ISO 22301 Business Continuity Management

1. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems Ramiro Cid | @ramirocid ISO 22301 Societal Security - Business Continuity Management Systems

2. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 2 Index 1. Introduction Page 3 2. Comparison between ISO 22301 and BS 25999-2 Page 4 3. Basic terms used in the standard Page 6 4. Content of ISO 22301 Page 7 5. ISO 22301 explained Page 8 6. Mandatory documentation Page 12 7. Related standards Page 13 8. Societal security context Page 14 9. Projects under development Page 15 10. Benefits of ISO 22301 business continuity management Page 16

3. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 3 Introduction The full name of this standard is: “ISO 22301 Societal security - Business continuity management systems - Requirements” This standard was created by leading experts on this area to provide the best framework for business continuity management in an organization. Object: ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise. Scope: The requirements specified in ISO 22301:2012 are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity. Who can implement this standard? Any organization, large or small, with or nonprofit, private or public. The standard is conceived in such a way that it is applicable to any size or type of organization.

4. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 4 Comparison between ISO 22301 and BS 25999-2 The ISO 22301 has replaced 25999-2. These two standards are quite similar, but the ISO 22301 can be considered as an update of the BS 25999-2 ISO 22301 BS 25999-2 Complete name ISO 22301:2012 Societal security - Business continuity management systems - Requirements BS 25999-2 Business Continuity Management - Part 2: Specification Published by International Organization for Standardization British Standards Institution Published date 15/05/2012 20/11/2007 Total number of pages 24 28 Official recogment Internationally accepted by standards institutes on 163 countries Accepted only in United Kingdom only, but implemented worldwide

5. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 5 ISO 22301 is not that different from BS 25999-2 in most business continuity areas like business impact analysis, strategy or planning; the biggest changes are in the management part of the standard. ISO 22301 places much greater emphasis on understanding requirements, setting objectives and measuring performance. Therefore, it will be more easily accepted by top management, which in turn will contribute to the widespread adoption of this standard like ISO 27001, ISO 9001 or ISO 14001. Comparison between ISO 22301 and BS 25999-2 (continuation)

6. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 6 Basic terms used in the standard Business Continuity Management System (BCMS) – part of an overall management system that takes care business continuity is planned, implemented, maintained, and continually improved Maximum Acceptable Outage (MAO) – the maximum amount of time an activity can be disrupted without incurring unacceptable damage (also Maximum Tolerable Period of Disruption – MTPD) Recovery Time Objective (RTO) – the pre-determined time at which an activity must be resumed, or resources must be recovered Recovery Point Objective (RPO) – maximum data loss, i.e., minimum amount of data that needs to be restored Minimum Business Continuity Objective (MBCO) – the minimum level of services or products an organization needs to produce after resuming its business operations

7. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 7 Content of ISO 22301 Introduction 5 Leadership 8 Operation 0.1 General 5.1 General 8.1 Operational planning and control 0.2 The Plan-Do-Check-Act (PDCA) model 5.2 Management commitment 8.2 Business impact analysis and risk assessment 0.3 Components of PDCA in this International Standard 5.3 Policy 8.3 Business continuity strategy 1 Scope 5.4 Organizational roles, responsibilities and authorities 8.4 Establish and implement business continuity procedures 2 Normative references 6 Planning 8.5 Exercising and testing 3 Terms and definitions 6.1 Actions to address risks and opportunities 9 Performance evaluation 4 Context of the organization 6.2 Business continuity objectives and plans to achieve them 9.1 Monitoring, measurement, analysis and evaluation 4.1 Understanding of the organization and its context 7 Support 9.2 Internal audit 4.2 Understanding the needs and expectations of interested parties 7.1 Resources 9.3 Management review 4.3 Determining the scope of the management system 7.2 Competence 10 Improvement 4.4 Business continuity management system 7.3 Awareness 10.1 Nonconformity and corrective action 7.4 Communication 10.2 Continual improvement 7.5 Documented information Bibliography

8. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 8 ISO 22301 explained ISO 22301 is the second published management systems standard that has adopted the new high- level structure and standardized text agreed in ISO. This will ensure consistency with all future and revised management system standards and make integrated use easier with, for example, ISO 9001 (quality), ISO 14001 (environmental) and ISO/IEC 27001 (information security). The standard is divided into 10 main clauses, starting with scope, normative references, and terms and definitions. Following these are the standard’s requirements.

9. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 9 ISO 22301 explained Clause 4 – Context of the organization The first step involves getting to know the organization, both internal and external needs, and setting clear boundaries for the scope of the management system. In particular, this requires the organization to understand the requirements of relevant interested parties, such as regulators, customers and staff. It must in particular understand the applicable legal and regulatory requirements. This enables it to determine the scope of the business continuity management system (BCMS). Clause 5 – Leadership ISO 22301 places particular emphasis on the need for appropriate leadership of BCM. This is so that top management ensures appropriate resources are provided, establishes policy and appoints people to implement and maintain the BCMS. Clause 6 – Planning This requires the organization to identify risks to the implementation of the management system and set clear objectives and criteria that can be used to measure its success.

10. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 10 ISO 22301 explained Clause 7 – Support Since resources are required for implementation, Clause 7 introduces the important concept of competence. For business continuity to be successful, people with appropriate knowledge, skills and experience must be in place to both contribute to the BCMS and respond to incidents when they occur. It is also important that all staff are aware of their own role in responding to incidents and this clause deals with all of these areas. The need for communication about the BCMS – for instance in telling customers that the organization has appropriate BCM in place – and preparedness to communicate following an incident (when normal channels may be disrupted) is also covered here. Clause 8 – Operations This section contains the main body of business continuity-specific expertise. The organization must undertake business impact analysis to understand how its business is affected by disruption and how this changes over time. Risk assessment seeks to understand the risks to the business in a structured way and these inform the development of business continuity strategy. Steps to avoid or reduce the likelihood of incidents are developed alongside steps to be taken when incidents occur. As it is impossible to completely predict and prevent all incidents, the approach of balancing risk reduction and planning for all eventualities is complementary. It might be said, “hope for the best and plan for the worst”.

11. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 11 ISO 22301 explained Clause 9 – Evaluation For any management system, it is essential to evaluate performance against plan. ISO 22301 therefore requires that the organization select and measure itself against appropriate performance metrics. Internal audits must be conducted and there is a requirement that management review the BCMS and act on these reviews. Clause 10 – Improvement No management system is perfect at the outset, and organizations and their environments are constantly changing. Clause 10 defines actions to take to improve the BCMS over time and ensure that corrective actions arising from audits, reviews, exercises and so on are addressed.

12. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 12 Mandatory documentation If an organization wants to implement this standard, the following documentation is mandatory: List of applicable legal, regulatory and other requirements Scope of the BCMS Business Continuity Policy Business continuity objectives Evidence of personnel competences Records of communication with interested parties Business impact analysis Risk assessment, including risk appetite Incident response structure Business continuity plans Recovery procedures Results of preventive actions Results of monitoring and measurement Results of internal audit Results of management review Results of corrective actions

13. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 13 Related standards Other standards that are helpful in implementation of business continuity are: ISO/IEC 27031 – Guidelines for information and communication technology readiness for business continuity PAS 200 – Crisis management – Guidance and good practice PD 25666 – Guidance on exercising and testing for continuity and contingency programs PD 25111 – Guidance on human aspects of business continuity ISO/IEC 24762 – Guidelines for information and communications technology disaster recovery services ISO/PAS 22399 – Guideline for incident preparedness and operational continuity management ISO/IEC 27001 – Information security management systems – Requirements

14. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 14 Societal security context ISO 22301 has been developed by ISO/TC 223, Societal security The committee has previously published the following standards and other documents: ISO 22300:2012, Societal security – Terminology ISO 22320:2011, Societal security – Emergency management – Requirements for incident response ISO/TR 22312:2011, Societal security – Technological capabilities ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management

15. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 15 Projects under development ISO 22311, Societal security – Video-surveillance – Export interoperability ISO 22313, Societal security – Business continuity management systems – Guidance ISO 22315, Societal security – Mass evacuation ISO 22322, Societal security – Emergency management – Public warning ISO 22323, Organizational resilience management systems – Requirements with guidance for use ISO 22325, Societal security – Guidelines for emergency capability assessment for organizations ISO 22351, Societal security – Emergency management – Shared situation awareness ISO 22397, Societal security – Public Private Partnership – Guidelines to set up partnership agreements ISO 22398, Societal security – Guidelines for exercises and testing ISO 22324, Societal security – Emergency management – Colour-coded alert

16. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems 16 Benefits of ISO 22301 business continuity management What are the benefits of ISO 22301 business continuity management? Identify and manage current and future threats to your business Take a proactive approach to minimizing the impact of incidents Keep critical functions up and running during times of crises Minimize downtime during incidents and improve recovery time Demonstrate resilience to customers, suppliers and for tender requests

17. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid ISO 22301 Societal security - Business continuity management systems Questions? Many thanks! ramiro@ramirocid.com @ramirocid http://www.linkedin.com/in/ramirocid http://ramirocid.com http://es.slideshare.net/RamiroCid http://www.youtube.com/user/cidramiro Ramiro Cid CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL

ISO 22301 Business Continuity Management

You are reading a preview.

Check these out next

ISO 22301 Business Continuity Management

More Related Content

Slideshows for you (20)

Viewers also liked (20)

Similar to ISO 22301 Business Continuity Management (20)

More from Ramiro Cid (20)

Recently uploaded (20)