Business Continuity Management System (BCMS)
ISO 22301
- Pradeepraj K
What is ISO 22301?
• The ISO 22301:2019 business continuity standard helps organizations implement a business continuity management system (BCMS) that is appropriate to their needs and meets their stakeholders' requirements.
• An organization's BCM needs are shaped by its size and structure, its stakeholders, and regulatory, industry and organizational factors.
• The international standard is vital to protect organizations and help them respond effectively to, and recover from, disruption when an incident occurs.
• A BCMS is a management system that aims to implement, operate, monitor, and improve business processes and procedures. It should provide business continuity.
Objectives:
A BCMS specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.
Some of the core concepts of ISO 22301

| Concepts | Comments |
|---|---|
| Context of the organization | The environment in which the organization operates, including internal and external factors that can have an effect on your business continuity plans. |
| Interested parties | A person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity. Examples include suppliers, customers or competitors. You may refer to them as stakeholders. |
| Leadership | Requirements specific to top management, who are defined as a person or group of people who directs and controls an organization at the highest level. |
| Performance evaluation | The measurement of performance and effectiveness of the BCMS, covering the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. |
| Maximum Acceptable Outage (MAO) | The time it would take for adverse impacts to become unacceptable. This is the same as 'maximum tolerable period of disruption (MTPD)'. |
| Minimum Business Continuity Objective (MBCO) | The minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption. |
Details about BIA and BCP
• A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies.
• Potential loss scenarios should be identified during a risk assessment.
• A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue operating during an unplanned event.
• The BCP states the essential functions of the business, identifies which systems and processes must be sustained, and details how to maintain them.
Details about RPO, RTO, MAO, MBCO
• RTO is the goal your organization sets for the maximum length of time it should take to restore normal operations following an outage or data loss.
• Recovery time objective (RTO) is the set maximum time a business function or service can be disrupted or unavailable before it causes serious and irreversible impact on the organization.
• Maximum Allowable Outage (MAO) is the timeframe during which a recovery must become effective before an outage compromises the ability of an organization to achieve its business objectives and/or survival. Thus, MAO is the same as RTO.
• The Minimum Business Continuity Objective (MBCO) defines the minimum level of services or production that should be achieved following disruption to achieve an acceptable proportion of the business objectives.
Residual Risks and Resilience
• Resilience is about addressing the root causes of crises while strengthening the capacities and resources of a system.
• The disaster risk that remains in unmanaged form, even when effective disaster risk reduction.
• Residual risk is what remains after efforts to identify and eliminate risks have been made. Learn how to calculate this important type of risk.
• There will always be some level of residual risk, but it should be as low as you can reasonably be expected to make it.
• Residual risk is important for several reasons. First to consider is that residual risk is the risk "left over" after security controls and process improvements have been applied.
BCMS Policy of Sify
• We, at Sify, are committed to our customers in particular and society at large, specifically in our business continuity strategy for Data Center Co-Location Services, in line with all existing regulatory, operational and other civic requirements of all stakeholders.
• We shall have set objectives to achieve them over a period of time, improvising businesses with resilience, for global sustainability, by adapting technology innovations as required.
Case Study I: Data Center
Google, Oracle Data Centers Knocked Offline by London Heat
• Cooling failed at a Google Cloud data center in London on the day when the UK experienced a record-breaking temperature of more than 40C (104F). Oracle's London region also suffered cooling issues.
• Multiple Google services were brought down on Tuesday at 18:13 local time (01:13 ET), according to the Google status page, which described the failure as "cooling related."
• Google said the outage only affected a small number of customers - including DCD - and it persisted at least till 2200 BST.
• "There was a cooling-related failure in one of our buildings that hosts a portion of capacity for zone Europe-west2-a, for region Europe-west2, that is now resolved," said the status report.
• Among the services affected were Google Cloud, Persistent Disk, and Autoscaling. By 22:00 BST, some users still faced impact with HDD-backed Persistent Disk volumes showing IO errors.
Case Study II: Data Center
GOOGLE DATA CENTER EXPLOSION CAUSES INJURIES
• A total of three people sustained serious burns yesterday following an electrical explosion at a Google data center in Iowa.
• First responders were sent to Google's data center in Council Bluffs, Iowa, Monday afternoon to respond to a report of an electrical explosion with three people critically injured.
• All three victims were taken to the Nebraska Medical Center, with two taken by ambulance and one taken by helicopter.
• Data centers can be knocked offline for a slew of different reasons.
• In fact, just last month data centers owned by Google and Oracle were forced offline in the U.K. due to the record-breaking heat wave.
• Both companies cited problems with their data center's cooling systems for causing the outages as temperatures topped 104 degrees Fahrenheit.
SIFY INTERNAL AUDIT TEAM SERVICE CATALOGUE
• Internal Audit
• QMS Maintenance
• Facilitation of the External Certifications
• QMS Training and Awareness
• QMS Manual Development
• Risk Register Management
• Quality Impact Assessment
• Bespoke
You can find us at Sify_IA@sifycorp.com
External Reference
Case Study I Link:
https://www.datacenterdynamics.com/en/news/cooling-failure-brings-down-google-cloud-data-center-in-london-on-uks-hottest-day/#:~:text=Outages-,Cooling%20failure%20brings%20down%20Google%20Cloud%20data,London%20on%20UK's%20hottest%20day&text=Cooling%20failed%20at%20a%20Google,region%20also%20suffered%20cooling%20issues
Case Study II Link:
Google Data Center Explosion Causes Injuries | CRN
Thank you
