Presentation Slides
Welcome!
Safety - be aware of emergency exits
Restroom and Telephones - nearest locations
Contact Number - for urgent messages
Personal Property - keep possessions secure
Phones and Pagers - please avoid interruptions
Recording Devices - not allowed in class
Lunch and Breaks - please return on time
Smoking - not permitted in the classroom
Special Needs - please inform the instructor
BCM-040-01-EN-US
Introductions
Name
Organization and business sector
Job role
Knowledge of BS 25999 (1-10 scale)
Knowledge of auditing (1-10 scale)
Your aim for attending this course
Something interesting about yourself
Learning Objectives
Upon completion of the course, students should be able to:
Lead and carry out an audit of a business continuity management system
Explain the requirements of BS 25999-2:2007
Understand the Business Continuity Management Code of Practice
Clarify the different purposes of BS 25999 Part 1 and Part 2
Articulate and present audit findings
Manage successful audit communication and interviews
Write a succinct audit report
Conduct opening, closing, and follow-up audit meetings
Business Continuity
BCM Standards
Code of Practice (BS 25999-1): best practice guidance, not auditable
Requirements (BS 25999-2): "shall" statements, auditable
Introduction to Auditing
Auditing
What is an audit?
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled
(ISO 19011:2002 clause 3.1)
Why audit?
Requirement of BS 25999-2
Monitor and measure the management system
Promote continual improvement of the management system
Benefits of Auditing
Verifies conformity to requirements
Increases awareness and understanding
Provides top management with a measurement of the effectiveness of the management system
Reduces risk of management system failure
Identifies improvement opportunities
Drives continual improvement if performed regularly
Management Systems
Common components of management systems:
Policy
Planning
Implementation and operation
Performance assessment
Improvement
Management review
Figure: Plan-Do-Check-Act model applied to the BCMS. Interested parties' business continuity requirements and expectations feed the cycle: Plan (establish the BCMS), Do (implement and operate), Check (monitor and review), Act (maintain and improve). The output delivered to interested parties is managed business continuity.
Exercise 1
Business Continuity Management Lifecycle
Figure: BCM lifecycle stages shown on the slide: Implement, Maintain, Continually improve.
Exercise 2
Requirements of BS 25999-2:2007
Auditing BS 25999-2:2007
Make effective business decisions
Allocate necessary resources
Improve business processes
ISO 19011:2002
ISO 19011:2002 provides guidance on:
Auditing principles
Managing audit programs
Conducting internal and external audits
Competence of auditors
BS EN ISO/IEC 17021:2006
The initial certification audit shall be conducted in two stages:
Stage 1:
Audit the client's management system documentation
Review the client's status and evaluate whether the client is ready for the stage 2 audit
Stage 2:
Evaluate implementation of the client's management system
Shall take place at the site(s) of the client
Exercise 3
Audit Definitions
Types of Audits
Registration/Certification
Product
Customer contract
Gap assessment/Pre-assessment
Surveillance
Combined audit/Joint audit
Dimensions of Auditing
Intent: Does top management intend to implement a BCMS, and how is this intent communicated?
Implementation: Does the implementation of the BCMS reflect the intent of top management?
Effectiveness: Is the implementation effective (i.e., does it meet the parameters established by the intent)?
ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits
Process (specific value-added activities)
Exercise 4
Process Auditing and the Turtle Diagram
Figure: Managing an audit program as a PDCA cycle (ISO 19011:2002 clause 5.1).
ESTABLISH (Plan): objectives, extent, roles, resources, procedures
IMPLEMENT (Do): schedule audits, evaluate auditors, select teams, direct activities, maintain records
CHECK: monitor and review the program
IMPROVE (Act)
Audit Program
Audit program includes:
One or more audits, depending on the size, nature and complexity of the auditee
All activities necessary for planning, organizing, and providing resources to conduct audits
Audit Program
Top management should authorize responsibility for program management. Those assigned responsibility should:
Establish, implement, monitor, review, and improve the audit program
Identify the necessary resources and ensure they are provided
Audit Program
Audit program processes should include:
Planning and scheduling audits
Assuring competence of auditors and audit teams
Conducting audits and audit follow-up
Monitoring the performance of the audit program
The program should be managed by a member of the organization
Keep appropriate audit records to monitor and review the audit program
Exercise 5
Considerations of the Audit Program
Audit Activities
Initiating the audit
Conducting document review
Preparing for on-site activities
Conducting on-site activities
Preparing, approving, and distributing the audit report
Completing the audit
Conducting audit follow-up
(ISO 19011:2002 clause 6.1)
Auditor Responsibilities
Document and support all findings
Keep the auditee informed
Safeguard all documents
Maintain confidentiality
Be objective and ethical
Verify corrective actions, if required
Auditor Competence
Auditor competence is based on:
Personal attributes
Application of knowledge and skills
(ISO 19011:2002 clause 7.1)
Auditor Competence
Personal Attributes
Ethical
Open-minded
Diplomatic
Observant
Perceptive
Versatile
Tenacious
Decisive
Self-reliant
(ISO 19011:2002 clause 7.2)
Auditor Competence
Generic Knowledge and Skills
Audit principles, procedures, and techniques (ISO 19011:2002 clause 7.3.1):
Apply principles, procedures, and techniques
Plan and organize work
Conduct the audit within the time schedule
Collect information through interviewing, listening, observing, and reviewing documents
Understand sampling techniques
Confirm evidence to support findings
Prepare audit reports
Maintain confidentiality and security
Auditor Competence
Generic Knowledge and Skills
Organizational situations:
Size, structure, functions, and relationships
Business processes and terminology
Cultural and social customs
(ISO 19011:2002 clause 7.3.1)
Auditor Competence
BCM Knowledge and Skills
BCM knowledge and skills should cover:
Techniques used to develop and implement the BCM process
Analysis methods and techniques to examine business impact analysis and risk assessment
Understanding of strategy development
Understanding of planning techniques to examine the development and implementation of BCM responses and exercises
Understanding of training and awareness programs for BCM
Exercise 6
Document Review (Stage 1 Audit)
Audit Planning
Determine the objective of the audit
Identify specified requirements
Determine audit duration and resources needed
Select the team
Contact the auditee and agree the date(s)
Draw up the audit plan
Brief the team
Prepare work documents
Exercise 7
Creating an Audit Plan
Checklists Benefits
Keeps audit scope and objectives clear
Provides evidence of audit planning
Maintains audit pace and continuity
Reduces auditor bias
Reduces workload during the audit
Provides space for auditor notes
Identifies expected evidence
Checklists Preparation
One approach is to:
Identify the audit scope and the process(es) within scope
Identify applicable factors (inputs, outputs, measures, resources, etc.)
Use these points and other requirements (BS 25999-2, system documentation, etc.) to:
Plan what to look at
Plan what to look for (audit evidence)
Prepare the checklist
Checklist Structure
Audit checklist structure:
Process/Activity Audited: ________
Requirement (BS 25999-2 clause # or other requirement) | Source (what to look at) | Evidence (what to look for) | Notes
Exercise 8
Creating Audit Work Documents
Opening Meeting
Hold the opening meeting with auditee top management and those responsible for the processes audited
Meeting may range from informal (1st party) to formal (3rd party)
Chaired by the team leader
Audit team present
Purpose is to confirm all prior arrangements
(ISO 19011:2002 clause 6.5.1)
Opening Meeting
1. Introduction / roles / attendance
2. Objective / scope / criteria
3. Documentation status
4. Audit plan confirmation
5. Audit methods
6. Sampling
7. Communication channels
8. Language of audit
9. Audit progress
10. Closing / interim meetings
(ISO 19011:2002 clause 6.5.1)
Opening Meeting
11. Logistics: resources, safety, security, etc.
12. Confidentiality
13. Availability of guides
14. Reporting methods, including nonconformities
15. Conditions for audit termination
16. Appeal system: audit conduct / conclusions
17. Restrictions / questions
(ISO 19011:2002 clause 6.5.1)
Exercise 9
Conducting an Opening Meeting
Figure: From information to conclusions. Collect by appropriate sampling and verification -> Audit evidence -> Evaluate against audit criteria -> Audit findings -> Review -> Audit conclusions
Auditing Process
Collect and Verify Information
Collect information relevant to:
Audit objectives, scope, and criteria
Interfaces between functions, activities and processes
(ISO 19011:2002 clause 6.5.4)
Collect audit evidence by appropriate sampling, then verify and record it
Be aware of sampling limitations when acting on the audit conclusion
Use only information that is verifiable as audit evidence
Auditing Process
Techniques to Obtain Audit Evidence
Interview:
Personnel that manage, perform, and verify activities
Also ensure they are responsible for the activity being audited
Listen carefully to responses
Observe:
Identity, status, condition, processes, equipment, activities, environment, and people
Review:
Review business continuity records for evidence of conformity to documents
Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable
Audit evidence may be qualitative or quantitative
Questioning Techniques
Open question:
Using why, who, what, where, when, or how gets more than a yes or no answer
Expansive question:
Further elaborates the current point
Opinion question:
Asks for an opinion about the current point
Questioning Techniques
Repetitive question:
Repeats the response back in the form of a question
Hypothetical question:
Uses "what if", "suppose that", etc.
Closed question:
Gets a yes or no answer
Avoid using too often
Used for confirmation
Silence:
Draws more information
Note Taking
Notes could be used as a reference for:
Immediate investigation
Investigation later
Use by a colleague
Subsequent audits
Note Taking
Notes taken during an audit are a record of:
The audit sample taken
What was reported
What was observed
Establish why it is a nonconformity, or otherwise
State who (if relevant), preferably by job title
Obtain agreement with the facts
Nonconformity
Non-fulfillment of a specified requirement:
Not doing it
Partially doing it
Doing it the wrong way
(ISO 19011:2002 clause 6.5.5)
Specified requirements:
Conditions of customer contract
BC standard (BS 25999-2)
Business continuity management system
Statutory or regulatory requirements
Exercise 10
Auditing Live Wild Logistics
Nonconformity Minor
Failure to comply with a requirement which (based on judgement and experience) is not likely to result in BCMS failure
Single observed lapse or isolated incident
Minimal risk of nonconforming product or service
Examples:
A two-month lapse in the exercise program
A training record not available
No actions taken to improve or review BCM arrangements after exercises
Nonconformity Major
Absence or total breakdown of a system to meet a requirement
A number of minors related to the same clause or requirement
A nonconformity that experience and judgement indicate will likely result in BCMS failure or significantly reduce its ability to assure controlled processes and products
Nonconformity Major
Examples:
No documented procedure for a required BS 25999-2:2007 process/activity
Document changes routinely made without authorization
No awareness program for the business continuity management system
No future planned internal audits
Insufficient scope
Numerous minor nonconformities found in the business continuity plan
Nonconformity
Classifying the Nonconformity
Consider the seriousness:
What could go wrong if the nonconformity remains uncorrected?
Is it likely the system would detect it before the customer is affected?
If you are not certain it is a nonconformity, it is not. You must have:
A requirement that has been broken
Proof that it has been broken
Nonconformity Report
Incident Number: 1
Company under Audit: XYZ, Inc.
Area under Review: BCP
Category: Major / Minor
BS 25999-2 Clause Number: 4.3.3.3
Requirement: Clause 4.3.3.3 of BS 25999-2:2007 states that the business continuity plan must identify lines of communication.
Nonconformity Finding: Upon review of the business continuity plan for XYZ, Inc., Issue 2, it was found that the contact information for the BCP still names employees that have left XYZ, Inc.
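The XYZ, Inc. report above is only defensible because the auditor had both halves of a nonconformity: a requirement (the plan shall identify lines of communication) and proof (named contacts who no longer work there). The following is an added worked example, not course material, showing how an auditor can generate that proof mechanically, by cross-checking the BCP contact list against the current staff roster, and then apply the classification rule from the Major/Minor slides (several minors on the same clause escalate to a major) before filling in the report fields. The contact names, the roster, and the escalation threshold of two are assumptions made for the example.

```python
"""Added example (not part of the BCM-040 course material): from verifiable
evidence to a classified nonconformity report.

Two points from the slides are encoded:
  1. A nonconformity needs a requirement that is broken AND proof that it is
     broken. The proof here is the stale-contact check behind the XYZ, Inc.
     example: contacts named in the BCP who are not on the active roster.
  2. Classification: an isolated lapse is Minor; "a number of minors" on the
     same clause becomes Major. The threshold (2) is an assumption; the
     slides do not fix a number.
All names, roster entries and the BCP issue number are constructed data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Finding:
    clause: str            # BS 25999-2 clause the requirement comes from
    requirement: str       # the requirement, quoted from the audit criteria
    evidence: str          # objective, verifiable observation
    category: str = "Minor"  # "Minor" or "Major"


def stale_contacts(plan_contacts, active_staff):
    """Contacts named in the BCP who are not on the active staff roster.

    This is the verifiable audit evidence; 'the list looks old' is not.
    Matching is case-insensitive because HR and BCP lists rarely agree on case.
    """
    active = {name.lower() for name in active_staff}
    return [c for c in plan_contacts if c.lower() not in active]


def check_lines_of_communication(plan_issue, plan_contacts, active_staff,
                                 clause="4.3.3.3"):
    """Return a Finding only when there is proof; otherwise None.

    Mirrors the slide rule: if you are not certain it is a nonconformity,
    it is not.
    """
    stale = stale_contacts(plan_contacts, active_staff)
    if not stale:
        return None
    return Finding(
        clause=clause,
        requirement=("Clause %s of BS 25999-2:2007: the business continuity "
                     "plan shall identify lines of communication." % clause),
        evidence=("BCP Issue %s names %d contact(s) no longer employed: %s"
                  % (plan_issue, len(stale), ", ".join(stale))),
    )


def classify(findings, escalate_at=2):
    """Escalate Minor findings to Major when several share one clause.

    escalate_at is an assumed threshold for 'a number of minors'.
    """
    by_clause = defaultdict(list)
    for f in findings:
        by_clause[f.clause].append(f)
    for group in by_clause.values():
        minors = [f for f in group if f.category == "Minor"]
        if len(minors) >= escalate_at:
            for f in minors:
                f.category = "Major"
    return findings


def nonconformity_report(company, area, findings):
    """Render the report fields used on the slide, one block per finding."""
    blocks = []
    for n, f in enumerate(findings, start=1):
        blocks.append(
            "Incident Number: %d\n"
            "Company under Audit: %s\n"
            "Area under Review: %s\n"
            "Category: %s\n"
            "BS 25999-2 Clause Number: %s\n"
            "Requirement: %s\n"
            "Nonconformity Finding: %s\n"
            % (n, company, area, f.category, f.clause, f.requirement, f.evidence))
    return "\n".join(blocks)


# Constructed sample data: the BCP names three contacts, HR lists two staff.
PLAN_CONTACTS = ["A. Archer", "B. Bright", "C. Cole"]
ACTIVE_STAFF = ["A. Archer", "D. Dunn"]

if __name__ == "__main__":
    finding = check_lines_of_communication("2", PLAN_CONTACTS, ACTIVE_STAFF)
    print(nonconformity_report("XYZ, Inc.", "BCP", classify([finding])))
```

Run stand-alone it prints one Minor finding against clause 4.3.3.3 naming B. Bright and C. Cole as the stale entries; feed `classify` two findings on the same clause and both come out Major, which is the escalation the Major slide describes.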
Exercise 11
Writing Nonconformities
To prepare the audit report and recommendations
If included in the audit plan, to discuss audit follow-up
Audit Report
Prepare, Approve and Distribute
1. Audit reference
2. Client and auditee details
3. Audit team details
4. List of auditee representatives
5. Objectives, scope, and criteria
6. Audit plan: dates, places, areas audited and timing
7. Summary of audit process
8. Audit summary
9. Uncertainty due to sampling
(ISO 19011:2002 clauses 6.6.1 and 6.6.2)
Audit Report
Prepare, Approve and Distribute
10. Nonconformity reports
11. Recommendation
12. Obstacles encountered
13. Any areas in the audit scope not covered
14. Any unresolved issues between the auditee and the team
15. Confirmation that audit objectives were accomplished
16. Confidentiality statement
17. Distribution list
(ISO 19011:2002 clauses 6.6.1 and 6.6.2)
Exercise 12
Creating the Audit Report
Closing Meeting
Hold the closing meeting (with the auditee, audit client, and other parties) to present audit findings and conclusions
Cover situations encountered during the audit that may decrease reliance on the audit conclusions
Discuss and resolve diverging audit findings and conclusions; keep a record if not resolved
Provide recommendations for improvement where specified by the audit objectives
Keep minutes and attendance records
(ISO 19011:2002 clause 6.5.7)
Closing Meeting
The team leader prepares and works to an agenda and controls the meeting:
Attendees
Thanks
Objective / scope
Reporting system
Limitations
Confidentiality
Audit summary
Nonconformities
Agreement (sign)
Recommendation
Clarification
Depart
(ISO 19011:2002 clause 6.5.7)
Exercise 13
Conducting the Closing Meeting
Exercise 14
Conducting Audit Follow-up
Exercise 15
Sample Exam
Conclusion
Questions?