Background
Contributors
Context
Source documents included:
- BS25999-2
- NFPA 1600
- ASIS OR standard
- Singapore standards
- ISO 27031
- ISO Guide 73
- ISO/PAS 22399
Publication Timeline (chart): quarters Q1 2011 through Q1 2013; milestones shown: ISO 22301 BCM Requirements, FDIS, FDIS Published, Development, Publication ???
ISO 22301 structure:
- 0 Introduction
- 1 Scope
- 2 Normative References (Guide 73: Risk management vocabulary; ISO 22300 Terminology)
- 5 Leadership
- 6 Planning
- 7 Support
- 8 Operation
- 9 Performance Evaluation
- 10 Improvement

BS25999 structure:
- 3 Planning the BCMS (Scope, Objectives, Policy; Resources; Competency; Embedding; Documentation)
- 4 Implementing and Operating the BCMS (BIA; Risk and Risk Choices*; Strategy; Incident response, IMP, BCP; Exercising, Review)
- 5 Monitoring and Reviewing the BCMS (Internal Audit; Management Review)
- 6 Maintaining and Improving the BCMS (Preventive*, Corrective & Improvement Actions)
Interested party
Maximum acceptable outage (MAO)
Context
Requirement for documenting: links between the business continuity policy and the organization's objectives and other policies, including its overall risk management strategy; and the organization's risk appetite.
The requirement to have procedures which identify legal and regulatory requirements. There is also a requirement to keep this information up to date, which must tie in with maintenance.
6. Planning
Section 6.1 covers risks and 6.2 covers objectives. This is standardized text but might confuse.
Having fully understood the context of the organisation, planning activities are introduced to address the risks and opportunities of the business. This proactive approach, if carried out properly, will ensure a resilient BCM system as it will focus on planning for successfully achieving BCM objectives and realising opportunities for improvement. Ownership and accountability of BC objectives will be allocated and a clear direction to accomplishing these objectives will be agreed.
7. Support
7.2 Competence: The organisation (generally acknowledged to be through its Top Management) has a responsibility to ensure that sufficient and appropriate resource is available for the BCMS. Appropriateness is often determined through competency analysis. It is people who take action when an incident occurs.
Competence relates both to operating the BCMS and to performing following an incident. Note also 7.3 d): everyone has to be aware of their role during disruptive incidents.
Communication
- external communication with customers, partner entities, local community, and other interested parties, including the media;
- operating and testing of communications capabilities intended for use during disruption of normal communications.
BIA
a) identifying activities that support the provision of products and services;
Risk Assessment
The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.
NOTE: This process could be made in accordance with ISO 31000.
The organization shall identify risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, and analyse, evaluate and treat them.
Strategy
BS25999-2 had 4.1.3 Determining Choices and 4.2 Determining business continuity strategy
a) detecting an incident,
b) regular monitoring of an incident,
c) internal communication within the organization,
d) receiving, documenting and responding to any national or regional risk advisory system or equivalent,
e) assuring availability of the means of communication during a disruptive incident,
f) facilitating structured communication with emergency responders,
g) recording of vital information about the incident, actions taken and decisions made.
Recovery
The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.
Performance Evaluation
As with all management system standards there is a need to look back at what has been achieved. ISO 22301 also requires that this analysis is evaluated and conclusions drawn by the organisation. Performance metrics (to be selected by the business) are required in ISO 22301. Whilst this is a new requirement it is likely that organisations will already produce certain metrics and these may be able to be tailored to cover the BCMS performance.
Internal audits and management review continue to be key methods of reviewing the performance of the BCMS and tools for its continual improvement.
Transition
Organizations that are currently certified to BS25999-2:2007 will be provided with:
- A transition guideline
- A transition timescale
Guidelines and timescales are dependent upon UKAS. Certified organisations have 12 to 18 months to transition, although it could be up to 3 years.