ISO/TS 22317: How to Use ISO’s Newest BC Standard to Develop Real BC Requirements Jacqueline Rupert Managing Consultant Avalution Consulting


Agenda

• ISO/TS 22317
  • Background
  • Overview

• BIA
  • Outcomes
  • Process

• Keys to Success

• Conclusions and Questions

Regional Business Continuity Conference

Background

Since 2013, ISO technical committee 292 (security and resilience) has been working on developing a business impact analysis standard

• Led by the US delegation (Brian Zawada and Jacqueline Rupert)

• Participants from over a dozen countries


Background

In September 2015, ISO published its newest business continuity standard:

ISO/TS 22317:2015

Societal security – Business continuity management systems – Guidelines for business impact analysis (BIA)


Overview

The new technical specification is designed to complement ISO 22301, but also to be a “stand-alone” standard

(Figure: the related standards ISO 22301, ISO 22313, and ISO/TS 22317)

Note: This standard is not auditable; instead it provides guidance on how to effectively implement or mature a BIA process.

Overview

ISO 22317 sought to re-define ISO’s business impact analysis definition, outcomes, and process to be clearer and more straightforward

The BIA process analyzes the consequences of a disruptive incident on the organization.

The outcome is a statement of justification of business continuity requirements.

Note: the term “business continuity requirements” has the same meaning as continuity and recovery priorities, objectives, and targets

BIA Outcomes

• Endorsement or modification of the organization’s BC program scope

• Identification of legal, regulatory, and contractual requirements (obligations) and their effect on business continuity requirements

• Evaluation of impacts on the organization over time, which serves as the justification for business continuity requirements (time and capability)

• Identification and confirmation of product/service delivery requirements following a disruptive incident, which then sets the prioritized timeframes for activities and resources

• Identification of, and establishment of, the relationships between products/services, processes, activities, and resources

• Determination of the resources needed to perform prioritized activities (e.g. facilities; people; equipment; information, communication and technology assets; supplies; and financing)

• Understanding of the dependencies on other activities, supply chains, partners, and other interested parties

• Determination of how up to date the information needs to be

BIA Process

Impact Categories and Examples of Impacts

• Financial – Financial losses due to fines, penalties, lost profits, or diminished market share

• Reputational – Negative opinion or brand damage

• Legal and Regulatory – Litigation liability and withdrawal of license to trade

• Contractual – Breach of contracts or obligations between organizations

• Business Objectives – Failure to deliver on objectives or take advantage of opportunities

Keys to Success – Prerequisites

• 22317 identifies prerequisites for organizations to consider implementing before the BIA process

• These boil down to the management system (ISO 22301) activities needed to be successful, including:
  • Context and scope
  • Roles and responsibilities
  • Leadership commitment
  • Resource allocation

Keys to Success – BIA Process Levels

• 22317 breaks down the BIA process into three levels:
  • Product and service prioritization (section 5.3)
  • Process prioritization (section 5.4)
  • Activity prioritization (includes resources and interdependencies) (section 5.5)

• Complex organizations should use all three levels, but less complex organizations may choose to combine one or two of the levels

• These levels ensure results are consistent from top-down and bottom-up

Keys to Success – Section 5 Structure

• The three levels are explained in Section 5 (Performing the Business Impact Analysis) and broken down by the following:
  • Introduction (Overview)
  • Inputs
  • Outcomes

• Methods for how to conduct each level are:
  • Explained in Section 5.6 (Analysis and Consolidation)
  • Detailed in Annex C (BIA Information Collecting Methods)

• Information on how to obtain top management endorsement is in Section 5.7

Keys to Success – After the BIA

• Section 5.8 (Business Continuity Strategy Selection) outlines how to use BIA results to select appropriate business continuity strategies

• Section 6 (BIA Process Monitoring and Review) outlines when the BIA process should be refreshed, including:
  • Frequency considerations
  • Organizational change considerations

Conclusions

• Provides a new, enhanced BIA definition that is clearer and uses less jargon

• Offers a BIA value proposition for organizations struggling to gain buy-in

• Identifies the prerequisites that the organization should have in place before starting the BIA

• Outlines a detailed process for how to effectively perform the BIA

• Proposes the outcomes of the BIA (including outcomes of each step of the BIA)

• Provides options for different information collecting methods, along with a pros and cons analysis of each method

• Describes other uses to which organizations may choose to put the BIA

Questions? Thank you!


Contact Information

Jacqueline Rupert

Managing Consultant, Avalution Consulting

216.331.7593 | [email protected]

866.533.0575 | avalution.com | bccatalyst.com
