An organization should enable continual operation of its information security after each incident. That means that information security and business continuity have one thing in common, which is the protection of the availability of information.
Amongst others, the webinar covers:
• ISO27001 ‘Information Security Management System’ Overview
• ISO22301 ‘Business Continuity Management System’ Overview
• Improving an ISO27001 Continuity Plan with ISO22301
Presenters:
Rod Crowder
Rod is the Founder, Managing Director & Principal Consultant of OpsCentre, a boutique provider of Risk Management, Crisis and Business Continuity, IT Disaster Recovery, Information Security and IT Service Management Consultancy & Training. He is the Australia and New Zealand Country Representative & Lead Instructor for Disaster Recovery Institute International, the oldest and largest NFP organization serving resilience professionals. He has over 25 years' experience in Risk, Resilience, BCP, ITDRP & Information Security projects across Asia Pacific, for 140+ clients and over 420 client consultancy projects.
He chairs the Adaptive Business Continuity Advisory Group, an international think-tank committed to developing new resilience and business continuity methodologies and practices.
Rudy Shoushany
Rudy is a motivational digital leader and keynote speaker. He has wide experience in digital transformation in the financial sector, with over 22 years of experience in assisting organizations.
His specialties are ICT strategies in Digital Transformation, Governance, Compliance, Blockchain, and CyberSecurity. Rudy is a certified professional with many achievements and awards, skilled in executive leadership & coaching by PWC. He graduated from the University of South Africa, with certification from Stanford in Cybersecurity Strategies and from Boston University in Digital Transformation.
Rudy has lately been selected for the Forbes Technology Council and as a top 25 Global Thought Leader and Influencer in Technology and Top 100 Leaders in Governance in digital transformation innovations. He serves as a board member, coach, judge and mentor for different organizations and startups.
Date: September 14, 2022
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/isoiec-270022022--information-security-cybersecurity-and-privacy-protection
https://pecb.com/article/business-continuity-management-advice-for-employers--covid-19-coronavirus-outbreak
https://pecb.com/article/investing-in-information-security-awareness
Webinars: https://pecb.com/webinars
5. What is ISO/IEC 27001 ISMS?
• ISO 27001 is the international standard for information security
• It sets out the specification for an Information Security Management System (ISMS)
• ISO27001 helps organizations manage information security via people, process and technology
• Certification to ISO27001 is recognised worldwide
6. Four Key Benefits of ISO/IEC 27001
• Compliance
• Reduced Expenses
• Marketing Edge
• Place your organisation in order
7. ISO/IEC 27001: A Global Standard on ISMS
ISO/IEC 27001 has:
• 14 Control Areas (or ‘Domains’)
• 34 Control Objectives
• 114 Individual Control Points
10. ISO/IEC 27001 describes the structure of the framework and uses the Plan-Do-Check-Act cycle (PDCA-cycle).
ISO/IEC 27001 PDCA Cycle
12. HOW WILL 2022 CHANGES AFFECT MY CURRENT ISO/IEC 27001 CERTIFICATE?
In our opinion, the best way to comply with these changes is:
1. To update your risk treatment process with new controls
2. To update your Statement of Applicability
3. To adapt certain sections in your existing policies and procedures.
2022 Changes to ISO/IEC 27001
15. What is Business Continuity Management?
Business Continuity Management assists an organization to continue its critical business operations in the event of a significant incident or business disruption.
A Business Continuity Framework provides a structured response to an incident, minimizing the overall impact to the organisation and its key internal and external stakeholders.
16. Scope of ISO 22301
“The ISO 22301 International Standard for business continuity management specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system. The goal is to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.”
17. Business Disruption Incidents
Business Continuity Plans focus on what resources are impacted rather than what incident has happened.
Loss of, or impact to, Premises:
• Fire
• Flood
• Utility Loss
• Denial of Access
• Civil disturbance
Loss of, or impact to, People:
• Pandemic or Epidemic
• Unexpected loss or absence of key Personnel
• Large scale of people impacted
• Travel/transport incident
Loss of, or impact to, ICT:
• Local/external network
• Data centre outage
• Communications
• Hardware/software failure
• Cyber security incident
Loss of, or impact to, Key Suppliers:
• Key suppliers experience an event/disaster
• Product supply impact
• Industry-wide impact
18. Similar to ISO/IEC 27001, ISO 22301 specifies the requirements for setting up and managing a BCMS
ISO 22301 Structure
Requirements (Sections 4 to 10)
• Section 4 Context of the Organisation
• Section 5 Leadership
• Section 6 Planning
• Section 7 Support
• Section 8 Operations
  • 8.1 Operational Planning & Control
  • 8.2 Business Impact Analysis and Risk Assessment
  • 8.3 Business Continuity Strategy
  • 8.4 Establish and Implement Business Continuity Procedures
  • 8.5 Exercising & Testing
• Section 9 Performance Evaluation
• Section 10 Improvement
19. Key Business Continuity Content: ‘Section 8: Operations’
• 8.1 Operational Planning & Control
• 8.2 Business Impact Analysis and Risk Assessment
• 8.3 Business Continuity Strategy
• 8.4 Establish/Implement Business Continuity Procedures
• 8.5 Exercising & Testing
20. ISO 22301 & ISO/IEC 27001 Mapping
Source: https://www.isaca.org/resources/isaca-journal/issues/2015/volume-2/simultaneous-implementation-of-an-integrated-isms-and-a-bcms
1. Both ISOs protect Availability, but ISO 27001 also focuses on Confidentiality and Integrity
2. Both are based on the Plan Do Check Act (PDCA) Cycle
3. Both work towards Risk Management with different objectives, but similar goals
21. ISO 22301 & ISO/IEC 27001 Differences
ISO27001 Information Security: Focuses on preserving the CIA (Confidentiality, Integrity and Availability) of Information
ISO22301 Business Continuity: Focuses on recovery and restoration of critical business functions and processes after a disaster/incident
ISO27001: Technology/Information focus
ISO22301: Business-wide focus (People, Technology, Premises & 3rd Parties)
ISO27001: Protection / Pre-Incident focus
ISO22301: Response / Post-Incident focus
Common Management System (shared by both standards): 4 – Context of the Organisation; 5 – Leadership; 6 – Planning; 7 – Support; 8 – Operation; 9 – Performance Evaluation; 10 – Improvement
Domain A.17 Information Security Continuity: ISO22301 provides implementation guidance for ISO27001 A.17
23. How ISO 22301 supports ISO/IEC 27001
ISO/IEC 27001 Information Security Requirements:
• A.17.1.1 Determine its requirements for information security and the continuity of information security management in adverse situations
• A.17.1.2 Establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation
• A.17.1.3 Verify the established and implemented information security controls at regular intervals in order to ensure that they are valid and effective during adverse situations
ISO 22301 Supporting Guidance:
• 8.2.2 – Business Impact Analysis
• 8.2.3 – Business Continuity Strategy
• 8.3.2 – Establishing Resource Requirements
• 8.4.1 – Establish & Implement BC Procedures
• 8.4.2 – Incident Response Structure
• 8.4.4 – Business Continuity Plans
• 8.5 – Exercising & Testing
• 9.1 – Performance Evaluation
• 10.0 – Improvement
24. A.17.1.1 Determine Requirements
‘A.17.1.1 Determine requirements for information security and the continuity of information security management in adverse situations’
ISO 22301 Guidance: 8.2.2 – Business Impact Analysis; 8.3.1 – Business Continuity Strategy; 8.3.2 – Establish Resource Requirements
Business Impact Assessment (8.2.2):
• Determine Key Activities by time and their criticality, including peak periods and time variables
• Key Resources: People, IT Systems & Applications, information, records, and supply chains to achieve objectives
• Inter-dependencies and how they may be affected by a disruption
• Possible impacts (i.e. financial, customer, legal, reputation, compliance, staffing)
• Risk Assessment: identify and analyse disruption-related risks that need treatment
Business Continuity Strategies (8.3.1):
• Determine Strategies to protect activities, respond to incidents, prioritise resumption timeframes
• Consider Proactive Measures to reduce the likelihood, shorten the disruption and limit the impact
Business Continuity Resource Requirements (8.3.2):
• Determine Resources needed (people, information, data, premises, IT systems and applications, finance, 3rd party partners and suppliers)
25. A.17.1.2 Establish Plans
‘A.17.1.2 Establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation’
ISO 22301 Guidance: 8.4.1 – Establish Process & Procedures; 8.4.2 – Incident Response Structure; 8.4.4 – Business Continuity Plans
Establish Processes & Procedures (8.4.1):
• Establish Communications
• Determine Immediate Steps
• Respond to unanticipated threats
• Focus on disruptive events
• Minimise consequences
Incident Response Structure (8.4.2):
• Identify incident thresholds
• Activate BC Response
• Define processes and procedures
• Ensure resources are available
• Communicate with stakeholders
Business Continuity Plans (8.4.4):
• Define Roles & Responsibilities
• Response activation
• Manage immediate incident consequences
• Recover prioritised activities
• Define Communications Strategy
• Post incident stand-down
ISO22301 provides guidance to:
• Establish Processes and Procedures
• Define an Incident Response Structure
• Develop Business Continuity Plans
26. A.17.1.3 Verify Controls
‘A.17.1.3 Verify the information security controls at regular intervals to ensure that they are valid and effective during adverse situations’
ISO 22301 Guidance: 8.5 – Exercising & Testing; 9.1 – Performance Evaluation; 10.0 – Improvement
Exercise & Test (8.5):
• Appropriate Scenarios
• Validate BCMS requirements
• Minimise risk of disruption
• Develop post-exercise reports
• Review for Continual Improvement
• Conduct at planned intervals
Performance Evaluation (9.1):
• What should be monitored?
• Monitoring Methods
• Monitoring Frequency
• Analysis of Results
Improvement (10.0):
• Identify Nonconformities
• React to Nonconformities
• Eliminate Nonconformity causes
• Implement corrective actions
• Review effectiveness of corrective actions
• Update BCMS if needed
ISO22301 provides guidance for:
• Exercising & Testing
• Evaluating Performance
• Continual Improvement
29. ISO/IEC 27001 Implementation Challenges
• Culture of the company
• Top Management commitment
• Scope effort (Time and Resources)
• Risk assessment and Treatment
Webinar Invite
How can we make an ISO/IEC 27001 business continuity plan smoother and easier with ISO 22301?
For an organization to have a proper information security management system in place and to ensure that the business runs the same, even after incidents, it should have a business continuity plan implemented as well.
Register for our upcoming webinar and learn more on the mapping of ISO/IEC 27001 and ISO 22301.
15 mins Rudy (ISO 27001)
15 mins Rod (ISO 22301)
15 mins Focused Discussion - How can we make an ISO/IEC 27001 business continuity plan smoother and easier with ISO 22301?
Audience Questions
Case studies, implementation examples, implementation challenges, etc.?
Rudy Shoushany: Strategist in Governance of Cybersecurity & Digital Transformation
Rod Crowder: Author, Speaker, and Managing Director at OpsCentre
ISO22301 specifies the requirements for setting up and managing an effective Business Continuity Management System (BCMS). A BCMS emphasizes the importance of:
understanding the organization’s needs and the necessity for establishing business continuity management policy and objectives,
implementing and operating controls and measures for managing an organization’s overall capability to manage disruptive incidents,
monitoring and reviewing the performance and effectiveness of the BCMS, and
continual improvement based on objective measurement.
ISO27001 specifies the requirements for setting up and managing an effective Information Security Management System (ISMS), which preserves the Confidentiality, Integrity and Availability (CIA) of information by applying a Risk Management process and gives confidence to interested parties that risks are adequately managed.
What is ISO 27001?
Originally published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 makes up the core framework for the ISO 27000 series, a collection of documents outlining standards for information security management. ISO 27001, also known as ISO/IEC 27001, is the central set of certification standards for planning, implementing, operating, monitoring, and improving an information security management system (ISMS). The goal of ISO 27001 certification is the effective establishment and management of an ISMS.
Information Security Management Systems (ISMS)
An ISMS is a holistic approach to securing the confidentiality, integrity, and availability (CIA) of corporate information assets.
An ISO 27001 ISMS consists of policies, procedures and other controls involving people, processes, and technology.
Informed by regular information security risk assessments, an ISMS is an efficient, risk-based, and technology-neutral approach to keeping your information assets secure.
Many organizations use ISO 27001 as a guiding framework for developing and implementing information security best practices.
It is built around 14 domains and 114 controls.
Four Key Benefits of ISO 27001
In today’s market, competition is greater, and it is challenging to find something that protects your organization’s information and your customers’ data.
ISO 27001 is a unique certification and can indeed be a selling point, especially if the organization is required to handle customer databases and information.
Compliance: The first benefit of ISO 27001 is compliance. It might seem odd to list this as the top benefit, but it often shows the fastest Return on Investment (ROI): if the organization must comply with various regulations regarding data privacy, data protection, and IT governance (particularly in industries such as health, banking, and government agencies), then ISO 27001 brings in a methodology that allows it to do so in the most efficient way.
Marketing Edge and business opportunities: In today’s market, the competition is greater; it is challenging to find something that protects your organization’s information and your customers’ data. ISO 27001 is a unique certification and can indeed be a selling point, especially if the organization is required to handle customer databases and sensitive information.
Reduce the expenses: EGS offers a broad range of network infrastructure, web applications, and mobile application security assessment services designed to detect and gauge security vulnerabilities. Take the FREE VAPT for up to 10 external IPs, worth $5,000 and get a customized report!
Placing your organization in order: In many companies that have been growing sharply for the last few years, you might experience problems like: who is responsible for certain information assets, who has to decide what, who has to authorize access to information, etc. Here, ISO 27001 is an excellent tool for sorting these things out: it will force you to define both roles and responsibilities very accurately, and therefore strengthen your internal organization.
How to Implement ISMS in your organization?
Following is a generic process for implementing an ISO 27001 based ISMS in your organization:
STEP 1: Build a team responsible for the ISMS. It should include members from all relevant departments.
STEP 2: Identify all assets. Assign a value to each asset; the value of an asset can be its acquisition value or its loss value. Identify the owner of each asset. Assets can be of many kinds, such as:
• Information Assets
• Hardware Assets
• People Assets
• Building Assets
• Software Assets
STEP 3: Identify and finalize a risk analysis technique. Train your ISMS team in this risk analysis technique.
STEP 4: Conduct a risk analysis and evaluate risks to all assets.
STEP 5: Select controls and apply them.
STEP 6: Conduct an internal audit.
STEP 7: Conduct a management review.
14 domains, 114 controls
A5 Information Security Policy (2 controls)
Management needs to provide direction and support for information security in accordance with business requirements and relevant laws and regulations. In essence, your InfoSec team needs to create an information security policy. This document defines how your organization will set up your ISMS. It should contain a set of policies for management to communicate with employees and external parties (such as suppliers and customers).
A6 Organizing information security (7 controls)
Setting up a management framework to initiate and control the implementation and operation of information security within the organization. Your organization should think about the roles and responsibilities as well as the segregation of duties. Who should communicate with special interest groups and authorities, and how? What about security during teleworking and the use of mobile devices?
A7 Human resource security (6 controls)
Information security within Human Resources is defined under section A7 of ISO 27001. It is divided into different stages: before, during, and termination or change of employment. All these requirements make sense within HR related processes, including prospective employee screening, communicating the terms and conditions of employment, disciplinary processes, and information and security awareness training.
A8 Asset management (10 controls)
Your company needs to create an inventory of all assets associated with information (including non-digital assets) and assign ownership. You also should think about the acceptable use, return, labelling, handling, and classification of those assets. Your organization will have to implement controls for media removal and define how to transfer or dispose of media.
A9 Access control (14 controls)
This set of controls handles users’ access to systems, documents, and software. Your organization will need to write an access control policy, manage user access through registration, and review and adjust access rights on a regular basis. This topic also includes password management, source code restrictions, and the use of secret authentication information.
A10 Cryptography (2 controls)
The cryptographic controls are needed to ensure the protection of the confidentiality, authenticity, and the integrity of the information. Make sure you think about a mature encryption solution for hard disks and review your external information sharing solution(s). Encrypting (personal) information is also an obligation of the GDPR regulation.
A11 Physical and environmental security (15 controls)
The goal of the implementation of these controls is to prevent unauthorised access, damage and interference to information and facilities (buildings, IT rooms, development environment, etc.). It covers secure areas and equipment of the organization. These controls include physical access controls, such as issuing key(s) (badges) or access codes to authorised personnel, and protection against natural disasters, malicious attacks and accidents.
Another set of controls in this section covers how to handle equipment issues such as regularly scheduled maintenance, clean desk and screen policies, delivery of equipment. It also asks for guidelines on how to ensure appropriate protection for unattended equipment.
A12 Operations security (14 controls)
The Operations control of ISO 27001 covers the securing of all operational matters of the processes within the scope of the ISMS. From documentation of procedures and event logging to protection against malware and management of technical vulnerabilities. Change and capacity management also deserve the necessary attention here. Taking and maintaining backups of information and software are also part of these controls.
As an organization, you have a lot of work to do!
A13 Communications security (7 controls)
Within this chapter, a high-level network topology is an added value. Starting from this high-level map, you can dive more in depth to check the settings on firewalls, switches, access points and VLANs. Think also about network architecture and data flow diagrams. In a clear policy you should define how information can be transferred between parties depending on its information classification. Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented.
A14 System acquisition, development, and maintenance (13 controls)
A14 aims to build security into the infrastructure of information systems. This includes requirements for information systems throughout the entire lifecycle, including design, testing, implementation, and analysis. Controls under A14 include securing applications used on public networks (A14.1.2) and protecting application services transactions (A14.1.3).
This is also where the agreements and principles are drawn up about the safe development of software. Most of these checks apply to your developers and system engineers.
A15 Supplier relationships (5 controls)
With these 5 controls on supplier relationships, you must address security within supplier agreements, regularly monitor and assess supplier services, and manage supplier (service) changes to mitigate risk. Here lies the cause of the famous long Information Security Questionnaires you receive.
A16 Information security incident management (7 controls)
A16 is all about management of information security incidents, events and weaknesses. The objective in this Annex A area is to ensure a consistent and effective approach to the lifecycle of incidents, events and weaknesses. First of all, you should have the proper procedures for handling security incidents, including incidents where personal information is involved (GDPR art. 33 & 34), in place. In practice you should be able to demonstrate your reporting on security incidents: when it happened; what the impact was; what quick fix you put in place to contain the incident; and what corrective action you implemented after a Root Cause Analysis.
A17 Information security aspects of business continuity management (4 controls)
This is where we will see more with Rod on the BC side and the mapping.
One of the main reasons for implementing ISO 27001 is to guarantee the availability of the information (systems). A good business continuity plan, including regular tests, is key to achieving a level of peace of mind. Redundant equipment, where appropriate, also always contributes to the availability of information.
A18 Compliance (8 controls)
Follow your own rules! These controls ask your organization to avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security. Basically, it asks that the organization makes sure that it complies with the policies and procedures laid out in the above requirements. A yearly penetration test also contributes to technical compliance.
Pitfalls
The goal of the ISO 27001 Certification includes the following:
Develop a security culture in an Organization
Protect the company’s brand reputation
Minimize information security risks
Protect the company personnel information and data
Ensure Confidentiality, Integrity and Availability
Preserve the integrity of data
Promote the availability of data for an authorized user
Secure exchange of information between interested parties
Save time and money.
The ISO 27001 standard is focused on the requirements for an information security framework that relies on confidentiality (information is only available to authorized users), integrity (information is accurate and complete) and availability (authorized users have access to information when they need it).
What is ISO 27002?
ISO 27002, or ISO/IEC 27002:2022, provides guidance on the selection, implementation, and management of security controls based on an organization's information security risk environment. In other words, it is a supplementary standard supporting ISO 27001 that goes into greater detail about the information security controls an organization may apply from the ISO 27001 list. ISO 27002 organizes the controls into 14 main groups, described under clauses 5-18:
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development, and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
According to the International Organization for Standardization, ISO 27002 is designed to be used by organizations that intend to:
Select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
Implement commonly accepted information security controls;
Develop their own information security management guidelines.
What is ISO 27003?
ISO 27003, also called ISO/IEC 27003:2017, provides guidance for implementing an ISMS based on ISO 27001. ISO 27003 covers the process of ISMS specification and design from inception to planning. It describes how to:
obtain management approval to implement an ISMS
define an ISMS implementation project
plan the ISMS project
As a result, organizations that follow ISO 27003 will produce a final ISMS project implementation plan. Clauses 4 through 10 mirror the organization of ISO 27001, making them easy to compare and reference. The descriptions follow the same structure throughout:
Required activity: Outlines key activities required in the corresponding subclause of ISO/IEC 27001.
Explanation: Explains what the requirements of ISO/IEC 27001 imply.
Guidance: Provides additional details and supporting information to implement the “required activity,” with examples.
Other information: Supplies further information that can be considered.
ISO 27001 vs. ISO 27002
The main difference between ISO 27001 and ISO 27002 is that ISO 27002 is a detailed supplementary guide to the security controls in the ISO 27001 framework. ISO 27002 provides best-practices guidance on selecting and implementing the controls listed in ISO 27001. These controls are referenced in ISO 27001 documentation in Annex A, which includes 114 security controls divided into 14 control sets. But where ISO 27001 provides a brief outline of key information security controls, ISO 27002 describes them in depth, explaining how each control works, its purpose and objectives, and how it can be implemented. In other words, ISO 27002 is a supporting document and should be read alongside ISO 27001.
ISO 27001 vs. ISO 27003
ISO 27003 provides basic but comprehensive guidance for all the requirements of an information security management system described under ISO 27001. This includes recommendations (‘should’), possibilities (‘can’), and permissions (‘may’) related to those requirements. However, ISO 27003 is not a certification standard like ISO 27001—organizations are under no obligation to follow the guidance in ISO 27003.
HOW WILL 2022 CHANGES AFFECT MY CURRENT ISO 27001 CERTIFICATE?
The new updates do not impact your existing certification against the ISO 27001 standard. Instead, the accreditation bodies will jointly work with the certification companies on a transition period to allow organisations with ISO 27001 certification to shift to the newer version efficiently. Still, until the updated version of ISO 27001 is officially released, your Statement of Applicability (SoA) should refer to the controls contained in Annex A of ISO 27001:2013. ISO 27002:2022 should only be used as a reference to other controls.
The updated ISO 27001 has been restructured and will have 93 controls.
Business Continuity Management is a program that assists an organisation to continue its critical business operations in the event of a significant incident or business disruption. This is achieved by identifying the critical business functions, processes and resources to build a Business Continuity Plan that provides response and recovery strategies.
A Business Continuity Framework provides a structured response to an incident, minimising the overall impact to the organisation and its key internal and external stakeholders (employees, clients, community, public, government, suppliers and other stakeholders).
A.17 defines Information Security Continuity but does not provide any details of how to achieve it. This is where 22301 supports 27001.
ISO22301:
Business Focus, not just Information/Technology Focus
Responds to multiple types of Events – People, Technology, Premises and Third-Parties
Can be used to support implementation of ISO27001 ISMS Control A.17
Workarounds and/or preventative countermeasures that can be implemented in the event of a major business disruption
1 – Exercise and Test Security Controls
2 – Undertake Management Reviews
3 – Implement Continual Improvement
Pitfalls
ISO 27001 documentation can be the biggest “chunk” of the implementation. Because the management system requires more procedural documents such as policies, the focus on writing those policies takes up a lot of time. But setting up the infrastructure for regularly scheduled reviews, such as access control, also requires time and commitment from all involved within the company.
To avoid writing this documentation (policies, procedures, work instructions) all by yourself, you can work with a consultant who provides templates and guidelines to mature your organization’s awareness quickly.
Bear in mind that an audit is sample-based, but your controls need to continue to operate between annual audits. Otherwise, it’s likely that your organization will risk non-compliance and create more work when the time comes to be audited again. ISMS is a story of continuous improvement!