BUSINESS CONTINUITY
MANAGEMENT SYSTEM
BY
PARABAKARAN
 SCOPE AND TERMS OF BCMS
 PURPOSE AND BENEFITS OF BCMS
 BCMS FAMILY OF STANDARDS
 CLAUSE ISO 22301:2019
SCOPE
• THIS DOCUMENT SPECIFIES REQUIREMENTS TO PLAN, ESTABLISH, IMPLEMENT, OPERATE,
MONITOR, REVIEW, MAINTAIN AND CONTINUALLY IMPROVE A MANAGEMENT SYSTEM TO
PROTECT AGAINST, REDUCE THE LIKELIHOOD OF OCCURRENCE, PREPARE FOR, RESPOND TO,
AND RECOVER FROM DISRUPTIONS WHEN THEY ARISE.
TERMS AND DEFINITION
• BUSINESS CONTINUITY, CAPABILITY OF AN ORGANIZATION (3.31) TO CONTINUE DELIVERY OF
PRODUCTS AND SERVICES (3.41) WITHIN ACCEPTABLE TIME FRAMES AT PREDEFINED CAPACITY
RELATING TO A DISRUPTION (3.12)
• [SOURCE: ISO 22300:2018, 3.24, MODIFIED.].
• BUSINESS CONTINUITY MANAGEMENT SYSTEM, BCMS, MANAGEMENT SYSTEM (3.25) FOR
BUSINESS CONTINUITY (3.3)
• NOTE 1 TO ENTRY: THE MANAGEMENT SYSTEM INCLUDES ORGANIZATIONAL STRUCTURE,
POLICIES, PLANNING (3.36) ACTIVITIES (3.1), RESPONSIBILITIES, PROCEDURES (3.39),
PROCESSES (3.40) AND RESOURCES
• [SOURCE: ISO 22300:2018, 3.26, MODIFIED]
• BUSINESS CONTINUITY PLAN DOCUMENTED INFORMATION (3.13) THAT GUIDES AN
ORGANIZATION (3.31) TO RESPOND TO A DISRUPTION (3.12) AND RESUME, RECOVER AND
RESTORE THE DELIVERY OF PRODUCTS AND SERVICES CONSISTENT WITH ITS BUSINESS
CONTINUITY OBJECTIVES
• [SOURCE: ISO 22300:2018, 3.27, MODIFIED. NOTE 1 TO ENTRY DELETED.]
• BUSINESS IMPACT ANALYSIS PROCESS (3.40) OF ANALYZING THE IMPACT (3.18) OF A
DISRUPTION (3.12) ON THE ORGANIZATION (3.31)
• NOTE 1 TO ENTRY: THE OUTCOME IS A STATEMENT AND JUSTIFICATION OF BUSINESS
CONTINUITY (3.3) REQUIREMENTS (3.45).
• [SOURCE: ISO 22300:2018, 3.29, MODIFIED. NOTE 1 TO ENTRY ADDED.]
• INCIDENT EVENT (3.16) THAT CAN BE, OR COULD LEAD TO, A
DISRUPTION (3.12), LOSS, EMERGENCY (3.15) OR CRISIS
• [SOURCE: ISO 22300:2018, 3.111, MODIFIED.]
• DISRUPTION INCIDENT (3.19), WHETHER ANTICIPATED OR
UNANTICIPATED, THAT CAUSES AN UNPLANNED, NEGATIVE
DEVIATION FROM THE EXPECTED DELIVERY OF PRODUCTS AND
SERVICES (3.41) ACCORDING TO AN ORGANIZATION’S (3.31)
OBJECTIVES (3.30)
• [SOURCE: ISO 22300:2018, 3.70, MODIFIED.]
• CRISIS MANAGEMENT
• HOLISTIC MANAGEMENT (3.135) PROCESS (3.180) THAT IDENTIFIES POTENTIAL IMPACTS (3.107)
THAT THREATEN AN ORGANIZATION (3.158) AND PROVIDES A FRAMEWORK FOR BUILDING
RESILIENCE (3.192), WITH THE CAPABILITY FOR AN EFFECTIVE RESPONSE THAT SAFEGUARDS THE
INTERESTS OF THE ORGANIZATION’S KEY INTERESTED PARTIES (3.124), REPUTATION, BRAND AND
VALUE-CREATING ACTIVITIES (3.1), AS WELL AS EFFECTIVELY RESTORING OPERATIONAL
CAPABILITIES
• NOTE 1 TO ENTRY: CRISIS MANAGEMENT ALSO INVOLVES THE MANAGEMENT OF PREPAREDNESS
(3.172), MITIGATION (3.146) RESPONSE, AND CONTINUITY (3.49) OR RECOVERY (3.187) IN THE
EVENT OF AN INCIDENT (3.111), AS WELL AS MANAGEMENT OF THE OVERALL PROGRAM
THROUGH TRAINING (3.265), REHEARSALS AND REVIEWS (3.197) TO ENSURE THE PREPAREDNESS,
RESPONSE AND CONTINUITY PLANS STAY CURRENT AND UP-TO-DATE. (ISO 22300:2018)
• RECOVERY TIME OBJECTIVE
• RTO: PERIOD OF TIME FOLLOWING AN INCIDENT (3.111) WITHIN WHICH A PRODUCT OR
SERVICE (3.181) OR AN ACTIVITY (3.1) IS RESUMED, OR RESOURCES (3.193) ARE RECOVERED
• NOTE 1 TO ENTRY: FOR PRODUCTS, SERVICES AND ACTIVITIES, THE RECOVERY TIME OBJECTIVE
IS LESS THAN THE TIME IT WOULD TAKE FOR THE ADVERSE IMPACTS (3.107) THAT WOULD
ARISE AS A RESULT OF NOT PROVIDING A PRODUCT/SERVICE OR PERFORMING AN ACTIVITY
TO BECOME UNACCEPTABLE.
• SOURCE ISO 22300:2018
• RECOVERY POINT OBJECTIVE
• RPO: POINT TO WHICH INFORMATION (3.116) USED BY AN ACTIVITY (3.1) IS RESTORED TO
ENABLE THE ACTIVITY TO OPERATE ON RESUMPTION
• NOTE 1 TO ENTRY: CAN ALSO BE REFERRED TO AS “MAXIMUM DATA LOSS”.
• SOURCE ISO 22300:2018
WHAT IS A BCMS?
• BUSINESS CONTINUITY IS THE CAPABILITY OF THE ORGANIZATION TO CONTINUE DELIVERY OF
PRODUCTS OR SERVICES AT ACCEPTABLE PREDEFINED LEVELS FOLLOWING A DISRUPTIVE
INCIDENT. BUSINESS CONTINUITY MANAGEMENT (BCM) IS THE PROCESS OF ACHIEVING BUSINESS
CONTINUITY AND IS ABOUT PREPARING AN ORGANIZATION TO DEAL WITH DISRUPTIVE
INCIDENTS THAT MIGHT OTHERWISE PREVENT IT FROM ACHIEVING ITS OBJECTIVES.
• PLACING BCM WITHIN THE FRAMEWORK AND DISCIPLINES OF A MANAGEMENT SYSTEM CREATES
A BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) THAT ENABLES BCM TO BE CONTROLLED,
EVALUATED AND CONTINUALLY IMPROVED.
• ANY INCIDENT, LARGE OR SMALL, NATURAL, ACCIDENTAL OR DELIBERATE HAS THE POTENTIAL TO
CAUSE MAJOR DISRUPTION TO THE ORGANIZATION’S OPERATIONS AND ITS ABILITY TO DELIVER
PRODUCTS AND SERVICES. HOWEVER, IMPLEMENTING BUSINESS CONTINUITY BEFORE A
DISRUPTIVE INCIDENT OCCURS, RATHER THAN WAITING FOR THIS TO HAPPEN WILL ENABLE THE
ORGANIZATION TO RESUME OPERATIONS BEFORE UNACCEPTABLE LEVELS OF IMPACT ARISE.
FUNDAMENTAL PRINCIPLES
• A) AWARENESS OF THE NEED FOR BCMS
• B) ASSIGNMENT OF RESPONSIBILITY FOR BCMS
• C) INCORPORATING MANAGEMENT COMMITMENT AND THE INTERESTS OF STAKEHOLDERS
• D) ENHANCING SOCIETAL VALUES
• E) RISK ASSESSMENTS DETERMINING APPROPRIATE CONTROLS TO REACH ACCEPTABLE LEVELS OF RISK
• F) SECURITY INCORPORATED AS AN ESSENTIAL ELEMENT OF BCMS
• G) ACTIVE PREVENTION AND DETECTION OF BUSINESS CONTINUITY INCIDENTS
• H) ENSURING A COMPREHENSIVE APPROACH TO BUSINESS CONTINUITY MANAGEMENT
• I) CONTINUAL REASSESSMENT OF BUSINESS CONTINUITY AND MAKING OF MODIFICATIONS AS
APPROPRIATE.
STEPS:
1. BEING CLEAR ON THE ORGANIZATION’S KEY PRODUCTS AND SERVICES
AND THE ACTIVITIES THAT DELIVER THEM
2. KNOWING THE PRIORITIES FOR RESUMING ACTIVITIES AND THE
RESOURCES THEY REQUIRE
3. HAVING A CLEAR UNDERSTANDING OF THE THREATS TO THESE ACTIVITIES,
INCLUDING THEIR DEPENDENCIES, AND KNOWING THE IMPACTS OF NOT
RESUMING THEM
4. HAVING TRIED AND TRUSTED ARRANGEMENTS IN PLACE TO RESUME THESE
ACTIVITIES FOLLOWING A DISRUPTIVE INCIDENT; AND
5. MAKING SURE THAT THESE ARRANGEMENTS ARE ROUTINELY REVIEWED
AND UPDATED SO THAT THEY WILL BE EFFECTIVE IN ALL CIRCUMSTANCES
PURPOSE OF BCMS
• BY FOCUSING ON THE IMPACT OF DISRUPTION RATHER THAN THE CAUSE,
BUSINESS CONTINUITY IDENTIFIES THOSE ACTIVITIES ON WHICH THE
ORGANIZATION DEPENDS FOR ITS SURVIVAL, AND ENABLES THE ORGANIZATION
TO DETERMINE WHAT IS REQUIRED TO CONTINUE TO MEET ITS OBLIGATIONS.
• THROUGH BUSINESS CONTINUITY, AN ORGANIZATION CAN RECOGNIZE WHAT
NEEDS TO BE DONE TO PROTECT ITS RESOURCES (E.G. PEOPLE, PREMISES,
TECHNOLOGY AND INFORMATION), SUPPLY CHAIN, INTERESTED PARTIES AND
REPUTATION, BEFORE A DISRUPTIVE INCIDENT OCCURS. WITH THAT RECOGNITION,
THE ORGANIZATION IS ABLE TO TAKE A REALISTIC VIEW ON THE RESPONSES THAT
ARE LIKELY TO BE NEEDED AS AND WHEN A DISRUPTION OCCURS, SO THAT IT CAN
BE CONFIDENT OF MANAGING THE CONSEQUENCES AND AVOID UNACCEPTABLE
IMPACTS
BENEFITS
PROTECTS BUSINESS FROM A RANGE OF THREATS
ENSURES BUSINESS CONTINUITY
MINIMIZES FINANCIAL LOSS
OPTIMIZES RETURN ON INVESTMENTS
INCREASES BUSINESS OPPORTUNITIES
BCMS FAMILY OF STANDARDS
ISO 22300, SECURITY AND RESILIENCE — VOCABULARY
ISO/IEC 22301, BUSINESS CONTINUITY MANAGEMENT SYSTEMS — REQUIREMENTS
ISO/IEC 22313, SOCIETAL SECURITY — BUSINESS CONTINUITY MANAGEMENT SYSTEMS —
GUIDANCE
CLAUSE ISO 22301:2019
MAIN DIFFERENCES FROM OTHER ISO STANDARDS ARE
• 4.2.2 LEGAL AND REGULATORY REQUIREMENTS
• AND CLAUSE 8
CLAUSE 8 OPERATION
• 8.1 OPERATIONAL PLANNING AND CONTROL
• 8.2 BUSINESS IMPACT ANALYSIS AND RISK ASSESSMENT
• 8.2.1 GENERAL
• 8.2.2 BUSINESS IMPACT ANALYSIS
• 8.2.3 RISK ASSESSMENT
• 8.3 BUSINESS CONTINUITY STRATEGIES AND SOLUTIONS
• 8.3.1 GENERAL
• 8.3.2 IDENTIFICATION AND SELECTION OF STRATEGIES AND SOLUTIONS
• 8.3.3 RESOURCE REQUIREMENTS
• 8.3.4 IMPLEMENTATION OF SOLUTIONS
• 8.4 BUSINESS CONTINUITY PLANS AND PROCEDURES
• 8.4.1 GENERAL
• 8.4.2 RESPONSE STRUCTURE
• 8.4.3 WARNING AND COMMUNICATION
• 8.4.4 BUSINESS CONTINUITY PLANS
• 8.4.5 RECOVERY
• 8.5 EXERCISE PROGRAMME
8.2.2 BIA, PROCESS (3.40) OF ANALYZING THE IMPACT (3.18)
OF A DISRUPTION (3.12) ON THE ORGANIZATION (3.31)
• A) DEFINES IMPACT CATEGORIES AND CRITERIA RELEVANT TO THE ORGANIZATION’S CONTEXT;
• B) USES THESE IMPACT CATEGORIES AND CRITERIA FOR MEASURING IMPACT;
• C) IDENTIFIES ACTIVITIES THAT SUPPORT THE PROVISION OF PRODUCTS AND SERVICES;
• D) ANALYSES THE IMPACTS OVER TIME RESULTING FROM DISRUPTION OF THESE ACTIVITIES;
• E) IDENTIFIES THE TIME WITHIN WHICH THE IMPACTS OF NOT RESUMING ACTIVITIES WOULD BECOME UNACCEPTABLE TO
THE ORGANIZATION;
• NOTE THIS MAY BE REFERRED TO AS MAXIMUM TOLERABLE PERIOD OF DISRUPTION (MTPD)
• F) SETS PRIORITIZED TIMEFRAMES WITHIN THE TIME IDENTIFIED IN E) ABOVE FOR RESUMING DISRUPTED ACTIVITIES AT A
SPECIFIED MINIMUM ACCEPTABLE CAPACITY;
• NOTE THIS MAY BE REFERRED TO AS RECOVERY TIME OBJECTIVE (RTO)
• G) USES THE BUSINESS IMPACTS TO IDENTIFY PRIORITIZED ACTIVITIES;
• H) DETERMINES WHICH RESOURCES ARE NEEDED TO SUPPORT PRIORITIZED ACTIVITIES;
• I) DETERMINES THE DEPENDENCIES AND INTERDEPENDENCIES OF PRIORITIZED ACTIVITIES.
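The BIA steps a) to i) above can be expressed as a small model. The following is an added example and not material from ISO 22301 or from this presentation; the three impact categories, the 0 to 4 scoring scale, the "unacceptable" threshold of 3 and the sample activities are all constructed for illustration. It derives the MTPD of each activity from its impact over time, orders the activities by MTPD to obtain the prioritized activities, and then runs two consistency checks a reviewer would want: that each RTO lies within its MTPD, and that no activity is given an RTO shorter than the RTO of an activity it depends on.

```python
from dataclasses import dataclass

# 8.2.2 a): impact categories and criteria. Each category is scored 0-4 at a
# given point in time; a score at or above UNACCEPTABLE in any category means
# the impact has become unacceptable. Categories and scale are constructed
# for this example, not taken from the standard.
CATEGORIES = ("financial", "regulatory", "reputational")
UNACCEPTABLE = 3


@dataclass
class Activity:
    name: str
    # 8.2.2 d): impact over time, elapsed hours -> {category: score}
    impact_over_time: dict
    # 8.2.2 f): prioritized timeframe (RTO) chosen by the organization
    rto_hours: int
    # 8.2.2 h): resources needed to support the activity
    resources: tuple = ()
    # 8.2.2 i): names of activities this one depends on
    depends_on: tuple = ()


def mtpd_hours(activity):
    """8.2.2 e): maximum tolerable period of disruption, i.e. the earliest
    point at which any category reaches the unacceptable threshold.
    Returns None if impact never becomes unacceptable within the horizon."""
    for hours in sorted(activity.impact_over_time):
        scores = activity.impact_over_time[hours]
        if any(scores.get(c, 0) >= UNACCEPTABLE for c in CATEGORIES):
            return hours
    return None


def prioritized_activities(activities):
    """8.2.2 g): activity names ordered by how soon their disruption becomes
    unacceptable; activities that never reach the threshold go last."""
    with_mtpd = [(a, mtpd_hours(a)) for a in activities]
    ordered = sorted(with_mtpd, key=lambda am: (am[1] is None, am[1] or 0))
    return [a.name for a, _ in ordered]


def bia_findings(activities):
    """Consistency checks over the BIA results. Returns a list of findings;
    an empty list means the prioritized timeframes are internally consistent."""
    by_name = {a.name: a for a in activities}
    findings = []
    for a in activities:
        m = mtpd_hours(a)
        # 8.2.2 f): the RTO must fall within the MTPD, otherwise the recovery
        # target is met only after the impact is already unacceptable
        if m is not None and a.rto_hours >= m:
            findings.append(f"{a.name}: RTO {a.rto_hours}h is not within MTPD {m}h")
        for dep in a.depends_on:
            if dep not in by_name:
                findings.append(f"{a.name}: depends on unknown activity {dep}")
                continue
            d = by_name[dep]
            # 8.2.2 i): an activity cannot be resumed before the activities it
            # depends on, so a dependency's RTO may not exceed the dependent's
            if d.rto_hours > a.rto_hours:
                findings.append(
                    f"{a.name}: depends on {dep} whose RTO {d.rto_hours}h exceeds {a.rto_hours}h"
                )
    return findings


# Constructed sample BIA data for a fictional organization.
ACTIVITIES = [
    Activity("order-processing",
             {4: {"financial": 1}, 24: {"financial": 2, "reputational": 2},
              48: {"financial": 3, "reputational": 3}},
             rto_hours=24, resources=("ERP", "warehouse staff"),
             depends_on=("identity-directory", "erp-database")),
    Activity("erp-database",
             {4: {"financial": 1}, 24: {"financial": 2}, 48: {"financial": 3}},
             rto_hours=8, resources=("database cluster",),
             depends_on=("identity-directory",)),
    Activity("identity-directory",
             {1: {"financial": 1}, 8: {"financial": 2, "regulatory": 3}},
             rto_hours=12, resources=("domain controllers",)),
    Activity("marketing-newsletter",
             {168: {"reputational": 1}},
             rto_hours=72),
]

if __name__ == "__main__":
    for name in prioritized_activities(ACTIVITIES):
        act = next(a for a in ACTIVITIES if a.name == name)
        print(f"{name}: MTPD={mtpd_hours(act)} RTO={act.rto_hours}h")
    for finding in bia_findings(ACTIVITIES):
        print("FINDING:", finding)
```

On the sample data the identity directory turns out to be the most time-critical activity (regulatory impact becomes unacceptable at 8 hours) yet has a 12-hour RTO, and the ERP database has been given an 8-hour RTO although it depends on that directory; both are exactly the kind of inconsistency step f) and step i) of the BIA are meant to surface before strategies are selected under 8.3.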
BIA
SELF ASSESSMENT BIA
• IS THERE A FORMAL RISK ASSESSMENT PROCESS FOR ANALYZING THE RISK OF DISRUPTIVE
INCIDENTS?
• DOES THIS RISK ASSESSMENT METHOD IDENTIFY RISK TREATMENTS APPROPRIATE TO BC
OBJECTIVES?
• IS THERE EVIDENCE OF PRIORITIZING RISK TREATMENTS WITH COSTS IDENTIFIED?
• SOURCE BSI SELF ASSESSMENT BIA
8.2.3 RISK ASSESSMENT
• THE ORGANIZATION SHALL IMPLEMENT AND MAINTAIN A SYSTEMATIC RISK ASSESSMENT PROCESS.
• NOTE THIS PROCESS CAN BE MADE IN ACCORDANCE WITH ISO 31000.
• THE ORGANIZATION SHALL:
• A) IDENTIFY RISKS OF DISRUPTION TO THE ORGANIZATION'S PRIORITIZED ACTIVITIES AND TO
THEIR SUPPORTING RESOURCES;
• B) SYSTEMATICALLY ANALYSE RISKS OF DISRUPTION;
• C) EVALUATE RISKS OF DISRUPTION WHICH REQUIRE TREATMENT
RISK ASSESSMENT
8.3 BUSINESS CONTINUITY STRATEGIES AND
SOLUTIONS
• BUSINESS CONTINUITY
• CAPABILITY OF AN ORGANIZATION (3.158) TO CONTINUE THE DELIVERY OF PRODUCTS OR
SERVICES (3.181) AT ACCEPTABLE PREDEFINED LEVELS FOLLOWING A DISRUPTION (3.70)
• CONTINUITY
• STRATEGIC AND TACTICAL CAPABILITY, PRE-APPROVED BY MANAGEMENT (3.135), OF AN
ORGANIZATION (3.158) TO PLAN FOR AND RESPOND TO CONDITIONS, SITUATIONS AND
EVENTS (3.82) IN ORDER TO CONTINUE OPERATIONS AT AN ACCEPTABLE PREDEFINED LEVEL
• BASED ON THE OUTPUTS FROM THE BUSINESS IMPACT ANALYSIS AND RISK ASSESSMENT, THE
ORGANIZATION SHALL IDENTIFY AND SELECT BUSINESS CONTINUITY STRATEGIES THAT
CONSIDER OPTIONS FOR BEFORE, DURING AND AFTER DISRUPTION.
• 8.3.2 IDENTIFICATION OF STRATEGIES AND SOLUTION
• 8.3.3 SELECTION OF STRATEGIES AND SOLUTIONS
• 8.3.3 RESOURCE REQUIREMENTS
• 8.3.4 IMPLEMENTATION OF SOLUTIONS
• THE ORGANIZATION SHALL IDENTIFY AND SELECT APPROPRIATE BUSINESS CONTINUITY
STRATEGIES AND SOLUTIONS TAKING INTO CONSIDERATION THEIR ASSOCIATED COSTS FOR
(GOAL FOR BC STRATEGY):
• A) RESPONDING TO DISRUPTIONS;
• B) CONTINUING AND RECOVERING PRIORITIZED ACTIVITIES AND THEIR REQUIRED RESOURCES TO
MEET THE DELIVERY OF PRODUCTS AND SERVICES AT THE AGREED CAPACITY OVER TIME.
• FOR THE PRIORITIZED ACTIVITIES, THE ORGANIZATION SHALL IDENTIFY AND SELECT STRATEGIES
AND SOLUTIONS CONSIDERING BUSINESS CONTINUITY OBJECTIVES AND THE AMOUNT AND
TYPE OF RISK THAT THE ORGANIZATION MAY OR MAY NOT TAKE THAT:
• A) REDUCE THE LIKELIHOOD OF DISRUPTION;
• B) SHORTEN THE PERIOD OF DISRUPTION;
• C) LIMIT THE IMPACT OF DISRUPTION ON THE ORGANIZATION'S PRODUCTS AND SERVICES
SELF ASSESSMENT BC STRATEGY
• IS THE BC STRATEGY BASED ON THE OUTPUTS OF THE BIA AND RISK ASSESSMENT?
• DOES THE BC STRATEGY PROTECT PRIORITIZED ACTIVITIES AND PROVIDE APPROPRIATE
CONTINUITY AND RECOVERY OF THEM, THEIR DEPENDENCIES AND RESOURCES?
• DOES THE BC STRATEGY PROVIDE FOR MITIGATING, RESPONDING TO AND MANAGING
IMPACTS?
• HAVE PRIORITIZED TIME FRAMES BEEN SET FOR THE RESUMPTION OF ALL ACTIVITIES?
• HAVE THE BC CAPABILITIES OF SUPPLIERS BEEN EVALUATED?
• HAVE THE RESOURCE REQUIREMENTS FOR THE SELECTED STRATEGY OPTIONS BEEN
DETERMINED, INCLUDING PEOPLE, INFORMATION AND DATA, INFRASTRUCTURE, FACILITIES,
CONSUMABLES, IT, TRANSPORT, FINANCE AND PARTNER/SUPPLIER SERVICES?
• HAVE MEASURES TO REDUCE THE LIKELIHOOD, DURATION OR IMPACT OF A DISRUPTION FOR
IDENTIFIED RISKS BEEN CONSIDERED AND IMPLEMENTED, AND ARE THESE IN ACCORDANCE
WITH THE ORGANIZATION’S RISK APPETITE?
8.4 BUSINESS CONTINUITY PLANS AND
PROCEDURES
• THE ORGANIZATION SHALL IMPLEMENT AND MAINTAIN A STRUCTURE THAT WILL ENABLE TIMELY
WARNING AND COMMUNICATION TO RELEVANT INTERESTED PARTIES. IT SHALL PROVIDE PLANS
AND PROCEDURES TO MANAGE THE ORGANIZATION DURING A DISRUPTION. THE PLANS AND
PROCEDURES SHALL BE USED WHEN REQUIRED TO ACTIVATE BUSINESS CONTINUITY SOLUTIONS.
• THE PROCEDURES SHALL:
• A) BE SPECIFIC REGARDING THE IMMEDIATE STEPS THAT ARE TO BE TAKEN DURING A DISRUPTION;
• B) BE FLEXIBLE TO RESPOND TO CHANGING INTERNAL AND EXTERNAL CONDITIONS OF A
DISRUPTION;
• C) FOCUS ON THE IMPACT OF INCIDENTS THAT POTENTIALLY LEAD TO DISRUPTION;
• D) BE EFFECTIVE IN MINIMIZING IMPACT THROUGH IMPLEMENTATION OF APPROPRIATE SOLUTIONS;
• E) ASSIGN ROLES AND RESPONSIBILITIES FOR TASKS WITHIN IT.
SELF ASSESSMENT BCP
• HAVE BC PROCEDURES BEEN PUT IN PLACE TO MANAGE A DISRUPTIVE INCIDENT, AND HAVE
CONTINUITY ACTIVITIES BASED ON RECOVERY OBJECTIVES BEEN IDENTIFIED IN THE BIA?
• ARE THE BUSINESS CONTINUITY PROCEDURES DOCUMENTED?
• HAVE INTERNAL AND EXTERNAL COMMUNICATION PROTOCOLS BEEN ESTABLISHED AS PART
OF THESE PROCEDURES?
• SOURCE BSI SELF ASSESSMENT ISO 22301
8.4.2 RESPONSE STRUCTURE
• THE ORGANIZATION SHALL IMPLEMENT AND MAINTAIN A STRUCTURE IDENTIFYING ONE OR
MORE TEAMS RESPONSIBLE FOR RESPONDING TO DISRUPTIONS
• FOR EACH TEAM THERE SHALL BE:
• A) IDENTIFIED PERSONNEL AND THEIR ASSOCIATES WITH THE NECESSARY RESPONSIBILITY,
AUTHORITY AND COMPETENCE TO PERFORM THEIR DESIGNATED ROLE;
• B) DOCUMENTED PROCEDURES TO GUIDE THEIR ACTIONS (SEE 8.4.4) INCLUDING THOSE FOR
THE ACTIVATION, OPERATION, COORDINATION AND COMMUNICATION OF THE RESPONSE.
SELF ASSESSMENT INCIDENT RESPONSE STRUCTURE
(IRS)
• IS THERE THE MANAGEMENT STRUCTURE AND TRAINED PERSONNEL IN PLACE TO RESPOND TO
A DISRUPTIVE INCIDENT?
• DOES THE IRS AND ASSOCIATED PROCEDURES INCLUDE THRESHOLDS, ASSESSMENT,
ACTIVATION, RESOURCE PROVISION AND COMMUNICATION?
• DO THE PEOPLE IN YOUR IRS HAVE THE NECESSARY COMPETENCY TO PERFORM THEIR DUTIES,
AND HAVE YOU KEPT RECORDS TO DEMONSTRATE THEIR COMPETENCE?
8.4.3 WARNING AND COMMUNICATION
• 8.4.3.1 THE ORGANIZATION SHALL DOCUMENT AND MAINTAIN PROCEDURES FOR:
• A) COMMUNICATING INTERNALLY AND EXTERNALLY TO RELEVANT INTERESTED PARTIES, INCLUDING WHAT,
WHEN, WITH WHOM AND HOW TO COMMUNICATE;
• NOTE THE ORGANIZATION MAY DOCUMENT AND MAINTAIN PROCEDURES FOR HOW, AND UNDER WHAT
CIRCUMSTANCES, THE ORGANIZATION COMMUNICATES WITH EMPLOYEES AND THEIR EMERGENCY CONTACTS.
• B) RECEIVING, DOCUMENTING AND RESPONDING TO COMMUNICATIONS FROM INTERESTED PARTIES,
INCLUDING ANY NATIONAL OR REGIONAL RISK ADVISORY SYSTEM OR EQUIVALENT;
• C) ENSURING AVAILABILITY OF THE MEANS OF COMMUNICATION DURING A DISRUPTION;
• D) FACILITATING STRUCTURED COMMUNICATION WITH EMERGENCY RESPONDERS;
• E) DETAILS OF THE ORGANIZATION'S MEDIA RESPONSE FOLLOWING AN INCIDENT, INCLUDING A
COMMUNICATIONS STRATEGY;
• F) RECORDING DETAILS OF THE DISRUPTION, ACTIONS TAKEN AND DECISIONS MADE
• THE COMMUNICATION AND WARNING PROCEDURES SHALL BE EXERCISED AS PART OF THE ORGANIZATION’S
EXERCISE PROGRAMME REFERRED TO IN 8.5.
SELF ASSESSMENT INCIDENT COMMUNICATIONS
AND WARNINGS
1. IS THERE A PROCEDURE FOR DETECTING AND MONITORING INCIDENTS?
2. IS THERE A PROCEDURE FOR MANAGING INTERNAL COMMUNICATIONS AND EXTERNAL COMMUNICATIONS
FROM INTERESTED PARTIES DURING A DISRUPTIVE INCIDENT?
3. IS THERE A PROCEDURE FOR RECEIVING AND RESPONDING TO WARNINGS FROM OUTSIDE AGENCIES AND
EMERGENCY RESPONDERS?
4. IS THERE A STRUCTURE TO COMMUNICATE WITH EMERGENCY RESPONDERS AND OTHER AUTHORITIES
DURING AN INCIDENT, OR, FOR RESPONDING ORGANIZATIONS, ARE COMMUNICATIONS INTEROPERABLE
WITH OTHERS?
5. IS THERE A PROCEDURE FOR RECORDING VITAL INFORMATION ABOUT THE INCIDENT, ACTIONS TAKEN AND
DECISIONS MADE?
6. IS THERE A PROCEDURE FOR ISSUING ALERTS AND WARNINGS IF APPROPRIATE?
7. ARE THE ORGANIZATION’S COMMUNICATION AND WARNING SYSTEMS REGULARLY EXERCISED, AND
RECORDS KEPT OF THE RESULTS?
8.4.4 BUSINESS CONTINUITY PLANS
• 8.4.4.1 THE BUSINESS CONTINUITY PLANS SHALL PROVIDE GUIDANCE AND INFORMATION THAT WILL ASSIST
THE TEAMS TO RESPOND TO A DISRUPTION AND ASSIST THE ORGANIZATION WITH RESPONSE AND RECOVERY.
• COLLECTIVELY, THE BUSINESS CONTINUITY PLANS SHALL CONTAIN:
• A) DETAILS OF THE ACTIONS THAT THE TEAMS WILL TAKE IN ORDER TO CONTINUE OR RECOVER PRIORITIZED
ACTIVITIES WITHIN PREDETERMINED TIMEFRAMES AND TO MONITOR THE EFFECTS OF THE DISRUPTION AND THE
ORGANIZATION’S RESPONSE TO IT;
• B) REFERENCE TO THE PRE-DEFINED THRESHOLD AND PROCESS FOR ACTIVATING THE RESPONSE;
• C) PROCEDURES TO ENABLE THE DELIVERY OF PRODUCTS AND SERVICES AT AGREED CAPACITY TO INTERESTED
PARTIES;
• D) DETAILS TO MANAGE THE IMMEDIATE CONSEQUENCES OF A DISRUPTION GIVING DUE REGARD TO:
• 1) THE WELFARE OF INDIVIDUALS;
• 2) PREVENTION OF FURTHER LOSS OR UNAVAILABILITY OF PRIORITIZED ACTIVITIES;
• 3) PROTECTION OF THE ENVIRONMENT;
• E) A PROCESS FOR STANDING DOWN ONCE THE INCIDENT IS OVER.
BUSINESS CONTINUITY PLAN SHALL HAVE
1. PURPOSE AND SCOPE, AND OBJECTIVES;
2. ROLES, RESPONSIBILITIES OF THE TEAM THAT WILL IMPLEMENT THE PLAN;
3. ACTIONS AND RESOURCES TO IMPLEMENT THE SOLUTIONS;
4. SUPPORTING INFORMATION NEEDED TO ACTIVATE (INCLUDING ACTIVATION CRITERIA),
OPERATE, COORDINATE AND COMMUNICATE THE TEAM’S ACTIONS;
5. INTERNAL AND EXTERNAL INTERDEPENDENCIES;
6. RESOURCE REQUIREMENTS;
7. REPORTING REQUIREMENTS.
• EACH PLAN SHALL BE USABLE AND AVAILABLE AT THE TIME AND PLACE AT WHICH IT IS
REQUIRED
SELF ASSESSMENT BUSINESS CONTINUITY RESPONSE
AND RECOVERY PLANS
1. ARE THERE DOCUMENTED PLANS/PROCEDURES FOR RESTORING BUSINESS OPERATIONS AFTER AN INCIDENT?
2. DO THESE PLANS REFLECT THE NEEDS OF THOSE WHO WILL USE THEM?
3. DO THE PLANS DEFINE ROLES AND RESPONSIBILITIES?
4. DO THE PLANS DEFINE A PROCESS FOR ACTIVATING THE RESPONSE?
5. DO THE PLANS CONSIDER THE MANAGEMENT OF THE IMMEDIATE CONSEQUENCES OF A DISRUPTION, IN
PARTICULAR THE WELFARE OF INDIVIDUALS, OPTIONS FOR RESPONSE AND FURTHER LOSS PREVENTION?
6. DO THE PLANS DETAIL HOW TO COMMUNICATE WITH THE VARIOUS INTERESTED PARTIES DURING THE DISRUPTION?
7. DO THE PLANS CONTAIN DETAILS ON HOW PRIORITIZED ACTIVITIES WILL BE CONTINUED OR RECOVERED WITHIN
PREDETERMINED TIME FRAMES?
8. IS THERE A PLANNED MEDIA RESPONSE TO AN INCIDENT?
9. DO THE PLANS INCLUDE A PROCEDURE FOR STANDING DOWN THE RESPONSE?
10. DOES EACH PLAN CONTAIN THE ESSENTIAL INFORMATION TO USE IT EFFECTIVELY?
8.4.5 RECOVERY
• THE ORGANIZATION SHALL HAVE DOCUMENTED PROCESSES TO RESTORE AND RETURN
BUSINESS ACTIVITIES FROM THE TEMPORARY MEASURES ADOPTED TO SUPPORT NORMAL
BUSINESS REQUIREMENTS DURING AND AFTER A DISRUPTION.
SELF ASSESSMENT EXERCISING AND TESTING
1. HAVE BUSINESS CONTINUITY PROCEDURES BEEN TESTED TO ENSURE THEY ARE CONSISTENT
WITH YOUR BC OBJECTIVES?
2. DO TOP MANAGEMENT “ACTIVELY ENGAGE” IN TESTING AND EXERCISING THE BCMS?
3. ARE THE TEST EXERCISES CLEARLY DEFINED, CONSISTENT WITH THE SCOPE OF THE BCMS AND
BUSINESS CONTINUITY OBJECTIVES, AND BASED ON APPROPRIATE SCENARIOS?
4. WILL THE TEST EXERCISES THAT HAVE BEEN CONDUCTED OVER TIME VALIDATE THE WHOLE OF
THE ORGANIZATION’S BUSINESS CONTINUITY ARRANGEMENTS?
5. ARE THE TEST EXERCISES DESIGNED TO MINIMIZE THE RISK OF DISRUPTION TO OPERATIONS?
6. HAVE FORMAL POST-EXERCISE REPORTS BEEN PRODUCED FOR THE CONDUCTED TESTS?
7. ARE THE OUTCOMES OF EXERCISES REVIEWED TO ENSURE THEY LEAD TO IMPROVEMENT?
8. ARE TEST EXERCISES UNDERTAKEN AT PLANNED INTERVALS, AND WHEN SIGNIFICANT CHANGES
OCCUR IS THIS PROCESS DOCUMENTED WITHIN THE BCMS?
8.5 EXERCISE PROGRAMME
• THE ORGANIZATION SHALL IMPLEMENT AND MAINTAIN A PROGRAM OF EXERCISING AND TESTING TO
VALIDATE OVER TIME THE EFFECTIVENESS OF ITS BUSINESS CONTINUITY STRATEGIES AND SOLUTIONS.
• THE ORGANIZATION SHALL CONDUCT EXERCISES AND TESTS THAT:
• A) ARE CONSISTENT WITH ITS BUSINESS CONTINUITY OBJECTIVES;
• B) ARE BASED ON APPROPRIATE SCENARIOS THAT ARE WELL PLANNED WITH CLEARLY DEFINED AIMS AND
OBJECTIVES;
• C) DEVELOP TEAMWORK, COMPETENCE, CONFIDENCE AND KNOWLEDGE FOR THOSE WHO HAVE ROLES TO
PERFORM IN RELATION TO DISRUPTIONS;
• D) TAKEN TOGETHER OVER TIME VALIDATE THE WHOLE OF ITS BUSINESS CONTINUITY STRATEGIES;
• E) PRODUCE FORMALIZED POST-EXERCISE REPORTS THAT CONTAIN OUTCOMES, RECOMMENDATIONS AND
ACTIONS TO IMPLEMENT IMPROVEMENTS;
• F) ARE REVIEWED WITHIN THE CONTEXT OF PROMOTING CONTINUAL IMPROVEMENT;
• G) ARE PERFORMED AT PLANNED INTERVALS AND WHEN THERE ARE SIGNIFICANT CHANGES WITHIN THE
ORGANIZATION OR THE CONTEXT IN WHICH IT OPERATES.
• THE ORGANIZATION SHALL ACT ON THE RESULTS OF ITS EXERCISING AND TESTING TO IMPLEMENT CHANGES
AND IMPROVEMENTS
SHORT-TERM GOALS AND PERFORMANCE OBJECTIVES SHOULD BE ESTABLISHED AND
INCLUDE THE FOLLOWING:
• (1) RECOVERY OF CRITICAL OR TIME-SENSITIVE PERSONNEL, SYSTEMS, OPERATIONS, RECORDS,
AND EQUIPMENT
• (2) AGREED-UPON PRIORITIES FOR RESTORATION AND MITIGATION
• (3) LENGTH OF DOWNTIME ACCEPTABLE BEFORE RESTORATION TO A MINIMAL LEVEL IS
REQUIRED
• (4) MINIMAL ACCEPTABLE LEVEL OF RESOURCES NEEDED TO PROVIDE FOR THE RESTORATION
OF FACILITIES, PROCESSES, PROGRAMS, SERVICES, AND INFRASTRUCTURE
CERTIFICATION
INTERRELATION ISO 27001
• A.17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
• A.17.1 INFORMATION SECURITY CONTINUITY
• OBJECTIVE: INFORMATION SECURITY CONTINUITY SHALL BE EMBEDDED IN THE
ORGANIZATION’S BUSINESS CONTINUITY MANAGEMENT SYSTEMS.
• A.17.1.1 PLANNING INFORMATION SECURITY CONTINUITY
• CONTROL
• THE ORGANIZATION SHALL DETERMINE ITS REQUIREMENTS FOR INFORMATION SECURITY AND
THE CONTINUITY OF INFORMATION SECURITY MANAGEMENT IN ADVERSE SITUATIONS, E.G.
DURING A CRISIS OR DISASTER.
• A.17.1.2
• IMPLEMENTING INFORMATION SECURITY CONTINUITY
• CONTROL
• THE ORGANIZATION SHALL ESTABLISH, DOCUMENT, IMPLEMENT AND MAINTAIN PROCESSES, PROCEDURES
AND CONTROLS TO ENSURE THE REQUIRED LEVEL OF CONTINUITY FOR INFORMATION SECURITY DURING AN
ADVERSE SITUATION.
• A.17.1.3
• VERIFY, REVIEW AND EVALUATE INFORMATION SECURITY CONTINUITY
• CONTROL
• THE ORGANIZATION SHALL VERIFY THE ESTABLISHED AND IMPLEMENTED INFORMATION SECURITY
CONTINUITY CONTROLS AT REGULAR INTERVALS IN ORDER TO ENSURE THAT THEY ARE VALID AND EFFECTIVE
DURING ADVERSE SITUATIONS.
ISO 22301 MANDATORY DOCUMENTS
• LIST OF LEGAL, REGULATORY AND OTHER REQUIREMENTS (CLAUSE 4.2.2) – LISTS EVERYTHING YOU NEED TO COMPLY
WITH.
• SCOPE OF THE BCMS AND EXPLANATION OF EXCLUSIONS (CLAUSE 4.3) – DEFINES WHERE YOUR BCMS WILL BE
IMPLEMENTED.
• BUSINESS CONTINUITY POLICY (CLAUSE 5.2) – DEFINES MAIN RESPONSIBILITIES, AND THE INTENT OF THE MANAGEMENT.
• BUSINESS CONTINUITY OBJECTIVES (CLAUSE 6.2) – DEFINES MEASURABLE OBJECTIVES THAT ARE TO BE ACHIEVED WITH
BUSINESS CONTINUITY.
• COMPETENCIES OF PERSONNEL (CLAUSE 7.2) – DEFINES KNOWLEDGE AND SKILLS NEEDED.
• BUSINESS CONTINUITY PLANS AND PROCEDURES (CLAUSE 8.4) – INCLUDES PLANS AND PROCEDURES FOR RESPONSE,
COMMUNICATION, RECOVERY (INCLUDING DISASTER RECOVERY PLANS), RESTORE AND RETURN ACTIVITIES.
• DOCUMENTED COMMUNICATION WITH INTERESTED PARTIES (CLAUSE 8.4.3.1) – THESE COULD BE EMAILS, BUT ALSO
OFFICIAL COMMUNICATION FROM SOURCES SUCH AS GOVERNMENT AGENCIES AND OTHERS.
• RECORDS OF IMPORTANT INFORMATION ABOUT THE DISRUPTION, ACTIONS TAKEN AND DECISIONS MADE (CLAUSE
8.4.3.1) – NORMALLY THESE RECORDS ARE DONE THROUGH MINUTES OR BY FILLING OUT CHECKLISTS OF PERFORMED
ACTIVITIES.
• DATA AND RESULTS OF MONITORING AND MEASUREMENT (CLAUSE 9.1.1) – THIS IS THE
EVALUATION ON WHETHER YOUR BCMS MET THE OBJECTIVES.
• INTERNAL AUDIT PROGRAM (CLAUSE 9.2)
• RESULTS OF INTERNAL AUDIT (CLAUSE 9.2) – NORMALLY, THIS IS THE INTERNAL AUDIT REPORT.
• RESULTS OF MANAGEMENT REVIEW (CLAUSE 9.3) – USUALLY, THIS IS IN THE FORM OF
MINUTES OR PERHAPS DOCUMENTED DECISIONS.
• NATURE OF NONCONFORMITIES AND ACTIONS TAKEN (CLAUSE 10.1) – THIS IS A DESCRIPTION
OF NONCONFORMITIES, AND THEIR CAUSE.
• RESULTS OF CORRECTIVE ACTIONS (CLAUSE 10.1) – THIS IS A DESCRIPTION OF WHAT HAS
BEEN DONE TO ELIMINATE THE CAUSE OF A NONCONFORMITY.
• SOURCE: ADVISERA, https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
COMMONLY USED NON-MANDATORY BCMS
DOCUMENTS AND RECORDS
• PROCEDURE FOR IDENTIFICATION OF APPLICABLE LEGAL AND REGULATORY REQUIREMENTS
(CLAUSE 4.2.2)
• IMPLEMENTATION PLAN FOR ACHIEVING THE BUSINESS CONTINUITY OBJECTIVES (CLAUSE 6.2)
• TRAINING AND AWARENESS PLAN (CLAUSES 7.2 AND 7.3)
• PROCEDURE FOR CONTROL OF DOCUMENTED INFORMATION (CLAUSE 7.5)
• CONTRACTS AND SERVICE LEVEL AGREEMENTS (SLAS) WITH SUPPLIERS AND OUTSOURCING
PARTNERS (CLAUSE 8.1)
• PROCESS FOR BUSINESS IMPACT ANALYSIS AND RISK ASSESSMENT (CLAUSE 8.2.1)
• RESULTS OF BUSINESS IMPACT ANALYSIS (CLAUSE 8.2.2)
• RESULTS OF RISK ASSESSMENT (CLAUSE 8.2.3)
• STRATEGIES AND SOLUTIONS FOR BUSINESS CONTINUITY (CLAUSE 8.3.3)
• INCIDENT SCENARIOS (CLAUSE 8.5)
• EXERCISE AND TESTING PLANS (CLAUSE 8.5)
• POST-EXERCISE REPORTS (CLAUSE 8.5)
• RESULTS OF POST-INCIDENT REVIEW (CLAUSE 8.6)
• METHODS FOR MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION (CLAUSE 9.1.1)
• PROCEDURE FOR INTERNAL AUDIT (CLAUSE 9.2)
• PROCEDURE FOR CORRECTIVE ACTION (CLAUSE 10.1)
• SOURCE: ADVISERA, https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
DIFFERENCE ISO 22301:2012 TO 22301:2019
• THE 2019 EDITION IS SIGNIFICANTLY LESS DETAILED AND PRESCRIPTIVE THAN ITS
PREDECESSOR. HOWEVER, IN THE PROCESS OF REMOVING THE DETAIL AND PROVIDING LESS
DIRECTION, THE STANDARD PLACES GREATER EMPHASIS ON THE SKILLS AND COMPETENCE OF
THOSE INDIVIDUALS WHO ARE RESPONSIBLE FOR DESIGNING AND IMPLEMENTING THE
MANAGEMENT SYSTEM PROCESSES. THERE ARE NO SUBSTANTIAL CHANGES IN THE PROCESSES
THAT MAKE UP A BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) AND THE SAME END
RESULTS ARE REQUIRED.
• CLAUSE 6.1.2 NOW MAKES IT CLEAR THAT THE RISKS (AND OPPORTUNITIES) THAT NEED TO BE
ADDRESSED RELATE TO THE EFFECTIVENESS OF THE BCMS, AS OPPOSED TO THE RISKS OF
DISRUPTION, WHICH ARE ADDRESSED BY CLAUSE 8.2.3. THE SAME RELATIONSHIP IS INTENDED
IN OTHER STANDARDS SUCH AS ISO 27001 AND IF YOU ARE IMPLEMENTING A BCMS, YOU
WILL NEED TO WORK OUT HOW TO MEET THE REQUIREMENTS OF THIS CLAUSE.
• SOURCE: https://www.urmconsulting.com/2019/12/10/iso-223012019-released-5-key-changes/
• THE REQUIREMENTS FOR CONDUCTING THE PIVOTAL BUSINESS IMPACT ANALYSIS (BIA) ARE
NOW CLEARER. THE RELATIONSHIP BETWEEN UNACCEPTABLE IMPACT, MAXIMUM TOLERABLE
PERIOD OF DISRUPTION AND PRIORITIZED TIMEFRAMES FOR ACTIVITY RESUMPTION IS DEFINED
AS WELL AS USING THE BIA TO IDENTIFY ‘PRIORITIZED ACTIVITIES’. THE 2012 EDITION REQUIRED
PRIORITIZED TIMEFRAMES SIMPLY TO CONSIDER IMPACT. IT SHOULD BE NOTED THAT THERE IS
NO SPECIFIC REQUIREMENT WITH THE 2019 VERSION TO DOCUMENT THE BIA PROCESS.
• A KEY ASSURANCE PROCESS, EVALUATION OF PROCEDURES, SPECIFICALLY REQUIRES THE
SUITABILITY, ADEQUACY AND EFFECTIVENESS OF BIAS AND RISK ASSESSMENTS TO BE
EVALUATED. THIS WAS PREVIOUSLY ONLY AN IMPLICIT REQUIREMENT IN THE NAME OF
EFFECTIVENESS, BUT POINTS TO THE KEY ROLE PLAYED BY BIAS AND RISK ASSESSMENTS.
• THE CONCEPT OF MINIMUM ACTIVITY LEVELS HAS SHIFTED, FROM THE NEED TO IDENTIFY
MINIMUM LEVELS OF PRODUCTS AND SERVICES AND MINIMUM ACCEPTABLE LEVELS OF
ACTIVITY, THE LINKING OF WHICH IS IMPLICIT, TO THE MINIMUM ACCEPTABLE CAPACITY OF
RESUMED ACTIVITIES.
PHASES OF BUSINESS CONTINUITY PLANNING
BUSINESS IMPACT ANALYSIS (BIA)
PHASES OF BUSINESS CONTINUITY PLANNING
• BC PLANNING TYPICALLY INCLUDES FIVE PHASES :
• 1. BCP GOVERNANCE
• 2. BUSINESS IMPACT ANALYSIS (BIA)
• 3. DOCUMENTS , CONTROLS , MEASURES, AND ARRANGEMENTS FOR BC
• 4. READINESS ACTIVITIES
• 5. ASSESSMENT PROCESS
1- BCP GOVERNANCE
 TO ESTABLISH CONTROL
 THE GOVERNANCE STRUCTURE IS OFTEN IN THE FORM OF A STEERING
COMMITTEE AND A LIST OF APPROPRIATE COMMITTEES, WORKING GROUPS
AND TEAMS TO DEVELOP AND EXECUTE THE PLAN (S) / DOCUMENTS
 TEAM MEMBERS SHOULD BE SELECTED FROM TRAINED AND EXPERIENCED
PERSONNEL WHO ARE KNOWLEDGEABLE ABOUT THEIR RESPONSIBILITIES.
 THE NUMBER AND SCOPE OF THE TEAMS WILL VARY DEPENDING ON
ORGANIZATION'S SIZE, FUNCTION AND STRUCTURE
 IT MAY BE NECESSARY TO HAVE MULTITASK TEAMS AND PROVIDE
CROSS-TEAM TRAINING.
 THE TEAMS’ DATA SHALL BE DOCUMENTED IN THE PLANS/
DOCUMENTS
 CONSIDER DECENTRALIZATION AS A WAY TO PROVIDE BETTER
RESILIENCY
• EXAMPLES :
 AN ALTERNATE SITE COORDINATION TEAM
 CONTRACTING AND PROCUREMENT TEAM
 DAMAGE ASSESSMENT TEAM
 CRISIS MANAGEMENT TEAM
 FINANCE AND ACCOUNTING TEAM
 HAZARDOUS MATERIALS TEAM
 INSURANCE TEAM
 LEGAL ISSUES TEAM
 TELECOMMUNICATIONS / ALTERNATE COMMUNICATIONS TEAM
 EQUIPMENT TEAM
 PUBLIC AND MEDIA RELATIONS TEAM
 TRANSPORT COORDINATION TEAM
 RECORDS MANAGEMENT TEAM
 THE DUTIES AND RESPONSIBILITIES FOR EACH TEAM MUST BE
DEFINED, AND INCLUDE IDENTIFYING:
1. THE TEAM LEADER
2. THE TEAM MEMBERS
3. THE SPECIFIC TEAM TASKS
4. MEMBERS’ AUTHORITY AND RESPONSIBILITIES
5. POSSIBLE ALTERNATE MEMBERS
6. A CONTACT LIST
BUSINESS CONTINUITY PLANNING
• 1. BCP GOVERNANCE
• 2. BUSINESS IMPACT ANALYSIS (BIA)
• 3. DOCUMENTS , CONTROLS , MEASURES, AND ARRANGEMENTS FOR BC
• 4. READINESS ACTIVITIES
• 5. ASSESSMENT
2- BUSINESS IMPACT ANALYSIS (BIA)
 PROCESS OF ANALYZING THE ACTIVITIES AND THE EFFECT THAT A BUSINESS
DISRUPTION MIGHT HAVE UPON THEM (SOURCE: ISO 22301:2019)
 BIA IS ALL ABOUT DATA ANALYSIS TO IDENTIFY:
1) THE ORGANIZATION'S MANDATE AND CRITICAL SERVICES OR PRODUCTS
2) THE PRIORITY OF SERVICES OR PRODUCTS FOR CONTINUOUS DELIVERY
OR RAPID RECOVERY
3) THE POSSIBLE INTERNAL AND EXTERNAL THREATS, AND
4) THE IMPACT OF THE THREATS.
1. INFORMATION ON THE ORGANIZATION'S MANDATE AND CRITICAL SERVICES OR
PRODUCTS CAN BE OBTAINED FROM:
 THE MISSION STATEMENT OF THE ORGANIZATION
 LEGAL REQUIREMENTS FOR DELIVERING SPECIFIC SERVICES AND PRODUCTS
 CONTRACTS AND OTHER OBLIGATIONS
2. CRITICAL SERVICES OR PRODUCTS MUST BE PRIORITIZED BASED ON MINIMUM
ACCEPTABLE DELIVERY LEVELS AND THE MAXIMUM PERIOD OF TIME WITHOUT
DELIVERY
3. IDENTIFY IMPACTS OF DISRUPTIONS TO DETERMINE:
 HOW LONG THE ORGANIZATION COULD FUNCTION WITHOUT THE SERVICE /
PRODUCT PROVISION, AND
 HOW LONG CLIENTS WOULD ACCEPT THE UNAVAILABILITY OF ITS SERVICES OR PRODUCTS.
BIA RELATED ACTIVITIES
1) SUPPLY CHAIN ANALYSIS
2) ASSESSMENT OF THE MOST CRITICAL BUSINESS COMPONENTS
3) IT CONTINUITY ANALYSIS
4) IDENTIFY AREAS OF POTENTIAL REVENUE LOSS
5) IDENTIFY ANY ADDITIONAL EXPENSES
6) IDENTIFY INTANGIBLE LOSSES
7) IDENTIFY INSURANCE REQUIREMENTS
8) IDENTIFY DEPENDENCIES
9) ANALYZE CURRENT RECOVERY CAPABILITIES
1- SUPPLY CHAIN ANALYSIS
• CONDUCT SUPPLY CHAIN IMPACT ANALYSIS TO
• THE EVALUATION METRICS MAY INCLUDE THE FOLLOWING :
1) REVENUE IMPACT
2) REPUTATION IMPACT
3) OPERATIONAL IMPACT
4) PRODUCTION IMPACT
5) DELIVERY IMPACT
6) RESEARCH AND DEVELOPMENT IMPACT
7) DELAY IMPACT
8) STAFFING IMPACT
• FIND OUT IF THESE MEMBERS IN THE SUPPLY CHAIN HAVE BC/DR PLANS AND IF YOU CAN REVIEW
THEM / SHARE WITH THEM.
• IDENTIFY & EVALUATE EACH LINK IN TERMS OF BUSINESS IMPACT TO FIND THE HIGH-IMPACT LINK(S)
• 2- ASSESSMENT OF THE MOST CRITICAL BUSINESS COMPONENTS
 TO CREATE A COMPLETE BUSINESS CONTINUITY PLAN, YOU NEED TO ASSESS THE
IMPACT OF INTERRUPTION ON FOUR COMPONENTS:
1) PEOPLE (KEY PERSONS – KEY COMPETENCIES)
2) PHYSICAL PROPERTY (EQUIPMENT – STORAGE – ALTERNATE FACILITIES – ………)
3) SYSTEMS (HARDWARE, SOFTWARE, EMAIL, PHONE SYSTEMS, COMMUNICATION
STATIONS, ……..)
4) DATA (CRITICAL TO RUN YOUR BUSINESS)
 BOTH DATA AND SYSTEMS ARE IT SYSTEMS (IT CONTINUITY)
3- CONDUCT IT CONTINUITY ANALYSIS
• DECIDE WHICH OF THE ORGANIZATION'S IT FUNCTIONS / ASSETS ARE ESSENTIAL
FOR BUSINESS CONTINUITY.
• DECIDE HOW TO MANAGE THE TECHNOLOGY SYSTEMS IN THE EVENT OF A MAJOR
DISRUPTION.
• ASSESS THE EXISTENCE AND SUITABILITY OF IS POLICIES / PROCEDURES / IT CONTINUITY
PLANS.
• REVIEW COMPUTER DATA BACKUPS – CABLING – IT SERVICE PROVIDERS’
CAPABILITIES – ………….
• 4- IDENTIFY AREAS OF POTENTIAL REVENUE LOSS
 DETERMINE WHICH PROCESSES AND FUNCTIONS THAT
SUPPORT SERVICE OR PRODUCT DELIVERY ARE INVOLVED
WITH THE CREATION OF REVENUE.
 IF THESE PROCESSES AND FUNCTIONS ARE NOT PERFORMED,
IS REVENUE LOST? HOW MUCH? AND FOR WHAT LENGTH OF
TIME?
 IF CLIENTS CANNOT ACCESS CERTAIN SERVICES OR PRODUCTS
WOULD THEY THEN NEED TO GO TO ANOTHER PROVIDER,
RESULTING IN FURTHER LOSS OF REVENUE?
• 5- IDENTIFY ADDITIONAL EXPENSES
• IF A BUSINESS FUNCTION OR PROCESS IS INOPERABLE:
1) HOW LONG WOULD IT TAKE BEFORE ADDITIONAL EXPENSES WOULD START TO ADD UP?
2) HOW LONG COULD THE FUNCTION BE UNAVAILABLE BEFORE EXTRA PERSONNEL WOULD HAVE TO BE HIRED?
3) WOULD PENALTIES FROM BREACHES OF LEGAL RESPONSIBILITIES, AGREEMENTS, OR GOVERNMENTAL REGULATIONS BE AN ISSUE, AND IF SO, WHAT ARE THE PENALTIES?
• 6- IDENTIFY INTANGIBLE LOSSES
• ESTIMATES ARE REQUIRED TO DETERMINE THE APPROXIMATE COST OF:
 LOSS OF CONSUMER AND INVESTOR CONFIDENCE
 DAMAGE TO REPUTATION
 LOSS OF COMPETITIVENESS
 REDUCED MARKET SHARE
 VIOLATION OF LAWS AND REGULATIONS
 DAMAGED BUSINESS RELATIONSHIPS WITH VENDORS
 INCREASED INSURANCE COST
 LOSS OF EMPLOYEES
 LOSS OF FINANCIAL SUPPORT AND CASH FLOW
 LOSS OF COMMUNITY SUPPORT
 COST OF EQUIPMENT AND FACILITIES USED DURING RECOVERY
 REPLACEMENT, RESTORATION AND RECOVERY COSTS NOT ADJUSTED FOR INFLATION
 INCREASED COST WHEN OPERATIONS RESUME
• 7- IDENTIFY INSURANCE REQUIREMENTS
 WHAT NEEDS INSURANCE
 THE EXISTING INSURANCE
 THE LEVEL OF COVERAGE.
 WHAT ASPECTS MAY HAVE OVER OR UNDER INSURANCE.
 IS THERE A POLICY / DOCUMENT IN PLACE RELATED TO THE INSURANCE?
• 8- IDENTIFY DEPENDENCIES
 IDENTIFY THE INTERNAL AND EXTERNAL DEPENDENCIES OF CRITICAL SERVICES
OR PRODUCTS,
 IDENTIFY THE EXPECTED IMPACTS FROM A DISRUPTION TO THOSE
DEPENDENCIES.
 INTERNAL DEPENDENCIES INCLUDE
1.EMPLOYEE ( AVAILABILITY – COMPETENCIES)
2.CORPORATE ASSETS SUCH AS EQUIPMENT, FACILITIES, COMPUTER
APPLICATIONS, DATA, TOOLS, VEHICLES.
3.SUPPORT SERVICES SUCH AS FINANCE, HUMAN RESOURCES, SECURITY ,AND IT
SUPPORT.
 EXTERNAL DEPENDENCIES INCLUDE:
1. SUPPLIERS
2. ANY EXTERNAL CORPORATE ASSETS SUCH AS EQUIPMENT, FACILITIES, COMPUTER APPLICATIONS, DATA,
TOOLS, AND VEHICLES.
3. ANY EXTERNAL SUPPORT SERVICES SUCH AS
 FACILITY MANAGEMENT
 UTILITIES
 COMMUNICATIONS
 TRANSPORTATION
 FINANCE INSTITUTIONS
 INSURANCE PROVIDERS
 GOVERNMENT SERVICES
 LEGAL SERVICES
 HEALTH AND SAFETY SERVICE.
• 9- ANALYZE CURRENT RECOVERY CAPABILITIES
 ANALYZE CURRENT RECOVERY CAPABILITIES THE ORGANIZATION
ALREADY HAS IN PLACE, AND THEIR CONTINUED APPLICABILITY
 TRY TO ANSWER THE FOLLOWING QUESTIONS
1) CAN EMPLOYEES WORK FROM HOME OR ANOTHER
LOCATION?
2) DO I NEED A PRE-DETERMINED ALTERNATE FACILITY?
3) DO I HAVE ENOUGH SPARE PARTS / IT EQUIPMENT ?
4) DO CRITICAL VENDORS AND SUPPLIERS HAVE THEIR
BUSINESS CONTINUITY PLANS/DOCUMENT?
BUSINESS CONTINUITY PLANNING
• 1. BCP GOVERNANCE
• 2. BUSINESS IMPACT ANALYSIS (BIA)
• 3. DOCUMENTS , CONTROLS , MEASURES, AND ARRANGEMENTS FOR BC
• 4. READINESS ACTIVITIES
• 5. ASSESSMENT
3. DOCUMENTS , CONTROLS , MEASURES, AND ARRANGEMENTS FOR BC
 THIS STEP CONSISTS OF THE PREPARATION OF THE MANAGEMENT SYSTEM
DOCUMENTATION INCLUDING:
1) DETAILED RESPONSE PLANS / RECOVERY PLANS
2) POLICIES / OBJECTIVES
3) ARRANGEMENTS
 CONSIDER THE CRITICAL VENDORS AND SUPPLIERS BUSINESS CONTINUITY PLANS.
 FOCUS ON THREE CATEGORIES OF PROTECTION / SAFETY TO HELP SURVIVE A DISASTER:
1. HUMAN RESOURCES
2. PHYSICAL RESOURCES
3. BUSINESS OPERATIONS.
• 1- HUMAN RESOURCES
 CONSIDER THE POSSIBLE IMPACT A DISASTER MAY HAVE ON YOUR EMPLOYEES’
ABILITY TO RETURN TO WORK
 ALTERNATE STAFFING PLANS (TO ENSURE YOUR BUSINESS STAYS FUNCTIONAL
WHEN A LARGE PERCENT OF YOUR STAFF IS UNABLE TO COME TO WORK)
 CONSIDER HOW YOUR CUSTOMERS CAN REACH YOU OR RECEIVE YOUR GOODS
/ SERVICES
 CREATE EVACUATION PLANS
 DEVELOP AND POST EVACUATION ROUTES / ASSEMBLY LOCATIONS / CREATE A
PHONE-TREE / CONSIDER HAVING AN EMPLOYEE EMERGENCY NUMBER
• 2- PHYSICAL RESOURCES
 BUILDING (MAINTENANCE - FIRE SYSTEM -……………)
 INTERIOR, EXTERIOR COMPONENTS ( EQUIPMENT – HARD WARE /SOFT WARE)
 MATERIALS / SPARE PARTS
 ALTERNATE FACILITIES (THREE TYPES)
• 1- COLD SITE (THE LEAST EXPENSIVE OPTION)
• 2- WARM SITE (MORE EXPENSIVE THAN COLD
SITES)
• 3- HOT SITE (THE MOST EXPENSIVE OPTION)
• 3- BUSINESS OPERATIONS / PROCESSES
1)CRITICAL INPUTS – THINGS NEEDED TO DO YOUR JOB
2)CRITICAL OUTPUTS – THINGS YOU PRODUCE THAT OTHERS WANT OR NEED TO DO THEIR JOB
3)OUTSOURCED PROCESSES
• EXAMPLES OF RESILIENCY PLANS / DOCUMENTS AND ARRANGEMENTS:
1) AN ALTERNATE TELECOMMUNICATION PROVIDER
2) EMERGENCY BACKUP GENERATOR IN CASE OF A POWER OUTAGE
3) AGREEMENTS WITH A FUEL PROVIDER
4) ALTERNATE WORK SITE AND EQUIPMENT
5) ANNUAL MEETING WITH CRITICAL VENDORS TO DISCUSS THEIR RECOVERY OPERATIONS AND LOCATIONS
6) DEVELOP RELATIONSHIPS WITH CONTRACTORS / VENDORS
7) CREATE MANUAL PROCESSES TO BE USED IN CASE COMPUTERS ARE UNAVAILABLE
8) MITIGATE THE DIFFERENT THREATS
• THE RESPONSE PREPARATION PROCEDURES TO ANSWER
1) “WHAT TO DO BEFORE A DISRUPTION OCCURS?” (PROACTIVE
ACTIVITIES)
2) “WHAT TO DO WHEN A DISRUPTION OCCURS?” (RESPONSE –
RECOVERY – CONTINUITY)
3) “WHAT TO DO AFTER A DISRUPTION OCCURS?” (LEARNED
LESSONS / CHANGE MANAGEMENT)
4- READINESS ACTIVITIES
AWARENESS
INDIVIDUAL AND TEAM – TASK TRAINING
PROCEDURES EXERCISES – TESTING
POST-EXERCISE EVALUATION
GOALS OF PROCEDURES EXERCISES – TESTING
1. TEST ALL COMPONENTS OF THE PLAN, INCLUDING HARDWARE,
SOFTWARE, PERSONNEL, DATA AND VOICE COMMUNICATIONS, ETC.
2. ENSURE THE UNDERSTANDING AND WORKABILITY OF DOCUMENTED
RECOVERY PROCEDURES.
3. ADAPT AND UPDATE EXISTING PLANS TO ENCOMPASS NEW
REQUIREMENTS.
4. TRAIN TEAM LEADERS AND MEMBERS IN THE PROCEDURES OF EXECUTING
THE CONTINUITY PLAN.
5. OBTAIN INFORMATION ABOUT RECOVERY STRATEGY IMPLEMENTATION.
6. VERIFY THAT RECOVERY STRATEGIES ARE VIABLE.
7. DEMONSTRATE THAT THE OUTPUT PERFORMANCE OF THE BACKUP SYSTEMS AND NETWORKS IS CONSISTENT WITH PRODUCTION SYSTEMS AND
5- ASSESSMENT
• HOW TO ASSESS THE PLAN'S ACCURACY, AND EFFECTIVENESS
• HOW TO CONDUCT THE INTERNAL OR EXTERNAL AUDIT (BC
READINESS AUDIT)
• IDENTIFY NEEDED IMPROVEMENT
HOW TO PERFORM BC READINESS AUDIT
1. CHECK FOR THE EXISTENCE OF THE FOLLOWING
DOCUMENTS / INFORMATION :
• EMERGENCY PROCEDURES
• EVACUATION PLAN
• FIRE PROTECTION PLAN
• ENVIRONMENTAL POLICIES
• SAFETY AND HEALTH PROGRAM
• SECURITY PROCEDURES
• FINANCE / PURCHASING PROCEDURES
• FACILITY CLOSING POLICY
• PROCESS SAFETY ASSESSMENT
• MUTUAL AID AGREEMENTS
• HOT / COLD SITE AGREEMENTS
• CAPITAL IMPROVEMENT PROGRAM
• HAZARD MATERIALS / WASTE DISPOSAL
• ALTERNATIVE OR MANUAL PROCEDURES
• DISASTER RECOVERY PLANS FOR INFORMATION RESOURCES
• BASED ON THE REVIEW, ASK THE FOLLOWING QUESTIONS: HOW WOULD YOUR ORGANIZATION RESUME OPERATIONS AFTER
 LOSS OF ACCESS TO YOUR FACILITY,
 LOSS OF ACCESS TO YOUR INFORMATION RESOURCES (IR), OR
 LOSS OF KEY PERSONNEL?
• HAVE ANY AUDIT FINDINGS BEEN REPORTED FROM INTERNAL OR EXTERNAL
AUDITORS?
• WOULD MOST INDIVIDUALS KNOW HOW TO REPORT OR RESPOND TO AN EVENT?
• IF POLICIES RELATIVE TO RECOVERY EFFORTS ARE IN PLACE, WHO KNOWS ABOUT
THEM?
• DO PEOPLE KNOW IF THEY HAVE RECOVERY RESPONSIBILITIES? ARE PROGRAM
MANAGERS AWARE OF THEIR OWNER AND USER SECURITY RESPONSIBILITIES?
• HAS TESTING BEEN DONE TO SEE HOW PEOPLE WOULD REACT
DURING A RECOVERY EFFORT IN THE FOLLOWING AREAS:
• SENIOR MANAGEMENT
• MANAGEMENT INFORMATION SYSTEMS / SECURITY
• INFORMATION TECHNOLOGY
• RISK MANAGEMENT
• INTERNAL DEPARTMENTS
• AUDITING
• VENDORS
• TELECOMMUNICATIONS
• CHECK TO SEE IF:
 COMPUTER BACKUPS (PC, LAN, MAINFRAME) ARE BEING TAKEN OFF-SITE
ACCORDING TO POLICY
 ALTERNATE WORK LOCATIONS ARE AVAILABLE;
 ITEMS REQUIRED TO BE OFF-SITE ARE REALLY THERE;
 SECURITY MEASURES ARE BEING FOLLOWED;
 EMERGENCY EQUIPMENT (GENERALLY UPS, BATTERIES, ETC.) IS WORKING
CORRECTLY;
 EMERGENCY LIGHTING IS IN GOOD WORKING ORDER AND IN THE CORRECT
PLACES.
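The backup item in the checklist above is one audit step that can be verified against evidence rather than by interview. The Python below is an added example, not from the slides or any backup product: it reads a constructed backup-catalogue export, finds the newest successful off-site copy for each system in scope, and compares its age with the maximum the policy allows (which is, in effect, the system's RPO). The CSV columns, the policy values, the finding codes and every record are constructed for the example.

```python
# Added example (not from the slides): evidence check for "backups are being taken
# off-site according to policy / items required to be off-site are really there".
# Catalogue format, field names, policy values and all records are constructed.
import csv
import io
from datetime import datetime, timedelta

# Policy (assumed): system -> maximum permitted age, in hours, of the newest successful
# off-site copy.  Scope is defined by the policy; systems not listed here are ignored.
POLICY = {"payroll-db": 24, "erp-app": 24, "file-server": 168, "hr-portal": 24}

# Constructed catalogue export: finished_at (UTC, ISO-8601), system, location, status.
CATALOG_CSV = """finished_at,system,location,status
2024-05-01T02:00:00,payroll-db,offsite,success
2024-05-02T02:00:00,payroll-db,onsite,success
2024-05-02T02:00:00,erp-app,offsite,success
2024-05-02T03:00:00,erp-app,offsite,failed
2024-05-01T22:00:00,file-server,onsite,success
2024-04-30T22:00:00,file-server,onsite,success
"""


def parse_catalog(text):
    """Parse the export into dicts with a real datetime; reject unknown status values
    rather than silently treating them as failures or successes."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        if rec["status"] not in ("success", "failed"):
            raise ValueError(f"unknown status {rec['status']!r} for {rec['system']}")
        rows.append({
            "finished_at": datetime.fromisoformat(rec["finished_at"]),
            "system": rec["system"],
            "location": rec["location"],
            "status": rec["status"],
        })
    return rows


def latest_offsite_success(rows, system):
    """Newest successful off-site copy for a system, or None.  Failed jobs and
    on-site-only copies do not count as evidence."""
    times = [r["finished_at"] for r in rows
             if r["system"] == system and r["location"] == "offsite"
             and r["status"] == "success"]
    return max(times) if times else None


def audit(catalog_text, policy, now):
    """One finding per non-compliant in-scope system; compliant systems are omitted.
    NO_RECORDS: the system never appears in the catalogue.
    NO_OFFSITE_COPY: only on-site (or failed off-site) copies exist.
    OFFSITE_TOO_OLD: newest off-site copy is older than the policy allows."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    rows = parse_catalog(catalog_text)
    findings = {}
    for system, max_age_h in sorted(policy.items()):
        if not any(r["system"] == system for r in rows):
            findings[system] = "NO_RECORDS"
            continue
        newest = latest_offsite_success(rows, system)
        if newest is None:
            findings[system] = "NO_OFFSITE_COPY"
        elif now - newest > timedelta(hours=max_age_h):
            findings[system] = "OFFSITE_TOO_OLD"
    return findings


AUDIT_TIME = "2024-05-02T09:00:00"  # fixed "now" so the check is reproducible

if __name__ == "__main__":
    for system, code in audit(CATALOG_CSV, POLICY, AUDIT_TIME).items():
        print(f"{system}: {code}")
```

Run against the sample at the fixed audit time, payroll-db is flagged because its only off-site copy is 31 hours old, file-server because every copy is on-site, and hr-portal because it is in scope but has never been backed up; erp-app passes because the failed 03:00 job does not erase the earlier successful one.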
• 8.2.3 RISK ASSESSMENT
• THE ORGANIZATION SHALL ESTABLISH, IMPLEMENT, AND
MAINTAIN A FORMAL DOCUMENTED RISK ASSESSMENT PROCESS
THAT SYSTEMATICALLY IDENTIFIES, ANALYSES, AND EVALUATES
THE RISK OF DISRUPTIVE INCIDENTS TO THE ORGANIZATION.
• NOTE: THIS PROCESS CAN BE CARRIED OUT IN ACCORDANCE WITH ISO 31000.
• THE ORGANIZATION SHALL
• A) IDENTIFY RISKS OF DISRUPTION TO THE ORGANIZATION’S
PRIORITIZED ACTIVITIES AND THE PROCESSES, SYSTEMS,
INFORMATION, PEOPLE, ASSETS, OUTSOURCE PARTNERS AND
OTHER RESOURCES THAT SUPPORT THEM,
• B) SYSTEMATICALLY ANALYSE RISK,
• C) EVALUATE WHICH DISRUPTION-RELATED RISKS REQUIRE TREATMENT; AND
• D) IDENTIFY TREATMENTS COMMENSURATE WITH (I.E. APPROPRIATE TO) BUSINESS CONTINUITY OBJECTIVES AND IN ACCORDANCE WITH THE ORGANIZATION'S RISK APPETITE.
Risk Criteria
 REFERENCE AGAINST WHICH THE SIGNIFICANCE OF A RISK IS EVALUATED TO DETERMINE THE
LEVEL OF RISK
 RISK CRITERIA CAN BE DERIVED FROM
1) STANDARDS
2) LAWS
3) POLICIES
4) ANY OTHER REQUIREMENTS (INTERESTED PARTIES).
 RISK CRITERIA ARE BASED ON ORGANIZATIONAL OBJECTIVES, AND CONTEXT
 LEVEL OF RISK IS THE MAGNITUDE OF A RISK OR COMBINATION OF RISKS, EXPRESSED IN
TERMS OF THE COMBINATION OF CONSEQUENCES AND THEIR LIKELIHOOD
 THE RISK CRITERIA INCLUDE:
1) RISK EVALUATION CRITERIA
2) RISK IMPACT CRITERIA
3) RISK ACCEPTANCE CRITERIA.
RISK MATRIX (LIKELIHOOD × CONSEQUENCES)

| Likelihood \ Consequences | Slightly          | Moderate          | High              |
|---------------------------|-------------------|-------------------|-------------------|
| Low                       | Unimportant risk  | Acceptable risk   | Uncontrolled risk |
| Medium                    | Acceptable risk   | Uncontrolled risk | Important risk    |
| High                      | Uncontrolled risk | Important risk    | Unacceptable risk |
RISK MATRIX CONTROL PLAN

| Risk level        | Action and timescale |
|-------------------|----------------------|
| Unimportant       | No action is required and no documented records need to be kept. |
| Acceptable risk   | No additional controls are required. Consideration may be given to a more cost-effective solution or improvement that imposes no additional cost burden. Monitoring is required to ensure that the controls are maintained. |
| Uncontrolled risk | Efforts should be made to reduce the risk, but the costs of prevention should be carefully measured and limited. Risk reduction measures should be implemented within a defined time period. Where the uncontrolled (moderate) risk is associated with extremely harmful consequences, further assessment may be necessary to establish more precisely the likelihood of harm as a basis for determining the need for improved control measures. |
| Important risk    | Work should not be started until the risk has been reduced. Considerable resources may have to be allocated to reduce the risk. Where the risk involves work in progress, urgent action should be taken. |
| Unacceptable risk | Work should not be started or continued until the risk has been reduced. If it is not possible to reduce the risk even with unlimited resources, work has to remain prohibited. |
RISK SCORE = PROBABILITY × CONSEQUENCE

| Probability \ Consequence | 1 | 2  | 3  | 4  | 5  |
|---------------------------|---|----|----|----|----|
| 5                         | 5 | 10 | 15 | 20 | 25 |
| 4                         | 4 | 8  | 12 | 16 | 20 |
| 3                         | 3 | 6  | 9  | 12 | 15 |
| 2                         | 2 | 4  | 6  | 8  | 10 |
| 1                         | 1 | 2  | 3  | 4  | 5  |

Legend
• ≥ 20: E - Extreme risk - immediate action required
• > 10 and < 20: H - High risk - urgent management attention needed
• > 5 and ≤ 10: M - Medium risk - management attention as soon as possible
• < 5: L - Low risk - periodical evaluation
(As drawn, the legend leaves a score of exactly 5, i.e. 1 × 5 or 5 × 1, unassigned; treat it as Low so that the bands are contiguous.)
IMPACT / CONSEQUENCE CRITERIA

| Rank | Level     | Financial loss | Strategic directions and objectives | Customer | Legal | OHS | Env. | InfSec. |
|------|-----------|----------------|-------------------------------------|----------|-------|-----|------|---------|
| 5 | Very High | > 1M | Negative impact on execution of strategic directions | Contract termination | Closure | Fatality / catastrophe / fatal occupational illness | Permanent damage | Permanent loss of the service |
| 4 | High | 250K to 1M | Negative impact on execution of 2 objectives | Major product / service recall | Non-renewal of one of the legal documents | Partial / complete incapacity | Long-term damage | Long-term non-availability of the service |
| 3 | Moderate | 50K to 250K | Negative impact on execution of 1 objective | Minor product / service recall | Formal violations | Lost working days / work-related illness | Limited damage / kills fauna, flora; concerns global issues | Temporary non-availability of the service |
| 2 |  |  | Slight negative | Complaint | Notice | Medical treatment case / restricted | Aspect causes slight impact on fauna or | Slight impact on the service |
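The 5 × 5 matrix, its legend and the consequence criteria above are the parts of a risk evaluation; the Python below is an added example, not from the slides, that wires them together for a small constructed risk register: it converts an estimated loss into a consequence rank, multiplies by probability, maps the score to the E/H/M/L band with its action, and lists the risks that require treatment in priority order. The financial thresholds for ranks 5 to 3 are the deck's; the 10K boundary for rank 2, the treatment of a score of exactly 5 (unassigned by the legend) as Low, the acceptance criterion "only Low is accepted", and every risk in the register are assumptions.

```python
# Added example (not from the slides): score a disruption-risk register with the deck's
# 5x5 matrix (score = probability x consequence), map scores to the legend bands
# E/H/M/L, and derive the consequence rank from the deck's financial-loss criteria.
# Assumptions not on the page: a score of exactly 5 (unassigned by the legend) is
# treated as Low; the 10K threshold for rank 2 is invented; a risk is "accepted"
# only when its band is Low.

# Financial-loss consequence criteria from the deck: >1M = 5, 250K-1M = 4, 50K-250K = 3.
# Boundaries are read as "more than": exactly 1M scores 4, exactly 250K scores 3.
FINANCIAL_BANDS = [(1_000_000, 5), (250_000, 4), (50_000, 3), (10_000, 2)]  # 10K: assumption

LEGEND = {  # band -> action text from the deck's legend
    "E": "Extreme risk - immediate action required",
    "H": "High risk - urgent management attention needed",
    "M": "Medium risk - management attention as soon as possible",
    "L": "Low risk - periodical evaluation",
}


def financial_rank(loss):
    """Map an estimated financial loss to a consequence rank 1..5."""
    if loss < 0:
        raise ValueError("loss must be non-negative")
    for lower, rank in FINANCIAL_BANDS:
        if loss > lower:
            return rank
    return 1


def band(score):
    """Deck legend: >=20 E, >10 and <20 H, >5 and <=10 M, <5 L.
    A score of 5 is unassigned on the page; treating it as L keeps the bands
    contiguous (assumption)."""
    if score >= 20:
        return "E"
    if score > 10:
        return "H"
    if score > 5:
        return "M"
    return "L"


def score_risk(probability, consequence):
    """Risk score = probability x consequence, both on 1..5 scales."""
    if not (1 <= probability <= 5 and 1 <= consequence <= 5):
        raise ValueError("probability and consequence must be 1..5")
    return probability * consequence


def evaluate(register):
    """Score each risk; the consequence comes from a given rank or from an estimated
    loss.  Returns rows sorted highest score first (name breaks ties)."""
    rows = []
    for r in register:
        consequence = r["consequence"] if "consequence" in r else financial_rank(r["loss"])
        s = score_risk(r["probability"], consequence)
        b = band(s)
        rows.append({
            "risk": r["risk"], "activity": r["activity"],
            "probability": r["probability"], "consequence": consequence,
            "score": s, "band": b, "action": LEGEND[b],
            "requires_treatment": b != "L",  # acceptance criterion: only Low accepted (assumption)
        })
    return sorted(rows, key=lambda row: (-row["score"], row["risk"]))


def treatment_queue(register):
    """Names of the risks that need treatment, highest score first."""
    return [row["risk"] for row in evaluate(register) if row["requires_treatment"]]


# Constructed sample register (not from the page); losses in the deck's unnamed currency.
REGISTER = [
    {"risk": "ransomware on order-processing servers", "activity": "order processing",
     "probability": 3, "loss": 600_000},
    {"risk": "regional power outage at main plant", "activity": "production",
     "probability": 4, "loss": 120_000},
    {"risk": "sole-source supplier insolvency", "activity": "production",
     "probability": 2, "loss": 2_500_000},
    {"risk": "burst water pipe in server room", "activity": "IT services",
     "probability": 1, "loss": 60_000},
    {"risk": "key person unavailable", "activity": "payroll",
     "probability": 5, "consequence": 1},
]

if __name__ == "__main__":
    for row in evaluate(REGISTER):
        print(f'{row["score"]:>2} {row["band"]} {row["risk"]}: {row["action"]}')
```

The "key person unavailable" entry is deliberately the 5 × 1 case that the legend leaves unassigned, so the choice made in `band()` is visible in the output rather than hidden; change the acceptance criterion there if the organization's risk appetite also accepts Medium.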
IMPACT CRITERIA (REPUTATION, FINANCIAL, LEGAL, CUSTOMER)

| Impact    | Reputation | Financial (Corporate) | Financial (Site) | Legal | Customer |
|-----------|------------|-----------------------|------------------|-------|----------|
| Very High | Regional media coverage over multiple days, or global media coverage | More than $100M | More than $10M | Closure notice | Ending the contract |
| High      | National media coverage over multiple days, or single regional media coverage | $10M - $100M | $1M - $10M | No renewal of operating permit | Major product recall |
| Moderate  | Local media coverage over multiple days, or single national media coverage | $1M - $10M | $100K - $1M | Violation notice, payment | Partial product recall |
| Low       | Single local media coverage | $100K - $1M | $10K - $100K | Violation notice, explanation | Product price concession |
Verbal
BEST PRACTICE FOR BCMS
AGENDA
• BUSINESS CONTINUITY PLANNING
• BUSINESS CONTINUITY IMPLEMENTATION ROADMAP
• BCP IN TIMES OF COVID-19
• CHALLENGES AND BEST PRACTICES
Business Continuity Planning
• “Planning to continue the Business”
• Not a new concept. A fancy name for common sense. In reality, we have
been performing Business Continuity Planning for centuries
• But still, many organizations struggled to restart operations during
COVID-19
• So we need more than just common sense. We need a structured and
formal implementation of common sense.
What we do not fully do in BAU common sense
1. Agree timelines, worst case and best case (MTPD and RTO)
2. Base it fully on facts and data (consequences of downtime)
3. Consultative process involving all interested parties
4. Comprehensive, documented and signed off
5. Communicate to all who need to know, including relevant third parties
and service providers
6. Practice, Test & exercise. Review. Maintain & continually Improve
Amazingly, this works…!!
Challenges for cyber professionals
• An uneven battle against an unknown enemy who has nothing
better to do
• You have other matters to focus on but they have a single point
agenda – to damage
• You constantly focus on getting better and better - but so do they
• By the sheer law of averages, once in a while they will succeed
• At those times, your best bet is to be able to restart fast and with
minimum loss. So you need the world’s best Business Continuity
readiness
 Have you formally put in place the 6 Rs (Reduce, Respond,
Recover, Resume, Restore, Return)?
 When did you last practice them?
Challenges for cyber professionals (news clipping: Economic Times, June 24 2020)
SOME REASONS FOR OUTAGES (GLOBAL DATA)
• Power Outage 31.1%
• Storm Damage 11.5%
• Flood/Water 8.5%
• Power Surge 8.2%
• Others 7.4% (including: Software Error 1.2%, Employee Sabotage 1.2%, Burst Water Pipe 1.2%, Miscellaneous 3.8%)
• Hurricane 7.2%
• Fire 6.6%
• Hardware Error 5.6%
• Earthquake 4.3%
• Network Outage 3.6%
• Human Error 3.5%
• Bombing 2.5%
Source: Contingency Planning Research Inc.
BUSINESS CONTINUITY IS A WISE INVESTMENT
• MINIMIZE BUSINESS DISRUPTIONS AND QUICKLY RECOVER
• RETAIN BUSINESS MODEL AND INCREASE MARKET SHARE AND PROFITS
• PROTECT THE ORGANIZATION’S VALUE AND REPUTATION
• CORPORATE GOVERNANCE AND SHAREHOLDER COMMITMENT
• NATIONAL REQUIREMENTS
• CONTRACTUAL COMMITMENTS, LEGAL AND REGULATORY COMPLIANCE
• MORAL AND SOCIAL RESPONSIBILITIES
• DEMONSTRATE “BEST PRACTICE”
• REDUCE INSURANCE LIABILITIES
Lack of BCP is an own goal
TYPICAL STEPS
Business Continuity Implementation Roadmap
INTERNATIONAL BCM STANDARD – ISO 22301
Clause 1 : Scope
Clause 2 : Normative references
Clause 3 : Terms and definitions
Clause 4 : Context of the organisation
Clause 5 : Leadership
Clause 6 : Planning
Clause 7 : Support
Clause 8 : Operation
Clause 9 : Performance evaluation
Clause 10 : Improvement
Please implement a BCMS – not just BCM
• “Part of the overall management
system that establishes, implements,
operates, monitors, reviews,
maintains and improves business
continuity”– ISO 22301
• Ensure continual improvement via
the PDCA cycle
BCP in times of COVID-19
COVID-19 is different from a typical Business Continuity situation
• Much longer duration
• No clarity on final resolution
• Triggered not by damage to resources
• Entire ecosystem is impacted
SOME POSITIVES
• Realization by all
• Even the PM asked entities to
implement Business Continuity
• Tolerance – “It’s Ok”
• Permanent mindset changes
Suggestions for professionals
• Don’t stop now – complete the journey
• Protect yourself against other new threats - implement the full BCM
cycle
• Use this opportunity to create permanent BCM readiness and
awareness across all segments
• Get your people ISO22301 trained and your organization ISO22301
compliant – or even ISO22301 certified
IMPLEMENT THE FULL BCM LIFECYCLE

Best Practices
• Commitment of top management
• Competency of all resources
• Right communication and tools
• Clearly defined roles, responsibilities, and authorities
• Continued management focus on the BCM program
• Choose the right people
• Provide effective training in advance of the implementation

Build culture across all Interested Parties ..

Interested parties around the organization: Customers, Citizens, Distributors, Shareholders, Investors, Owners, Insurers, Government, Regulators, Recovery Services, Suppliers, Competitors, Media, Commentators, Trade Groups, Neighbours, Pressure Groups, Emergency Services, Transport Services, Other Response Agencies, Dependents of staff

THE ORGANIZATION
• Top Management
• Those who establish policies and objectives for the BCMS
• Those who set up & manage BC
• Those who maintain BC procedures
• Owners of business continuity procedures
• Incident Response Personnel
• Those with authority to invoke
• Appropriate spokespeople
• Response Teams
• Other Staff
• Contractors
Build Culture via Training and Awareness

| Group / Audience | Training |
|------------------|----------|
| Top Management | Awareness, Crisis Management, Crisis Communication |
| Core BCM Team | CBCI / Lead Implementer, Lead Auditor |
| Core BCM Team | Specialised courses (BIA, RA, Plan Writing, Testing etc.) |
| Department Coordinator / BC Champions | Implementer, Internal Auditor |
| Audit Team | Internal Auditor, Lead Auditor |
| All Employees | Awareness |
Build Culture via tests and exercises

Chart (not to scale) comparing exercise types (Review / Walkthrough, Table Top, Call Tree, Simulation, IT / Work Area Recovery, Integrated) on Cost, Complexity, Risk (of disturbance due to the test), Assurance and Frequency.
ENSURE REVIEW, MAINTENANCE AND IMPROVEMENT
• MAINTENANCE
• ADVANCED TESTING AND EXERCISING
• ONGOING AWARENESS AND TRAINING
• INTERNAL AUDIT AND SELF ASSESSMENT
• MANAGEMENT REVIEW
• SUPPLIER REVIEW
• CORRECTIONS AND CORRECTIVE ACTIONS
• BENCHMARKING
• CONTINUAL IMPROVEMENT
• INSTILLING A BCM MINDSET
Way Forward => Organizational Resilience
THE ABILITY OF AN ORGANISATION TO ABSORB AND ADAPT IN A CHANGING ENVIRONMENT (BCI GPG 2018 / ISO 22316:2017)
awareness bcp for manufacturing industry.pptx

  • 1.
  • 2.
     SCOPE ANDTERMS OF BCMS  PURPOSE AND BENEFITS OF BCMS  BCMS FAMILY OF STANDARDS  CLAUSE ISO 22301:2019
  • 3.
    SCOPE • THIS DOCUMENTSPECIFIES REQUIREMENTS TO PLAN, ESTABLISH, IMPLEMENT, OPERATE, MONITOR, REVIEW, MAINTAIN AND CONTINUALLY IMPROVE A MANAGEMENT SYSTEM TO PROTECT AGAINST, REDUCE THE LIKELIHOOD OF OCCURRENCE, PREPARE FOR, RESPOND TO, AND RECOVER FROM DISRUPTIONS WHEN THEY ARISE.
  • 5.
    TERMS AND DEFINITION •BUSINESS CONTINUITY, CAPABILITY OF AN ORGANIZATION (3.31) TO CONTINUE DELIVERY OF PRODUCTS AND SERVICES (3.41) WITHIN ACCEPTABLE TIME FRAMES AT PREDEFINED CAPACITY RELATING TO A DISRUPTION (3.12) • [SOURCE: ISO 22300:2018, 3.24, MODIFIED.]. • BUSINESS CONTINUITY MANAGEMENT SYSTEM, BCMS, MANAGEMENT SYSTEM (3.25) FOR BUSINESS CONTINUITY (3.3) • NOTE 1 TO ENTRY: THE MANAGEMENT SYSTEM INCLUDES ORGANIZATIONAL STRUCTURE, POLICIES, PLANNING (3.36) ACTIVITIES (3.1), RESPONSIBILITIES, PROCEDURES (3.39), PROCESSES (3.40) AND RESOURCES • [SOURCE: ISO 22300:2018, 3.26, MODIFIED]
  • 6.
    • BUSINESS CONTINUITYPLAN DOCUMENTED INFORMATION (3.13) THAT GUIDES AN ORGANIZATION (3.31) TO RESPOND TO A DISRUPTION (3.12) AND RESUME, RECOVER AND RESTORE THE DELIVERY OF PRODUCTS AND SERVICES CONSISTENT WITH ITS BUSINESS CONTINUITY OBJECTIVES • [SOURCE: ISO 22300:2018, 3.27, MODIFIED. NOTE 1 TO ENTRY DELETED.] • BUSINESS IMPACT ANALYSIS PROCESS (3.40) OF ANALYZING THE IMPACT (3.18) OF A DISRUPTION (3.12) ON THE ORGANIZATION (3.31) • NOTE 1 TO ENTRY: THE OUTCOME IS A STATEMENT AND JUSTIFICATION OF BUSINESS CONTINUITY (3.3) REQUIREMENTS (3.45). • [SOURCE: ISO 22300:2018, 3.29, MODIFIED. NOTE 1 TO ENTRY ADDED.]
  • 7.
    • INCIDENT EVENT(3.16) THAT CAN BE, OR COULD LEAD TO, A DISRUPTION (3.12), LOSS, EMERGENCY (3.15) OR CRISIS • [SOURCE: ISO 22300:2018, 3.111, MODIFIED.] • DISRUPTION INCIDENT (3.19), WHETHER ANTICIPATED OR UNANTICIPATED, THAT CAUSES AN UNPLANNED, NEGATIVE DEVIATION FROM THE EXPECTED DELIVERY OF PRODUCTS AND SERVICES (3.41) ACCORDING TO AN ORGANIZATION’S (3.31) OBJECTIVES (3.30) • [SOURCE: ISO 22300:2018, 3.70, MODIFIED.]
  • 8.
    • CRISIS MANAGEMENT •HOLISTIC MANAGEMENT (3.135) PROCESS (3.180) THAT IDENTIFIES POTENTIAL IMPACTS (3.107) THAT THREATEN AN • ORGANIZATION (3.158) AND PROVIDES A FRAMEWORK FOR BUILDING RESILIENCE (3.192), WITH THE CAPABILITY FOR • AN EFFECTIVE RESPONSE THAT SAFEGUARDS THE INTERESTS OF THE ORGANIZATION’S KEY INTERESTED PARTIES (3.124), • REPUTATION, BRAND AND VALUE-CREATING ACTIVITIES (3.1), AS WELL AS EFFECTIVELY RESTORING OPERATIONAL • CAPABILITIES • NOTE 1 TO ENTRY: CRISIS MANAGEMENT ALSO INVOLVES THE MANAGEMENT OF PREPAREDNESS (3.172), MITIGATION (3.146) RESPONSE, AND CONTINUITY (3.49) OR RECOVERY (3.187) IN THE EVENT OF AN INCIDENT (3.111), AS WELL AS MANAGEMENT OF THE OVERALL PROGRAM THROUGH TRAINING (3.265), REHEARSALS AND REVIEWS (3.197) TO ENSURE THE PREPAREDNESS, RESPONSE AND CONTINUITY PLANS STAY CURRENT AND UP-TO-DATE. (ISO 22300:2018)
  • 9.
    • RECOVERY TIMEOBJECTIVE • RTO PERIOD OF TIME FOLLOWING AN INCIDENT (3.111) WITHIN WHICH A PRODUCT OR SERVICE (3.181) OR AN ACTIVITY (3.1) • IS RESUMED, OR RESOURCES (3.193) ARE RECOVERED • NOTE 1 TO ENTRY: FOR PRODUCTS, SERVICES AND ACTIVITIES, THE RECOVERY TIME OBJECTIVE IS LESS THAN THE TIME IT WOULD TAKE FOR THE ADVERSE IMPACTS (3.107) THAT WOULD ARISE AS A RESULT OF NOT PROVIDING A PRODUCT/SERVICE OR PERFORMING AN ACTIVITY TO BECOME UNACCEPTABLE. • SOURCE ISO 22300:2018
  • 10.
    • RECOVERY POINTOBJECTIVE • RPO POINT TO WHICH INFORMATION (3.116) USED BY AN ACTIVITY (3.1) IS RESTORED TO ENABLE THE ACTIVITY TO OPERATE ON RESUMPTION • NOTE 1 TO ENTRY: CAN ALSO BE REFERRED TO AS “MAXIMUM DATA LOSS”. • SOURCE ISO 22300:2018
  • 11.
    WHAT IS ANBCMS? • BUSINESS CONTINUITY IS THE CAPABILITY OF THE ORGANIZATION TO CONTINUE DELIVERY OF PRODUCTS OR SERVICES AT ACCEPTABLE PREDEFINED LEVELS FOLLOWING A DISRUPTIVE INCIDENT. BUSINESS CONTINUITY MANAGEMENT (BCM) IS THE PROCESS OF ACHIEVING BUSINESS CONTINUITY AND IS ABOUT PREPARING AN ORGANIZATION TO DEAL WITH DISRUPTIVE INCIDENTS THAT MIGHT OTHERWISE PREVENT IT FROM ACHIEVING ITS OBJECTIVES. • PLACING BCM WITHIN THE FRAMEWORK AND DISCIPLINES OF A MANAGEMENT SYSTEM CREATES A BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) THAT ENABLES BCM TO BE CONTROLLED, EVALUATED AND CONTINUALLY IMPROVED. • ANY INCIDENT, LARGE OR SMALL, NATURAL, ACCIDENTAL OR DELIBERATE HAS THE POTENTIAL TO CAUSE MAJOR DISRUPTION TO THE ORGANIZATION’S OPERATIONS AND ITS ABILITY TO DELIVER PRODUCTS AND SERVICES. HOWEVER, IMPLEMENTING BUSINESS CONTINUITY BEFORE A DISRUPTIVE INCIDENT OCCURS, RATHER THAN WAITING FOR THIS TO HAPPEN WILL ENABLE THE ORGANIZATION TO RESUME OPERATIONS BEFORE UNACCEPTABLE LEVELS OF IMPACT ARISE.
  • 12.
    FUNDAMENTAL PRINCIPLES • A)AWARENESS OF THE NEED FOR BCMS • B) ASSIGNMENT OF RESPONSIBILITY FOR BCMS • C) INCORPORATING MANAGEMENT COMMITMENT AND THE INTERESTS OF STAKEHOLDERS • D) ENHANCING SOCIETAL VALUES • E) RISK ASSESSMENTS DETERMINING APPROPRIATE CONTROLS TO REACH ACCEPTABLE LEVELS OF RISK • F) SECURITY INCORPORATED AS AN ESSENTIAL ELEMENT OF BCMS • G) ACTIVE PREVENTION AND DETECTION OF BUSINESS CONTINUITY INCIDENTS • H) ENSURING A COMPREHENSIVE APPROACH TO BUSINESS CONTINUITY MANAGEMENT • I) CONTINUAL REASSESSMENT OF BUSINESS CONTINUITY AND MAKING OF MODIFICATIONS AS APPROPRIATE.
  • 13.
    STEPS: 1. BEING CLEARON THE ORGANIZATION’S KEY PRODUCTS AND SERVICES AND THE ACTIVITIES THAT DELIVER THEM 2. KNOWING THE PRIORITIES FOR RESUMING ACTIVITIES AND THE RESOURCES THEY REQUIRE 3. HAVING A CLEAR UNDERSTANDING OF THE THREATS TO THESE ACTIVITIES, INCLUDING THEIR DEPENDENCIES, AND KNOWING THE IMPACTS OF NOT RESUMING THEM 4. HAVING TRIED AND TRUSTED ARRANGEMENTS IN PLACE TO RESUME THESE ACTIVITIES FOLLOWING A DISRUPTIVE INCIDENT; AND 5. MAKING SURE THAT THESE ARRANGEMENTS ARE ROUTINELY REVIEWED AND UPDATED SO THAT THEY WILL BE EFFECTIVE IN ALL CIRCUMSTANCES
  • 14.
    PURPOSE BCMS • BYFOCUSING ON THE IMPACT OF DISRUPTION RATHER THAN THE CAUSE, BUSINESS CONTINUITY IDENTIFIES THOSE ACTIVITIES ON WHICH THE ORGANIZATION DEPENDS FOR ITS SURVIVAL, AND ENABLES THE ORGANIZATION TO DETERMINE WHAT IS REQUIRED TO CONTINUE TO MEET ITS OBLIGATIONS. • THROUGH BUSINESS CONTINUITY, AN ORGANIZATION CAN RECOGNIZE WHAT NEEDS TO BE DONE TO PROTECT ITS RESOURCES (E.G. PEOPLE, PREMISES, TECHNOLOGY AND INFORMATION), SUPPLY CHAIN, INTERESTED PARTIES AND REPUTATION, BEFORE A DISRUPTIVE INCIDENT OCCURS. WITH THAT RECOGNITION, THE ORGANIZATION IS ABLE TO TAKE A REALISTIC VIEW ON THE RESPONSES THAT ARE LIKELY TO BE NEEDED AS AND WHEN A DISRUPTION OCCURS, SO THAT IT CAN BE CONFIDENT OF MANAGING THE CONSEQUENCES AND AVOID UNACCEPTABLE IMPACTS
  • 15.
    BENEFITS PROTECTS BUSINESS FROMA RANGE OF THREATS ENSURES BUSINESS CONTINUITY MINIMIZES FINANCIAL LOSS OPTIMIZES RETURN ON INVESTMENTS INCREASES BUSINESS OPPORTUNITIES
  • 19.
    BCMS FAMILY STANDARD ISO22300, SECURITY AND RESILIENCE — VOCABULARY ISO/IEC 22301, BUSINESS CONTINUITY MANAGEMENT SYSTEMS — REQUIREMENTS ISO/IEC 22313, SOCIETAL SECURITY — BUSINESS CONTINUITY MANAGEMENT SYSTEMS — GUIDANCE
  • 20.
  • 22.
    MAIN DIFFERENCE TOOTHER ISO STANDARD ARE • 4.2.2 LEGAL AND REGULATORY REQUIREMENTS • AND CLAUSE 8
  • 23.
    CLAUSE 8 OPERATION •8.1 OPERATIONAL PLANNING AND CONTROL • 8.2 BUSINESS IMPACT ANALYSIS AND RISK ASSESSMENT • 8.2.1 GENERAL • 8.2.2 BUSINESS IMPACT ANALYSIS • 8.2.3 RISK ASSESSMENT • 8.3 BUSINESS CONTINUITY STRATEGIES AND SOLUTIONS.. • 8.3.1 GENERAL • 8.3.2 IDENTIFICATION AND SELECTION OF STRATEGIES AND SOLUTIONS • 8.3.3 RESOURCE REQUIREMENTS • 8.3.4 IMPLEMENTATION OF SOLUTIONS
  • 24.
    • 8.4 BUSINESSCONTINUITY PLANS AND PROCEDURES • 8.4.1 GENERAL. • 8.4.2 RESPONSE STRUCTURE • 8.4.3 WARNING AND COMMUNICATION • 8.4.4 BUSINESS CONTINUITY PLANS • 8.4.5 RECOVERY • 8.5 EXERCISE PROGRAMME
  • 25.
    8.2.2 BIA, PROCESS(3.40) OF ANALYZING THE IMPACT (3.18) OF A DISRUPTION (3.12) ON THE ORGANIZATION (3.31) • A) DEFINES IMPACT CATEGORIES AND CRITERIA RELEVANT TO THE ORGANIZATION’S CONTEXT; • B) USES THESE IMPACT CATEGORIES AND CRITERIA FOR MEASURING IMPACT; • C) IDENTIFIES ACTIVITIES THAT SUPPORT THE PROVISION OF PRODUCTS AND SERVICES; • D) ANALYSES THE IMPACTS OVER TIME RESULTING FROM DISRUPTION OF THESE ACTIVITIES; • E) IDENTIFIES THE TIME WITHIN WHICH THE IMPACTS OF NOT RESUMING ACTIVITIES WOULD BECOME UNACCEPTABLE TO THE ORGANIZATION; • NOTE THIS MAY BE REFERRED TO AS MAXIMUM TOLERABLE PERIOD OF DISRUPTION (MTPD) • F) SETS PRIORITIZED TIMEFRAMES WITHIN THE TIME IDENTIFIED IN E) ABOVE FOR RESUMING DISRUPTED ACTIVITIES AT A SPECIFIED MINIMUM ACCEPTABLE CAPACITY; • NOTE THIS MAY BE REFERRED TO AS RECOVERY TIME OBJECTIVE (RTO) • G) USES THE BUSINESS IMPACTS TO IDENTIFY PRIORITIZED ACTIVITIES; • H) DETERMINES WHICH RESOURCES ARE NEEDED TO SUPPORT PRIORITIZED ACTIVITIES; • I) DETERMINES THE DEPENDENCIES AND INTERDEPENDENCIES OF PRIORITIZED ACTIVITIES.
  • 27.
  • 31.
    SELF ASSESSMENT BIA •IS THERE A FORMAL RISK ASSESSMENT PROCESS FOR ANALYZING THE RISK OF DISRUPTIVE INCIDENTS? • DOES THIS RISK ASSESSMENT METHOD IDENTIFY RISK TREATMENTS APPROPRIATE TO BC OBJECTIVES? • IS THERE EVIDENCE OF PRIORITIZING RISK TREATMENTS WITH COSTS IDENTIFIED? • SOURCE BSI SELF ASSESSMENT BIA
  • 32.
    8.2.3 RISK ASSESSMENT •THE ORGANIZATION SHALL IMPLEMENT AND MAINTAIN A SYSTEMATIC RISK ASSESSMENT PROCESS. • NOTE THIS PROCESS CAN BE MADE IN ACCORDANCE WITH ISO 31000. • THE ORGANIZATION SHALL: • A) IDENTIFY RISKS OF DISRUPTION TO THE ORGANIZATION'S PRIORITIZED ACTIVITIES AND TO THEIR SUPPORTING RESOURCES; • B) SYSTEMATICALLY ANALYSE RISKS OF DISRUPTION; • C) EVALUATE RISKS OF DISRUPTION WHICH REQUIRE TREATMENT
  • 33.
  • 36.
    8.3 BUSINESS CONTINUITYSTRATEGIES AND SOLUTIONS • BUSINESS CONTINUITY • CAPABILITY OF AN ORGANIZATION (3.158) TO CONTINUE THE DELIVERY OF PRODUCTS OR SERVICES (3.181) AT ACCEPTABLE PREDEFINED LEVELS FOLLOWING A DISRUPTION (3.70) • CONTINUITY • STRATEGIC AND TACTICAL CAPABILITY, PRE-APPROVED BY MANAGEMENT (3.135), OF AN ORGANIZATION (3.158) TO PLAN FOR AND RESPOND TO CONDITIONS, SITUATIONS AND EVENTS (3.82) IN ORDER TO CONTINUE OPERATIONS AT AN ACCEPTABLE PREDEFINED LEVEL
  • 37.
    • BASED ONTHE OUTPUTS FROM THE BUSINESS IMPACT ANALYSIS AND RISK ASSESSMENT. THE ORGANIZATION SHALL IDENTIFY AND SELECT BUSINESS CONTINUITY STRATEGIES THAT CONSIDER OPTION FOR BEFORE, DURING AND AFTER DISRUPTION. • 8.3.2 IDENTIFICATION OF STRATEGIES AND SOLUTION • 8.3.3 SELECTION OF STRATEGIES AND SOLUTIONS • 8.3.3 RESOURCE REQUIREMENTS • 8.3.4 IMPLEMENTATION OF SOLUTIONS
  • 38.
    • THE ORGANIZATIONSHALL IDENTIFY AND SELECT APPROPRIATE BUSINESS CONTINUITY STRATEGIES AND SOLUTIONS TAKING INTO CONSIDERATION THEIR ASSOCIATED COSTS FOR (GOAL FOR BC STRATEGY): • A) RESPONDING TO DISRUPTIONS; • B) CONTINUING AND RECOVERING PRIORITIZED ACTIVITIES AND THEIR REQUIRED RESOURCES TO MEET THE DELIVERY OF PRODUCTS AND SERVICES AT THE AGREED CAPACITY OVER TIME. • FOR THE PRIORITIZED ACTIVITIES, THE ORGANIZATION SHALL IDENTIFY AND SELECT STRATEGIES AND SOLUTIONS CONSIDERING BUSINESS CONTINUITY OBJECTIVES AND THE AMOUNT AND TYPE OF RISK THAT THE ORGANIZATION MAY OR MAY NOT TAKE THAT: • A) REDUCE THE LIKELIHOOD OF DISRUPTION; • B) SHORTEN THE PERIOD OF DISRUPTION; • C) LIMIT THE IMPACT OF DISRUPTION ON THE ORGANIZATION'S PRODUCTS AND SERVICES
  • 40.
    SELF ASSESSMENT BCSTRATEGY • IS THE BC STRATEGY BASED ON THE OUTPUTS OF THE BIA AND RISK ASSESSMENT? • DOES THE BC STRATEGY PROTECT PRIORITIZED ACTIVITIES AND PROVIDE APPROPRIATE CONTINUITY AND RECOVERY OF THEM, THEIR DEPENDENCIES AND RESOURCES? • DOES THE BC STRATEGY PROVIDE FOR MITIGATING, RESPONDING TO AND MANAGING IMPACTS? • HAVE PRIORITIZED TIME FRAMES BEEN SET FOR THE RESUMPTION OF ALL ACTIVITIES? • HAVE THE BC CAPABILITIES OF SUPPLIERS BEEN EVALUATED? • HAVE THE RESOURCE REQUIREMENTS FOR THE SELECTED STRATEGY OPTIONS BEEN DETERMINED, INCLUDING PEOPLE, INFORMATION AND DATA, INFRASTRUCTURE, FACILITIES, CONSUMABLES, IT, TRANSPORT, FINANCE AND PARTNER/SUPPLIER SERVICES? • HAVE MEASURES TO REDUCE THE LIKELIHOOD, DURATION OR IMPACT OF A DISRUPTION FOR IDENTIFIED RISKS BEEN CONSIDERED AND IMPLEMENTED, AND ARE THESE IN ACCORDANCE WITH THE ORGANIZATION’S RISK APPETITE?
  • 41.
8.4 Business continuity plans and procedures
• The organization shall implement and maintain a structure that will enable timely warning and communication to relevant interested parties. It shall provide plans and procedures to manage the organization during a disruption. The plans and procedures shall be used when required to activate business continuity solutions.
• The procedures shall:
  a) be specific regarding the immediate steps that are to be taken during a disruption;
  b) be flexible to respond to changing internal and external conditions of a disruption;
  c) focus on the impact of incidents that potentially lead to disruption;
  d) be effective in minimizing impact through implementation of appropriate solutions;
  e) assign roles and responsibilities for tasks within it.
Self assessment: BCP
• Have BC procedures been put in place to manage a disruptive incident, and have continuity activities based on recovery objectives been identified in the BIA?
• Are the business continuity procedures documented?
• Have internal and external communication protocols been established as part of these procedures?
• Source: BSI self assessment ISO 22301
8.4.2 Response structure
• The organization shall implement and maintain a structure identifying one or more teams responsible for responding to disruptions.
• For each team there shall be:
  a) identified personnel and their associates with the necessary responsibility, authority and competence to perform their designated role;
  b) documented procedures to guide their actions (see 8.4.4), including those for the activation, operation, coordination and communication of the response.
Self assessment: incident response structure (IRS)
• Are the management structure and trained personnel in place to respond to a disruptive incident?
• Do the IRS and associated procedures include thresholds, assessment, activation, resource provision and communication?
• Do the people in your IRS have the necessary competency to perform their duties, and have you kept records to demonstrate their competence?
8.4.3 Warning and communication
• 8.4.3.1 The organization shall document and maintain procedures for:
  a) communicating internally and externally to relevant interested parties, including what, when, with whom and how to communicate;
  NOTE: The organization may document and maintain procedures for how, and under what circumstances, the organization communicates with employees and their emergency contacts.
  b) receiving, documenting and responding to communications from interested parties, including any national or regional risk advisory system or equivalent;
  c) ensuring availability of the means of communication during a disruption;
  d) facilitating structured communication with emergency responders;
  e) details of the organization's media response following an incident, including a communications strategy;
  f) recording details of the disruption, actions taken and decisions made.
• The communication and warning procedures shall be exercised as part of the organization's exercise programme referred to in 8.5.
Self assessment: incident communications and warnings
1. Is there a procedure for detecting and monitoring incidents?
2. Is there a procedure for managing internal communications and external communications from interested parties during a disruptive incident?
3. Is there a procedure for receiving and responding to warnings from outside agencies and emergency responders?
4. Is there a structure to communicate with emergency responders and other authorities during an incident, or, for responding organizations, are communications interoperable with others?
5. Is there a procedure for recording vital information about the incident, actions taken and decisions made?
6. Is there a procedure for issuing alerts and warnings if appropriate?
7. Are the organization's communication and warning systems regularly exercised, and are records kept of the results?
8.4.4 Business continuity plans
• 8.4.4.1 The business continuity plans shall provide guidance and information that will assist the teams to respond to a disruption and assist the organization with response and recovery.
• Collectively, the business continuity plans shall contain:
  a) details of the actions that the teams will take in order to continue or recover prioritized activities within predetermined timeframes and to monitor the effects of the disruption and the organization's response to it;
  b) reference to the pre-defined threshold and process for activating the response;
  c) procedures to enable the delivery of products and services at agreed capacity to interested parties;
  d) details to manage the immediate consequences of a disruption, giving due regard to:
     1) the welfare of individuals;
     2) prevention of further loss or unavailability of prioritized activities;
     3) protection of the environment;
  e) a process for standing down once the incident is over.
Each business continuity plan shall have:
1. purpose and scope, and objectives;
2. roles and responsibilities of the team that will implement the plan;
3. actions and resources to implement the solutions;
4. supporting information needed to activate (including activation criteria), operate, coordinate and communicate the team's actions;
5. internal and external interdependencies;
6. resource requirements;
7. reporting requirements.
• Each plan shall be usable and available at the time and place at which it is required.
Self assessment: business continuity response and recovery plans
1. Are there documented plans/procedures for restoring business operations after an incident?
2. Do these plans reflect the needs of those who will use them?
3. Do the plans define roles and responsibilities?
4. Do the plans define a process for activating the response?
5. Do the plans consider the management of the immediate consequences of a disruption, in particular the welfare of individuals, options for response and further loss prevention?
6. Do the plans detail how to communicate with the various interested parties during the disruption?
7. Do the plans contain details on how prioritized activities will be continued or recovered within predetermined time frames?
8. Is there a planned media response to an incident?
9. Do the plans include a procedure for standing down the response?
10. Does each plan contain the essential information to use it effectively?
8.4.5 Recovery
• The organization shall have documented processes to restore and return business activities from the temporary measures adopted to support normal business requirements during and after a disruption.
Self assessment: exercising and testing
1. Have business continuity procedures been tested to ensure they are consistent with your BC objectives?
2. Do top management "actively engage" in testing and exercising the BCMS?
3. Are the test exercises clearly defined, consistent with the scope of the BCMS and business continuity objectives, and based on appropriate scenarios?
4. Will the test exercises that have been conducted over time validate the whole of the organization's business continuity arrangements?
5. Are the test exercises designed to minimize the risk of disruption to operations?
6. Have formal post-exercise reports been produced for the conducted tests?
7. Are the outcomes of exercises reviewed to ensure they lead to improvement?
8. Are test exercises undertaken at planned intervals and when significant changes occur, and is this process documented within the BCMS?
8.5 Exercise programme
• The organization shall implement and maintain a programme of exercising and testing to validate over time the effectiveness of its business continuity strategies and solutions.
• The organization shall conduct exercises and tests that:
  a) are consistent with its business continuity objectives;
  b) are based on appropriate scenarios that are well planned with clearly defined aims and objectives;
  c) develop teamwork, competence, confidence and knowledge for those who have roles to perform in relation to disruptions;
  d) taken together over time, validate the whole of its business continuity strategies;
  e) produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements;
  f) are reviewed within the context of promoting continual improvement;
  g) are performed at planned intervals and when there are significant changes within the organization or the context in which it operates.
• The organization shall act on the results of its exercising and testing to implement changes and improvements.
Short-term goals and performance objectives should be established and include the following:
(1) recovery of critical or time-sensitive personnel, systems, operations, records, and equipment;
(2) agreed-upon priorities for restoration and mitigation;
(3) length of downtime acceptable before restoration to a minimal level is required;
(4) minimal acceptable level of resources needed to provide for the restoration of facilities, processes, programs, services, and infrastructure.
Interrelation with ISO 27001
• A.17 Information security aspects of business continuity management
• A.17.1 Information security continuity
  Objective: Information security continuity shall be embedded in the organization's business continuity management systems.
• A.17.1.1 Planning information security continuity
  Control: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
• A.17.1.2 Implementing information security continuity
  Control: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
• A.17.1.3 Verify, review and evaluate information security continuity
  Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
ISO 22301 mandatory documents
• List of legal, regulatory and other requirements (clause 4.2.2) – lists everything you need to comply with.
• Scope of the BCMS and explanation of exclusions (clause 4.3) – defines where your BCMS will be implemented.
• Business continuity policy (clause 5.2) – defines main responsibilities and the intent of the management.
• Business continuity objectives (clause 6.2) – defines measurable objectives that are to be achieved with business continuity.
• Competencies of personnel (clause 7.2) – defines the knowledge and skills needed.
• Business continuity plans and procedures (clause 8.4) – includes plans and procedures for response, communication, recovery (including disaster recovery plans), restore and return activities.
• Documented communication with interested parties (clause 8.4.3.1) – these could be emails, but also official communication from sources such as government agencies and others.
• Records of important information about the disruption, actions taken and decisions made (clause 8.4.3.1) – normally these records are kept through minutes or by filling out checklists of performed activities.
• Data and results of monitoring and measurement (clause 9.1.1) – this is the evaluation of whether your BCMS met the objectives.
• Internal audit program (clause 9.2)
• Results of internal audit (clause 9.2) – normally, this is the internal audit report.
• Results of management review (clause 9.3) – usually, this is in the form of minutes or perhaps documented decisions.
• Nature of nonconformities and actions taken (clause 10.1) – this is a description of nonconformities, and their cause.
• Results of corrective actions (clause 10.1) – this is a description of what has been done to eliminate the cause of a nonconformity.
• Source: Advisera, https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
Commonly used non-mandatory BCMS documents and records
• Procedure for identification of applicable legal and regulatory requirements (clause 4.2.2)
• Implementation plan for achieving the business continuity objectives (clause 6.2)
• Training and awareness plan (clauses 7.2 and 7.3)
• Procedure for control of documented information (clause 7.5)
• Contracts and service level agreements (SLAs) with suppliers and outsourcing partners (clause 8.1)
• Process for business impact analysis and risk assessment (clause 8.2.1)
• Results of business impact analysis (clause 8.2.2)
• Results of risk assessment (clause 8.2.3)
• Strategies and solutions for business continuity (clause 8.3.3)
• Incident scenarios (clause 8.5)
• Exercise and testing plans (clause 8.5)
• Post-exercise reports (clause 8.5)
• Results of post-incident review (clause 8.6)
• Methods for monitoring, measurement, analysis and evaluation (clause 9.1.1)
• Procedure for internal audit (clause 9.2)
• Procedure for corrective action (clause 10.1)
• Source: Advisera, https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
Differences between ISO 22301:2012 and ISO 22301:2019
• The 2019 edition is significantly less detailed and prescriptive than its predecessor. However, in the process of removing the detail and providing less direction, the standard places greater emphasis on the skills and competence of those individuals who are responsible for designing and implementing the management system processes. There are no substantial changes in the processes that make up a business continuity management system (BCMS), and the same end results are required.
• Clause 6.1.2 now makes it clear that the risks (and opportunities) that need to be addressed relate to the effectiveness of the BCMS, as opposed to the risks of disruption, which are addressed by clause 8.2.3. The same relationship is intended in other standards such as ISO 27001, and if you are implementing a BCMS, you will need to work out how to meet the requirements of this clause.
• Source: https://www.urmconsulting.com/2019/12/10/iso-223012019-released-5-key-changes/
• The requirements for conducting the pivotal business impact analysis (BIA) are now clearer. The relationship between unacceptable impact, maximum tolerable period of disruption and prioritized timeframes for activity resumption is defined, as well as using the BIA to identify 'prioritized activities'. The 2012 edition required prioritized timeframes simply to consider impact. It should be noted that there is no specific requirement in the 2019 version to document the BIA process.
• A key assurance process, evaluation of procedures, specifically requires the suitability, adequacy and effectiveness of BIAs and risk assessments to be evaluated. This was previously only an implicit requirement in the name of effectiveness, but it points to the key role played by BIAs and risk assessments.
• The concept of minimum activity levels has shifted, from the need to identify minimum levels of products and services and minimum acceptable levels of activity, the linking of which is implicit, to the minimum acceptable capacity of resumed activities.
Phases of business continuity planning: business impact analysis (BIA)
Phases of business continuity planning
• BC planning typically includes five phases:
  1. BCP governance
  2. Business impact analysis (BIA)
  3. Documents, controls, measures, and arrangements for BC
  4. Readiness activities
  5. Assessment process
1. BCP governance: to establish control
• The governance structure is often in the form of a steering committee and a list of appropriate committees, working groups and teams to develop and execute the plan(s)/documents.
• Team members should be selected from trained and experienced personnel who are knowledgeable about their responsibilities.
• The number and scope of the teams will vary depending on the organization's size, function and structure.
• It may be necessary to have multitask teams and to provide cross-team training.
• The team data shall be documented in the plans/documents.
• Consider decentralization as a way to provide better resiliency.
• Examples:
  • Alternate site coordination team
  • Contracting and procurement team
  • Damage assessment team
  • Crisis management team
  • Finance and accounting team
  • Hazardous materials team
  • Insurance team
  • Legal issues team
  • Telecommunications / alternate communications team
  • Equipment team
  • Public and media relations team
  • Transport coordination team
  • Records management team
• The duties and responsibilities for each team must be defined, and include identifying:
  1. the team leader;
  2. the team members;
  3. the specific team tasks;
  4. members' authority and responsibilities;
  5. possible alternate members;
  6. creation of a contact list.
Business continuity planning
1. BCP governance
2. Business impact analysis (BIA)
3. Documents, controls, measures, and arrangements for BC
4. Readiness activities
5. Assessment
2. Business impact analysis (BIA)
• Process of analyzing the activities and the effect that a business disruption might have upon them (source: ISO 22301:2019).
• BIA is all about data analysis to identify:
  1) the organization's mandate and critical services or products;
  2) the priority of services or products for continuous delivery or rapid recovery;
  3) the possible internal and external threats; and
  4) the impact of the threats.
1. Information on the organization's mandate and critical services or products can be obtained from:
   • the mission statement of the organization;
   • legal requirements for delivering specific services and products;
   • contracts and other obligations.
2. Critical services or products must be prioritized based on minimum acceptable delivery levels and the maximum period of time without delivery.
3. Identify impacts of disruptions to determine:
   • how long the organization could function without the service/product provision, and
   • how long clients would accept unavailability of its services or products.
BIA related activities
1) Supply chain analysis
2) Assessment of the most critical business components
3) IT continuity analysis
4) Identify areas of potential revenue loss
5) Identify any additional expenses
6) Identify intangible losses
7) Identify insurance requirements
8) Identify dependencies
9) Analyze current recovery capabilities
1. Supply chain analysis
• Conduct a supply chain impact analysis. The evaluation metrics may include the following:
  1) revenue impact
  2) reputation impact
  3) operational impact
  4) production impact
  5) delivery impact
  6) research and development impact
  7) delay impact
  8) staffing impact
• Find out if these members of the supply chain have BC/DR plans, and if you can review them / share yours with them.
• Identify and evaluate each link in terms of business impact to find the high-impact link(s).
2. Assessment of the most critical business components
• To create a complete business continuity plan, you need to assess the impact of interruption on four components:
  1) people (key persons, key competencies)
  2) physical property (equipment, storage, alternate facilities, …)
  3) systems (hardware, software, email, phone systems, communication stations, …)
  4) data (critical to run your business)
• Both data and systems are IT systems (IT continuity).
3. Conduct IT continuity analysis
• Decide which of the organization's IT functions/assets are essential for business continuity.
• Decide how to manage the technology systems in the event of a major disruption.
• Check the existence and suitability of IS policies / procedures / IT continuity plans.
• Review computer data backups, cabling, IT service providers' capabilities, …
4. Identify areas of potential revenue loss
• Determine which processes and functions that support service or product delivery are involved with the creation of revenue.
• If these processes and functions are not performed, is revenue lost? How much? And for what length of time?
• If clients cannot access certain services or products, would they then need to go to another provider, resulting in further loss of revenue?
5. Identify additional expenses
• If a business function or process is inoperable:
  1) how long would it take before additional expenses would start to add up?
  2) how long could the function be unavailable before extra personnel would have to be hired?
  3) would penalties from breaches of legal responsibilities, agreements, or governmental regulations be an issue, and if so,
  4) what are the penalties?
6. Identify intangible losses
• Estimates are required to determine the approximate cost of:
  • the loss of consumer/investor confidence
  • damage to reputation
  • loss of competitiveness
  • reduced market share
  • violation of laws and regulations
  • business relationships with vendors
  • increased insurance cost
  • loss of employees
  • loss of financial support and cash flow
  • loss of community support
  • cost of equipment and facilities used during recovery
  • replacement, restoration and recovery costs not adjusted for inflation
  • increased cost when operations resume
7. Identify insurance requirements
• What needs insurance
• The existing insurance
• The level of coverage
• What aspects may be over- or under-insured
• Is there a policy/document in place related to the insurance?
8. Identify dependencies
• Identify the internal and external dependencies of critical services or products.
• Identify the expected impacts from a disruption to those dependencies.
• Internal dependencies include:
  1. employees (availability, competencies);
  2. corporate assets such as equipment, facilities, computer applications, data, tools, vehicles;
  3. support services such as finance, human resources, security, and IT support.
• External dependencies include:
  1. suppliers;
  2. any external corporate assets such as equipment, facilities, computer applications, data, tools, and vehicles;
  3. any external support services such as:
     • facility management
     • utilities
     • communications
     • transportation
     • finance institutions
     • insurance providers
     • government services
     • legal services
     • health and safety services
9. Analyze current recovery capabilities
• Analyze the recovery capabilities the organization already has in place, and their continued applicability.
• Try to answer the following questions:
  1) Can employees work from home or another location?
  2) Do I need a pre-determined alternate facility?
  3) Do I have enough spare parts / IT equipment?
  4) Do critical vendors and suppliers have their business continuity plans/documents?
3. Documents, controls, measures, and arrangements for BC
• This step consists of the preparation of the management system documentation, including:
  1) detailed response plans / recovery plans
  2) policies / objectives
  3) arrangements
• Consider the critical vendors' and suppliers' business continuity plans.
• Focus on three categories of protection/safety to help survive a disaster:
  1. human resources
  2. physical resources
  3. business operations
1. Human resources
• Consider the possible impact a disaster may have on your employees' ability to return to work.
• Alternate staffing plans (to ensure your business stays functional when a large percentage of your staff is unable to come to work).
• Consider how your customers can reach you or receive your goods/services.
• Create evacuation plans.
• Develop and post evacuation routes / assembly locations; create a phone tree; consider having an employee emergency number.
2. Physical resources
• Building (maintenance, fire system, …)
• Interior and exterior components (equipment, hardware/software)
• Materials / spare parts
• Alternate facilities (three types):
  1. cold site (the least expensive option)
  2. warm site (more expensive than cold sites)
  3. hot site (the most expensive option)
3. Business operations / processes
1) Critical inputs – things needed to do your job
2) Critical outputs – things you produce that others want or need to do their job
3) Outsourced processes
• Examples of resiliency plans/documents and arrangements:
  1) an alternate telecommunication provider
  2) an emergency backup generator in case of a power outage
  3) agreements with a fuel provider
  4) an alternate work site and equipment
  5) an annual meeting with critical vendors to discuss their recovery operations and locations
  6) developing relationships with contractors/vendors
  7) creating manual processes to be used in case the computers are unavailable
  8) mitigating the different threats
• The response preparation procedures answer:
  1) "What to do before a disruption occurs?" (proactive activities)
  2) "What to do when a disruption occurs?" (response, recovery, continuity)
  3) "What to do after a disruption occurs?" (lessons learned / change management)
4. Readiness activities
• Awareness
• Individual and team task training
• Procedures exercises / testing
• Post-exercise evaluation
Goals of procedures exercises / testing
1. Test all components of the plan, including hardware, software, personnel, data and voice communications, etc.
2. Ensure the understanding and workability of documented recovery procedures.
3. Adapt and update existing plans to encompass new requirements.
4. Train team leaders and members in the procedures of executing the continuity plan.
5. Obtain information about recovery strategy implementation.
6. Verify that recovery strategies are viable.
7. Demonstrate that output performance of the backup systems and networks is consistent with production systems and
5. Assessment
• How to assess the plan's accuracy and effectiveness
• How to conduct the internal or external audit (BC readiness audit)
• Identify needed improvements
How to perform a BC readiness audit
1. Check for the existence of the following documents/information:
   • emergency procedures
   • evacuation plan
   • fire protection plan
   • environmental policies
   • safety and health program
   • security procedures
   • finance / purchasing procedures
   • facility closing policy
   • process safety assessment
   • mutual aid agreements
   • hot / cold site agreements
   • capital improvement program
   • hazardous materials / waste disposal
   • alternative or manual procedures
   • disaster recovery plans for information resources
• Based on the review, ask the following questions:
  • How would your organization resume operations after:
    • loss of access to your facility,
    • loss of access to your information resources (IR), or
    • loss of key personnel?
  • Have any audit findings been reported from internal or external auditors?
  • Would most individuals know how to report or respond to an event?
  • If policies relative to recovery efforts are in place, who knows about them?
  • Do people know if they have recovery responsibilities? Are program managers aware of their owner and user security responsibilities?
• Has testing been done to see how people would react during a recovery effort in the following areas:
  • senior management
  • management information systems / security information technology
  • risk management
  • internal departments
  • auditing
  • vendors
  • telecommunications
• 12. Check to see if:
  • computer backups (PC, LAN, mainframe) are being taken off-site according to policy;
  • alternate work locations are available;
  • items required to be off-site are really there;
  • security measures are being followed;
  • emergency equipment (generally UPS, batteries, etc.) is working correctly;
  • emergency lighting is in good working order and in the correct places.
8.2.3 Risk assessment
• The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.
• NOTE: This process could be made in accordance with ISO 31000.
• The organization shall:
  a) identify risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them;
  b) systematically analyse risk;
  c) evaluate which disruption-related risks require treatment; and
  d) identify treatments commensurate (appropriate) with business continuity objectives and in accordance with the organization's risk appetite.
Risk criteria
• Reference against which the significance of a risk is evaluated to determine the level of risk.
• Risk criteria can be derived from:
  1) standards
  2) laws
  3) policies
  4) any other requirements (interested parties).
• Risk criteria are based on organizational objectives and context.
• Level of risk is the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.
• The risk criteria include:
  1) risk evaluation criteria
  2) risk impact criteria
  3) risk acceptance criteria.
Risk matrix (likelihood x consequences)

Likelihood \ Consequences   Slightly            Moderate            High
Low                         Unimportant risk    Acceptable risk     Uncontrolled risk
Medium                      Acceptable risk     Uncontrolled risk   Important risk
High                        Uncontrolled risk   Important risk      Unacceptable risk
Risk matrix control plan (risk level: action and timescale)
• Unimportant: No action is required and no documented records need to be kept.
• Acceptable risk: No additional controls are required. Consideration may be given to a more cost-effective solution or improvement that imposes no additional cost burden. Monitoring is required to ensure that the controls are maintained.
• Uncontrolled risk: Efforts should be made to reduce the risk, but the costs of prevention should be carefully measured and limited. Risk reduction measures should be implemented within a defined time period. Where the moderate risk is associated with extremely harmful consequences, further assessment may be necessary to establish more precisely the likelihood of harm as a basis for determining the need for improved control measures.
• Important risk: Work should not be started until the risk has been reduced. Considerable resources may have to be allocated to reduce the risk. Where the risk involves work in progress, urgent action should be taken.
• Unacceptable risk: Work should not be started or continued until the risk has been reduced. If it is not possible to reduce the risk even with unlimited resources, work has to remain prohibited.
Risk score matrix (score = probability x consequence)

Probability \ Consequence    1    2    3    4    5
5                            5   10   15   20   25
4                            4    8   12   16   20
3                            3    6    9   12   15
2                            2    4    6    8   10
1                            1    2    3    4    5

Legend:
• ≥ 20: E, extreme risk – immediate action required
• > 10 and < 20: H, high risk – urgent management attention needed
• > 5 and ≤ 10: M, medium risk – management attention as soon as possible
• < 5: L, low risk – periodical evaluation
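As an added worked example (not from the slides), the following Python scores a small constructed risk register with the 5x5 matrix and legend above, then applies a risk acceptance criterion in the sense of the risk criteria slide and the risk-appetite requirement in 8.2.3 d). Two points are assumptions rather than slide content: a risk's consequence rank is taken as the highest rank across its impact categories, and a score of exactly 5, which the printed legend does not cover, is treated as Low.

```python
"""Added worked example, not part of the original slides: score a constructed
risk register with the 5x5 probability x consequence matrix and legend, then
flag the risks that exceed a stated risk appetite (risk acceptance criterion).
Assumptions: worst impact category sets the consequence rank; score 5 -> Low."""
from dataclasses import dataclass

# Legend as printed on the slide: >=20 E, >10 and <20 H, >5 and <=10 M, <5 L.
LEVEL_ACTION = {
    "E": "Extreme risk - immediate action required",
    "H": "High risk - urgent management attention needed",
    "M": "Medium risk - management attention as soon as possible",
    "L": "Low risk - periodical evaluation",
}
LEVEL_ORDER = "LMHE"  # ascending severity, used by the acceptance check


def check_rank(value, what: str) -> int:
    """Both axes of the matrix are ranked 1..5; reject anything else."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{what} must be an integer rank 1..5, got {value!r}")
    return value


def risk_level(score: int) -> str:
    """Map a probability x consequence product (1..25) onto the legend."""
    if score >= 20:
        return "E"
    if score > 10:
        return "H"
    if score > 5:
        return "M"
    # The legend says "< 5" is Low and leaves exactly 5 undefined;
    # assumption: the boundary value 5 is treated as Low as well.
    return "L"


@dataclass
class Risk:
    name: str
    probability: int   # likelihood rank 1..5
    impacts: dict      # impact category -> consequence rank 1..5

    def consequence(self) -> int:
        # Assumption: the worst affected category sets the consequence rank.
        return max(check_rank(v, f"{self.name}/{k}") for k, v in self.impacts.items())

    def score(self) -> int:
        return check_rank(self.probability, f"{self.name}/probability") * self.consequence()


def assess(register):
    """Return one row per risk (name, ranks, score, level, action), highest score first."""
    rows = []
    for r in register:
        score = r.score()
        level = risk_level(score)
        rows.append({"name": r.name, "probability": r.probability,
                     "consequence": r.consequence(), "score": score,
                     "level": level, "action": LEVEL_ACTION[level]})
    rows.sort(key=lambda row: row["score"], reverse=True)
    return rows


def needs_treatment(rows, appetite: str = "M"):
    """Risk acceptance criterion: any level above the appetite requires treatment."""
    limit = LEVEL_ORDER.index(appetite)
    return [row["name"] for row in rows if LEVEL_ORDER.index(row["level"]) > limit]


# Constructed sample register; the names and ranks are illustrative only.
SAMPLE_REGISTER = [
    Risk("Loss of primary data centre", 2, {"InfSec": 5, "Financial": 4, "Customer": 4}),
    Risk("Key supplier insolvency", 3, {"Delivery": 4, "Financial": 3}),
    Risk("Ransomware on file servers", 4, {"InfSec": 4, "Legal": 3}),
    Risk("Short power outage at site", 5, {"Operational": 1}),
    Risk("Single key-person absence", 3, {"People": 2}),
]

if __name__ == "__main__":
    rows = assess(SAMPLE_REGISTER)
    for row in rows:
        print(f"{row['score']:>2} {row['level']}  {row['name']}: {row['action']}")
    print("Requires treatment (appetite M):", needs_treatment(rows))
```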
Impact / consequences scale (rank 1 and parts of rank 2 are not recoverable from the slide)

Rank 5 (Very High)
• Financial loss: >1M
• Strategic directions and objectives: negative impact on strategic directions execution
• Customer: contract termination
• Legal: closure
• OHS: fatality / catastrophe / fatal occupational illness
• Env.: permanent damage
• InfSec.: permanent loss of the service

Rank 4 (High)
• Financial loss: 250K to 1M
• Strategic directions and objectives: negative impact on execution of 2 objectives
• Customer: major product/service recall
• Legal: non-renewal of one of the legal documents
• OHS: partial / complete incapacity
• Env.: long-time damage
• InfSec.: long-time non-availability of the service

Rank 3 (Moderate)
• Financial loss: 50K to 250K
• Strategic directions and objectives: negative impact on execution of 1 objective
• Customer: minor product/service recall
• Legal: formal violations
• OHS: lost working days / work-related illness
• Env.: limited damage / kills fauna, flora; concerns global issues
• InfSec.: temporary non-availability of the service

Rank 2 (Slight)
• Strategic directions and objectives: negative
• Customer: complaint
• Legal: notice
• OHS: medical treatment case / restricted
• Env.: aspect causes slight impact on fauna or
• InfSec.: slight impact on the service
    Impact scale (columns: Impact; Reputation; Financial (Corporate); Financial (Site); Legal; Customer)
    Very High: Regional media coverage over multiple days or global media coverage; More than $100M; More than $10M; closure notice; Ending the contract
    High: National media coverage over multiple days or single regional media coverage; $10M - $100M; $1M - $10M; no renewal of operating permit; Major product recall
    Moderate: Local media coverage over multiple days or single national media coverage; $1M - $10M; $100K - $1M; violation notice payment; partial product recall
    Low: Single local media coverage; $100K - $1M; $10K - $100K; violation notice explanation; product price concession
    Verbal
  • 117.
  • 118.
    AGENDA • BUSINESS CONTINUITY PLANNING • BUSINESS CONTINUITY IMPLEMENTATION ROADMAP • BCP IN TIMES OF COVID-19 • CHALLENGES AND BEST PRACTICES
  • 119.
    Business Continuity Planning • "Planning to continue the Business" • Not a new concept. A fancy name for common sense. In reality, we have been performing Business Continuity Planning for centuries • But still, many organizations struggled to restart operations during COVID-19 • So we need more than just common sense. We need a structured and formal implementation of common sense.
  • 120.
    What we do not fully do in BAU common sense 1. Agree timelines, worst case and best case (MTPD and RTO) 2. Base it fully on facts and data (consequences of downtime) 3. Consultative process involving all interested parties 4. Comprehensive, documented and signed off 5. Communicate to all who need to know, including relevant third parties and service providers 6. Practice, test & exercise. Review. Maintain & continually improve. Amazingly, this works…!!
  • 121.
    Challenges for cyber professionals • An uneven battle against an unknown enemy who has nothing better to do • You have other matters to focus on, but they have a single-point agenda – to damage • You constantly focus on getting better and better – but so do they • By the sheer law of averages, once in a while they will succeed • At those times, your best bet is to be able to restart fast and with minimum loss. So you need the world's best Business Continuity readiness • Have you formally put in place the 6 Rs (Reduce, Respond, Recover, Resume, Restore, Return)? • When did you last practice them?
  • 122.
    Challenges for cyber professionals (newspaper clipping: Economic Times, June 24 2020)
  • 123.
    SOME REASONS FOR OUTAGES (GLOBAL DATA)
    Power Outage 31.1%
    Storm Damage 11.5%
    Flood/Water 8.5%
    Power surge 8.2%
    Hurricane 7.2%
    Fire 6.6%
    Hardware error 5.6%
    Earthquake 4.3%
    Network Outage 3.6%
    Human Error 3.5%
    Bombing 2.5%
    Others 7.4%, including: Software Error 1.2%, Employee sabotage 1.2%, Burst water pipe 1.2%, Miscellaneous 3.8%
    Source: Contingency Planning Research Inc.
  • 124.
    BUSINESS CONTINUITY IS A WISE INVESTMENT • MINIMIZE BUSINESS DISRUPTIONS AND QUICKLY RECOVER • RETAIN BUSINESS MODEL AND INCREASE MARKET SHARE AND PROFITS • PROTECT THE ORGANIZATION'S VALUE AND REPUTATION • CORPORATE GOVERNANCE AND SHAREHOLDER COMMITMENT • NATIONAL REQUIREMENTS • CONTRACTUAL COMMITMENTS, LEGAL AND REGULATORY COMPLIANCE • MORAL AND SOCIAL RESPONSIBILITIES • DEMONSTRATE "BEST PRACTICE" • REDUCE INSURANCE LIABILITIES | Lack of BCP is a self goal
  • 125.
    TYPICAL STEPS: Business Continuity Implementation Roadmap
  • 126.
    INTERNATIONAL BCM STANDARD – ISO 22301
    Clause 1 : Scope
    Clause 2 : Normative references
    Clause 3 : Terms and definitions
    Clause 4 : Context of the organisation
    Clause 5 : Leadership
    Clause 6 : Planning
    Clause 7 : Support
    Clause 8 : Operation
    Clause 9 : Performance evaluation
    Clause 10 : Improvement
  • 127.
    Please implement a BCMS – not just BCM • "Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity" – ISO 22301 • Ensure continual improvement via the PDCA cycle
  • 128.
    BCP in times of COVID-19. COVID-19 is different from a typical Business Continuity situation • Much longer duration • No clarity on final resolution • Triggered not by damage to resources • Entire ecosystem is impacted. SOME POSITIVES • Realization by all • Even the PM asked entities to implement Business Continuity • Tolerance – "It's OK" • Permanent mindset changes
  • 129.
    Suggestions for professionals • Don't stop now – complete the journey • Protect yourself against other new threats – implement the full BCM cycle • Use this opportunity to create permanent BCM readiness and awareness across all segments • Get your people ISO 22301 trained and your organization ISO 22301 compliant – or even ISO 22301 certified
  • 130.
    IMPLEMENT THE FULL BCM LIFECYCLE – Best Practices • Commitment of top management • Competency of all resources • Right communication and tools • Clearly defined roles, responsibilities, and authorities • Continued management focus on the BCM program • Choose the right people • Provide effective training in advance of the implementation
  • 131.
    Build culture across all Interested Parties
    External interested parties: Customers, Citizens, Distributors, Shareholders, Investors, Owners, Insurers, Government, Regulators, Recovery Services, Suppliers, Competitors, Media, Commentators, Trade Groups, Neighbours, Pressure Groups, Emergency Services, Transport Services, Other Response Agencies, Dependents of staff
    THE ORGANIZATION: Top Management (those who establish policies and objectives for the BCMS); Those who set up & manage BC; Those who maintain BC procedures; Owners of business continuity procedures; Incident Response Personnel; Those with authority to invoke; Appropriate spokespeople; Response Teams; Other Staff; Contractors
  • 132.
    Build Culture via Training and Awareness (Group/Audience: Training)
    Top Management: Awareness, Crisis Management, Crisis Communication
    Core BCM Team: CBCI / Lead Implementer, Lead Auditor
    Core BCM Team: Specialised courses (BIA, RA, Plan Writing, Testing etc.)
    Department Coordinator / BC Champions: Implementer, Internal Auditor
    Audit Team: Internal Auditor, Lead Auditor
    All Employees: Awareness
  • 133.
    Build Culture via tests and exercises (chart, GRAPH NOT TO SCALE; exercise types on the horizontal axis: Review / Walkthrough, Table Top, Call Tree, Simulation, IT / Work Area Recovery, Integrated; series plotted: Cost, Complexity, Risk (of disturbance due to test), Assurance, Frequency; vertical axis 0 to 7)
  • 134.
    ENSURE REVIEW, MAINTENANCE AND IMPROVEMENT • MAINTENANCE • ADVANCED TESTING AND EXERCISING • ONGOING AWARENESS AND TRAINING • INTERNAL AUDIT AND SELF-ASSESSMENT • MANAGEMENT REVIEW • SUPPLIER REVIEW • CORRECTIONS AND CORRECTIVE ACTIONS • BENCHMARKING • CONTINUAL IMPROVEMENT • INSTILLING A BCM MINDSET
  • 135.
    Way Forward => Organizational Resilience: THE ABILITY OF AN ORGANISATION TO ABSORB AND ADAPT IN A CHANGING ENVIRONMENT (BCI GPG 2018 / ISO 22316:2017)