Rethinking Business Continuity: Applying ISO 22301 to improve resiliency, manage risk, and drive profitability in your organization
Bryan Strawser, MBCP, MBCI, CEM, CPP, CISSP, PMP
Principal Consultant & CEO, Bryghtpath LLC
Slide 2. Bryghtpath LLC
We are a strategic advisory firm that specializes in global risk, business continuity, emergency management, crisis communications, and public affairs.
Slide 3. Bryan Strawser, CEO, Bryghtpath LLC
• ISO 22301 Lead Implementer / Instructor
• Master Business Continuity Professional (MBCP)
• Member, Business Continuity Institute
Slide 4. ISO 22301:2012 Societal Security – Business Continuity Management Systems
• Formerly BS 25999
• Adopted globally in 2012
• Intersects with other ISO standards (e.g. ISO 27001)
• Establish and maintain a Business Continuity Management System
• Accreditation
• Certification
  – Implementer / Lead Implementer
  – Auditor / Lead Auditor
Copyright © 2015 by Bryghtpath LLC | bryghtpath.com | +1-612-235-6435 | [email protected]
Slide 5. ISO 22301 Content: Structure and Content of ISO 22301
• Scope
• Terms and definitions
• Organizational context
• Leadership
• Planning
• Support
• Operation
• Performance evaluation
• Improvement
Slide 6. ISO 22301, 0.1: What is a BCMS?
“Setting up and managing an effective Business Continuity Management System (BCMS)”
A BCMS emphasizes the importance of:
• The necessity for establishing a BCM policy and objectives
• Implementing and operating controls and measures for managing an organization's overall capability to manage disruptive incidents
• Monitoring and reviewing the performance and effectiveness of the BCMS
• Continual improvement based on objective measurement
Slide 7. ISO 22301, 0.1: A BCMS has several key components
a) A policy
b) People with defined responsibilities
c) Management processes relating to:
   1. Policy
   2. Planning
   3. Implementation and operation
   4. Performance assessment
   5. Management review
   6. Improvement
d) Documentation providing auditable evidence
e) Any business continuity management processes relevant to the organization
Slide 8. ISO 22301, 0.2: The Plan-Do-Check-Act (PDCA) Model
Slide 9. ISO 22301, Clause 1: Scope of ISO 22301
“…specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise…”
Slide 10. ISO 22301, Clause 1: Applicability
This International Standard is applicable to all types and sizes of organizations that wish to:
a) Establish, implement, and improve a BCMS
b) Ensure conformity with stated business continuity policy
c) Demonstrate conformity to others
d) Seek certification/registration of its BCMS by an accredited third-party certification body
e) Make a self-determination and self-declaration of conformity with this International Standard
Slide 11. ISO 22301, Clause 3: Key Definitions
Business Continuity: Capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident
Business Continuity Plan: Documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following a disruption
Business Impact Analysis: Process of analyzing activities and the effect that a business disruption might have upon them
Slide 12. ISO 22301, Clause 3: Key Definitions (continued)
Exercise: Process to train for, assess, practice, and improve performance in an organization
Incident: Situation that might be, or could lead to, a disruption, loss, emergency, or crisis
Slide 13. ISO 22301, Clause 4: The Organization and its Context
The organization shall identify and document:
• The organization's activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident
• Links between the business continuity policy and the organization's objectives and other policies, including its overall risk management strategy
• The organization's risk appetite
Slide 14. ISO 22301, Clause 4: The Organization and its Context (continued)
In establishing the context, the organization shall:
1) Articulate its objectives, including those concerned with business continuity
2) Define the external and internal factors that create the uncertainty that gives rise to risk
3) Set risk criteria taking into account the risk appetite
4) Define the purpose of the BCMS
Slide 15. ISO 22301, Clause 4: The Needs & Expectations of Interested Parties
Primarily focuses on legal & regulatory requirements:
• Maintain procedures to review & understand regulatory requirements
• Understand the interests of other relevant third parties
This is an area that is becoming more of a focus in recent years.
Slide 16. ISO 22301, Clause 5: Leadership, Management, and Commitment
5.1: Persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the BCMS.
5.2: Top management shall demonstrate commitment with respect to the BCMS by:
• Ensuring that policies and objectives are established…
• Ensuring the integration of the BCMS…
• Ensuring the resources needed […] are available
• Ensuring the BCMS achieves its intended outcomes
Slide 17. ISO 22301, Clause 5: Policy & Roles, Responsibilities, and Authorities
5.3: Policy. The business continuity policy:
a) Is appropriate to the purpose of the organization
b) Provides a framework for setting business continuity objectives
c) Includes a commitment to satisfy applicable requirements
d) Includes a commitment to continual improvement of the BCMS
5.4: Organizational roles, responsibilities, and authorities
Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization.
Slide 18. ISO 22301, Clause 6: Planning
6.1: Actions to address risks and opportunities
• The organization shall determine the risks and opportunities to:
  – Ensure the BCMS can achieve its intended outcome(s)
  – Prevent or reduce undesired effects
  – Achieve continual improvement
6.2: Business continuity objectives and plans to meet them
• Top management shall ensure that objectives are established and communicated for relevant functions and levels
  – Must take account of the minimum level of products and services that are acceptable to the organization to achieve its objectives
  – Must be measurable
  – Must take into account applicable requirements
  – Must be monitored and updated as appropriate
Slide 19. ISO 22301, Clause 6: Planning (continued)
Again, for each objective:
• Who will be responsible
• What will be done
• What resources will be required
• When it will be completed
• How the results will be evaluated
Slide 20. ISO 22301, Clause 7: Support
Clause 7 contains a number of statements related to providing support through resources, competence, and awareness.
• Providing the resources needed for the establishment, implementation, maintenance, and continual improvement of the BCMS
• Ensuring the competence of each person involved in doing BCMS work (training, mentoring, or outsourcing)
• Awareness of the BCMS at all levels of the organization
• Internal and external communications
Slide 21. ISO 22301, Clause 7: Documentation
7.5: Documented Information
• The organization's BCMS shall include:
  – Documented information required by this International Standard
  – Documented information determined by the organization as being necessary for the effectiveness of the BCMS
• Information shall be controlled to ensure:
  – It is available and suitable for use, where and when it is needed
  – It is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity)
Slide 22. ISO 22301, Clause 8: Operations
8.2: Business Impact Analysis (BIA) and Risk Assessment
• 8.2.2 Business Impact Analysis
  – Identifying activities that support the provision of products and services
  – Assessing the impacts over time of not performing these activities
  – Setting prioritized timeframes for resuming these activities
  – Identifying dependencies and supporting resources
• 8.2.3 Risk Assessment
  – Identify risks of disruption to the organization's prioritized activities
  – Systematically analyze risk
  – Evaluate which disruption-related risks require treatment
  – Identify treatments commensurate with business continuity objectives and in accordance with the organization's risk appetite
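The four BIA steps in 8.2.2 (identify activities, assess impact over time, set prioritized timeframes, identify dependencies) can be checked mechanically once the BIA data is tabulated. The example below is added here and is not code from the slides or from Bryghtpath; the activity names, RTO and MTPD values, impact scores and dependency graph are constructed sample data for a hypothetical organization. It ranks activities by impact at a chosen horizon, then walks the dependency graph to find two things a BIA review should catch: an activity whose target RTO is shorter than a dependency's achievable recovery time, and an activity whose achievable recovery time exceeds its MTPD (maximum tolerable period of disruption, standard BIA vocabulary that the slide itself does not define).

```python
"""BIA consistency check for ISO 22301 clause 8.2.2 (prioritized timeframes
and dependencies). Added example, not code from the slides or Bryghtpath.
All activities, RTO/MTPD hours, impact scores and dependencies below are
constructed sample data for a hypothetical organization."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Activity:
    name: str
    rto_hours: int                  # target time to resume the activity
    mtpd_hours: int                 # maximum tolerable period of disruption
    impact_by_hour: Dict[int, int]  # constructed impact score (1-5) at elapsed hours
    depends_on: List[str] = field(default_factory=list)


# Constructed sample BIA (hypothetical organization)
SAMPLE_BIA = [
    Activity("customer_payments", rto_hours=4, mtpd_hours=6,
             impact_by_hour={4: 2, 24: 5, 72: 5},
             depends_on=["core_network", "identity_provider"]),
    Activity("identity_provider", rto_hours=8, mtpd_hours=24,
             impact_by_hour={4: 1, 24: 4, 72: 5},
             depends_on=["core_network"]),
    Activity("core_network", rto_hours=2, mtpd_hours=12,
             impact_by_hour={4: 3, 24: 5, 72: 5}),
    Activity("payroll", rto_hours=72, mtpd_hours=168,
             impact_by_hour={4: 1, 24: 1, 72: 3},
             depends_on=["identity_provider"]),
]


def topological_order(activities: List[Activity]) -> List[str]:
    """Order activities so every dependency precedes its dependents
    (Kahn's algorithm). Raises ValueError on unknown names or cycles."""
    by_name = {a.name: a for a in activities}
    indegree = {a.name: len(a.depends_on) for a in activities}
    dependents: Dict[str, List[str]] = {a.name: [] for a in activities}
    for a in activities:
        for d in a.depends_on:
            if d not in by_name:
                raise ValueError(f"{a.name} depends on unknown activity {d}")
            dependents[d].append(a.name)
    ready = sorted(n for n, k in indegree.items() if k == 0)
    order: List[str] = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for m in dependents[n]:
            indegree[m] -= 1
            if indegree[m] == 0:
                ready.append(m)
        ready.sort()  # keep the order deterministic
    if len(order) != len(activities):
        raise ValueError("dependency cycle in BIA")
    return order


def effective_rto(activities: List[Activity]) -> Dict[str, int]:
    """Earliest achievable resumption time per activity: an activity cannot
    come back before its slowest dependency, whatever its own target says."""
    by_name = {a.name: a for a in activities}
    eff: Dict[str, int] = {}
    for n in topological_order(activities):
        a = by_name[n]
        eff[n] = max(a.rto_hours, max((eff[d] for d in a.depends_on), default=0))
    return eff


def find_gaps(activities: List[Activity]) -> Tuple[list, list]:
    """Dependency gaps: (activity, dependency, dependency's effective RTO)
    wherever a dependency recovers later than the activity's own target.
    MTPD breaches: (activity, effective RTO, MTPD) where the achievable
    time exceeds what the business said it can tolerate."""
    eff = effective_rto(activities)
    gaps, breaches = [], []
    for a in activities:
        for d in a.depends_on:
            if eff[d] > a.rto_hours:
                gaps.append((a.name, d, eff[d]))
        if eff[a.name] > a.mtpd_hours:
            breaches.append((a.name, eff[a.name], a.mtpd_hours))
    return gaps, breaches


def prioritize(activities: List[Activity], horizon_hours: int = 24) -> List[str]:
    """Rank by impact at the horizon (score of the latest checkpoint at or
    before it), then by shortest RTO, then by name."""
    def impact_at(a: Activity) -> int:
        times = [t for t in a.impact_by_hour if t <= horizon_hours]
        return a.impact_by_hour[max(times)] if times else 0
    return [a.name for a in sorted(activities,
                                   key=lambda a: (-impact_at(a), a.rto_hours, a.name))]


if __name__ == "__main__":
    print("priority order:", prioritize(SAMPLE_BIA))
    print("effective RTO (h):", effective_rto(SAMPLE_BIA))
    gaps, breaches = find_gaps(SAMPLE_BIA)
    for act, dep, dep_rto in gaps:
        print(f"gap: {act} depends on {dep}, which cannot resume before {dep_rto}h")
    for act, eff, mtpd in breaches:
        print(f"MTPD breach: {act} cannot resume before {eff}h; MTPD is {mtpd}h")
```

Run it directly to print the priority order, the effective RTOs and the findings. In the sample data customer_payments targets 4 hours but depends on identity_provider (8 hours), so its achievable RTO is 8 hours, past its 6-hour MTPD: either the identity provider's RTO has to come down or the payment activity's timeframe is not credible. That is the kind of finding the BIA hands to strategy selection in 8.3.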
Slide 23. ISO 22301, Clause 8: Business Continuity Strategy
8.3: Business Continuity Strategy
• The organization shall determine an appropriate business continuity strategy for:
  – Protecting prioritized activities
  – Recovering prioritized activities
  – Mitigating, responding to, and managing impacts
• The organization shall determine the resource requirements to implement the selected strategies (people, information, data, facilities, technology, finance, partners, third parties)
• For identified risks requiring treatment, the organization shall consider proactive measures
Slide 24. ISO 22301, Clause 8: Business Continuity Procedures
8.4: Establish and implement business continuity procedures
Procedures to manage a disruptive incident and continue its activities based on recovery objectives as identified in the business impact analysis:
• Incident response structure
• Warning & communicating
• Business continuity plans
  – Documented procedures for responding to a disruptive incident
  – How prioritized activities will be recovered within a predetermined timeframe
• Recovery
  – Documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident
Slide 25. Situational Awareness: Crisis Management Framework

Slide 26. Situational Awareness: Crisis Management Framework (diagram)
[Diagram; only the labels are recoverable from the extracted text]
Teams: Executive Crisis Team (C-Suite; CEO directs); Cross-Functional Crisis Team (business lines & support teams); Crisis Management Team
Roles and flows shown: Strategic decision making; Day-to-day operations; Recommendations to executives; Horizontal communication; Subject matter experts; Situational awareness upstream; Full-time / volunteer

Slide 27. Situational Awareness: Crisis Leadership
[Diagram contrasting two cases]
Routine incident: handled through protocols & processes, incident-specific plans, and preparedness steps
“HOLY S$@! What just happened?!”: needs situational awareness, collaborative cross-functional discussion, a strategic view, and a framework for collaborative decision making & communication
Situational awareness questions:
• What's happening?
• What do we know about it?
• What impact is it having on our business?
• What don't we know that we need to know?

Slide 28. ISO 22301, Clause 8: Exercise, Testing, & Maturing
How will I exercise and test my plans? Based on those results, how will I improve?
• All plans should be exercised at least annually:
  – Notification
  – Tabletop
  – Recovery
  – Fully integrated
• Disaster Recovery: testing DR plans and strategies
• Defined process for capturing lessons learned and applying them to plans and strategies
Slide 29. ISO 22301, Clause 9: Performance Evaluation
• Clause 9 covers the need for the organization to have a performance evaluation (or metrics) strategy:
  – What is monitored?
  – How will it be monitored?
  – How/when will it be analyzed and evaluated?
• Regular evaluation of procedures and capabilities
• Periodic reviews
• Compliance evaluation against policy, standards, and industry best practices
• Evaluations shall be conducted at planned intervals and when significant changes in the organization occur
Slide 30. ISO 22301, Clause 9: Internal Audits & Management Review
• 9.2: Internal Audit
  – The organization shall have an audit program
  – Internal audits shall be conducted at planned intervals to ensure that the BCMS conforms to the requirements of this standard and to the organization's requirements for the BCMS
• 9.3: Management Review
  – Top management shall review the organization's BCMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness
  – Typically, the BCMS is briefed at least once annually to the Board of Directors or the Board's Audit Committee
Slide 31. ISO 22301, Clause 10: Improvement
• 10.1: Nonconformity
  – Identify and react
  – Evaluate the need for action
  – Implement actions
  – Make changes to the BCMS if needed
• 10.2: Continual Improvement
  – The organization shall continually improve the suitability, adequacy, or effectiveness of the BCMS
Slide 34. Hurricane Sandy Timeline: October – November 2012
October 24th: First warnings are issued
October 29th: Storm makes landfall in New Jersey
October 30th: Storm fades away

Slide 37. Crisis Management as a Competitive Advantage
Source: 2012 Hurricane Sandy RILA Survey
[Chart: percentage (0% to 100%) by day, 10/29 through 11/3, with one series per retailer as labelled in the legend: Target (195), Sears/K-Mart (236), Macy's (200), Walmart (294), Best Buy (125); the plotted values are not recoverable from the extracted text]

Slide 38. Reputation Impact of a Crisis: Hurricane Sandy – 2012
[News clipping: International Business Times – 11/3]
Slide 39. Business Continuity and Emergency Management: Global Standards
Business Continuity
• ISO 22301 (formerly BS 25999)
• NFPA 1600
• ASIS Business Continuity Management Standard
• ASIS SPC.1: Organizational Resilience
US Government
• Federal Continuity Directives (FCD 1 / FCD 2)
• Continuity Guidance Circulars (CGC 1 / CGC 2)
Slide 40. Business Continuity and Emergency Management: Professional Certifications
Business Continuity
• Disaster Recovery Institute International
  – Associate Business Continuity Professional (ABCP)
  – Certified Business Continuity Professional (CBCP)
  – Master Business Continuity Professional (MBCP)
• Business Continuity Institute
  – Member, Business Continuity Institute (MBCI)
  – Fellow, Business Continuity Institute (FBCI)
• Business Continuity Management Institute (Singapore)
  – Multiple certifications
Emergency Management
• International Association of Emergency Managers
  – Associate Emergency Manager (AEM)
  – Certified Emergency Manager (CEM)
Slide 41. Bryghtpath LLC: Contact Information
Contact Bryan: Bryan Strawser, Principal Consultant & CEO
Phone: +1-612-235-6435
E-Mail: [email protected]
Twitter: @bryanstrawser
Learn more about Bryghtpath LLC
Website: www.bryghtpath.com
Twitter: @bryghtpath
Facebook: /bryghtpathllc

Our Consulting Services Include:
• Business Continuity
• Crisis/Emergency Management
• Enterprise Risk Management
• Exercise Design & Facilitation
• Global Intelligence & Security
• ISO Training & Certification
• Project & Program Management
• Travel Risk & Security