ISO’s Newest Standard – The BIA (ISO 22317)


This webinar was delivered in May 2015 by Brian Zawada, leader of the BCI USA chapter.

Introductions
• Brian Zawada, FBCI
• President, USA Chapter of the BCI
• Project Team Leader – ISO 22317
• Director of Consulting, Avalution Consulting
Agenda
• BCI Overview
• ISO 22317
• Background
• Relationship to ISO 22301
• Relationship to the BCI GPGs
• BIA Process Review and Outcomes
• Questions / Discussion
BCI Overview
• Founded in 1994, a member-owned, not-for-profit professional association of business continuity professionals
• A global membership and certifying organization for business continuity professionals
• Over 8,000 members in more than 120 countries working in an estimated 3,000 organizations in the public and private sectors
• We stand for excellence in the business continuity profession
• Our certified grades provide unequivocal assurance of technical and professional competency
BCI Overview – What are the BCI’s Objectives?
• Provide fundamental business continuity skills and specialized business continuity training to develop individual knowledge, skills, and capabilities.
• Provide members with access to peer-based networking opportunities, enabling them to share experiences and knowledge.
• Encourage members to maintain or enhance their professional capabilities throughout their careers by updating their knowledge and skills and maintaining a record of this progress via a Continuing Professional Development program.
• Exploit all learning technologies, including online training, virtual workshops, social media and distance learning, thereby providing access to products and services to all members.
BCI USA Chapter
• Founded in 2008, the USA arm of the BCI
• 900+ members and growing rapidly
• Our chapter’s strategic goal is to grow BCI membership in the USA by communicating and influencing the products and services offered by the BCI, and building new products/services to help USA members better achieve their professional objectives
USA Chapter Board Members:
• Brian Zawada (President)
• Stacy Gardner (VP)
• Eric Staffin (Treasurer)
• Paul Kirvan (Secretary)
• Rich Bogle
• Ted Brown
• John Jackson
• Kathleen Lucey
• Margaret Millett
• Ann Pickren
• Belinda Wilson
• Doug Weldon
• Ginnie Stouffer
Why the BCI?
1. Internationally Respected Certification
2. Professional Growth
3. Networking
4. Content
5. “Much More”
ISO 22317 – Business continuity management systems – Business impact analysis
Background
• In January 2014, ISO Technical Committee 223 (now 292) began the process of developing a new “technical specification” on the topic of Business Impact Analysis (BIA)
• The new technical specification is titled ISO 22317 and is designed to complement ISO 22301, but it can also be a “stand-alone” standard
• In March 2015, the ISO 22317 project team finalized the technical specification, which will be published in Q2 2015
Background – the ISO 223xx family
• 22301 – Requirements
• 22313 – Guidance
• 22317 – Technical Specification
ISO 22301 – BIA Content
The organization shall establish, implement and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services. The business impact analysis shall include the following:
a) identifying activities that support the provision of products and services;
b) assessing the impacts over time of not performing these activities;
c) setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and
d) identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.
ISO 22301 vs 22317 Content: 225 versus 8570
ISO 22317 Scope Statement
This Technical Specification provides guidance for an organization to establish, implement, and maintain a formal and documented business impact analysis (BIA) process. This Technical Specification does not prescribe a uniform process for performing a BIA, but will assist an organization to design a BIA process that is appropriate to its needs. This Technical Specification is applicable to all organizations regardless of type, size, and nature of the organization, whether in the private, public, or not-for-profit sectors. The guidance can be adapted to the needs, objectives, resources, and constraints of the organization.
ISO 22317 Table of Contents
• Scope
• Normative references
• Terms and definitions
• Prerequisites
• Performing the BIA
  – Product and service prioritization
  – Process prioritization
  – Activity prioritization
  – Analysis and consolidation
  – Obtain top management endorsement of results
  – After the BIA
• BIA Process Monitoring and Review
• Annex A – BIA Within 22301
• Annex B – Terminology Mapping
• Annex C – Information Collecting Methods
• Annex D – Other uses
GPG / ISO 22317 Cross-Walk (BCI GPG 2013 → ISO 22317)
• Initial BIA → Prerequisites (Clause 4)
• Strategic BIA → Product and Service Prioritization (Clause 5.3)
• Tactical BIA → Process Prioritization (Clause 5.4)
• Operational BIA → Activity Prioritization (Clause 5.5)
ISO 22317 Preview: BIA Definition
The BIA process analyzes the consequences of a disruptive incident on the organization. The outcome is a statement of justification of business continuity requirements.
Note: “business continuity requirements” has the same meaning as “continuity and recovery priorities, objectives, and targets”.
ISO 22317 Preview: BIA Outcomes
• Endorsement or modification of the organization’s BC program scope
• Identification of legal, regulatory, and contractual requirements (obligations) and their effect on business continuity requirements
• Evaluation of impacts on the organization over time, which serves as the justification for business continuity requirements (time and capability)
• Identification and confirmation of product/service delivery requirements following a disruptive incident, which then sets the prioritized timeframes for activities and resources
• Identification of, and establishment of, the relationships between products/services, processes, activities, and resources
• Determination of the resources needed to perform prioritized activities (e.g. facilities; people; equipment; information, communication and technology assets; supplies; and financing)
• Understanding of the dependencies on other activities, supply chains, partners, and other interested parties
• Determination of how up to date the information needs to be
ISO 22317: BIA Process (slide figure; no text content)
Prerequisites
Of the ISO 22301 management system processes and requirements, the ISO 22317 project team identified four necessary BIA process prerequisites:
– Context and Scope
– Roles
– Commitment
– Resources
BIA Value Proposition:
1. ensuring the appropriate and most cost-effective strategies are selected by determining the correct business continuity requirements;
2. providing evidence to management that business continuity requirements align with organizational objectives;
3. ensuring the organization meets its legal, contractual, and customer requirements during a disruptive incident;
4. identifying linkages between products and services and processes, activities, and resources
Product and Service Prioritization
• “Management should agree on the priority of products and services following a disruptive incident which may threaten the achievement of their objectives.”
• Outcomes:
  – Endorsement or modification of the organization’s BC program scope
  – Identification of legal, regulatory, and contractual requirements (obligations)
  – Evaluation of impacts over time as it relates to a failure to deliver products/services, which serves as the justification for business continuity requirements
  – Confirmation of product and service delivery requirements (that may include time, quality, quantity, service levels, and capability specifications) following a disruptive incident that then sets the priorities for activities and resources
  – Identification of processes (that deliver the products and services)
  – Nomination of lead personnel to assist in identifying which processes deliver products and services
  – Documentation of a list of prioritized products and services (grouped by timeframe or customer)
ISO 22317: Impact Category Examples (Impact Category – Examples of Impacts)
• Financial – Financial losses due to fines, penalties, lost profits, or diminished market share
• Reputational – Negative opinion or brand damage
• Legal and Regulatory – Litigation liability and withdrawal of license to trade
• Contractual – Breach of contracts or obligations between organizations
• Business Objectives – Failure to deliver on objectives or take advantage of opportunities
Process Prioritization
• “A process is a set of interrelated or interacting activities which transform inputs into outputs (ISO 22300); the priority is determined by the priority of the products and services which are its output.”
• Outcomes:
  – Identification of the relationship between products and services, processes, and activities
  – Identification of dependencies on other business processes
  – Evaluation of impacts over time of a process failure
  – Priorities of processes
  – Interdependency analysis of the processes that deliver products and services to customers
  – Interdependency analysis of the activities that deliver processes
  – Documented list of prioritized processes that deliver products and services
  – Initial documented list of activities that deliver processes
Activity Prioritization
• “Organizations should perform activity level prioritization to obtain a detailed understanding of day-to-day resource requirements, enabling the organization to identify the quantity and timing of resources necessary for recovery and to help confirm impact-related conclusions developed at the process level.”
• Resource-related information includes:
  – People/skills/roles
  – Facilities and equipment (including special tools, spare parts, and consumables)
  – Records
  – Financing
  – Information and communications technologies (including applications, data, telephony, and networks)
  – Supplies, supply chains, and partners
Activity Prioritization (continued)
• Outcomes:
  – Confirmation of impacts over time, which serves as justification for business continuity requirements (time and capability)
  – Resource needs to perform each prioritized activity
  – How up to date the information needs to be
  – Dependencies
  – Documented list of activities and their prioritized timeframes that support processes
  – Documented list of resources and their prioritized timeframes that enable activities
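As an added illustration (not from the webinar, the BCI, or the text of the standard), the chain described in the Product and Service, Process and Activity Prioritization slides can be modelled in a few lines: each product gets a prioritized timeframe from the point at which its impacts over time become unacceptable (item c of the ISO 22301 BIA content quoted above), and each process, activity and resource inherits the most urgent timeframe among the outputs it delivers, so that a shared resource such as an ERP system ends up with the timeframe of its most urgent activity. The organization, product and resource names, the 0-4 impact scoring and the threshold of 3 are constructed assumptions.

```python
# Constructed sample data for a hypothetical organization (not from the standard).
# Impact score 0-4 per category at each elapsed hour of non-delivery; a score of
# 3 or more is what this organization has decided to treat as "unacceptable".
UNACCEPTABLE = 3
TIMEPOINTS = [4, 24, 72, 168]  # hours since the disruptive incident
PRODUCT_IMPACTS = {
    "online ordering": {"financial": [1, 2, 3, 4], "reputational": [1, 3, 4, 4],
                        "contractual": [0, 1, 2, 3]},
    "monthly invoicing": {"financial": [0, 0, 1, 2], "legal_regulatory": [0, 0, 0, 3],
                          "contractual": [0, 0, 1, 3]},
}
# Dependency chain: product <- process <- activity <- resource (ISO 22317 clauses 5.3-5.5)
PROCESS_DELIVERS = {"order fulfilment": ["online ordering"], "billing": ["monthly invoicing"]}
ACTIVITY_DELIVERS = {"take orders": ["order fulfilment"], "pick and ship": ["order fulfilment"],
                     "raise invoices": ["billing"]}
RESOURCE_ENABLES = {"order web app": ["take orders"], "warehouse staff": ["pick and ship"],
                    "ERP system": ["take orders", "raise invoices", "pick and ship"]}

def unacceptable_after(impacts):
    """Earliest timepoint at which any impact category reaches the unacceptable
    level; None if that never happens within the analysed horizon."""
    for i, t in enumerate(TIMEPOINTS):
        if any(series[i] >= UNACCEPTABLE for series in impacts.values()):
            return t
    return None

def prioritized_timeframe(impacts):
    """Resumption target: the last timepoint before impacts become unacceptable
    (the first timepoint if they are already unacceptable there)."""
    limit = unacceptable_after(impacts)
    if limit is None:
        return TIMEPOINTS[-1]
    earlier = [t for t in TIMEPOINTS if t < limit]
    return earlier[-1] if earlier else TIMEPOINTS[0]

def inherit(output_frames, delivers):
    """Each element takes the most urgent timeframe among the outputs it delivers:
    'the priority is determined by the priority of ... its output'."""
    return {name: min(output_frames[o] for o in outs) for name, outs in delivers.items()}

def run_bia():
    """Product -> process -> activity -> resource prioritization in one pass."""
    products = {p: prioritized_timeframe(i) for p, i in PRODUCT_IMPACTS.items()}
    processes = inherit(products, PROCESS_DELIVERS)
    activities = inherit(processes, ACTIVITY_DELIVERS)
    resources = inherit(activities, RESOURCE_ENABLES)
    return products, processes, activities, resources
```

With the sample data, "online ordering" becomes unacceptable at 24 hours and so gets a 4-hour target, "monthly invoicing" only at 168 hours (72-hour target), and the ERP system inherits the 4-hour target even though one of the activities it enables could wait 72 hours.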
Analysis and Consolidation
• Drawing conclusions that lead to business continuity requirements
• Analytic techniques (quantitative and qualitative):
  – Interdependency Analysis
  – Financial Analysis Approaches
  – Common Sense and Cross Checks
  – Stress Testing
  – Review of Post-Incident Reviews and Recommendations
  – Supplier-Input-Process-Output-Customer (SIPOC)
  – Fishbone (Ishikawa) Diagrams
Analysis and Consolidation (continued)
• Outcomes:
  – Confirmation of impacts over time
  – Review and confirmation of resource dependencies and requirements
  – Consolidation of resource requirements
  – Review and confirmation of the interdependencies of processes and activities, and their relation to the delivery of products and services, that serve as the input to business continuity strategy selection
Top Management Endorsement
• “The organization should seek management endorsement of results, including product and service, process, activity, and resource prioritization following one or more individual BIAs”
• Outcomes:
  – The endorsement of the BIA results by top management should be documented according to established document management practices
  – The BIA results can then be passed to the business continuity strategy selection process
After the BIA
• “Approved business continuity requirements enable the organization to determine and select appropriate business continuity strategies to enable an effective response and recovery from a disruptive incident.”
• Examples include:
  – Alternate workplace arrangements
  – Alternate supply chain arrangements
  – IT recovery options
  – Alternate sources of people
  – Alternate sources of equipment
  – Workarounds and alternate procedures
• Reconsideration…
BIA Monitoring and Review
• Periodic basis…
• A review of different components of the BIA process may be triggered by the following considerations:
  – Strategic directional change
  – Product or service change
  – Regulatory change
  – Customer and/or contractual change
  – Operational change, including resources
  – Structural change
  – Following a business continuity exercise or disruptive incident
Conclusions
• ISO 22317 offers flexible guidance regarding the performance of a BIA process
• Consistent with ISO 22301 and the GPGs (just with different words at times)
• Enables the identification of business continuity requirements that matter to the organization and its stakeholders
Questions / Discussion