
Introducing ISO 22301

Background

How was ISO 22301 formed?

Contributors and context: the source documents included
- BS25999-2
- NFPA 1600
- ASIS OR standard
- Singapore standards
- ISO 27031
- ISO Guide 73
- ISO/PAS 22399

So ISO 22301 is not simply an international version of BS25999.

Publication Timeline

The timeline on the slide runs from Q1 2011 to Q1 2013.

ISO 22301 BCM Requirements:
- DIS public commenting period
- FDIS (Q3 to Q4 2011)
- FDIS published (Q1 2012)
- Final ISO publication

ISO 22313 BCM Guidelines:
- Development
- Document out for public comment
- Publication ???

Summary of ISO FDIS 22301:2012


ISO is currently developing a high level structure (Guide 83) and standardised text suitable for all ISO management system standards; ISO 22301 is the first standard to be developed to this new structure. The intention is to standardise terminology and requirements for what are essentially the fundamental elements of a management system. As ISO 22301 will be the first new ISO management system standard, it will be the vanguard for all new and revised versions of existing ISO standards.

ISO 22301 Key Points (Societal Security BCMS)


"...standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, amongst all interested parties."

ISO 22301 structure:
- 0 Introduction
- 1 Scope
- 2 Normative References (ISO Guide 73: Risk management vocabulary; ISO 22300: Terminology)
- 3 Terms and Definitions
- 4 Context of the organisation
- 5 Leadership
- 6 Planning
- 7 Support
- 8 Operation
- 9 Performance Evaluation
- 10 Improvement

Mapping from BS25999-2 clauses to ISO 22301 clauses:
- BS25999-2 clause 3, Planning the BCMS (Scope, Objectives, Policy; Resources; Competency; Embedding; Documentation), maps to ISO 22301 clauses 4 Context of the organisation, 5 Leadership, 6 Planning and 7 Support.
- BS25999-2 clause 4, Implementing and Operating the BCMS (BIA; Risk and Risk Choices*; Strategy; Incident response, IMP, BCP; Exercising, Review), maps to 8 Operation.
- BS25999-2 clause 5, Monitoring and Reviewing the BCMS (Internal Audit; Management Review), maps to 9 Performance Evaluation.
- BS25999-2 clause 6, Maintaining and Improving the BCMS (Preventive*, Corrective and Improvement Actions), maps to 10 Improvement.

Key Changes / Aspects


Notable shifts in emphasis from BS25999-2:2007:

- Change in the way an organisation may be defined.
- Top Management leadership shall be more demonstrable and active.
- Preventive action has been replaced with actions to address risks and opportunities, and features earlier.
- ISO 22301 puts a much greater emphasis on setting the objectives, monitoring performance and metrics, aligning BC to top management strategic thinking.

- Strong emphasis on performance evaluation and metrics.
- Communication elements are more demanding, and a responsibility to the wider community is defined.
- BIA is similar but with some changes to terminology.
- There is a stronger link to the organisation's approach to risk.
- To reflect the Societal Security approach some new terminology has been introduced; see ISO 22300.


Benefit of BCM: sudden disruption (chart)

Benefit of BCM: gradual disruption (chart)

3. Terms & Definitions

- Business continuity plan
- Correction
- Corrective action
- Interested party
- Maximum acceptable outage (MAO)
- Maximum tolerable period of disruption (MTPD)
- Minimum business continuity objective (MBCO)

Context - Interested Parties

Context
Requirement for documenting the links between the business continuity policy and the organization's objectives and other policies, including its overall risk management strategy, and the organization's risk appetite.

There is a requirement to have procedures which identify legal and regulatory requirements. There is also a requirement to keep this information up to date, which must tie in with maintenance.

6. Planning
Section 6.1 talks about risks and 6.2 about objectives. This is standardized text, but it might confuse.
Having fully understood the context of the organisation, planning activities are introduced to address the risks and opportunities of the business. This proactive approach, if carried out properly, will ensure a resilient BCM system, as it will focus on planning for successfully achieving BCM objectives and realising opportunities for improvement. Ownership and accountability of BC objectives will be allocated, and a clear direction to accomplishing these objectives will be agreed.


7. Support
7.2 Competence: the organisation (generally acknowledged to be through its Top Management) has a responsibility to ensure that sufficient and appropriate resource is available for the BCMS. Appropriateness is often determined through competency analysis. It is people who take action when an incident occurs.
Competence relates both to operating the BCMS and to performing following an incident. Note also 7.3 d): everyone has to be aware of their role during disruptive incidents.


Communication

- external communication with customers, partner entities, local community, and other interested parties, including the media,
- receiving, documenting, and responding to communication from interested parties,
- adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate,
- ensuring availability of the means of communication during a disruptive incident,
- facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and
- operating and testing of communications capabilities intended for use during disruption of normal communications.

BIA
a) identifying activities that support the provision of products and services;
b) assessing the impacts over time of not performing these activities;
c) setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and
d) identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.
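A worked illustration of BIA steps a) to d) (an added example, not from the original slides or the standard): constructed impact-over-time scores per activity, the MTPD taken as the first point where impact becomes unacceptable, an RTO set before it, resumption prioritised by MTPD, and a check that supporting resources recover no later than the activities that depend on them. The threshold, assessment hours and activity names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

UNACCEPTABLE_IMPACT = 7  # constructed threshold on a 0-10 impact scale

@dataclass
class Activity:
    name: str
    impact_over_time: dict[int, int]            # elapsed hours -> impact score (constructed)
    depends_on: list[str] = field(default_factory=list)

def mtpd(a: Activity) -> Optional[int]:
    """MTPD: first assessed hour at which not performing the activity becomes unacceptable."""
    for hours in sorted(a.impact_over_time):
        if a.impact_over_time[hours] >= UNACCEPTABLE_IMPACT:
            return hours
    return None  # stays tolerable across the assessed horizon

def rto(a: Activity) -> Optional[int]:
    """RTO: latest assessed point before the MTPD, so resumption precedes unacceptable impact."""
    limit = mtpd(a)
    if limit is None:
        return None
    earlier = [h for h in a.impact_over_time if h < limit]
    return max(earlier) if earlier else 0

def prioritise(activities: list[Activity]) -> list[str]:
    """Resumption order: shortest MTPD first; activities that never become unacceptable last."""
    return [a.name for a in sorted(activities, key=lambda a: (mtpd(a) is None, mtpd(a) or 0, a.name))]

def dependency_conflicts(activities: list[Activity]) -> list[str]:
    """A supporting resource must be back no later than the activity it supports;
    report dependencies whose RTO is missing or later than the dependent's."""
    by_name = {a.name: a for a in activities}
    conflicts = []
    for a in activities:
        for dep in a.depends_on:
            d_rto, a_rto = rto(by_name[dep]), rto(a)
            if a_rto is not None and (d_rto is None or d_rto > a_rto):
                conflicts.append(f"{dep} must recover no later than {a.name} (RTO {a_rto}h)")
    return conflicts

# Constructed sample BIA data: impact scored at 4, 24, 72 and 168 elapsed hours.
ACTIVITIES = [
    Activity("order-processing", {4: 3, 24: 6, 72: 9, 168: 10}, ["payment-gateway"]),
    Activity("payment-gateway", {4: 5, 24: 8, 72: 10, 168: 10}),
    Activity("monthly-reporting", {4: 1, 24: 2, 72: 4, 168: 8}, ["order-processing", "archive-service"]),
    Activity("archive-service", {4: 0, 24: 1, 72: 2, 168: 3}),
]
```

Running `prioritise(ACTIVITIES)` on the sample puts the payment gateway first, and `dependency_conflicts(ACTIVITIES)` flags the archive service because reporting depends on it but it has no recovery target of its own.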

Risk Assessment
The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization. NOTE: This process could be made in accordance with ISO 31000. The organization shall identify risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, and shall analyse, evaluate and treat them.


Strategy
BS25999-2 had 4.1.3 Determining Choices and 4.2 Determining business continuity strategy.

ISO 22301 is better defined:
- Decide what you are going to do to reduce the likelihood and impact, as well as how to respond (these are not alternative approaches).
- Set RTOs.
- Work out the resource requirements.
- Act on the protection and mitigation needed.
- Evaluate the business continuity capability of suppliers.

Incident Response Structure

8.4.2 is broadly equivalent to 4.3.2 in BS25999.
- Impact thresholds are new.
- Personnel to assess the incident.
- Communication mentions authorities and media explicitly.
- External communications are a new requirement.
- Life safety is explicitly mentioned.


Warning and Communication

The organization shall establish, implement and maintain procedures for
a) detecting an incident,
b) regular monitoring of an incident,
c) internal communication within the organization,
d) receiving, documenting and responding to any national or regional risk advisory system or equivalent,
e) assuring availability of the means of communication during a disruptive incident,
f) facilitating structured communication with emergency responders,
g) recording of vital information about the incident, actions taken and decisions made.

Recovery
The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.


Exercising and Testing

Covers pretty much the same ground as BS25999-2. It talks about exercises and tests.

Expect to see a programme. The point is that, over time, these should provide objective assurance that the arrangements made will work as anticipated and when required: so does the programme really do this?

Performance Evaluation
As with all management system standards there is a need to look back at what has been achieved. ISO 22301 also requires that this analysis is evaluated and conclusions drawn by the organisation. Performance metrics (to be selected by the business) are required in ISO 22301. Whilst this is a new requirement it is likely that organisations will already produce certain metrics and these may be able to be tailored to cover the BCMS performance.



Internal audits and management review continue to be key methods of reviewing the performance of the BCMS and tools for its continual improvement.

Transition
Organizations who are currently certified to BS25999-2:2007 will be provided with:
- A transition guideline
- A transition timescale

It is widely expected that transitions will be conducted during a CAV visit.

Guidelines and timescales are dependent upon UKAS. Certified organisations have 12 to 18 months to transition, although this could be up to 3 years.
