Page 1

3/27/2015

Aligning Your BCM Program to ISO 22301

Presented by: Lynnda Nelson, President

The International Consortium for Organizational Resilience

April 20-22, 2015 · Talking Stick Resort ● Scottsdale, AZ

Next Generation Resilience

Step up your Game!

Many BCM practitioners have developed a “standard” way that BCM is implemented at their individual organizations.

With the ISO 22301 standard now available it is time to “step up your game” and align your program to requirements determined by international experts.

13th Annual Continuity Insights Management Conference: Next Generation Resilience

The Standards

ISO 22301: Requirements

• Applicable to all types and sizes of organizations that wish to:

• Establish, implement, maintain, & improve a BCMS;

• Assure conformance with stated BCM policy;

• Demonstrate conformance to others;

• Seek certification/registration of its BCMS by an accredited third party certification body; or

• Make a self-determination and self-declaration of conformance with this International Standard.

ISO 22313: Guidance

• This International Standard provides guidance to ISO 22301 for setting up and managing an effective business continuity management system (BCMS)


Review of ISO 22301 by Clause

1. Scope of the Standard

2. Normative References

3. Terms and definitions

4. Context of the Organization

5. Leadership

6. Planning

7. Support

8. Operation*

9. Performance evaluation

10. Improvement

*contains bulk of the requirements


Requirements of the Standard

Page 2

Changed Term


Old: Stakeholders

New: Interested Parties

Changed Term


Maximum Allowable Outage / Downtime

Maximum Allowable Period of Disruption

New Term: How Bad is “Bad?”


Clause 4: Context of the Organization

What internal factors will impact the organization’s ability to continue operations?

What external factors will impact the organization’s ability to continue operations?


Page 3

Clause 4: Objectives of the BCMS

What are the organization’s objectives?

Ensure that the BC objectives support the organization’s objectives.


Clause 4: Risk Appetite

What is the Organization’s Risk Appetite?

Are they risk averse?

Or do they live on the edge – ready to try anything?


Clause 4: Understanding Needs & Expectations of Interested Parties


Incident Response Personnel

Middle Management

Top Management

Those accountable for BCM policy and its implementation

Those who maintain BC procedures

Those with authority to invoke

Response teams

Owners of BC procedures

Spokespeople

Customers

Investors

Insurers

Regulators

Recovery service providers

Neighbors

Response agencies

Suppliers

Dependents of staff

Shareholders

Clause 4: Legal & Other Requirements

The organization shall establish, implement and maintain a procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements to which the organization subscribes related to the continuity of its operations, products and services, as well as the interests of relevant interested parties.

The organization shall ensure that these applicable legal, regulatory and other requirements to which the organization subscribes are taken into account in establishing, implementing and maintaining its BCMS.

The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory and other requirements shall be communicated to affected employees and other interested parties.


Page 4

Clause 4: Scope of the BCMS

Based on recovery priorities for particular products and services and the impact of non-delivery

Include or exclude certain locations and sites – as long as the site does not play a part in the delivery of a product or service


Based on mission, goals, internal & external obligations

Take into account the needs & interests of interested parties

Clause 4: Exclusions from Scope of BCMS

1. Product/service nearing end of life (would be terminated if supply interrupted)

2. Product/service with low margins (termination or outsourced)

3. A perceived low-risk location

Also consider:

1. The views of all interested parties

2. Any reputation damage that may result from an interruption or termination of a product

3. The reliability of any risk assessment

4. Impact on regulated activities


Clause 5: Leadership & Governance

Management Shall Demonstrate Leadership

Demonstrated Management Commitment

BCM Policy

Roles, Responsibilities & Authorities Defined


Clause 5: Requirements of a BC Policy

Is appropriate to the purpose of the organization

Provides a framework for setting BC objectives

Includes a commitment to satisfy applicable needs and requirements

Includes a commitment to continual improvement of the BCMS


Page 5

Clause 5: Assignment of Responsibilities

Strategic, tactical & operational level teams to contribute to plans and respond in an incident

BCM Program Board or Steering Committee to give advice, guidance, and management oversight

Representatives throughout the organization to support program development and management

Clause 6: Planning

6.1 Actions to Address Risks & Opportunities

• Ensure the BCMS can achieve its intended outcomes

• Prevent or reduce undesired effects

• Achieve continual improvement

• Plan actions to address these risks and opportunities

• Plan how to integrate and implement the actions into its BCMS processes

• Plan how to evaluate the effectiveness of these actions


Clause 6: Planning

BC Objectives & Plans to Achieve Them

• Be consistent with policy

• Take account of the minimum level of products and services acceptable to achieve its objectives

• Be measurable

• Take into account requirements

• Be monitored and updated as appropriate

• The organization shall retain documented information on the BC objectives


Clause 7: Resources

The organization needs to determine the resources it needs for the BCMS and ensure availability

Achieve policy & objectives

Manage change

Demonstrate continual improvement

Enable effective communication


Page 6

Clause 7: Competence

Determine competence needed

Retain documentation as evidence of actions taken

Acquire competence & evaluate effectiveness

Provide necessary education, training & experience


Clause 7: Awareness

BCM Policy

Benefits of Improved BCM Performance

Implications of not Conforming

Persons working under the organization’s control should have appropriate awareness of the BCMS – ensuring they are aware of their role during disruptive incidents.


Clause 7: Communication

Operating & Testing of Communication Capabilities

Internal: Employees & Interested Parties

External: Customers, Partners, Community, & Media

Receiving, documenting, & responding to communications from interested parties

Adapting threat advisory systems as needed

Ensuring availability of the means of communication during a disruptive incident

Facilitating structured communications with appropriate authorities

What to communicate?

To whom will it communicate?

When to communicate?

Clause 7: Documented Information

All BCMS information should be documented


Page 7

Clause 8: Change Management

• Reviewing revised time and resource estimates with project teams and members

• Validating the capability of project teams to accomplish revised goals and resource requirements

• Obtaining directions from management and the Steering Committee to update plans


Clause 8: The BIA & Risk Assessment

The organization must have a formal and documented process for business impact analysis and risk assessment

BIA & RA:

Establishes context of assessment

Defines criteria

Evaluates potential impact of a disruptive incident

Accounts for legal and other requirements

Is systematic

Prioritization of risk treatments and costs

Defines required output

Information is kept up to date and confidential


Clause 8: BIA Requirements

Estimate of how long it would take for the impacts to become unacceptable

Sets prioritized timeframes for resuming interrupted activities at a minimum acceptable level

Identifies dependencies between activities

Identifies each activity’s dependency on supporting resources – internal and external

Clause 8: Risk Assessment Requirements

1. Establish Context

2. Identify threats & describe risk

3. Analyze risk

4. Evaluate risk

5. Treat risk

Communication and consultation, monitoring and evaluation

Page 8

Clause 8: Strategy

Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment.

Clause 8: Strategy

As a result of completing the BIA and RA, the organization should identify measures that:

Limit the impact of a disruption on the organization’s key services

Shorten the period of disruption

Reduce the likelihood of a disruption

The organization shall choose and implement appropriate risk treatments in accordance with its risk appetite.

Clause 8: Establish Resource Requirements

Facilities, Equipment, Utilities & Consumables

Information, Data, Technology & ICT Systems

People

Transportation, Partners & Suppliers

Reputation

Financial & administrative procedures

©2012 ICOR ALL RIGHTS RESERVED

Clause 8: Establish & Implement BC Procedures

Establish an appropriate internal and external communications protocol

Be specific regarding the immediate steps that are to be taken during a disruption

Be flexible to respond to unanticipated threats and changing internal and external conditions

Focus on the impact of events that could potentially disrupt operations

Be developed based on stated assumptions and an analysis of interdependencies

Be effective in minimizing consequences through implementation of appropriate mitigation strategies


Page 9

Clause 8: Incident Response Structure


Activate appropriate response / procedures

Provide resources

Communicate to Interested Parties & Media

Identify impact thresholds & Assess extent of disruption

Mobilize Teams

Clause 8: Warning & Communication

Detect incident

Receive & respond to communications

Respond to advisory systems

Monitor incident

Means of communicating

Communication with emergency responders

Record vital information about the incident, actions taken and decisions made

Media Communications

Communications Facility

Communications Exercising

Clause 8: Business Continuity Plans & Recovery

Prioritized activities to be resumed

Timescales within which they are to be resumed

Recovery levels needed for each prioritized activity

Situations in which the procedures may be utilized

Process for activating the response

Continuity & recovery procedures

Procedures for welfare of individuals

A process for standing down

Clause 8: Business Continuity Plans

Each plan shall define:

• Purpose and scope;

• Objectives;

• Activation criteria and procedures;

• Implementation procedures;

• Roles, responsibilities and authorities;

• Communication requirements and procedures;

• Internal and external interdependencies and interactions;

• Resource requirements; and

• Information flow and documentation process.


Page 10

Clause 8: Exercising & testing

• Consistent with scope of BCMS

• Appropriate scenarios, aims, and objectives

• Validate the BCMS

• Minimize risk of disruption

• Produce post exercise reports

• Promote continual improvement

• Conducted at planned intervals

1. Seminar

2. Workshop

3. Tabletop

4. Game

5. Drill

6. Functional

7. Full-Scale


Clause 9: Performance Evaluation

What methods will be used to ensure valid results?

What should be monitored and measured?

When is the analysis performed and when are the results evaluated?

Clause 9: Performance Evaluation

Analyzing impact of changes

Updating plans as required

Advising others as needed

Clause 9: Performance Evaluation

Internal and / or External Audit

Self-Assessment

Quality Assurance

Performance Appraisal

Supplier Performance

Page 11

Clause 9: Management Review

Follow-up actions from previous management reviews;

The need for changes to the BCMS, including the policy and objectives;

Opportunities for improvement;

Results of BCMS audits and reviews, including those of key suppliers and partners where appropriate;

Techniques, products or procedures, which could be used in the organization to improve the BCMS' performance and effectiveness;

Status of corrective actions;

Results of exercising and testing;

Risks or issues not adequately addressed in any previous risk assessment;

Any changes that could affect the BCMS, whether internal or external to the scope of the BCMS;

Adequacy of policy;

Recommendations for improvement;

Lessons learned and actions arising from disruptive incidents; and

Emerging good practice and guidance.


Clause 10: Improvement

Conformities

Non-Conformities


The Certification Process

1. Understand the Standard: What does it require?

2. Determine Scope: What part of the organization?

3. Determine Readiness: What are we missing?

Methods of Certification Under ISO 22301

• First-Party Self-Declaration of Conformity

• Third-Party Certification by Accredited Certifying Bodies


Page 12

ICOR Verification of Self-Declaration

1. Online application

2. Submission of the Self-Assessment with an overall score of 2.5 or higher

3. Document review

• Policy, BIA report, RA report, Plan, & Exercise report

4. Self-Declaration valid for 3 years

5. Total cost: $2,495.00 USD

• $995.00 Self-Assessment

• $1,500.00 Application

For more information: http://theicor.org/ISO22301SDoC/Information/


ISO 22301 Self-Assessment


For More Information

Contact: Lynnda Nelson, President

The International Consortium for Organizational Resilience

[email protected]

866-765-8321

Next Generation Resilience