How to better understand the context and the scope of the BCMS?

1
ATENÇÃO: O conteúdo desta apresentação é CONFIDENCIAL. Nada poderá ser divulgado por qualquer
forma ou meio, em qualquer tempo, sem a prévia autorização por escrito da STROHL Brasil.
Data Processing and Business
Continuity in 2040
February15th,2016
TO BE UPDATED BY PECB

2
Sidney R. Modenesi
Forum Leader
Sidney R. Modenesi is forum leader at Business Continuity Institute, also he
is PECB partner and trainer. Mr. Modenesi has more than 30 years’
experience in Business Continuity and a strong background in ICT.
Contact Information
+55 11 5583-0033
sidney_modenesi@strohlbrasil.com.br
www.strohlbrasil.com.br
https://br.linkedin.com/in/sidneymodenesi
mbci
https://twitter.com/Sidney_STROHL
https://www.facebook.com/strohlbrasil/

3
Agenda
In today´s webinar we will talk
about the challenges in “How to
Better Understand the Context
and the Scope of the BCMS” in
accordance with ISO 22301.
And also we will talk about:
 disruptive scenarios that may
impact key products, services
and processes;
 the needs and expectations of
interested parties;
 and the scope of the BCMS.
3

4
What is Business Continuity Management?
holistic management process that identifies
potential threats to an organization and the impacts
to business operations those threats, if realized,
might cause, and which provides a framework for
building organizational resilience with the capability
of an effective response that safeguards the
interests of its key stakeholders, reputation, brand
and value-creating activities.
(ISO 22301:2012 - Societal security – Business continuity
management systems – Requirements item 3.4)
4

5
Holistic
Dictionaries definitions:
• Cambridge Dictionary: dealing with
or treating the whole of something or someone and
not just a part
• Merriam-Webster: relating to or concerned with
complete systems rather than with individual parts
• Oxford Dictionaries: Characterized by the belief that
the parts of something are intimately interconnected
and explicable only by reference to the whole
In other words, to implement a BCMS we have to
analyze, initially, the entire organization.
5

6
High level topology of an organization
6
Call Center
Customers Main building
Products, services & processes
Data Center
Supply chain
Cloud

7
Macro disruptive scenarios
• Facilities: building seriously damaged or non
accessible …;
• People: pandemics, strike, riots, natural or man
made disaster …;
• ICT outage: severe failure in an ICT component,
Data Center outage or damage …;
• Information Security: network compromised,
virus, hacker, ransomware …;
• Supply Chain: outage, by any reason, of a key
vendor or supplier
7

8
8
Main building
Data CenterCustomers
Supply chain
Building N
Products, services
& processes

9
Macro disruptive scenarios
• Facilities: building seriously damaged or non
accessible …;
• People: pandemics, strike, riots, natural or man
made disaster …;
• ICT outage: severe failure in an ICT component,
Data Center outage or damage …;
• Information Security: network compromised,
virus, hacker, ransomware …;
• Supply Chain: outage, by any reason, of a key
vendor or supplier
9

10
Disruptive scenarios x impacts
Location Facilities People ICT IS Supply
Main
building
Products,
services &
processes?
Low Medium Very high Very high Low
Building #1
Products,
services &
processes?
Medium Medium Very high High Medium
...
Building #N
Products,
services &
processes?
Low Low Low Low Low
10
Potential candidate to be out of the BCMS scope

11
Useful supporting information
• Organizational chart, split by location
• Company portal: products or services offered
• Financial reports: revenues or profits per product
or service, split by location, if possible
• Strategic planning for the next x years
• Interviews with the MIS, compliance, strategic
planning, audit, legal, risk … departments
• Or a more holistic approach ...
A (Strategic) BIA
11

12
Key products, services, processes ...
4.1 Understanding of the organization and its
context
a) the organization’s activities, functions, services,
products, partnerships, supply chains, relationships with
interested parties, and the potential impact related to a
disruptive incident
Strategic BIA: To identify and prioritize the
organizations products and services, and understand
the organizations recovery timescales and disruption
tolerance levels.
(THE BUSINESS CONTINUITY INSTITUTE - GOOD PRACTICE
GUIDELINES 2013 - GLOBAL VERSION)
12

13
Strategic BIA findings
(very simple chart)
Site 1 Site 2 Site 3 Site 4 Site N
Strategic BIA Findings
Regulatory Operational Financial
13

14
4.1 Understanding of the organization and its context
• After the Strategic BIA we will have identified, in a
high level – strategic - view, the organization´s key
products, services, stakeholders, supply chain,
regulations and other regulatory requirements etc.
• Filter products and services findings with the
organization´s risk appetite (these will be the MTPD
and impacts findings in the Strategic BIA) per
location – disruptive incident scenarios;
• Review the key products, services with the
organization´s strategic planning, which ones will
increase, which ones will decrease …
14

15
4.2 Understanding the needs and expectations of interested parties
When establishing its BCMS, the organization shall
determine
a) the interested parties that are relevant to the BCMS, and
b) the requirements of these interested parties (i.e. their needs
and expectations whether stated, generally implied or
obligatory).
• 4.2.2 Legal and regulatory requirements
The organization shall establish, implement and maintain a
procedure(s) to identify, have access to, and assess the applicable
legal and regulatory requirements to which the organization
subscribes related to the continuity of its operations, products and
services, as well as the interests of relevant interested parties.
15

16
Understanding the organization
Strategic BIA
findings:
MTPD, MBCO,
Impacts,
Dependencies
…
Requirements
and
expectations of
the interest
parties
16

17
4.3 Determining the scope of the BCMS
4.3.2 Scope of the BCMS
The organization shall
a) establish the parts of the organization to be included in the
BCMS,
b) establish BCMS requirements, considering the
organization’s mission, goals, internal and external obligations
(including those related to interested parties), and legal and
regulatory responsibilities,
c) identify products and services and all related activities
within the scope of the BCMS,
d) take into account interested parties’ needs and interests,
such as customers, investors, shareholders, the supply chain,
public and/or community input and needs, expectations and
interests (as appropriate), and
e) define the scope of the BCMS in terms of and appropriate
to the size, nature and complexity of the organization.
17

18
4.3 Determining the scope of the BCMS
When defining the scope, the
organization shall document
and explain exclusions; any
such exclusions shall not
affect the organization’s ability
and responsibility to provide
continuity of business and
operations that meet the
BCMS requirements, as
determined by business
impact analysis or risk
assessment and applicable
legal or regulatory
requirements.
18

19
19
Main building
Data CenterCustomers
Supply chain
Building N
Products, services
& processes

20
Closing
If you are:
• Seeking a ISO 22301 certification for your
organization or
• Defining deterministically the scope of the BCMS or
• Phasing the BCMS implementation by a priority
criteria or …
A holistic understanding of the
organization is vital
20

ISO 22301 Training Courses
 ISO 22301 Introduction
1 Day Course
 ISO 22301 Foundation
2 Days Course
 ISO 22301 Lead Implementer
5 Days Course
 ISO 22301 Lead Auditor
5 Days Course
Exam and certification fees are included in the training price.
https://pecb.com/iso-22301-training-courses| www.pecb.com/events

22
THANK YOU
?
+55 11 5583-0033
https://br.linkedin.com/in/sidneymodenesimbc
https://twitter.com/Sidney_STROHL
https://www.facebook.com/strohlbrasil/

How to better understand the context and the scope of the BCMS?

Recomendados

Recomendados

Mais conteúdo relacionado

Destaque

Destaque (11)

Semelhante a How to better understand the context and the scope of the BCMS?

Semelhante a How to better understand the context and the scope of the BCMS? (20)

Mais de PECB

Mais de PECB (20)

Último

Último (20)

How to better understand the context and the scope of the BCMS?