Silensec, 27 January 2011

Managing Business Continuity with BS25999 – Beyond Technologies
Dr. Almerindo Graziano, CEO, Silensec (al@silensec.com)
© 2011
About Silensec
• IT Governance
  – Approved BSI Associate Consultants
• Penetration Testing
• Security Training
• E-fraud and Cybercrime Services
• Computer Forensics Services
Offices
• Sheffield (UK)
• Bucharest (Romania)
• Nairobi (Kenya)
Business Continuity
Strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.
BCM and Incident Management
BCM is NOT Disaster Recovery
• Disaster Recovery is an integral part of a Business Continuity plan
  – a REACTIVE process focused on restoring the organization to business as usual after a disaster occurs
• Business Continuity is PROACTIVE
  – its focus is to avoid or mitigate the impact of a risk before it becomes a disruption
BCMS
• A Business Continuity Management System (BCMS) is the set of processes, people and controls aimed at guaranteeing the continuity of a business in case of a disaster.
BS25999-2
• Business continuity management – Part 2: Specification (Nov 2007)
• Specifies requirements for:
  – planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining and improving a documented BCMS within the context of managing an organization's overall business risks
• It can be used for assessment and certification.
BS25999-1
• Business continuity management – Part 1: Code of practice (Dec 2006)
• Provides guidance on the implementation of the standard
• It cannot be used for assessment and certification.
BS25999-2 management clauses
3 Planning the business continuity management system
4 Implementing and operating the BCMS
5 Monitoring and reviewing the BCMS
6 Maintaining and improving the BCMS
BS25999-2 Implementation: Clause 3, Planning the business continuity management system
3.1 General
3.2 Establishing and managing the BCMS
  3.2.1 Scope and objectives of the BCMS
  3.2.2 BCM policy
  3.2.3 Provision of resources
  3.2.4 Competency of BCM personnel
3.3 Embedding BCM in the organization's culture
3.4 BCMS documentation and records
  3.4.1 General
  3.4.2 Control of BCMS records
  3.4.3 Control of BCMS documentation
BS25999-2 Implementation: Clause 4, Implementing and operating the BCMS
4.1 Understanding the organization
  4.1.1 Business impact analysis
  4.1.2 Risk assessment
  4.1.3 Determining choices
4.2 Determining business continuity strategy
4.3 Developing and implementing a BCM response
  4.3.1 General
  4.3.2 Incident response structure
  4.3.3 Business continuity plans and incident management plans
4.4 Exercising, maintaining and reviewing BCM arrangements
  4.4.1 General
  4.4.2 BCM exercising
  4.4.3 Maintaining and reviewing BCM arrangements
4.1 Understanding the Organization

Step                                   | Questions answered                                                      | Output
Identify stakeholders                  | Whom do we want to satisfy? What are they interested in?                | Stakeholders and their interests
Identify key products and services     | What are the required activities, assets and resources?                 | Key products and services
4.1.1 Business Impact Analysis (BIA)   | What is the impact of disruption to those activities? What are the critical activities? | Critical activities
4.1.2 Risk Assessment                  | What are the risks to those activities (especially to the critical ones)? | Risks to critical activities
4.1.3 Determine Choices                | What are the chosen risk treatments?                                    | Risk treatment decisions
BS25999-2 Implementation: Clause 5, Monitoring and reviewing the BCMS
5.1 Internal audit
5.2 Management review of the BCMS
  5.2.1 General
  5.2.2 Review input
  5.2.3 Review output
BS25999-2 Implementation: Clause 6, Maintaining and improving the BCMS
6.1 Preventive and corrective actions
  6.1.1 General
  6.1.2 Preventive action
  6.1.3 Corrective action
6.2 Continual improvement
BCM Documentation (BS25999-2 Clause 3.4.1)
• Scope and objectives of the BCMS and procedures
• BCM policy
• Provision of resources
• Competency of BCM personnel and associated training records
• Business impact analysis
• Risk assessment
• Business continuity strategy
• Incident response structure
• Business continuity plans and incident management plans
• BCM exercising
• Maintenance and review of BCM arrangements
• Internal audit
• Management review of the BCMS
• Preventive and corrective actions
• Continual improvement
ISO/IEC 27001:2005 controls for BCP
• Annex A – Control Objective A.14
  – Business Continuity Management Process
  – Business Continuity and Risk Assessment
  – Developing and Implementing Continuity Plans
  – Business Continuity Planning Framework
  – Testing, Maintaining and Reassessing Business Continuity Plans
• ISO/IEC 27031, Information technology - Security techniques - Guidelines for information and communications technology readiness for business continuity (FDIS – Final Draft International Standard at the time of this presentation)
Benefits of BS25999 Certification
• Most highly recognized BCM standard
  – Competitive advantage, image, improved client confidence
• Ensures effective and efficient use of business continuity technologies
• Compliance with legal, regulatory and contractual requirements
BS/ISO Guidelines
• BS 25777:2008, Information and communications technology continuity management - Code of practice ($)
• BS ISO/IEC 24762:2008, Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services ($)
• ISO/PAS 22399:2007, Guideline for incident preparedness and operational continuity management ($)
BCM Related Standards and Guidelines (1)
• Standards Australia / Standards New Zealand
  – AS/NZS 5050: Business Continuity - Managing disruption-related risk (Jun 2010) ($)
  – HB 221:2004, Business Continuity Management Handbook ($)
    • Part One: What is Business Continuity Management
    • Part Two: The BCM Manual
  – HB 292-2006, A practitioner's guide to business continuity management
  – HB 293-2006, Executive guide to business continuity management
BCM Related Standards and Guidelines (2)
• North America
  – National Fire Protection Association (NFPA) 1600:2007, Standard on Disaster/Emergency Management and Business Continuity Programs
  – American Society for Industrial Security, ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity Management Systems
• Singapore
  – SS540:2008, Singapore Standard for Business continuity management (BCM) ($)
