication mentions “authorities” and “media”
explicitly
– External communications a new requirement. Life safety
explicitly mentioned.
Warning and Communication
• The organization shall establish, implement and maintain
procedures for
• a) detecting an incident,
• b) regular monitoring of an incident,
• c) internal communication within the organization
• d) receiving, documenting and responding to any national or
regional risk advisory system or equivalent,
• e) assuring availability of the means of communication
during a disruptive incident,
• f) facilitating structured communication with emergency
responders,
• g) recording of vital information about the incident, actions
taken and decisions made,
Recovery
• The organization shall have documented
procedures to restore and return business
activities from the temporary measures adopted
to support normal business requirements after an
incident
Exercising and Testing
• Covers pretty much the same ground as BS25999-2
• It talks about exercises and tests.
• Expect to see a programme – point is that over time these
should provide objective assurance that the arrangements
made will work as anticipated and when required: so does
the programme really do this?
Performance Evaluation…
• As with all management system standards there is a
need to look back at what has been achieved. ISO
22301 also requires that this analysis is evaluated and
conclusions drawn by the organisation.
• Performance metrics (to be selected by the business)
are required in ISO 22301. Whilst this is a new
requirement it is likely that organisations will already
produce certain metrics and these may be able to be
tailored to cover the BCMS performance.
Performance Evaluation…
• Internal audits and management review continue to be key methods of reviewing the performance of the BCMS and tools for its continual improvement.
Transition…
• Organisations that are currently certified to BS25999-2:2007 will be provided with:
– A transition guideline
– A transition timescale
• It is widely expected that transitions will be conducted during a CAV visit.
• Guidelines and timescales are dependent upon UKAS. Certified organisations have 12 to 18 months to transition, although it could be up to 3 years.