ISO 22301:2019: Security and resilience — Business continuity management systems — Requirements
Presentation outline
• ISO
• Business continuity
• Importance of formalized business continuity
management system
• ISO 22301
• Principles and requirements of ISO 22301:2019
WHAT IS ISO?
 Acronym for the International Organization for Standardization
 Derived from the Greek word isos, meaning equal
 Founded by delegates from 25 countries meeting in London in 1946; began operations on 23 February 1947
 Headquarters in Geneva, Switzerland
 Membership covers about 97% of the world's population, about 173 countries
 Members have equal voting rights
 Standards are the same wherever they are applied
 Standards cover products, processes and systems
About ISO
• Founded in 1947
• Independent
• Non-governmental organization
• Global network of national standards bodies*
• One member per country represented by
NSBs
• ISO membership comes with rights,
benefits, obligations and good practice
• Nigeria is represented by SON
*NSB = national standards body: the single national body that is most representative of standardization in its country
The ISO brand
 Democratic: every member has an equal vote.
 Voluntary: ISO itself does not regulate or legislate.
 Market-driven and consensus-based: ISO standards retain their position as the state of the art.
 Globally relevant: ISO standards are technical agreements which provide the framework for compatible technology worldwide. They are designed to be globally relevant, that is, useful everywhere in the world.
What is business continuity and why is it important?
• Business continuity is an organization's ability to maintain essential
functions during and after a disaster has occurred.
• Business continuity planning establishes risk management processes
and procedures that aim to prevent interruptions to mission-critical
services, and reestablish full function to the organization as quickly
and smoothly as possible.
• The most basic business continuity requirement is to keep essential
functions up and running during a disaster and to recover with as little
downtime as possible.
• A business continuity plan considers various unpredictable events,
such as natural disasters, fires, disease outbreaks, cyberattacks and
other external threats.
• Business continuity is important for organizations of any size, but
it might not be practical for any but the largest enterprises to
maintain all functions for the duration of a disaster.
• According to many experts, the first step in business continuity
planning is deciding what functions are essential and allocating
the available budget accordingly. Once crucial components have
been identified, administrators can put failover mechanisms in
place.
• Technologies such as disk mirroring enable an organization to
maintain up-to-date copies of data in geographically dispersed
locations, not just in the primary data center. This enables data
access to continue uninterrupted if one location is disabled and
protects against data loss.
Why is business continuity important?
• At a time when downtime is unacceptable, business continuity is
critical.
• Downtime comes from a variety of sources. Some threats, such as
cyberattacks and extreme weather, seem to be getting worse.
• It's important to have a business continuity plan in place that
considers any potential disruptions to operations.
• The plan should enable the organization to keep running at least at
a minimal level during a crisis. Business continuity helps the
organization maintain resiliency, in responding quickly to an
interruption.
• Strong business continuity saves money, time and company
reputation. An extended outage risks financial, personal and
reputational loss.
• Business continuity requires an organization to take a
look at itself, analyze potential areas of weakness and
gather key information -- such as contact lists and
technical diagrams of systems -- that can be useful
outside of disaster situations.
• In undertaking the business continuity planning process,
an organization can improve its communication,
technology and resilience.
• Business continuity might even be a requirement for legal
or compliance reasons. Especially in an era of increased
regulation, it's important to understand which regulations
affect a given organization.
What does business continuity include?
• Business continuity is a proactive way to ensure
mission-critical operations proceed during a disruption.
• A comprehensive plan includes contact information,
steps for what to do when faced with a variety of
incidents and a guide for when to use the document.
• Business continuity features clear guidelines for what an
organization must do to maintain operations. If the time
comes for response, there should be no question about
how to move forward with business processes. The
company, customers and employees are all potentially
at stake.
• Proper business continuity includes different levels of response.
Not everything is mission-critical, so it's important to lay out what is
most vital to keep running, and what could stand to come back
online at later times.
• It's crucial to be honest about recovery time objectives
and recovery point objectives.
• The process includes the whole organization, from executive
management on down. Although IT might drive the business
continuity, it's essential to get buy-in from management and
communicate key information to the entire organization.
• One other important area of collaboration is with the security team. Although the two groups often work separately, an organization can gain a lot by sharing information across these departments. At the very least, everyone should know the basic steps for how the organization plans to respond.
What are the key elements of business
continuity management?
BCM is a holistic management process that integrates
various elements, namely :
• Business Continuity Plan (BCP),
• Emergency Response,
• Crisis Management,
• Disaster Recovery,
• Risk Management,
• Business Impact Analysis,
• Resilience and Reputation Management.
Three key components of a business
continuity plan
• A business continuity plan has three key elements:
Resilience, recovery and contingency.
• An organization can increase resilience by designing
critical functions and infrastructures with various disaster
possibilities in mind; this can include staffing rotations,
data redundancy and maintaining a surplus of capacity.
Ensuring resiliency against different scenarios can also
help organizations maintain essential services on
location and off site without interruption.
• Rapid recovery to restore business functions after a disaster is
crucial. Setting recovery time objectives for different systems,
networks or applications can help prioritize which elements must be
recovered first. Other recovery strategies include resource
inventories, agreements with third parties to take on company activity
and using converted spaces for mission-critical functions.
• A contingency plan has procedures in place for a variety of external
scenarios and can include a chain of command that distributes
responsibilities within the organization. These responsibilities can
include hardware replacement, leasing emergency office spaces,
damage assessment and contracting third-party vendors for
assistance.
Business continuity vs. disaster recovery
• Like a business continuity plan, disaster recovery
planning specifies an organization's planned strategies for
post-failure procedures. However, a disaster recovery
plan is just a subset of business continuity planning.
• Disaster recovery plans are mainly data focused,
concentrating on storing data in a way that can be more
easily accessed following a disaster. Business continuity
takes this into account, but also focuses on the risk
management, oversight and planning an organization
needs to stay operational during a disruption.
Business continuity development
• Business continuity starts with initiating the planning
project. Business impact analysis (BIA) and risk
assessment are essential steps in gathering information
for the plan.
• Conducting a BIA can reveal any possible weaknesses,
as well as the consequences of a disaster on various
departments. The BIA report informs an organization of
the most crucial functions and systems to prioritize in a
business continuity plan.
• A risk assessment identifies potential hazards
to an organization, such as natural disasters,
cyberattacks or technology failures. Risks can
affect staff, customers, building operations and
company reputation. The assessment also
details what or who a risk could harm, and the
likeliness of the risks.
• The BIA and risk assessment work hand in
hand. The BIA provides details on potential
effects to the possible disruptions outlined in
the risk assessment.
Business continuity management
• It's important to designate who will manage business
continuity. It could be one person, if it's a small business,
or it could be a whole team for a larger organization.
Business continuity management software is also an
option. Software -- either on premises or cloud-based --
helps conduct BIAs, create and update plans and pinpoint
areas of risk.
• Business continuity is an evolving process. As such, an
organization's business continuity plan shouldn't just sit on
a shelf. The organization should communicate its contents
to as many people as possible. Implementation of business
continuity isn't just for times of crisis; the organization
should have training exercises, so employees know what
they'll be doing in the event of an actual disruption.
• Business continuity testing is critical to its success. It's difficult to
know if a plan is going to work if it hasn't been tested. A business
continuity test can be as simple as a tabletop exercise, where
staff discuss what will happen in an emergency. More rigorous
testing includes a full emergency simulation. An organization can
plan the test in advance or perform it without notice to better
mimic a crisis.
• Once the organization completes a test, it should review how it
went and update the plan accordingly. It's likely that some parts of
the plan will go well but other actions might need adjusting. A
regular schedule for testing is helpful, especially if the business
changes its operations and staff frequently. Comprehensive
business continuity undergoes continual testing, review and
updating.
Background
How was ISO 22301 formed?
Contributors (the list of contributing bodies was shown as a graphic on this slide)
Context
• Source documents included
– BS 25999-2
– NFPA 1600
– ASIS organizational resilience (OR) standard
– Singapore standards
– ISO 27031
– ISO Guide 73
– ISO/PAS 22399
• So ISO 22301 is not simply an international version of
BS 25999
Publication Timeline (figure)
• ISO 22301 BCM – Requirements: DIS public commenting period, then FDIS development, FDIS published and final ISO publication, spread over the quarters of 2011 and 2012.
• ISO 22313 BCM – Guidelines: document out for public comment; publication date shown as "???" (not yet known when the slide was prepared; the figure also shows Q3 2013).
• The 2019 column marks the current revision, ISO 22301:2019.
ISO 22301 Key Points
(Societal Security – BCMS)
"...standardization in the area of
societal security, aimed at
increasing crisis management and
business continuity capabilities, i.e.
through improved technical, human,
organizational, and functional
interoperability as well as shared
situational awareness, amongst all
interested parties."
ISO 22301:2019 structure
0 Introduction
1 Scope
2 Normative references (ISO 22300 terminology; ISO Guide 73, the risk management vocabulary, was also cited by the 2012 edition)
3 Terms and definitions
4 Context of the organisation
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement
Key Changes / Aspects…
Notable shifts in emphasis from BS 25999-2:2007 (as of 2013)
• Change in the way an organisation may be defined.
• Top management leadership shall be more demonstrable
and active.
• Preventive action has been replaced with "actions to address
risks and opportunities" and features earlier.
• ISO 22301 puts a much greater emphasis on setting the
objectives, monitoring performance and metrics, aligning
BC to top management strategic thinking.
Key Changes / Aspects…
• Strong emphasis on performance evaluation & metrics.
• Communication elements more demanding and there is a
responsibility to the wider community defined.
• BIA similar but with some changes to terminology.
• There is a stronger link to the organisation's approach to risk.
• To reflect the Societal security approach some new
terminology has been introduced, see ISO 22300.
Benefit of BCM - sudden disruption
Figure 2 - Illustration of BCM being effective for sudden disruption. (Diagram: level of operations against time. Operations drop sharply at the disruption; with BCM, impacts are mitigated, responded to and managed (1) and the disruption is shortened (2), with resumption of activities at an acceptable level within the acceptable timeframe. The target resumption time and the maximum acceptable time are marked on the time axis.)
Benefit of BCM - gradual disruption
Figure 3 - Illustration of BCM being effective for gradual disruption (e.g. approaching pandemic). (Diagram: level of operations against time. Operations decline gradually; a controlled response keeps them above the minimum acceptable level of operations, recovery with BCM is contrasted with recovery without BCM, and the disruption is shortened (2) so that activities resume at an acceptable level within the acceptable timeframe. The target resumption time and the maximum acceptable time are marked on the time axis.)
ISO 22301 structure compared with BS 25999-2
ISO 22301:
4 Context of the organisation
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement
BS 25999-2:
3 Planning the BCMS
-Scope, objectives, policy
-Resources
-Competency
-Embedding
-Documentation
4 Implementing and operating the BCMS
-BIA
-Risk and risk choices*
-Strategy
-Incident response, IMP, BCP
-Exercising, review
5 Monitoring and reviewing the BCMS
-Internal audit
-Management review
6 Maintaining and improving the BCMS
-Preventive*, corrective and improvement actions
1.Scope
• Specifies requirements to implement, maintain and improve a
management system to protect against, reduce the likelihood of
the occurrence of, prepare for, respond to and recover from
disruptions when they arise.
Applicable to all types and sizes of organizations that:
• a) implement, maintain and improve a BCMS;
• b) seek to ensure conformity with stated business continuity policy;
• c) need to be able to continue to deliver products and services at
an acceptable predefined capacity during a disruption;
• d) seek to enhance their resilience through the effective application
of the BCMS.
2 Normative references
• ISO 22300, Security and resilience — Vocabulary
3 Terms and definitions
Activity:
set of one or more tasks with a defined output
Audit :
systematic, independent and documented process for obtaining audit
evidence and evaluating it objectively to determine the extent to which
the audit criteria are fulfilled
Business continuity:
capability of an organization to continue delivery of products and
services within acceptable time frames at predefined capacity during
a disruption.
Business continuity management system (BCMS)
• management system for business continuity
Business continuity plan
• documented information that guides an organization to
respond to a disruption and resume, recover and restore
the delivery of products and services consistent with its
business continuity objectives
Business impact analysis
• process of analyzing the impact of a disruption on the
organization
Competence
• ability to apply knowledge and skills to achieve
intended results
Conformity
• fulfilment of a requirement
Prioritized activity
• activity to which urgency is given in order to avoid
unacceptable impacts to the business during a
disruption .
Resilience :
• ability to absorb and adapt in a changing environment
3. Terms & Definitions…
• Business continuity plan
• Correction
• Corrective action
• Interested party
• Maximum acceptable
outage (MAO)
• Maximum tolerable period
of disruption (MTPD)
• Minimum business
continuity objective
(MBCO)
4 Context of the organization
4.1 Understanding of the organization and its context
• The organization shall determine external and internal
issues that are relevant to its purpose and that affect its
ability to achieve the intended outcome(s) of its BCMS.
4.2 Understanding the needs and expectations of
interested parties
4.2.1 General
When establishing its BCMS, the organization shall
determine:
• a) the interested parties that are relevant to the BCMS;
• b) the requirements of these interested parties
4.2.2 Legal and regulatory requirements
The organization shall:
• a) implement and maintain a process to identify, have
access to, and assess the applicable legal and regulatory
requirements related to the continuity of its products and
services, processes, activities and resources, as well as
the interests of relevant interested parties;
• b) ensure that these applicable legal, regulatory and other
requirements are taken into account in implementing and
maintaining its BCMS;
• c) document this information and keep it up-to-date.
4.3 Determining the scope of the
business continuity management
system
4.3.1 General
• The organization shall determine the boundaries and
applicability of the BCMS to establish its scope.
• When determining this scope, the organization shall
consider:
 a) the external and internal issues referred to in 4.1;
 b) the requirements referred to in 4.2.
 The scope shall be available as documented information.
4.3.2 Scope of the BCMS
The organization shall:
• a) consider its mission, goals, and internal and external obligations;
• b) establish the parts of the organization to be included in the
BCMS, taking into account its location(s), size, nature and
complexity;
• c) identify the products and services and their related processes,
activities and resources to be included in the BCMS;
• d) take into account interested parties' needs.
When defining the scope, the organization shall document and explain
exclusions; any such exclusions shall not affect the organization's
ability and responsibility to provide business continuity, as determined
by the business impact analysis or risk assessment and applicable
legal or regulatory requirements.
4.4 Business continuity management
system
The organization shall establish, implement,
maintain and continually improve a BCMS,
including the processes needed and their
interactions, in accordance with the requirements
of this document (ISO 22301).
Context - Interested Parties
5 Leadership
5.1 Leadership and commitment
• Top management shall demonstrate leadership and commitment with
respect to the BCMS by:
• a) ensuring that the business continuity policy and business continuity
objectives are established and are compatible with the strategic direction
of the organization;
• b) ensuring the integration of the BCMS requirements into the organization's
business processes;
• c) ensuring that the resources needed for the BCMS are available;
• d) communicating the importance of effective business continuity and
conforming to the BCMS requirements;
• e) ensuring that the BCMS achieves its intended outcome(s);
• f) directing and supporting persons to contribute to the effectiveness of the
BCMS;
• g) supporting other relevant management roles to demonstrate their
leadership and commitment as it applies to their areas of responsibility;
• h) promoting continual improvement.
5.2.1 Top management shall establish a
business continuity policy that:
• a) is appropriate to the purpose of the organization;
• b) provides a framework for setting business continuity
objectives;
• c) includes a commitment to satisfy applicable
requirements;
• d) includes a commitment to continual improvement of
the BCMS.
5.2.2 The business continuity policy
shall:
• a) be available as documented information;
• b) be communicated within the organization;
• c) be available to interested parties, as appropriate.
5.3 Organizational roles,
responsibilities and authorities
Top management shall ensure that the responsibilities and
authorities for relevant roles are assigned and
communicated within the organization.
Top management shall assign the responsibility and
authority for:
• a) ensuring that the BCMS conforms to the requirements of this
document;
• b) reporting on the performance of the BCMS to top management
Evidencing Leadership to an
Auditor
• Top management are the group of individuals who set the strategic
direction of an organization and approve the allocations of resources
to the organization or business area within the scope of your BCMS.
• Depending on the size and how your organization is structured,
these individuals may or not be the day-to-day management team.
• An auditor will typically test leadership commitment by interviewing
one or more members of your top management and assessing their
level of involvement and participation in the:
• evaluation of risks and opportunities
• establishment and communication of policies
• setting and communication of objectives
• review and communication of system performance
• allocation of appropriate resources, accountabilities and
responsibilities
6 Planning
6.1 Actions to address risks and opportunities
• When planning for the BCMS, the organization shall consider the issues
referred to in 4.1 and the requirements referred to in 4.2 and determine
the risks and opportunities that need to be addressed to:
• a) give assurance that the management system can achieve its intended
outcome(s);
• b) prevent, or reduce, undesired effects;
• c) achieve continual improvement.
• The organization shall plan:
• a) actions to address these risks and opportunities,
• b) how to:
• 1) integrate and implement the actions into its BCMS processes (see
8.1),
• 2) evaluate the effectiveness of these actions (see 9.1).
6. Planning
• Section 6.1 talks about risks and 6.2 about objectives
• Standardized text but might confuse
– Having fully understood the context of the organisation, planning
activities are introduced to address the risks and opportunities of
the business.
– This proactive approach, if carried out properly, will ensure a
resilient BCM system as it will focus on planning for successfully
achieving BCM objectives and realising opportunities for
improvement.
– Ownership and accountability of BC objectives will be allocated
and a clear direction to accomplishing these objectives will be
agreed.
6.2 Business continuity objectives
and planning to achieve them
6.2.1 The organization shall establish business continuity objectives
at relevant functions and levels.
• The business continuity objectives shall:
• a) be consistent with the business continuity policy;
• b) be measurable (if practicable);
• c) take into account applicable requirements;
• d) be monitored;
• e) be communicated;
• f) be updated as appropriate.
• The organization shall retain documented information on the
business continuity objectives.
Context
Requirement for documenting:
• links between the business continuity policy and the
organization’s objectives and other policies, including its
overall risk management strategy; and the organization’s
risk appetite.
• The requirement to have procedures which identify legal
and regulatory requirements.
• There is also a requirement to keep this information up to
date which must tie in with maintenance.
6.2.2 When planning how to achieve its
business continuity objectives, the organization
shall
determine:
• a) what will be done;
• b) what resources will be required;
• c) who will be responsible;
• d) when it will be completed;
• e) how the results will be evaluated.
6.3 Planning of changes to the
BCMS
When the organization determines the need for changes to the
BCMS, including those identified in
• clause 10 improvement, the changes shall be carried out in a
planned manner.
• The organization shall consider:
• a) the purpose of the changes and their potential
consequences;
• b) the integrity of the BCMS;
• c) the availability of resources;
• d) the allocation or reallocation of responsibilities and
authorities
7 Support
7.1 Resources
• The organization shall determine and provide
the resources needed for the establishment,
• implementation, maintenance and continual
improvement of the BCMS
7.2 Competence
The organization shall:
• a) determine the necessary competence of person(s) doing work
under its control that affects its
• business continuity performance;
• b) ensure that these persons are competent on the basis of
appropriate education, training, or
• experience;
• c) where applicable, take actions to acquire the necessary
competence, and evaluate the effectiveness
• of the actions taken;
• d) retain appropriate documented information as evidence of
competence.
7. Support
7.2 Competence
• The organisation (generally acknowledged to be through its
Top Management) has a responsibility to ensure that sufficient
and appropriate resource is available for the BCMS.
Appropriateness is often determined through competency
analysis
• It is people who take action when an incident occurs
– Competence relates both to operating the BCMS AND
to performing following an incident
– Note also 7.3 d) – everyone has to be aware of their role during
disruptive incidents
7.3 Awareness
Persons doing work under the organization's control shall
be aware of:
• a) the business continuity policy;
• b) their contribution to the effectiveness of the BCMS,
including the benefits of improved business continuity
performance;
• c) the implications of not conforming with the BCMS
requirements;
• d) their own role and responsibilities before, during and
after disruptions.
7.4 Communication
The organization shall determine the internal and external
communications relevant to the BCMS including:
• a) on what it will communicate;
• b) when to communicate;
• c) with whom to communicate;
• d) how to communicate;
• e) who will communicate.
Communication
• external communication with customers, partner entities, local
community, and other interested parties, including the media,
• receiving, documenting, and responding to communication
from interested parties,
• adapting and integrating a national or regional threat advisory
system, or equivalent, into planning and operational use, if
appropriate,
• ensuring availability of the means of communication during a
disruptive incident, facilitating structured communication with
appropriate authorities and ensuring the interoperability of
multiple responding organizations and personnel, where
appropriate, and
• operating and testing of communications capabilities intended
for use during disruption of normal communications.
7.5 Documented information
7.5.1 General
• The organization's BCMS shall include:
• a) documented information required by this
document;
• b) documented information determined by the
organization as being necessary for the
effectiveness of the BCMS.
7.5.2 Creating and updating
When creating and updating documented
information, the organization shall ensure
appropriate:
• a) identification and description (e.g. a title,
date, author or reference number);
• b) format (e.g. language, software version,
graphics) and media (e.g. paper, electronic),
• c) review and approval for suitability and
adequacy
7.5.3 Control of documented information
7.5.3.1 Documented information required by the BCMS and by this
document shall be controlled to ensure:
• a) it is available and suitable for use, where and when it is needed;
• b) it is adequately protected (e.g. from loss of confidentiality,
improper use, or loss of integrity).
7.5.3.2 For the control of documented information, the organization
shall address the following activities, as applicable:
• a) distribution, access, retrieval and use;
• b) storage and preservation, including preservation of legibility;
• c) control of changes (e.g. version control);
• d) retention and disposition.
Documented information of external origin determined by the
organization to be necessary for the planning and operation of the
BCMS shall be identified, as appropriate, and controlled
8 Operation
8.1 Operational planning and control
• The organization shall plan, implement and control the processes
needed to meet requirements, and to
• implement the actions determined in 6.1, by:
• a) establishing criteria for the processes;
• b) implementing control of the processes in accordance with the
criteria;
• c) keeping documented information to the extent necessary to have
confidence that the processes have been carried out as planned.
• The organization shall control planned changes and review the
consequences of unintended changes, taking action to mitigate any
adverse effects, as necessary.
• The organization shall ensure that outsourced processes and the
supply chain are controlled.
8.2 Business impact analysis and risk assessment
8.2.1 General
• The organization shall implement and maintain a process for
analyzing business impact and assessing risks of disruption that
establishes the context, defines criteria and evaluates the
potential impact of a disruption
8.2.2 Business impact analysis
The organization shall implement and maintain a process for
determining business continuity priorities and requirements that:
• a) defines impact categories and criteria relevant to the
organization’s context;
• b) uses these impact categories and criteria for measuring impact;
• c) identifies activities that support the provision of products and
services;
• d) analyses the impacts over time resulting from
disruption of these activities;
• e) identifies the time within which the impacts of not
resuming activities would become unacceptable to the
organization
• f) sets prioritized timeframes within the time identified in
e) above for resuming disrupted activities at a specified
minimum acceptable capacity; this may be referred to
as the recovery time objective (RTO);
• g) uses the business impacts to identify prioritized
activities;
• h) determines which resources are needed to support
prioritized activities;
• i) determines the dependencies and interdependencies
of prioritized activities.
BIA
• a) identifying activities that support the provision of
products and services;
• b) assessing the impacts over time of not performing
these activities;
• c) setting prioritized timeframes for resuming these
activities at a specified minimum acceptable level, taking
into consideration the time within which the impacts of
not resuming them would become unacceptable; and
• d) identifying dependencies and supporting resources for
these activities, including suppliers, outsource partners and
other relevant interested parties.
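The 8.2.2 steps above (impact over time, the point at which impact becomes unacceptable, an RTO set inside that point, and dependencies between prioritized activities) are easier to see worked through on data. The following is an added example written for this page; it is not code from the standard or from the presentation. The impact scale (1 to 5, with 4 or more treated as unacceptable), the policy of setting the RTO at half the maximum tolerable period of disruption, and the activity data are all constructed assumptions. The point it makes that the text alone does not: a supporting activity whose own impact curve never looks serious still inherits the RTO of whatever prioritized activity depends on it.

```python
"""Worked BIA prioritisation: impact over time -> MTPD -> RTO, with dependency
propagation. Added example; not from ISO 22301 or this presentation. All data,
thresholds and the RTO margin are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed impact criterion (8.2.2 a/b): scores 1..5, a score >= 4 is "unacceptable".
UNACCEPTABLE_IMPACT = 4


@dataclass
class Activity:
    name: str
    impact_over_time: Dict[int, int]                      # outage hours -> impact score (8.2.2 d)
    depends_on: List[str] = field(default_factory=list)   # supporting activities (8.2.2 i)


def mtpd(activity: Activity) -> Optional[int]:
    """Maximum tolerable period of disruption (8.2.2 e): the shortest analysed
    outage at which impact reaches the unacceptable threshold, or None if the
    impact stays acceptable across the whole horizon analysed."""
    for hours in sorted(activity.impact_over_time):
        if activity.impact_over_time[hours] >= UNACCEPTABLE_IMPACT:
            return hours
    return None


def initial_rto(activity: Activity, margin: float = 0.5) -> Optional[int]:
    """RTO must fall inside the MTPD (8.2.2 f). Using half the MTPD is a
    constructed policy for this example, not a figure from the standard."""
    limit = mtpd(activity)
    return None if limit is None else max(1, int(limit * margin))


def prioritise(activities: List[Activity]) -> Dict[str, int]:
    """Return {activity: RTO hours} for the prioritised activities (8.2.2 g/h/i),
    sorted by RTO then name.

    An activity with no MTPD is not prioritised on its own account, but if a
    prioritised activity depends on it, it inherits that activity's RTO: a
    supporting resource cannot be recovered later than what it supports. The
    loop runs to a fixpoint, so chains and cycles of dependencies are handled."""
    by_name = {a.name: a for a in activities}
    rto: Dict[str, Optional[int]] = {a.name: initial_rto(a) for a in activities}
    changed = True
    while changed:
        changed = False
        for act in activities:
            own = rto[act.name]
            if own is None:
                continue
            for dep in act.depends_on:
                if dep not in by_name:
                    raise KeyError(f"{act.name} depends on unknown activity {dep!r}")
                if rto[dep] is None or rto[dep] > own:
                    rto[dep] = own          # pull the supporting activity forward
                    changed = True
    prioritised = {n: t for n, t in rto.items() if t is not None}
    return dict(sorted(prioritised.items(), key=lambda kv: (kv[1], kv[0])))


# Constructed sample BIA data: impact score after 4, 8, 24, 72 and 168 hours of outage.
ACTIVITIES = [
    Activity("order_processing", {4: 2, 8: 3, 24: 4, 72: 5}, depends_on=["erp", "email"]),
    Activity("payroll", {24: 1, 72: 2, 168: 4}, depends_on=["erp"]),
    Activity("erp", {24: 2, 72: 3, 168: 3}),        # tolerable on its own account
    Activity("email", {24: 1, 72: 2, 168: 3}),
    Activity("marketing_site", {72: 1, 168: 2}),    # never reaches the threshold
]

if __name__ == "__main__":
    for act in ACTIVITIES:
        print(f"{act.name:<18} MTPD={mtpd(act)!s:>5}h  own RTO={initial_rto(act)!s:>5}h")
    print("prioritised after dependency propagation:", prioritise(ACTIVITIES))
```

Run as a script it lists each activity's MTPD and own RTO, then the prioritised set: order_processing gets a 12 hour RTO from its 24 hour MTPD, and erp and email, which have no MTPD of their own, are pulled forward to 12 hours because order_processing depends on them; marketing_site is left out of the prioritised activities. This is the check a BIA reviewer should make by hand: walk each prioritised activity's dependencies and confirm none has a longer RTO than the activity it supports.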
8.2.3 Risk assessment
The organization shall implement and maintain a systematic
risk assessment process. This process can be carried out in
accordance with ISO 31000.
The organization shall:
• a) identify risks of disruption to the organization's
prioritized activities and to their supporting resources;
• b) systematically analyse risks of disruption;
• c) evaluate risks of disruption which require treatment.
Risk Assessment
• This means the organization shall establish, implement,
and maintain a formal documented risk assessment
process that systematically identifies, analyses, and
evaluates the risk of disruptive incidents to the
organization.
• NOTE This process could be made in accordance with
ISO 31000.
• The organization shall identify risks of disruption to the
organization's prioritized activities and to the processes,
systems, information, people, assets, outsource partners
and other resources that support them, and shall analyse,
evaluate and treat those risks.
8.3 Business continuity strategies
and solutions
8.3.1 General
• The organization shall identify and select business
continuity strategies based on the outputs from the
business impact analysis and risk assessment.
• The business continuity strategies shall comprise one or
more solutions.
8.3.2 Identification and selection of
strategies and solutions
The organization shall identify and select appropriate business
continuity strategies and solutions taking into consideration their
associated costs for:
• a) responding to disruptions;
• b) continuing and recovering prioritized activities and their required
resources to meet the delivery of products and services at the
agreed capacity over time.
For the prioritized activities, the organization shall identify and select
strategies and solutions considering business continuity objectives and
the amount and type of risk that the organization may or may not take
that:
• a) reduce the likelihood of disruption;
• b) shorten the period of disruption;
• c) limit the impact of disruption on the organization's products and
services.
Strategy
• BS25999-2 had 4.1.3 Determining Choices and 4.2
Determining business continuity strategy
• ISO 22301 better defined
– Decide what you are going to do to reduce the likelihood
and impact as well as how to respond (these are not
alternative approaches)
– Set RTOs
– Work out the resource requirements
– Act on the protection and mitigation needed
– Evaluate business continuity capability of suppliers
Incident Response Structure
• Broadly equivalent to 4.3.2 in BS25999
– “Impact thresholds” is new
– Personnel to assess the incident
– Communication mentions “authorities” and “media”
explicitly
– External communications a new requirement. Life safety
explicitly mentioned.
8.3.3 Resource requirements
The organization shall determine the resource requirements to
implement the selected business continuity solutions. The types of
resources considered shall include but not be limited to:
• a) people;
• b) information and data;
• c) physical infrastructure such as buildings, work places or other
facilities and associated utilities;
• d) equipment and consumables;
• e) information and communication technology (ICT) systems;
• f) transportation;
• g) finance;
• h) partners and suppliers.
8.3.4 Implementation of solutions
The organization shall implement selected business
continuity solutions so they can be activated when
needed.
8.4 Business continuity plans and procedures
8.4.1 General
• The organization shall implement and maintain a
structure that will enable timely warning and
communication to relevant interested parties and
provide plans and procedures to manage the
organization during a disruption.
• The plans and procedures shall be used when required
to execute business continuity solutions.
The procedures shall:
• a) be specific regarding the immediate steps that are
to be taken during a disruption;
• b) be flexible to respond to changing internal and
external conditions of a disruption;
• c) focus on the impact of incidents that potentially
lead to disruption;
• d) be effective in minimizing impact through
implementation of appropriate solutions;
• e) assign roles and responsibilities for tasks within it.
8.4.2 Response structure
The organization shall implement and maintain a structure
identifying one or more teams responsible for responding to
disruptions.
• The roles and responsibilities of each team and the
relationships between the teams shall be clearly stated.
• Collectively, the teams shall be prepared to:
• a) assess the nature and extent of a disruption and its potential
impact;
• b) assess the impact against pre-defined thresholds that justify
initiation of formal response;
• c) activate an appropriate business continuity response;
• d) plan actions that need to be undertaken;
• e) establish priorities (using life safety as the first priority);
• f) monitor the effects of the disruption and the
organization’s response;
• g) activate the business continuity solutions;
• h) communicate with relevant interested parties, authorities
and the media.
For each team there shall be:
• a) identified personnel and their associates with the
necessary responsibility, authority and competence to
perform their designated role;
• b) documented procedures to guide their actions (see
8.4.4) including those for the activation, operation,
coordination and communication of the response.
8.4.3 Warning and communication
8.4.3.1 The organization shall document and maintain procedures for:
a) communicating internally and externally to relevant interested
parties, including what, when, with whom and how to communicate;
b) receiving, documenting and responding to communications from
interested parties, including any national or regional risk advisory
system or equivalent;
c) ensuring availability of the means of communication during a
disruption;
d) facilitating structured communication with emergency responders;
e) details of the organization's media response following an incident,
including a communications strategy;
f) recording details of the disruption, actions taken and decisions
made.
8.4.3.2 Where applicable the following shall also
be considered and implemented:
a) alerting interested parties potentially impacted
by an actual or impending disruption;
b) assuring the appropriate coordination and
communication between multiple responding
organizations;
The communication and warning procedures
shall be exercised as part of the organization’s
exercise programme referred to in 8.5.
8.4.4 Business continuity plans
8.4.4.1 The business continuity plans shall provide
guidance and information that will assist the teams to
respond to a disruption and assist the organization with
response and recovery.
Collectively, the business continuity plans shall contain:
a) details of the actions that the teams will take in
order to continue or recover prioritized activities
within predetermined timeframes and to monitor the
effects of the disruption and the organization's
response to it;
b) reference to the pre-defined threshold and
process for activating the response;
c) procedures to enable the delivery of products and
services at agreed capacity to interested parties;
d) details to manage the immediate
consequences of a disruption giving due regard
to:
1) the welfare of individuals;
2) prevention of further loss or unavailability of
prioritized activities;
3) protection of the environment;
e) a process for standing down once the incident
is over.
8.4.4.2 Each plan shall include:
a) purpose and scope, and objectives;
b) roles, responsibilities of the team that will implement
the plan;
c) actions and resources to implement the solutions;
d) supporting information needed to activate (including
activation criteria), operate, coordinate and
communicate the team’s actions;
e) internal and external interdependencies;
f) resource requirements;
g) reporting requirements.
Each plan shall be usable and available at the time and
place at which it is required.
Warning and Communication
• In short the organization shall establish, implement and
maintain procedures for
• a) detecting an incident,
• b) regular monitoring of an incident,
• c) internal communication within the organization
• d) receiving, documenting and responding to any national or
regional risk advisory system or equivalent,
• e) assuring availability of the means of communication
during a disruptive incident,
• f) facilitating structured communication with emergency
responders,
• g) recording of vital information about the incident, actions
taken and decisions made.
8.4.5 Recovery
The organization shall have documented
processes to restore and return business
activities from the temporary measures
adopted to support normal business
requirements during and after a disruption.
Recovery
• The organization shall have documented
procedures to restore and return business
activities from the temporary measures adopted
to support normal business requirements after an
incident
8.5 Exercise programme
The organization shall implement and maintain a programme
of exercising and testing to validate over time the
effectiveness of its business continuity strategies and
solutions.
The organization shall conduct exercises and tests that:
• a) are consistent with its business continuity objectives;
• b) are based on appropriate scenarios that are well
planned with clearly defined aims and objectives;
• c) develop teamwork, competence, confidence and
knowledge for those who have roles to perform in relation
to disruptions;
• d) taken together over time validate the whole of its
business continuity strategies;
• e) produce formalized post-exercise reports that
contain outcomes, recommendations and actions to
implement improvements;
• f) are reviewed within the context of promoting
continual improvement;
• g) are performed at planned intervals and when there
are significant changes within the organization or the
context in which it operates.
The organization shall act on the results of its exercising
and testing to implement changes and improvements.
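Item d) asks that the exercises, taken together over time, validate the whole of the strategy, and item e) asks for formalized post-exercise reports with outcomes, recommendations and actions. The following is an added Python example, not code from the presentation or from the standard, that treats a sequence of exercise records as the programme and derives the three things such a report needs: which prioritized activities the programme has never exercised, which measured recovery times missed their RTO in the most recent exercise, and whether each activity's measured recovery is improving or degrading across exercises. The RTO targets, scenario names, dates and measured hours are constructed sample data.

```python
"""Exercise programme analysis: coverage, RTO misses and trend over time.

Added example, not code from the presentation or the standard. The RTO
targets, scenario names, dates and measured recovery hours are constructed
sample data."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Exercise:
    held_on: date
    scenario: str
    # activity -> measured hours to resume at minimum acceptable capacity;
    # activities absent from the dict were not in scope of this exercise
    recovered_in: dict


# Constructed RTO targets (hours), as a BIA would have set them.
RTO_HOURS = {"core-network": 1, "payment-processing": 2,
             "identity-provider": 6, "monthly-reporting": 96}

# Constructed programme: three exercises over a year, differing in scope.
EXERCISES = [
    Exercise(date(2023, 3, 14), "ransomware on file servers",
             {"identity-provider": 9.0, "payment-processing": 3.5}),
    Exercise(date(2023, 9, 20), "data-centre power loss",
             {"core-network": 0.8, "identity-provider": 5.5, "payment-processing": 2.5}),
    Exercise(date(2024, 3, 5), "supplier outage",
             {"payment-processing": 1.5, "identity-provider": 7.0}),
]


def never_exercised(rto: dict, exercises: list) -> list:
    """Item d): activities with an RTO that no exercise in the programme has tested."""
    seen = set()
    for e in exercises:
        seen.update(e.recovered_in)
    return sorted(set(rto) - seen)


def rto_misses(rto: dict, exercise: Exercise) -> dict:
    """Activities whose measured recovery in this exercise was slower than the RTO."""
    return {a: h for a, h in exercise.recovered_in.items() if h > rto[a]}


def trend(exercises: list, activity: str) -> str:
    """Direction of the last two measurements for one activity, in date order."""
    ordered = sorted(exercises, key=lambda e: e.held_on)
    series = [e.recovered_in[activity] for e in ordered if activity in e.recovered_in]
    if len(series) < 2:
        return "insufficient data"
    if series[-1] < series[-2]:
        return "improving"
    if series[-1] > series[-2]:
        return "degrading"
    return "flat"


def post_exercise_report(rto: dict, exercises: list) -> dict:
    """Item e): outcomes, recommendations and actions for the most recent
    exercise, set in the context of the whole programme."""
    latest = max(exercises, key=lambda e: e.held_on)
    misses = rto_misses(rto, latest)
    gaps = never_exercised(rto, exercises)
    report = {
        "exercise": latest.scenario,
        "held_on": latest.held_on.isoformat(),
        "outcomes": {a: ("missed" if a in misses else "met") for a in latest.recovered_in},
        "trends": {a: trend(exercises, a) for a in rto},
        "never_exercised": gaps,
        "recommendations": [],
    }
    for a, h in misses.items():
        report["recommendations"].append(
            f"{a}: resumed in {h}h against an RTO of {rto[a]}h; review the solution or revisit the RTO")
    for a in gaps:
        report["recommendations"].append(
            f"{a}: not covered by any exercise to date; add a scenario that tests it")
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(post_exercise_report(RTO_HOURS, EXERCISES), indent=2))
```

With the constructed data, the latest exercise shows payment processing meeting its RTO while the identity provider, which had met it in the previous exercise, misses it again, so the trend reads "degrading" rather than "met once, done". Monthly reporting has never been in scope, which is exactly the gap item d) is meant to expose when individual exercises are judged only on their own.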
Exercising and Testing
• Covers pretty much the same ground as BS25999-2
• It talks about exercises and tests.
• Expect to see a programme – point is that over time these should
provide objective assurance that the arrangements made will work as
anticipated and when required: so does the programme really do
this?
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
The organization shall determine:
• a) what needs to be monitored and measured;
• b) the methods for monitoring, measurement, analysis and
evaluation, as applicable, to ensure valid results;
• c) when and by whom the monitoring and measuring shall be
performed;
• d) when and by whom the results from monitoring and measurement
shall be analysed and evaluated.
• The organization shall retain appropriate documented information as
evidence of the results.
• The organization shall evaluate the BCMS performance and the
effectiveness of the BCMS.
Performance Evaluation…
• As with all management system standards there is a need to
look back at what has been achieved. ISO 22301 also
requires that this analysis is evaluated and conclusions
drawn by the organisation.
• Performance metrics (to be selected by the business) are
required in ISO 22301. Whilst this is a new requirement it is
likely that organisations will already produce certain metrics
and these may be able to be tailored to cover the BCMS
performance.
9.1.2 Evaluation of business
continuity plans, procedures and
capabilities
• The organization shall evaluate the suitability, adequacy
and effectiveness of its business continuity plans,
procedures and capabilities.
• These evaluations shall be undertaken through periodic
reviews, analysis, exercises, tests, post-incident reports
and performance evaluations.
• The organization shall periodically evaluate compliance
with applicable legal and regulatory requirements, industry
best practices, and conformance with its own business
continuity policy and objectives.
• The organization shall conduct evaluations at planned
intervals, after an incident or activation, and when significant
changes occur, and shall update them in a timely manner.
9.2 Internal audit
9.2.1 The organization shall conduct internal audits at
planned intervals to provide information on whether the
BCMS:
• a) conforms to:
• 1) the organization's own requirements for its BCMS,
• 2) the requirements of this document;
• b) is effectively implemented and maintained.
9.2.2 The organization shall:
• a) plan, establish, implement and maintain (an) audit
programme(s), including the frequency, methods,
responsibilities, planning requirements and reporting.
The audit programme(s) shall take into consideration the
importance of the processes concerned and the results of
previous audits;
• b) define the audit criteria and scope for each audit;
• c) select auditors and conduct audits to ensure objectivity
and the impartiality of the audit process;
• d) ensure that the results of the audits are reported to
relevant management;
• e) retain documented information as evidence of the
implementation of the audit programme and the audit
results.
9.3 Management review
9.3.1 General
• Top management shall review the organization's
BCMS, at planned intervals, to ensure its continuing
suitability, adequacy and effectiveness.
9.3.2 Management review input
The management review shall include consideration of:
• a) the status of actions from previous management
reviews;
• b) changes in external and internal issues that are
relevant to the BCMS;
• c) information on the business continuity
performance, including trends in:
• 1) nonconformities and corrective actions;
• 2) monitoring and measurement evaluation results;
• 3) audit results;
• d) feedback from interested parties;
• e) the need for changes to the BCMS, including the
policy and objectives;
• f) procedures, and resources which could be used in
the organization to improve the BCMS' performance
and effectiveness
• g) information from the BIA and risk assessment;
• h) risks or issues not adequately addressed in any
previous risk assessment;
• i) results of exercises and tests;
• j) lessons learned and actions arising from near-misses
and disruptions;
• k) opportunities for continual improvement.
9.3.3 Management review
outputs
9.3.3.1 The outputs of the management review shall include
decisions related to continual improvement opportunities
and the possible need for changes to the BCMS to improve
its efficiency and effectiveness and include the following:
• a) variations to the scope of the BCMS;
• b) update of the business impact analysis, risk
assessment, business continuity strategies and solutions,
and business continuity plans;
• c) modification of procedures and controls to respond to
internal or external issues that may impact the BCMS;
• d) how the effectiveness of controls will be measured.
9.3.3.2 The organization shall retain documented
information as evidence of the results of management
reviews, and:
• a) communicate the results of management
review to relevant interested parties;
• b) take appropriate action relating to those
results.
Performance Evaluation…
• Internal audits and management review continue to be key
methods of reviewing the performance of the BCMS and
tools for its continual improvement.
10 Improvement
10.1 Nonconformity and corrective action
10.1.1 When nonconformity occurs, the organization
shall:
• a) react to the nonconformity, and, as applicable:
• 1) take action to control and correct it;
• 2) deal with the consequences.
• b) evaluate the need for action to eliminate the causes of
the nonconformity in order that it does not recur or occur
elsewhere, by:
• 1) reviewing the nonconformity;
• 2) determining the causes of the nonconformity;
• 3) determining if similar nonconformities exist, or could
potentially occur;
• c) implement any action needed;
• d) review the effectiveness of any corrective action taken;
• e) make changes to the BCMS, if necessary.
• Corrective actions shall be appropriate to the effects of the
nonconformities encountered.
10.1.2 The organization shall retain documented information as
evidence of:
• a) the nature of the nonconformities and any subsequent actions
taken;
• b) the results of any corrective action.
10.2 Continual improvement
• The organization shall continually improve the suitability, adequacy
or effectiveness of the BCMS.
• The organization shall consider the results of analysis and
evaluation, and the outputs from management review, to determine if
there are needs or opportunities that shall be addressed as part of
continual improvement.
Root Cause Analysis
Organizations are to investigate nonconformities to:
• establish if the nonconformity exists elsewhere
• identify the root cause of the nonconformity
• identify any corrective action required to prevent a
recurrence of the nonconformity
• identify any changes to the BCMS required.
Any corrective actions identified to address
nonconformities are to be implemented without undue
delay. The corrective action implemented is to be
reviewed to determine its effectiveness.

ISO-22301-Presentation [Recovered]recent.pptx

  • 1.
    1 ISO 22301 :2019:Security and resilience — Business continuity management systems — Requirements
  • 2.
    Presentation outline • ISO •Business continuity • Importance of formalized business continuity management system • ISO 22301 • Principles and requirements of ISO 22301 2019
  • 3.
    WHAT IS ISO? Acronorm for the International Organization for Standardization  Derived from the Greek word isos, meaning equal  Founded 23 Feb 1947 by 25 countries in London  Headquarters in Geneva, Switzerland  Membership covers 97% of world population, about 173 countries  Members have equal voting rights  Standards are equal wherever applied  Standards cover products, processes and systems
  • 4.
    About ISO • Foundedin 1947 • Independent • Non-governmental organization • Global network of national standards bodies* • One member per country represented by NSBs • ISO membership comes with rights, benefits, obligations and good practice • Nigeria is represented by SON *NSB=National standard body : only national body must representative of standardization
  • 5.
    The ISO brand Democratic.  Voluntary  ISO itself does not regulate or legislate.  Market-driven  Consensus  ISO standards retain their position as the state of the art.  Globally relevant  ISO standards are technical agreements which provide the framework for compatible technology worldwide. They are designed to be globally relevant - useful everywhere in the world.  ISO standards are useful everywhere in the world.
  • 6.
    What is businesscontinuity and why is it important? • Business continuity is an organization's ability to maintain essential functions during and after a disaster has occurred. • Business continuity planning establishes risk management processes and procedures that aim to prevent interruptions to mission-critical services, and reestablish full function to the organization as quickly and smoothly as possible. • The most basic business continuity requirement is to keep essential functions up and running during a disaster and to recover with as little downtime as possible. • A business continuity plan considers various unpredictable events, such as natural disasters, fires, disease outbreaks, cyberattacks and other external threats.
  • 7.
    What is businesscontinuity and why is it important? • Business continuity is important for organizations of any size, but it might not be practical for any but the largest enterprises to maintain all functions for the duration of a disaster. • According to many experts, the first step in business continuity planning is deciding what functions are essential and allocating the available budget accordingly. Once crucial components have been identified, administrators can put failover mechanisms in place. • Technologies such as disk mirroring enable an organization to maintain up-to-date copies of data in geographically dispersed locations, not just in the primary data center. This enables data access to continue uninterrupted if one location is disabled and protects against data loss.
  • 8.
    Why is businesscontinuity important? • At a time when downtime is unacceptable, business continuity is critical. • Downtime comes from a variety of sources. Some threats, such as cyberattacks and extreme weather, seem to be getting worse. • It's important to have a business continuity plan in place that considers any potential disruptions to operations. • The plan should enable the organization to keep running at least at a minimal level during a crisis. Business continuity helps the organization maintain resiliency, in responding quickly to an interruption. • Strong business continuity saves money, time and company reputation. An extended outage risks financial, personal and reputational loss.
  • 9.
    Why is businesscontinuity important? • Business continuity requires an organization to take a look at itself, analyze potential areas of weakness and gather key information -- such as contact lists and technical diagrams of systems -- that can be useful outside of disaster situations. • In undertaking the business continuity planning process, an organization can improve its communication, technology and resilience. • Business continuity might even be a requirement for legal or compliance reasons. Especially in an era of increased regulation, it's important to understand which regulations affect a given organization.
  • 10.
    What does businesscontinuity include? • Business continuity is a proactive way to ensure mission-critical operations proceed during a disruption. • A comprehensive plan includes contact information, steps for what to do when faced with a variety of incidents and a guide for when to use the document. • Business continuity features clear guidelines for what an organization must do to maintain operations. If the time comes for response, there should be no question about how to move forward with business processes. The company, customers and employees are all potentially at stake.
  • 11.
    What does businesscontinuity include? • Proper business continuity includes different levels of response. Not everything is mission-critical, so it's important to lay out what is most vital to keep running, and what could stand to come back online at later times. • It's crucial to be honest about recovery time objectives and recovery point objectives. • The process includes the whole organization, from executive management on down. Although IT might drive the business continuity, it's essential to get buy-in from management and communicate key information to the entire organization. • One other important area of collaboration is with the security team - - although the two groups often work separately, an organization can gain a lot by sharing information across these departments. At the very least, everyone should know the basic steps for how the organization plans to respond.
  • 12.
    What are thekey elements of business continuity management? BCM is a holistic management process that integrates various elements, namely : • Business Continuity Plan (BCP), • Emergency Response, • Crisis Management, • Disaster Recovery, • Risk Management, • Business Impact Analysis, • Resilience and Reputation Management.
  • 13.
    Three key componentsof a business continuity plan • A business continuity plan has three key elements: Resilience, recovery and contingency. • An organization can increase resilience by designing critical functions and infrastructures with various disaster possibilities in mind; this can include staffing rotations, data redundancy and maintaining a surplus of capacity. Ensuring resiliency against different scenarios can also help organizations maintain essential services on location and off site without interruption.
  • 14.
    Three key componentsof a business continuity plan • Rapid recovery to restore business functions after a disaster is crucial. Setting recovery time objectives for different systems, networks or applications can help prioritize which elements must be recovered first. Other recovery strategies include resource inventories, agreements with third parties to take on company activity and using converted spaces for mission-critical functions. • A contingency plan has procedures in place for a variety of external scenarios and can include a chain of command that distributes responsibilities within the organization. These responsibilities can include hardware replacement, leasing emergency office spaces, damage assessment and contracting third-party vendors for assistance.
  • 15.
    Business continuity vs.disaster recovery • Like a business continuity plan, disaster recovery planning specifies an organization's planned strategies for post-failure procedures. However, a disaster recovery plan is just a subset of business continuity planning. • Disaster recovery plans are mainly data focused, concentrating on storing data in a way that can be more easily accessed following a disaster. Business continuity takes this into account, but also focuses on the risk management, oversight and planning an organization needs to stay operational during a disruption.
  • 16.
    Business continuity vs.disaster recovery
  • 17.
    Business continuity development •Business continuity starts with initiating the planning project. Business impact analysis (BIA) and risk assessment are essential steps in gathering information for the plan. • Conducting a BIA can reveal any possible weaknesses, as well as the consequences of a disaster on various departments. The BIA report informs an organization of the most crucial functions and systems to prioritize in a business continuity plan.
  • 18.
    Business continuity development •A risk assessment identifies potential hazards to an organization, such as natural disasters, cyberattacks or technology failures. Risks can affect staff, customers, building operations and company reputation. The assessment also details what or who a risk could harm, and the likeliness of the risks. • The BIA and risk assessment work hand in hand. The BIA provides details on potential effects to the possible disruptions outlined in the risk assessment.
  • 19.
    Business continuity management •It's important to designate who will manage business continuity. It could be one person, if it's a small business, or it could be a whole team for a larger organization. Business continuity management software is also an option. Software -- either on premises or cloud-based -- helps conduct BIAs, create and update plans and pinpoint areas of risk. • Business continuity is an evolving process. As such, an organization's business continuity plan shouldn't just sit on a shelf. The organization should communicate its contents to as many people as possible. Implementation of business continuity isn't just for times of crisis; the organization should have training exercises, so employees know what they'll be doing in the event of an actual disruption.
  • 20.
    Business continuity management •Business continuity testing is critical to its success. It's difficult to know if a plan is going to work if it hasn't been tested. A business continuity test can be as simple as a tabletop exercise, where staff discuss what will happen in an emergency. More rigorous testing includes a full emergency simulation. An organization can plan the test in advance or perform it without notice to better mimic a crisis. • Once the organization completes a test, it should review how it went and update the plan accordingly. It's likely that some parts of the plan will go well but other actions might need adjusting. A regular schedule for testing is helpful, especially if the business changes its operations and staff frequently. Comprehensive business continuity undergoes continual testing, review and updating.
  • 26.
    2 Background How was theISO22301 formed?
  • 27.
  • 28.
    4 Context • Source documentsincluded – BS25999-2 – NFPA 1600 – ASIS OR standard – Singapore standards – ISO 27031 – ISO Guide 73 – ISOPAS22399 • So ISO 22301 is not simply an international version of BS25999
  • 29.
    5 Publication Timeline… ISO 22301BCM – Requirements DIS Public Commenting Period FDIS Development FDIS Published Final ISO Publicatio n ISO 22313 BCM – Guidelines Document out for public comment Publication ??? Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 2013 Q3 2011 2011 2011 2011 2012 2012 2012 2012 2019
  • 30.
    7 ISO 22301 KeyPoints (Societal Security – BCMS) "...standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, amongst all interested parties."
  • 31.
    8 4 Context ofthe organisation 5 Leadership 6 Planning 7 Support 8 Operation 9 Performance Evaluation 10 Improvement ISO 22301 2019 structure * 0 Introduction 1 Scope 2 Normative References -Guide 73: Risk mgmt. vocab. -ISO 22300 Terminology 3 Terms and Definitions
  • 32.
    10 Key Changes /Aspects… Notable shifts in emphasis from BS25999-2:2007; 2013 • Change in the way an organisation may be defined. • Top Management leadership shall be more demonstrable and active. • Preventive action has been replaced with “actions to address risks and opportunities” and features earlier. • ISO 22301 puts a much greater emphasis on setting the objectives, monitoring performance and metrics – aligning BC to top management strategic thinking.
  • 33.
    11 Key Changes /Aspects… • Strong emphasis on performance evaluation & metrics. • Communication elements more demanding and there is a responsibility to the wider community defined. • BIA similar but with some changes to terminology. • There is a stronger link to the organisations approach to risk. • To reflect the Societal security approach some new terminology has been introduced, see ISO 22300.
  • 34.
    Benefit of BCM-sudden disruption 12 2 Mitigation of impacts through effective BCM - sudden disruption Resum pt ion of activities at acceptable level within acceptable timef rame V l c 0 2. Shortened disruption 4 - 0 Target resumption t ime IMaximum acceptable time I I I I Time Figure 2 - Illustrat ion of BCM being effective for sudden disruption
  • 35.
    Benefit of BCM-gradual disruption 3 0 Resumption of activities at acceptable level within acceptable timeframe I !Target resumption time ! IMaximum acceptable t ime -- ,- - - - - - - - - --+ ----- : - -- I +--- ---------------- I ' I I / 2. Shortened disruption I I I I I I Recowery with BCM ./ r I - - · · - - - - - - - - - - - - l - - - - - - - i - - - - - - - - - - - - - - - - - - - - - - - - - - . - . - . . .. - -- - - - - - - - - - - - - - - - - - , I , : • ......,...... ,,... · Minimu m acceptabl e level of ' - - - - - - - - - - - - - - - - - - - - - - - ' · - - - - - - - - ' '' ' ' , 1. Mitigating, responding to and managing impacts i I , , operations I I J' '-------------1 / i Recovery without BCM o I ...... ro !..... w c.. 0 1 -- - " - - - - - , 4 - 0 Controlled w > w .....J response Time Figure 3 - Ulustrat ion of BCM being effective for gradual disruption (e.g. approaching pandemic}
  • 36.
    9 4 Context ofthe organisation 5 Leadership 6 Planning 7 Support 8 Operation 9 Performan ce Evaluation 10 Improvement BS25999 3 Planning the BCMS -Scope, Objectives, Policy -Resources -Competency -Embedding -Documentation 4Implementing and Operating the BCMS -BIA -Risk and Risk Choices* -Strategy -Incident response, IMP , BCP -Exercising, Review 5Monitoring and Reviewing the BCMS Internal Audit Management Review 6 Maintaining and Improving the BCMS -Preventive*, Corrective & Improvement Actions *
  • 38.
    1.Scope • Specifies requirementsto implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise. Applicable to all types and sizes of organizations that: • a) implement, maintain and improve a BCMS; • b) seek to ensure conformity with stated business continuity policy; • c) need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption; • d) seek to enhance their resilience through the effective application of the BCMS.
2 Normative references
• ISO 22300, Security and resilience — Vocabulary
3 Terms and definitions
• Activity: set of one or more tasks with a defined output
• Audit: systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
• Business continuity: capability of an organization to continue delivery of products and services within acceptable time frames at predefined capacity relating to a disruption.
• Business continuity management system (BCMS): management system for business continuity
• Business continuity plan: documented information that guides an organization to respond to a disruption and resume, recover and restore the delivery of products and services consistent with its business continuity objectives
• Business impact analysis: process of analyzing the impact of a disruption on the organization
• Competence: ability to apply knowledge and skills to achieve intended results
• Conformity: fulfilment of a requirement
• Prioritized activity: activity to which urgency is given in order to avoid unacceptable impacts to the business during a disruption.
• Resilience: ability to absorb and adapt in a changing environment
3. Terms & Definitions…
• Business continuity plan
• Correction
• Corrective action
• Interested party
• Maximum acceptable outage (MAO)
• Maximum tolerable period of disruption (MTPD)
• Minimum business continuity objective (MBCO)
4 Context of the organization
4.1 Understanding of the organization and its context
• The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS.
4.2 Understanding the needs and expectations of interested parties
4.2.1 General
When establishing its BCMS, the organization shall determine:
• a) the interested parties that are relevant to the BCMS;
• b) the requirements of these interested parties
4.2.2 Legal and regulatory requirements
The organization shall:
• a) implement and maintain a process to identify, have access to, and assess the applicable legal and regulatory requirements related to the continuity of its products and services, processes, activities and resources, as well as the interests of relevant interested parties;
• b) ensure that these applicable legal, regulatory and other requirements are taken into account in implementing and maintaining its BCMS;
• c) document this information and keep it up-to-date.
4.3 Determining the scope of the business continuity management system
4.3.1 General
• The organization shall determine the boundaries and applicability of the BCMS to establish its scope.
• When determining this scope, the organization shall consider:
• a) the external and internal issues referred to in 4.1;
• b) the requirements referred to in 4.2.
• The scope shall be available as documented information.
4.3.2 Scope of the BCMS
The organization shall:
• a) consider its mission, goals, and internal and external obligations;
• b) establish the parts of the organization to be included in the BCMS, taking into account its location(s), size, nature and complexity;
• c) identify the products and services and their related processes, activities and resources to be included in the BCMS;
• d) take into account interested parties' needs.
When defining the scope, the organization shall document and explain exclusions; any such exclusions shall not affect the organization's ability and responsibility to provide business continuity, as determined by the business impact analysis or risk assessment and applicable legal or regulatory requirements.
4.4 Business continuity management system
The organization shall establish, implement, maintain and continually improve a BCMS, including the processes needed and their interactions, in accordance with the requirements of the Standard, ISO 22301
5 Leadership
5.1 Leadership and commitment
• Top management shall demonstrate leadership and commitment with respect to the BCMS by:
• a) ensuring that the business continuity policy and business continuity objectives are established and are compatible with the strategic direction of the organization;
• b) ensuring the integration of the BCMS requirements into the organization's business processes;
• c) ensuring that the resources needed for the BCMS are available;
• d) communicating the importance of effective business continuity and conforming to the BCMS requirements;
• e) ensuring that the BCMS achieves its intended outcome(s);
• f) directing and supporting persons to contribute to the effectiveness of the BCMS;
• g) supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility;
• h) promoting continual improvement.
5.2.1 Top management shall establish a business continuity policy that:
• a) is appropriate to the purpose of the organization;
• b) provides a framework for setting business continuity objectives;
• c) includes a commitment to satisfy applicable requirements;
• d) includes a commitment to continual improvement of the BCMS.
5.2.2 The business continuity policy shall:
• a) be available as documented information;
• b) be communicated within the organization;
• c) be available to interested parties, as appropriate.
5.3 Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization.
Top management shall assign the responsibility and authority for:
• a) ensuring that the BCMS conforms to the requirements of this document;
• b) reporting on the performance of the BCMS to top management
Evidencing Leadership to an Auditor
• Top management are the group of individuals who set the strategic direction of an organization and approve the allocation of resources to the organization or business area within the scope of your BCMS.
• Depending on the size of your organization and how it is structured, these individuals may or may not be the day-to-day management team.
• An auditor will typically test leadership commitment by interviewing one or more members of your top management and assessing their level of involvement and participation in the:
• evaluation of risks and opportunities
• establishment and communication of policies
• setting and communication of objectives
• review and communication of system performance
• allocation of appropriate resources, accountabilities and responsibilities
6 Planning
6.1 Actions to address risks and opportunities
• When planning for the BCMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
• a) give assurance that the management system can achieve its intended outcome(s);
• b) prevent, or reduce, undesired effects;
• c) achieve continual improvement.
• The organization shall plan:
• a) actions to address these risks and opportunities,
• b) how to:
• 1) integrate and implement the actions into its BCMS processes (see 8.1),
• 2) evaluate the effectiveness of these actions (see 9.1).
6. Planning
• Section 6.1 talks about risks and 6.2 about objectives
• Standardized text but might confuse
– Having fully understood the context of the organisation, planning activities are introduced to address the risks and opportunities of the business.
– This proactive approach, if carried out properly, will ensure a resilient BCM system as it will focus on planning for successfully achieving BCM objectives and realising opportunities for improvement.
– Ownership and accountability of BC objectives will be allocated and a clear direction to accomplishing these objectives will be agreed.
6.2 Business continuity objectives and planning to achieve them
6.2.1 The organization shall establish business continuity objectives at relevant functions and levels.
• The business continuity objectives shall:
• a) be consistent with the business continuity policy;
• b) be measurable (if practicable);
• c) take into account applicable requirements;
• d) be monitored;
• e) be communicated;
• f) be updated as appropriate.
• The organization shall retain documented information on the business continuity objectives.
Context
Requirement for documenting:
• links between the business continuity policy and the organization's objectives and other policies, including its overall risk management strategy; and the organization's risk appetite.
• The requirement to have procedures which identify legal and regulatory requirements.
• There is also a requirement to keep this information up to date, which must tie in with maintenance.
6.2.2 When planning how to achieve its business continuity objectives, the organization shall determine:
• a) what will be done;
• b) what resources will be required;
• c) who will be responsible;
• d) when it will be completed;
• e) how the results will be evaluated.
6.3 Planning of changes to the BCMS
When the organization determines the need for changes to the BCMS, including those identified in clause 10 Improvement, the changes shall be carried out in a planned manner.
• The organization shall consider:
• a) the purpose of the changes and their potential consequences;
• b) the integrity of the BCMS;
• c) the availability of resources;
• d) the allocation or reallocation of responsibilities and authorities
7 Support
7.1 Resources
• The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS
7.2 Competence
The organization shall:
• a) determine the necessary competence of person(s) doing work under its control that affects its business continuity performance;
• b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
• c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;
• d) retain appropriate documented information as evidence of competence.
7. Support
7.2 Competence
• The organisation (generally acknowledged to be through its Top Management) has a responsibility to ensure that sufficient and appropriate resource is available for the BCMS. Appropriateness is often determined through competency analysis.
• It is people who take action when an incident occurs
– Competence relates both to operating the BCMS AND to performing following an incident
– Note also 7.3 d): everyone has to be aware of their role during disruptive incidents
7.3 Awareness
Persons doing work under the organization's control shall be aware of:
• a) the business continuity policy;
• b) their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity performance;
• c) the implications of not conforming with the BCMS requirements;
• d) their own role and responsibilities before, during and after disruptions.
7.4 Communication
The organization shall determine the internal and external communications relevant to the BCMS including:
• a) on what it will communicate;
• b) when to communicate;
• c) with whom to communicate;
• d) how to communicate;
• e) who will communicate.
Communication
• external communication with customers, partner entities, local community, and other interested parties, including the media,
• receiving, documenting, and responding to communication from interested parties,
• adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate,
• ensuring availability of the means of communication during a disruptive incident, facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and
• operating and testing of communications capabilities intended for use during disruption of normal communications.
7.5 Documented information
7.5.1 General
• The organization's BCMS shall include:
• a) documented information required by this document;
• b) documented information determined by the organization as being necessary for the effectiveness of the BCMS.
7.5.2 Creating and updating
When creating and updating documented information, the organization shall ensure appropriate:
• a) identification and description (e.g. a title, date, author or reference number);
• b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
• c) review and approval for suitability and adequacy
7.5.3 Control of documented information
7.5.3.1 Documented information required by the BCMS and by this document shall be controlled to ensure:
• a) it is available and suitable for use, where and when it is needed;
• b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
7.5.3.2 For the control of documented information, the organization shall address the following activities, as applicable:
• a) distribution, access, retrieval and use;
• b) storage and preservation, including preservation of legibility;
• c) control of changes (e.g. version control);
• d) retention and disposition.
Documented information of external origin determined by the organization to be necessary for the planning and operation of the BCMS shall be identified, as appropriate, and controlled
8 Operation
8.1 Operational planning and control
• The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by:
• a) establishing criteria for the processes;
• b) implementing control of the processes in accordance with the criteria;
• c) keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned.
• The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
• The organization shall ensure that outsourced processes and the supply chain are controlled.
8.2 Business impact analysis and risk assessment
8.2.1 General
• The organization shall implement and maintain a process for analyzing business impact and assessing risks of disruption that establishes the context, defines criteria and evaluates the potential impact of a disruption
8.2.2 Business impact analysis
The organization shall implement and maintain a process for determining business continuity priorities and requirements that:
• a) defines impact categories and criteria relevant to the organization's context;
• b) uses these impact categories and criteria for measuring impact;
• c) identifies activities that support the provision of products and services;
• d) analyses the impacts over time resulting from disruption of these activities;
• e) identifies the time within which the impacts of not resuming activities would become unacceptable to the organization;
• f) sets prioritized timeframes within the time identified in e) above for resuming disrupted activities at a specified minimum acceptable capacity; this may be referred to as recovery time objective (RTO);
• g) uses the business impacts to identify prioritized activities;
• h) determines which resources are needed to support prioritized activities;
• i) determines the dependencies and interdependencies of prioritized activities.
BIA
• a) identifying activities that support the provision of products and services;
• b) assessing the impacts over time of not performing these activities;
• c) setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and
• d) identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.
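The BIA steps in 8.2.2 d) to i) above are easier to reason about once they are written down as a calculation. The script below is an added worked example, not part of the deck or of the standard: it takes constructed impact-over-time scores for a few activities, derives the time at which impact becomes unacceptable (labelled MTPD here, using the deck's own term), sets an RTO inside that limit, orders the prioritized activities, collects the resources they need, and flags a dependency whose RTO is longer than the RTO of the activity it supports. The impact scale, the "unacceptable" threshold of 3, the 50% RTO margin and all activity names and figures are assumptions made for the example.

```python
"""Worked business impact analysis in the shape ISO 22301 clause 8.2.2 describes.

All data below is constructed for illustration; it does not describe any real
organization. Thresholds and margins are assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Impact criterion (assumption): scores run 0-4, and 3 or more is "unacceptable".
UNACCEPTABLE = 3


@dataclass
class Activity:
    name: str
    # impact score after N hours without the activity (8.2.2 d), keyed by hours
    impact_over_time: dict[int, int]
    depends_on: list[str] = field(default_factory=list)   # 8.2.2 i
    resources: list[str] = field(default_factory=list)    # 8.2.2 h


def mtpd(activity: Activity, unacceptable: int = UNACCEPTABLE) -> int | None:
    """Time within which not resuming becomes unacceptable (8.2.2 e).
    Returns the first analysed hour mark at which the impact crosses the
    threshold, or None if it never does within the analysed horizon."""
    for hours in sorted(activity.impact_over_time):
        if activity.impact_over_time[hours] >= unacceptable:
            return hours
    return None


def set_rto(activity: Activity, margin: float = 0.5) -> int | None:
    """Recovery time objective (8.2.2 f): a resumption deadline set inside the
    MTPD. Taking half of the MTPD is an assumption for this example."""
    limit = mtpd(activity)
    if limit is None:
        return None
    return max(1, int(limit * margin))


def prioritize(activities: list[Activity]) -> list[tuple[str, int]]:
    """Prioritized activities (8.2.2 g): those whose impact ever becomes
    unacceptable, ordered by RTO (shortest first, then by name)."""
    scored = [(a.name, set_rto(a)) for a in activities]
    return sorted(((n, r) for n, r in scored if r is not None),
                  key=lambda x: (x[1], x[0]))


def required_resources(activities: list[Activity]) -> list[str]:
    """Resources needed to support the prioritized activities (8.2.2 h)."""
    prioritized = {name for name, _ in prioritize(activities)}
    return sorted({r for a in activities if a.name in prioritized for r in a.resources})


def dependency_conflicts(activities: list[Activity]) -> list[str]:
    """Interdependency check (8.2.2 i): an activity cannot resume before the
    activities it depends on, so a supporting activity's RTO must not exceed
    the RTO of anything that depends on it. Returns human-readable findings."""
    rto = {a.name: set_rto(a) for a in activities}
    findings = []
    for a in activities:
        for dep in a.depends_on:
            if dep not in rto:
                findings.append(f"{a.name} depends on unknown activity {dep}")
            elif rto[a.name] is not None and (rto[dep] is None or rto[dep] > rto[a.name]):
                findings.append(f"{dep} must resume within {rto[a.name]}h to support {a.name}")
    return findings


# Constructed sample data: impact at 1h, 4h, 24h, 72h and 168h of disruption.
ACTIVITIES = [
    Activity("Core banking platform", {1: 2, 4: 3, 24: 4, 72: 4, 168: 4},
             resources=["platform team", "primary data centre"]),
    Activity("Customer payments", {1: 1, 4: 2, 24: 3, 72: 4, 168: 4},
             depends_on=["Core banking platform"],
             resources=["payments team", "payment switch"]),
    Activity("Telephony", {1: 1, 4: 2, 24: 3, 72: 3, 168: 4},
             resources=["telephony provider"]),
    # Deliberate edge case: the call centre needs telephony back sooner than
    # telephony's own impact analysis would suggest.
    Activity("Call centre", {1: 2, 4: 3, 24: 4, 72: 4, 168: 4},
             depends_on=["Telephony"], resources=["call centre staff"]),
    Activity("Monthly reporting", {1: 0, 4: 0, 24: 1, 72: 2, 168: 3},
             depends_on=["Core banking platform"], resources=["finance team"]),
    Activity("Staff newsletter", {1: 0, 4: 0, 24: 0, 72: 1, 168: 1}),
]


if __name__ == "__main__":
    for name, rto in prioritize(ACTIVITIES):
        print(f"{name:24s} RTO {rto:>3}h")
    print("resources:", ", ".join(required_resources(ACTIVITIES)))
    for finding in dependency_conflicts(ACTIVITIES):
        print("finding:", finding)
```

The dependency check is the part most often missed in a spreadsheet BIA: Telephony's own impact curve gives it a comfortable MTPD, but the call centre that depends on it has a 2-hour RTO, so Telephony inherits that tighter requirement. The same logic extends to suppliers and outsource partners named in d) above once they are entered as activities with their own RTOs.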
8.2.3 Risk assessment
The organization shall implement and maintain a systematic risk assessment process. This process can be made in accordance with ISO 31000.
The organization shall:
• a) identify risks of disruption to the organization's prioritized activities and to their supporting resources;
• b) systematically analyse risks of disruption;
• c) evaluate risks of disruption which require treatment.
Risk Assessment
• This means the organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.
• NOTE This process could be made in accordance with ISO 31000.
• The organization shall identify risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, analyse them, evaluate and treat them.
8.3 Business continuity strategies and solutions
8.3.1 General
• The organization shall identify and select business continuity strategies based on the outputs from the business impact analysis and risk assessment.
• The business continuity strategies shall be comprised of one or more solutions.
8.3.2 Identification and selection of strategies and solutions
The organization shall identify and select appropriate business continuity strategies and solutions taking into consideration their associated costs for:
• a) responding to disruptions;
• b) continuing and recovering prioritized activities and their required resources to meet the delivery of products and services at the agreed capacity over time.
For the prioritized activities, the organization shall identify and select strategies and solutions considering business continuity objectives and the amount and type of risk that the organization may or may not take that:
• a) reduce the likelihood of disruption;
• b) shorten the period of disruption;
• c) limit the impact of disruption on the organization's products and services.
Strategy
• BS25999-2 had 4.1.3 Determining Choices and 4.2 Determining business continuity strategy
• ISO 22301 better defined
– Decide what you are going to do to reduce the likelihood and impact as well as how to respond (these are not alternative approaches)
– Set RTOs
– Work out the resource requirements
– Act on the protection and mitigation needed
– Evaluate business continuity capability of suppliers
Incident Response Structure
• Broadly equivalent to 4.3.2 in BS25999
– "Impact thresholds" is new
– Personnel to assess the incident
– Communication mentions "authorities" and "media" explicitly
– External communications a new requirement. Life safety explicitly mentioned.
8.3.3 Resource requirements
The organization shall determine the resource requirements to implement the selected business continuity solutions. The types of resources considered shall include but not be limited to:
• a) people;
• b) information and data;
• c) physical infrastructure such as buildings, work places or other facilities and associated utilities;
• d) equipment and consumables;
• e) information and communication technology (ICT) systems;
• f) transportation;
• g) finance;
• h) partners and suppliers.
8.3.4 Implementation of solutions
The organization shall implement selected business continuity solutions so they can be activated when needed.
8.4 Business continuity plans and procedures
8.4.1 General
• The organization shall implement and maintain a structure that will enable timely warning and communication to relevant interested parties and provide plans and procedures to manage the organization during a disruption.
• The plans and procedures shall be used when required to execute business continuity solutions.
The procedures shall:
• a) be specific regarding the immediate steps that are to be taken during a disruption;
• b) be flexible to respond to changing internal and external conditions of a disruption;
• c) focus on the impact of incidents that potentially lead to disruption;
• d) be effective in minimizing impact through implementation of appropriate solutions;
• e) assign roles and responsibilities for tasks within it.
8.4.2 Response structure
The organization shall implement and maintain a structure identifying one or more teams responsible for responding to disruptions.
• The roles and responsibilities of each team and the relationships between the teams shall be clearly stated.
• Collectively, the teams shall be prepared to:
• a) assess the nature and extent of a disruption and its potential impact;
• b) assess the impact against pre-defined thresholds that justify initiation of formal response;
• c) activate an appropriate business continuity response;
• d) plan actions that need to be undertaken;
• e) establish priorities (using life safety as the first priority);
• f) monitor the effects of the disruption and the organization's response;
• g) activate the business continuity solutions;
• h) communicate with relevant interested parties, authorities and the media.
For each team there shall be:
• a) identified personnel and their associates with the necessary responsibility, authority and competence to perform their designated role;
• b) documented procedures to guide their actions (see 8.4.4) including those for the activation, operation, coordination and communication of the response.
8.4.3 Warning and communication
8.4.3.1 The organization shall document and maintain procedures for:
• a) communicating internally and externally to relevant interested parties, including what, when, with whom and how to communicate;
• b) receiving, documenting and responding to communications from interested parties, including any national or regional risk advisory system or equivalent;
• c) ensuring availability of the means of communication during a disruption;
• d) facilitating structured communication with emergency responders;
• e) details of the organization's media response following an incident, including a communications strategy;
• f) recording details of the disruption, actions taken and decisions made.
8.4.3.2 Where applicable the following shall also be considered and implemented:
• a) alerting interested parties potentially impacted by an actual or impending disruption;
• b) assuring the appropriate coordination and communication between multiple responding organizations.
The communication and warning procedures shall be exercised as part of the organization's exercise programme referred to in 8.5.
8.4.4 Business continuity plans
8.4.4.1 The business continuity plans shall provide guidance and information that will assist the teams to respond to a disruption and assist the organization with response and recovery.
Collectively, the business continuity plans shall contain:
• a) details of the actions that the teams will take in order to continue or recover prioritized activities within predetermined timeframes and to monitor the effects of the disruption and the organization's response to it;
• b) reference to the pre-defined threshold and process for activating the response;
• c) procedures to enable the delivery of products and services at agreed capacity to interested parties;
• d) details to manage the immediate consequences of a disruption giving due regard to:
• 1) the welfare of individuals;
• 2) prevention of further loss or unavailability of prioritized activities;
• 3) protection of the environment;
• e) a process for standing down once the incident is over
8.4.4.2 Each plan shall include:
• a) purpose and scope, and objectives;
• b) roles, responsibilities of the team that will implement the plan;
• c) actions and resources to implement the solutions;
• d) supporting information needed to activate (including activation criteria), operate, coordinate and communicate the team's actions;
• e) internal and external interdependencies;
• f) resource requirements;
• g) reporting requirements.
Each plan shall be usable and available at the time and place at which it is required.
Warning and Communication
• In short, the organization shall establish, implement and maintain procedures for
• a) detecting an incident,
• b) regular monitoring of an incident,
• c) internal communication within the organization,
• d) receiving, documenting and responding to any national or regional risk advisory system or equivalent,
• e) assuring availability of the means of communication during a disruptive incident,
• f) facilitating structured communication with emergency responders,
• g) recording of vital information about the incident, actions taken and decisions made,
8.4.5 Recovery
The organization shall have documented processes to restore and return business activities from the temporary measures adopted to support normal business requirements during and after a disruption.
Recovery
• The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident
8.5 Exercise programme
The organization shall implement and maintain a programme of exercising and testing to validate over time the effectiveness of its business continuity strategies and solutions.
The organization shall conduct exercises and tests that:
• a) are consistent with its business continuity objectives;
• b) are based on appropriate scenarios that are well planned with clearly defined aims and objectives;
• c) develop teamwork, competence, confidence and knowledge for those who have roles to perform in relation to disruptions;
• d) taken together over time validate the whole of its business continuity strategies;
• e) produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements;
• f) are reviewed within the context of promoting continual improvement;
• g) are performed at planned intervals and when there are significant changes within the organization or the context in which it operates.
The organization shall act on the results of its exercising and testing to implement changes and improvements
Exercising and Testing
• Covers pretty much the same ground as BS25999-2
• It talks about exercises and tests.
• Expect to see a programme. The point is that over time these should provide objective assurance that the arrangements made will work as anticipated and when required: so does the programme really do this?
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
The organization shall determine:
• a) what needs to be monitored and measured;
• b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
• c) when and by whom the monitoring and measuring shall be performed;
• d) when and by whom the results from monitoring and measurement shall be analysed and evaluated.
• The organization shall retain appropriate documented information as evidence of the results.
• The organization shall evaluate the BCMS performance and the effectiveness of the BCMS.
Performance Evaluation…
• As with all management system standards there is a need to look back at what has been achieved. ISO 22301 also requires that this analysis is evaluated and conclusions drawn by the organisation.
• Performance metrics (to be selected by the business) are required in ISO 22301. Whilst this is a new requirement it is likely that organisations will already produce certain metrics and these may be able to be tailored to cover the BCMS performance.
9.1.2 Evaluation of business continuity plans, procedures and capabilities
• The organization shall evaluate the suitability, adequacy and effectiveness of its business continuity plans, procedures and capabilities.
• These evaluations shall be undertaken through periodic reviews, analysis, exercises, tests, post-incident reports and performance evaluations.
• The organization shall periodically evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformance with its own business continuity policy and objectives.
• The organization shall conduct evaluations at planned intervals, after an incident or activation, and when significant changes occur; updates shall be made in a timely manner.
9.2 Internal audit
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the BCMS:
• a) conforms to:
• 1) the organization's own requirements for its BCMS,
• 2) the requirements of this document;
• b) is effectively implemented and maintained.
9.2.1 The organization shall:
• a) plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
• b) define the audit criteria and scope for each audit;
• c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
• d) ensure that the results of the audits are reported to relevant management;
• e) retain documented information as evidence of the implementation of the audit programme and the audit results.
9.3 Management review
9.3.1 General
• Top management shall review the organization's BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.
9.3.2 Management review input
The management review shall include consideration of:
• a) the status of actions from previous management reviews;
• b) changes in external and internal issues that are relevant to the BCMS;
• c) information on the business continuity performance, including trends in:
• 1) nonconformities and corrective actions;
• 2) monitoring and measurement evaluation results;
• 3) audit results;
• d) feedback from interested parties;
• e) the need for changes to the BCMS, including the policy and objectives;
• f) procedures and resources which could be used in the organization to improve the BCMS' performance and effectiveness;
• g) information from the BIA and risk assessment;
• h) risks or issues not adequately addressed in any previous risk assessment;
• i) results of exercises and tests;
• j) lessons learned and actions arising from near-misses and disruptions;
• k) opportunities for continual improvement.
9.3.3 Management review outputs
9.3.3.1 The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS to improve its efficiency and effectiveness, and include the following:
• a) variations to the scope of the BCMS;
• b) update of the business impact analysis, risk assessment, business continuity strategies and solutions, and business continuity plans;
• c) modification of procedures and controls to respond to internal or external issues that may impact the BCMS;
• d) how the effectiveness of controls will be measured.
9.3.3.2 The organization shall retain documented information as evidence of the results of management reviews, and:
• a) communicate the results of management review to relevant interested parties;
• b) take appropriate action relating to those results.
  • 107.
Performance Evaluation…
• Internal audits and management review continue to be key methods of reviewing the performance of the BCMS and tools for its continual improvement.
10 Improvement
10.1 Nonconformity and corrective action
• 10.1.1 When a nonconformity occurs, the organization shall:
  • a) react to the nonconformity, and, as applicable:
    • 1) take action to control and correct it;
    • 2) deal with the consequences;
  • b) evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by:
    • 1) reviewing the nonconformity;
    • 2) determining the causes of the nonconformity;
    • 3) determining if similar nonconformities exist, or could potentially occur;
  • c) implement any action needed;
  • d) review the effectiveness of any corrective action taken;
  • e) make changes to the BCMS, if necessary.
• Corrective actions shall be appropriate to the effects of the nonconformities encountered.
• 10.1.2 The organization shall retain documented information as evidence of:
  • a) the nature of the nonconformities and any subsequent actions taken;
  • b) the results of any corrective action.
10.2 Continual improvement
• The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS.
• The organization shall consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities that shall be addressed as part of continual improvement.
Root Cause Analysis
Organizations are to investigate nonconformities to:
• establish if the nonconformity exists elsewhere;
• identify the root cause of the nonconformity;
• identify any corrective action required to prevent a recurrence of the nonconformity;
• identify any changes to the BCMS required.
Any corrective actions identified to address nonconformities are to be implemented without undue delay. The corrective action implemented is to be reviewed to determine its effectiveness.
Exercising and Testing
• Covers pretty much the same ground as BS 25999-2.
• It talks about exercises and tests.
• Expect to see a programme. The point is that, over time, these should provide objective assurance that the arrangements made will work as anticipated and when required: so does the programme really do this?