Societal Security – the new standard ISO 22301 for Business Continuity Management

Luigi BRUSAMOLINO

CISM, CRISC – Managing Director Southern Europe BSI

Published in: Education, Business, Technology
  • Good morning/afternoon, my name is Suzanne Fribbins, and I am BSI’s EMEA Product Marketing Manager for the Risk Portfolio. 29/08/12
  • So what is business continuity? “Business continuity is the capability of an organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.” The plan is called a business continuity plan.
  • The business case for BCM – 81 per cent of managers whose organisations activated their Business Continuity Management (BCM) arrangements in the last 12 months agree that it effectively reduced disruption. The same number agree that the cost of developing BCM is justified by the benefits it brings their organisation. Adoption of BCM – adoption of BCM continues to rise, cementing a sharp increase in uptake over the past two years. Overall 61 per cent of managers report that their organisation has BCM in place, up from 58 per cent last year and 49 per cent in 2010.
  • Drivers of BCM – corporate governance remains the biggest external driver of BCM, with 42 per cent of managers highlighting it as a catalyst for their organisation implementing or changing BCM. Demand from existing or potential customers makes up the second biggest driver (37 per cent), followed by regulation/legislation (33 per cent). Disruptive events of 2011 – almost four in ten managers report that the BlackBerry outage in 2011 caused their organisation some disruption, while 55 per cent of managers say their organisation was affected by public sector strikes. The riots last summer caused disruption for 26 per cent of managers, with the worst of the disruption felt by managers in central and local government and the emergency services. Disruptive weather – 49 per cent of managers report that severe weather conditions caused disruption to their organisation over the last year, making it the leading cause of business disruption for the third year running.
  • ISO 22301 is the new international standard for business continuity management (BCM). Its official title is ISO 22301 Societal Security - Business continuity management system - Requirements. ISO 22301 is an ISO requirements standard, which effectively means we can audit to it. All core business continuity elements in BS 25999-2 are present in ISO 22301 too.
  • ISO 22301 provides the requirements for a business continuity management system (BCMS) and is based on global BCM best practice. BSI is one of the pioneers of the original BCM best practice standard, BS 25999-2 and this has now been superseded by ISO 22301. Since its introduction in 2007, BS 25999-2 has grown in acceptance worldwide. Unlike BS 25999-2, ISO 22301 is an international standard, which will see greater international acceptance. For those certified to or aligned with BS 25999-2, the additional requirements are not onerous.
  • ISO 22301 now comes under a wider societal security remit, acknowledging the important role that BCM has to play in protecting society and ensuring our ability to respond to incidents, emergencies and disasters.
  • In comparing ISO 22301 with BS 25999-2 you will see that it includes all the core requirements of 25999-2:
    • The ‘Plan Do Check Act’ cycle
    • Business continuity policy
    • Business impact analysis
    • Risk assessment and risk treatments
    • Exercising
    • Business continuity plans and strategy
    • Internal audit
    • Management review
    • Non conformity and corrective action
    • Improvement actions
  • Notable shifts in emphasis from BS 25999-2:2007:
    • First standard written in accordance with Guide 83
    • Change in the way an organization is defined
    • Clearer expectations on management
    • Preventive action has been replaced with “actions to address risks and opportunities” and features earlier
    • ISO 22301 puts a much greater emphasis on setting the objectives, monitoring performance and metrics – aligning BC to top management strategic thinking
  • 22301 requires more careful planning for and preparing the resources needed for ensuring business continuity
  • Communication elements are more demanding and a responsibility to the wider community is defined
  • BIA similar but with some changes to terminology
  • There is a stronger link to the organization's approach to risk
  • To reflect the Societal security approach some new terminology has been introduced, see ISO 22300
  • Even if organizations don’t intend to certify to these standards, they should strongly influence their BCM program. By adopting ISO 22301 organizations will benefit from global BCM best practice, regardless of whether they intend to certify or not. Standards provide a foundation and a common vocabulary for BCM best practices and processes. These standards represent the input and recommendations of hundreds of BC professionals and industry experts. Rather than reinvent the wheel, you can take advantage of years of expertise and the lessons learned from your peers.
  • Certification offers many advantages, including:
    • It challenges your BCM program and your organization to reach a higher level of maturity and preparedness. You will also find that through the certification process, opportunities for improvement will be identified, and this is one of the greatest benefits of having a third party audit: having a fresh set of eyes on your business. All of our client managers not only understand the Standards, they understand your industry, and can make informed observations.
    • Partners may demand it of you anyway.
    • It can allow you to meet the prequalification requirements for tenders, reducing the amount of time it takes to comply with external audits of your BCM program.
    • It can provide a competitive advantage, opening up new markets and helping you to win new business.
    • Finally, it signifies a base level of readiness and a commitment and seriousness about BCM.
  • An accredited certification can only be conducted by a certification body that is accredited with a recognised national body, e.g. UKAS. At present there are no certification bodies in the UK able to offer accredited certifications; however, BSI will be offering unaccredited certification until such a point as we are accredited to offer accredited certification to ISO 22301, and has already made arrangements to be first in line to be accredited by UKAS.

    1. Societal Security – the new standard ISO 22301 for Business Continuity Management. Luigi Brusamolino, Managing Director Southern EMEA - BSI. Copyright © 2012 BSI. All rights reserved.
    2. Who is BSI? – 10 fast facts: founded in 1901; no owners/shareholders, all profit reinvested into the business; global independent business services organization; standards, assessment, testing, certification, training, software; National Standards Body in the UK; #1 certification body in the UK and USA; >2,500 staff, >50% non-UK; 53 offices located around the world; 64,000 clients in 147 countries; £244.9m revenue in 2011.
    3. What is business continuity? • “Business continuity is the capability of an organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.” (ISO 22301 – Societal security – Terminology)
    4. Examples of disruptions • Extreme weather conditions • Loss of IT/Cyber Security • Loss of people • Supply chain disruption • Transport disruption • Loss of access to site. The dependency on offshore outsourcing, the use of just-in-time sourcing, and the reliance on global supply chains make businesses highly vulnerable.
    5. Organisations which are at risk • 72% of companies surveyed had experienced at least one disruption to their supply chain. • 83% had experienced disruption overall.
    6. Are organisations ready for the next crisis? 83% AGREE BCM is important/very important, yet…* • 61% of CEOs surveyed say they have BCM plans in place • 50% of organizations with BCM report that it includes plans for handling the media • 45% of organizations with BCM do not require any supply chain partners to have their own plans • 50% of organizations with BCM exercise their plans once a year. • Around 25% fail to exercise their plans on a regular basis. * BSI/BCI/Cabinet Office survey 2012 with Chartered Management Institute (CMI)
    7. 2012 BCM survey – key findings • The business case for BCM – 81 per cent of managers whose organisations activated their Business Continuity Management (BCM) arrangements in the last 12 months agree that it effectively reduced disruption. The same number agree that the benefits outweighed the cost. • Adoption of BCM – Overall 61 per cent of managers report that their organisation has BCM in place, up from 58 per cent last year and 49 per cent in 2010.
    8. 2012 BCM survey – key findings • Drivers – the three biggest external drivers of BCM were corporate governance (42%), demand from existing or potential customers (37%) and regulation (33%). • Disruptive events of 2011 – four in ten were affected by the BlackBerry outage in 2011, 55% of organisations by public sector strikes and 26% by the summer riots* • Disruptive weather – severe weather conditions caused disruption to 49% of organisations over the last year. * UK specific disruptive events of 2011
    9. International development of BCM standard: PAS 56 (2003), BS 25999 (2006), ISO 22301 (2012). • Started as a “PAS” (Publicly Available Specification) by BSI • Became British Standard BS 25999 in 2006 • New ISO 22301 (16 May 2012)
    10. Introducing ISO 22301 • ISO 22301 Societal Security - Business continuity management system - Requirements. • Management system standard • All core business continuity elements in BS 25999-2 are present in ISO 22301
    11. Societal Security – ISO 223xx family standard. The term Societal Security was first used by Barry Buzan in the book People, States and Fear: National Security Problems in International Relations (1991). ISO defines Societal Security as the challenge an organization, group of organizations or society may face before, during and after a disruptive event. The Societal Security ISO 223xx family of standards integrates a range of interconnected disciplines: asset protection, security, risk management, preparedness, crisis management, emergency management, business continuity management, recovery management and disaster management. In order to assure sustainability of operations and maintain resilience, competitiveness and performance, organizations must have an integrated framework and system to manage risks.
    12. B2S – Business to Society paradigm. The term Societal Security, and the importance of the economic, political and social environment in which an organization operates, re-define the business priorities and focus from traditional B2C and B2B models to a B2S (Business-to-Society) model in which the importance of interested parties (supply chain, governments, local authorities, citizens, ...) is critical to the success and sustainability of an organization.
    13. What is ISO 22301? • Provides the requirements for a business continuity management system (BCMS) • Based on global BCM best practice • Created in response to strong interest in the original British Standard BS 25999-2 and other regional standards • BS 25999-2 key source text in its development • For those certified to or aligned with BS 25999-2, the additional requirements are not onerous
    14. Societal Security and BCM? • ISO 22301 now comes under a wider societal security remit • This acknowledges the important role that BCM has to play in protecting society and ensuring our ability to respond to incidents, emergencies and disasters.
    15. Comparing ISO 22301 and BS 25999-2. Includes all core requirements: • The ‘Plan Do Check Act’ cycle • Business continuity policy • Business impact analysis • Risk assessment and risk treatments • Exercising • Business continuity plans and strategy • Internal audit • Management review • Non conformity and corrective action • Improvement actions [Figure: Plan-Do-Check-Act cycle diagram – Plan: Establish; Do: Implement and operate; Check: Monitor and review; Act: Maintain and improve]
    16. Key changes and aspects. Notable shifts in emphasis from BS 25999-2:2007: • First standard written in accordance with Guide 83 • Change in the way an organization is defined (extended enterprise) • Clearer expectations on management • Preventive action has been replaced with “actions to address risks and opportunities” and features earlier • ISO 22301 puts a much greater emphasis on setting the objectives, monitoring performance and metrics – aligning BC to top management strategic thinking
    17. Key changes and aspects • 22301 requires more careful planning for and preparing the resources needed for ensuring business continuity • Communication elements more demanding and there is a responsibility to the wider community defined • BIA similar but with some changes to terminology • There is a stronger link to the organization's approach to risk (integrated risk management) • To reflect the societal security approach some new terminology has been introduced, see ISO 22300
    18. BCM standard global adoption
    19. Multi-sector adoption
    20. Benefits of ISO 22301 • Allows organizations to benefit from global BCM best practice, regardless of whether they are planning to certify or not • Provides a foundation and a common vocabulary for BCM best practice and guidance • Consensus standards like ISO 22301 represent the input and recommendations of hundreds of BC professionals and industry experts • Saves you having to reinvent the wheel
    21. Benefits of certification • Certification offers many advantages, including: • It challenges your BCM programme and organization to reach a higher level of maturity and preparedness • Supply chain requirement • Prequalification for tenders • Provides a competitive advantage • Signifies a base level of readiness and a commitment and seriousness about BCM
    22. Questions?
    23. Contact us. Address: BSI, Via Fara 35, Milano 20124. Telephone: +39 02 6679091. Email: Marketing.italy@bsigroup.com. Links: www.bsigroup.it
