
BCM Continuous Improvement

Audit and Other Initiatives


Business & IT Resilience Summit Dubai
Rolf von Roessing, CISA, CISM, CGEIT, CISSP, FBCI
Session Overview
Continuous Improvement Tools
Audit Universe and Scoping
Applicable Standards
Audit Programme
BCMS and Life Cycle
BCM Controls
Sources of Further Information and Q & A
CONTINUOUS IMPROVEMENT TOOLS
Continuous Improvement Tools
Process Model
  Continuous Improvement Process
  Ad hoc Improvement Process
PDCA (Plan, Do, Check, Act)
  ISO-based version of the Deming Cycle
  Pervasive throughout ISO 22301, ISO 27031 etc.
  Coexistence with the BCM Life Cycle
Audit and Review
  1st Line of Defence: Management Review
  2nd Line of Defence: Independent Review
  3rd Line of Defence: Audit
Improvement Processes
Continuous Improvement Process: used to improve the BCMS (i.e. the toolbox) in a controlled and regular manner
  CIP is needed to maintain the BCMS up to date and in line with recognised standards
Ad hoc Improvement Process: used to address operational improvements from various sources:
  Test / exercise results
  Audit findings
  Local regulatory changes
  etc.
PDCA Cycle
Embedded in most standards addressing BCM and ITSCM, e.g. ISO 22301 and ISO 27031
Links BCM to other disciplines such as IT Security, ITIL / ISO 20000, Quality Management etc.
The phases Plan, Do, Check, Act are projected onto the elements of the life cycle in ISO 22313, ISO 27031 and the BCI Good Practice Guidelines
Your processes, controls and indicators should always link to at least one phase of the PDCA cycle to maintain alignment
AUDIT UNIVERSE AND SCOPING
Auditing Business Continuity
BCM Developments (timeline diagram; image not reproduced, labels in order of appearance)
  2009: Information Security, IT Service Continuity Mgmt, BCM, Critical Infrastructure Prot., ORM, Corporate Governance, Civil Defence, Business Information / Technology Strategy, Enterprise Risk Management
  2010 / 2011: Public / Private, Technical Resilience, Business Resilience
  20xx: Integrated Resilience Model, Security
Audit Universe and Scoping
Control Design
  BCMS and Life Cycle (including PDCA)
  Templates, Standards Alignment etc.
  BC Organisation, Resources
Control Effectiveness
  Contents of documents, e.g. strategy, BC plans
  Key performance indicators
  BC as part of the internal control system
APPLICABLE STANDARDS
ISO 22300 Roadmap (standards lineage diagram; image not reproduced)
  BCI Prof. Practices and Joint Standards
  BS 7799 -> ISO 17799 -> ISO 27001
  BS PAS 56 (2003) -> BS 25999 (2006) -> ISO 22301
  BS PAS 77 -> BS 25777 -> ISO 27031
  ISO PAS 22399-1
Applicable Standards
ISO and GPG (2013): note the new life cycle!
Include subsidiary ISO 223xx standards as they are published
Sector-specific:
  Banking / Basel III and Insurance / Solvency II, e.g. High level principles for business continuity (2006)
  Include international (indirect) regulations, e.g. MAS in Singapore
If IT is involved: ISO 27031, ISO 24762 (for outsourcing DR)
AUDIT PROGRAMME
Audit Programme
AP must be modular: life cycle phases and BCMS form the highest level
Define clear drill-down paths linked to risk and maturity
Define the audit question to be answered (compliance? feasibility study? due diligence? forensic?)
Select appropriate subset of global audit programme
Communicate to auditee and make necessary adjustments
Audit Mode
Point in time: traditional method of auditing as at a certain date:
  financial year end
  asymmetric, for instance towards a certification date
Project-based: in line with delivering v1.0 of an initiative or project
  often used in the early stages
  pre-implementation, post-implementation, accompanying the project
Continuous: comparatively new method of auditing, taken from financial and IT audit
  Cooperative involvement of auditors at any time
  Audit and advice converge
BCMS AND LIFE CYCLE
BCMS and Life Cycle
Take a maturity and risk based approach
Top-down approach recommended
Audit phases of the life cycle AND the PDCA cycle
Adapt your audit programme in line with self-assessments delivered by the auditee organisation
BCM CONTROLS
BCM Controls
BIA: completeness, plausibility (relative), links to balance sheet and P/L as well as previous events
RA: method and procedure (not the individual risks)
Strategy: completeness, method, adequacy
Plans: completeness, adequacy, timeliness, strategy alignment
Test strategy: completeness and adequacy (maturity based)
Test and exercise master plan: alignment with test strategy
Individual testing and exercising: planning, deployment (observation), post exercise analysis, reporting
Continuous improvement: PDCA alignment, timeliness, completeness
1st and 2nd lines of defence: ensure that reviews and audits have been performed adequately and comprehensively
FURTHER INFORMATION, Q & A
Further Information
BCM audit is explained in detail (about 700 pages) in the 2nd edition of Auditing Business Continuity: Global Best Practices, to be published by Rothstein Associates soon
  Sequel to the 1st (2002) edition, now includes all relevant laws, regulations, standards
  Enhanced and extended standard audit programme
  More web-based support, e.g. audit library
Contact Details
Forfa AG provides independent advice on ITSCM / BCM and business resilience. We further consult in Governance, Risk and Compliance (GRC) and all aspects of security.
Forfa AG Holding
Andhauser Str. 62
8572 Berg TG, Switzerland
Phone: +41 71 636 1770
mobile: +49 172 6712322
rvr@scmltd.com
We form a network with
Controllit AG
Stresemannstr. 342
22761 Hamburg, Germany
Phone: +49 40 890 66 46 0
mrosenberg@controll-it.de
JANUS Consulting GmbH
Max-Planck-Str. 6
63128 Dietzenbach, Germany
Phone: +49 6074 729 348 0
bernd.buehler@janusconsulting.de
Also visible on LinkedIn, XING (but definitely not on Facebook)