27ian2011   silensec
Transcript

  • 1. Managing Business Continuity with BS25999 – Beyond Technologies. Dr. Almerindo Graziano, CEO, Silensec, al@silensec.com © 2011
  • 2. About Silensec
      • IT Governance – Approved BSI Associate Consultants
      • Penetration Testing
      • Security Training
      • E-fraud and Cybercrime Services
      • Computer Forensics Services
  • 3. Offices: Sheffield (UK), Bucharest (Romania), Nairobi (Kenya)
  • 4. Business Continuity: the strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level
  • 5. BCM and Incident Management (diagram slide; only the title survives in the transcript)
  • 6. BCM is NOT Disaster Recovery
      • Disaster Recovery is an integral part of a Business Continuity plan – a REACTIVE process focused on restoring the organization to business as usual after a disaster occurs
      • Business Continuity is PROACTIVE – its focus is to avoid or mitigate the impact of a risk
  • 7. BCMS
      • A Business Continuity Management System (BCMS) is the set of processes, people and controls aimed at guaranteeing the continuity of a business in case of a disaster
  • 8. BS25999-2
      • Business continuity management – Part 2: Specification (Nov 2007)
      • Specifies requirements for:
        – planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining and improving a documented BCMS within the context of managing an organization's overall business risks
      • It can be used for assessment and certification
  • 9. BS25999-1
      • Business continuity management – Part 1: Code of practice (Dec 2006)
      • Provides guidance on the implementation of the standard
      • It cannot be used for assessment and certification
  • 10. BS25999-2 management clauses
      3 Planning the business continuity management system
      4 Implementing and operating the BCMS
      5 Monitoring and reviewing the BCMS
      6 Maintaining and improving the BCMS
  • 11. BS25999-2 Implementation – Clause 3: Planning the business continuity management system
      3.1 General
      3.2 Establishing and managing the BCMS
        3.2.1 Scope and objectives of the BCMS
        3.2.2 BCM policy
        3.2.3 Provision of resources
        3.2.4 Competency of BCM personnel
      3.3 Embedding BCM in the organization's culture
      3.4 BCMS documentation and records
        3.4.1 General
        3.4.2 Control of BCMS records
        3.4.3 Control of BCMS documentation
  • 12. BS25999-2 Implementation – Clause 4: Implementing and operating the BCMS
      4.1 Understanding the organization
        4.1.1 Business impact analysis
        4.1.2 Risk assessment
        4.1.3 Determining choices
      4.2 Determining business continuity strategy
      4.3 Developing and implementing a BCM response
        4.3.1 General
        4.3.2 Incident response structure
        4.3.3 Business continuity plans and incident management plans
      4.4 Exercising, maintaining and reviewing BCM arrangements
        4.4.1 General
        4.4.2 BCM exercising
        4.4.3 Maintaining and reviewing BCM arrangements
  • 13. 4.1 Understanding the Organization (step – output, i.e. the question each step answers)
      – Identify Stakeholders: Whom do we want to satisfy? What are they interested in?
      – Identify Key Products & Services: What are the required activities, assets and resources?
      – 4.1.1 Business Impact Analysis (BIA): What is the impact of disruption to those activities? What are the critical activities?
      – 4.1.2 Risk Assessment: What are the risks to those activities (especially to the critical ones)?
      – 4.1.3 Determine Choices: What are the chosen risk treatments?
  • 14. BS25999-2 Implementation – Clause 5: Monitoring and reviewing the BCMS
      5.1 Internal audit
      5.2 Management review of the BCMS
        5.2.1 General
        5.2.2 Review input
        5.2.3 Review output
  • 15. BS25999-2 Implementation – Clause 6: Maintaining and improving the BCMS
      6.1 Preventive and corrective actions
        6.1.1 General
        6.1.2 Preventive action
        6.1.3 Corrective action
      6.2 Continual improvement
  • 16. BCM Documentation (BS25999-2 Clause 3.4.1)
      – Scope and objectives of the BCMS and procedures
      – BCM policy
      – Provision of resources
      – Competency of BCM personnel and associated training records
      – Business impact analysis
      – Risk assessment
      – Business continuity strategy
      – Incident response structure
      – Business continuity plans and incident management plans
      – BCM exercising
      – Maintenance and review of BCM arrangements
      – Internal audit
      – Management review of the BCMS
      – Preventive and corrective actions
      – Continual improvement
  • 17. ISO/IEC 27001:2005 controls for BCP
      • Annex A – Control Objective A.14 – Business Continuity Management
        – Business Continuity Management Process
        – Business Continuity and Risk Assessment
        – Developing and Implementing Continuity Plans
        – Business Continuity Planning Framework
        – Testing, Maintaining and Reassessing Business Continuity Plans
      • ISO/IEC 27031 Information technology – Security techniques – Guidelines for information and communications technology readiness for business continuity (FDIS – Final Draft International Standard)
  • 18. Benefits of BS25999 Certification
      • Most highly recognized BCM standard – competitive advantage, image, improved client confidence
      • Ensures effective and efficient use of business continuity technologies
      • Compliance with legal, regulatory and contractual requirements
  • 19. BS/ISO Guidelines
      • BS 25777:2008, Information and communications technology continuity management – Code of practice ($)
      • BS ISO/IEC 24762:2008, Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services ($)
      • ISO/PAS 22399:2007, Guideline for incident preparedness and operational continuity management ($)
  • 20. BCM Related Standards and Guidelines (1)
      • Standards Australia / Standards New Zealand
        – AS/NZS 5050: Business Continuity – Managing disruption-related risk (Jun 2010) ($)
        – HB 221:2004 – Business Continuity Management Handbook ($)
          • Part One: What is Business Continuity Management
          • Part Two: The BCM Manual
        – HB 292-2006 – A practitioner's guide to business continuity management
        – HB 293-2006 – Executive guide to business continuity management
  • 21. BCM Related Standards and Guidelines (2)
      • North America
        – National Fire Protection Association (NFPA) 1600:2007, Standard on Disaster/Emergency Management and Business Continuity Programs
        – American Society for Industrial Security (ASIS) SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity Management Systems
      • Singapore
        – SS540:2008 – Singapore Standard for Business continuity management (BCM) ($)