Many organizations have adopted the ISO 22301 standard for their business continuity management systems. Recently, ISO has released the new ISO 22317 Standard for Business Impact Analysis. In this webinar, learn about several different strategies to build an effective BIA that will help you advance your business continuity strategies.
The instructor for this webinar is Bryan Strawser, Founder and CEO of Bryghtpath LLC, a strategic advisory firm specializing in crisis management, business continuity, global risk, crisis communications, and public affairs.
Bryan Strawser
Principal Consultant & CEO
Bryan Strawser is Principal Consultant & CEO at Bryghtpath LLC and has more than 21 years of experience.
+1-612-235-6435
bryan.strawser@bryghtpath.com
www.bryghtpath.com
linkedin.com/in/bryanstrawser
twitter.com/bryanstrawser
ISO 22301:2012
Societal Security – Business Continuity Management Systems
• Formerly BS 25999
• Adopted globally in 2012
• Intersects with other ISO standards
  – Ex: ISO 27001
• Establish and maintain a Business Continuity Management System
• Accreditation
• Certification
  – Implementer / Lead
  – Auditor / Lead
ISO 22301 Content
Structure and Content of ISO 22301
• Scope
• Terms and definitions
• Organizational Context
• Leadership
• Planning
• Support
• Operation
• Performance Evaluation
• Improvement
ISO 22301: Clause 8
Operations
8.2: Business Impact Analysis (BIA) and Risk Assessment
• 8.2.2 Business Impact Analysis
  – Identifying activities that support the provision of products and services
  – Assessing the impacts over time of not performing these activities
  – Setting prioritized timeframes for resuming these activities
  – Identifying dependencies and supporting resources
• 8.2.3 Risk Assessment
  – Identify risks of disruption to the organization’s prioritized activities
  – Systematically analyze risk
  – Evaluate which disruption-related risks require treatment
  – Identify treatments commensurate with business continuity objectives and in accordance with the organization’s risk appetite
ISO 22317
The Basics
• Be the basis for continually improving the organization’s BIA
  – Ongoing review
  – Event-triggered activities
• Guide the organization in planning, conducting, and reporting on the BIA
• Assist the organization in its BIA in a manner consistently reflecting good practices
• Provide for proper coordination between the BIA and the overarching business continuity program (or BCMS)
ISO 22317
Looking at the BIA
• Financial
  – Lost profits, diminished market share, fines, penalties
• Reputational
  – Damage to the brand, negative public opinion
• Legal & Regulatory
  – Loss of license, litigation, increased operational costs
• Contractual
  – Breach of contract or service obligation
• Business Objectives
  – Failing to deliver on objectives, unable to take advantage of opportunities
ISO 22317
The “Outputs” of your BIA process
• Endorsing or modifying the overall scope of your BCMS
• Focusing on and identifying your governing obligations
• Setting timeframes and priorities for restoring the business following a disruptive incident
• Identifying and articulating the relationships between everything the business does
• Determining the people, facilities, and equipment needed to do what is necessary to get the business up and running
Example ISO 22317 BIA Process
Fortune 50 Global Retailer
Initial Analysis – Survey
• E-mailed survey using internal tool to mid-level managers
  – Organizational information, technology usage/dependencies, interconnectedness with other teams
  – Connectivity to corporate strategies, impact of disruption
  – Tolerance of downtime
• Analysis completed on data received through survey tool
• Impact information was used to create tiers for recovery – business and technology
Follow-on Analysis – In-person / small group meetings
• Small group discussions for validation of received data
• Approximately 30% of teams defined as “critical” were selected for follow-on analysis
Senior leadership validation
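The example process above (survey of managers, impact rated over time across the five impact categories, recovery tiers derived from the impact data, and a subset of "critical" teams selected for follow-on validation) can be reduced to a small scoring routine. The script below is an added illustration written for this page; it is not the speaker's tooling, the retailer's process, or any artefact of ISO 22317. The survey horizons, the 0–4 rating scale, the severity threshold, the tier boundaries, and the sample activities are all constructed assumptions. It goes one step beyond the slides in one respect: it propagates tiers along the dependencies that clause 8.2.2 asks you to identify, so a supporting resource is never scheduled to recover later than the most urgent activity that relies on it.

```python
"""Constructed BIA scoring example: survey impact ratings -> recovery tiers."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Survey horizons in hours: "what is the impact if this activity stops for
# this long?" (assumed survey design, not taken from the deck)
HORIZONS = (4, 24, 72, 168)

# Impact categories from the "Looking at the BIA" slide; each rated 0 (none) .. 4 (severe)
CATEGORIES = ("financial", "reputational", "legal_regulatory",
              "contractual", "business_objectives")

SEVERE = 3                                   # rating treated as intolerable (assumed threshold)
TIER_LIMITS = ((24, 1), (72, 2), (168, 3))   # tolerated hours below limit -> tier (assumed)
LOWEST_TIER = 4                              # tolerates more than a week, or never severe


@dataclass
class Activity:
    name: str
    team: str
    ratings: Dict[int, Dict[str, int]]       # horizon hours -> {category: rating}
    depends_on: List[str] = field(default_factory=list)


def survey(h4, h24, h72, h168):
    """Pack four per-horizon rating dicts into the ratings structure."""
    return dict(zip(HORIZONS, (h4, h24, h72, h168)))


def tolerance_hours(activity: Activity) -> Optional[int]:
    """Longest surveyed outage during which no category reaches SEVERE
    (a maximum tolerable period of disruption). None: never severe."""
    last_tolerated = 0
    for h in HORIZONS:
        worst = max((activity.ratings.get(h, {}).get(c, 0) for c in CATEGORIES), default=0)
        if worst >= SEVERE:
            return last_tolerated
        last_tolerated = h
    return None


def own_tier(activity: Activity) -> int:
    """Tier from the activity's own impact ratings only."""
    tol = tolerance_hours(activity)
    if tol is None:
        return LOWEST_TIER
    for limit, tier in TIER_LIMITS:
        if tol < limit:
            return tier
    return LOWEST_TIER


def assign_tiers(activities: List[Activity]) -> Dict[str, int]:
    """Own tier per activity, then pull every dependency up to the tier of the
    most urgent activity relying on it. Tiers only ever decrease, so the loop
    reaches a fixed point even if the dependency graph contains a cycle."""
    by_name = {a.name: a for a in activities}
    tiers = {a.name: own_tier(a) for a in activities}
    changed = True
    while changed:
        changed = False
        for a in activities:
            for dep in a.depends_on:
                if dep not in by_name:
                    raise KeyError(f"{a.name} depends on unsurveyed activity {dep!r}")
                if tiers[dep] > tiers[a.name]:
                    tiers[dep] = tiers[a.name]
                    changed = True
    return tiers


def recovery_sequence(activities: List[Activity]):
    """Prioritised restore order: tier first, then shortest own tolerance."""
    tiers = assign_tiers(activities)

    def key(a: Activity):
        tol = tolerance_hours(a)
        return (tiers[a.name], float("inf") if tol is None else tol, a.name)

    return [(a.name, tiers[a.name], tolerance_hours(a)) for a in sorted(activities, key=key)]


def critical_teams(activities: List[Activity]):
    """Teams owning at least one tier-1 activity: the pool from which
    follow-on small-group validation meetings would be drawn."""
    tiers = assign_tiers(activities)
    return {a.team for a in activities if tiers[a.name] == 1}


# Constructed sample survey data (not real organisations or ratings)
SAMPLE = [
    Activity("order_capture", "ecommerce",
             survey({"financial": 3, "reputational": 2}, {"financial": 4, "reputational": 3},
                    {"financial": 4, "reputational": 4}, {"financial": 4, "reputational": 4}),
             depends_on=["payment_gateway", "core_network"]),
    Activity("payment_gateway", "payments",
             survey({"financial": 2}, {"financial": 3, "contractual": 3},
                    {"financial": 4}, {"financial": 4})),
    Activity("core_network", "infrastructure",     # own rating says tier 2 ...
             survey({}, {"business_objectives": 2}, {"business_objectives": 3},
                    {"business_objectives": 4}),
             depends_on=["data_center_power"]),      # ... but order_capture needs it at tier 1
    Activity("data_center_power", "facilities",    # rated mild by its owner, inherits tier 1
             survey({}, {}, {}, {"business_objectives": 2})),
    Activity("quarterly_reporting", "finance",
             survey({}, {}, {"legal_regulatory": 2}, {"legal_regulatory": 2})),
]

if __name__ == "__main__":
    for name, tier, tol in recovery_sequence(SAMPLE):
        label = ">168" if tol is None else str(tol)
        print(f"tier {tier}  tolerates {label:>4}h  {name}")
    print("critical teams:", sorted(critical_teams(SAMPLE)))
```

Two design points are worth noticing. The survey data alone would put `core_network` in tier 2 and `data_center_power` in tier 4, which is exactly the kind of result a manager-by-manager survey produces; the dependency pass is what turns it into a coherent recovery sequence, and it is also why the in-person validation step in the deck concentrates on the critical teams, since those are where an inherited tier most often contradicts the owner's own rating.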