Aligning Your BCM Program to ISO 22301 · 3/27/2015 1 Aligning Your BCM Program to ISO 22301...
Aligning Your BCM Program to ISO 22301
Presented by: Lynnda Nelson, President
The International Consortium for Organizational Resilience
April 20-22, 2015 · Talking Stick Resort, Scottsdale, AZ
Next Generation Resilience
Step up your Game!
Many BCM practitioners have developed a “standard” way that BCM is implemented at their individual organizations.
With the ISO 22301 standard now available, it is time to “step up your game” and align your program to requirements determined by international experts.
13th Annual Continuity Insights Management Conference: Next Generation Resilience
The Standards
ISO 22301: Requirements
• Applicable to all types and sizes of organizations that wish to:
  • Establish, implement, maintain, & improve a BCMS;
  • Assure conformance with stated BCM policy;
  • Demonstrate conformance to others;
  • Seek certification/registration of its BCMS by an accredited third party certification body; or
  • Make a self-determination and self-declaration of conformance with this International Standard.
ISO 22313: Guidance
• This International Standard provides guidance to ISO 22301 for setting up and managing an effective business continuity management system (BCMS)
Review of ISO 22301 by Clause
1. Scope of the Standard
2. Normative References
3. Terms and definitions
4. Context of the Organization
5. Leadership
6. Planning
7. Support
8. Operation*
9. Performance evaluation
10. Improvement
*contains bulk of the requirements
Requirements of the Standard
Changed Term
Old: Stakeholders
New: Interested Parties
Changed Term
Old: Maximum Allowable Outage / Downtime
New: Maximum Allowable Period of Disruption
New Term: How Bad is “Bad?”
13th Annual Continuity Insights Management Conference: Next Generation Resilience
Clause 4: Context of the Organization
What internal factors will impact the organization’s ability to continue operations?
What external factors will impact the organization’s ability to continue operations?
Clause 4: Objectives of the BCMS
What are the organization’s objectives?
Ensure that the BC objectives support the organization’s objectives.
Clause 4: Risk Appetite
What is the Organization’s Risk Appetite?
Are they risk averse?
Or do they live on the edge – ready to try anything?
Clause 4: Understanding Needs & Expectations of Interested Parties
Top Management, Middle Management, Incident Response Personnel:
• Those accountable for BCM policy and its implementation
• Those who maintain BC procedures
• Those with authority to invoke
• Response teams
• Owners of BC procedures
• Spokespeople
Other interested parties:
• Customers
• Investors
• Insurers
• Regulators
• Recovery service providers
• Neighbors
• Response agencies
• Suppliers
• Dependents of staff
• Shareholders
Clause 4: Legal & Other Requirements
The organization shall establish, implement and maintain a procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements to which the organization subscribes related to the continuity of its operations, products and services, as well as the interests of relevant interested parties.
The organization shall ensure that these applicable legal, regulatory and other requirements to which the organization subscribes are taken into account in establishing, implementing and maintaining its BCMS.
The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory and other requirements shall be communicated to affected employees and other interested parties.
Clause 4: Scope of the BCMS
• Based on mission, goals, internal & external obligations
• Based on recovery priorities for particular products and services and the impact of non-delivery
• Take into account needs & interests of interested parties
• Include or exclude certain locations and sites – as long as the site does not play a part in the delivery of a product or service
Clause 4: Exclusions from Scope of BCMS
1. Product/service nearing end of life (would be terminated if supply interrupted)
2. Product/service with low margins (termination or outsourced)
3. A perceived low-risk location
Also consider:
1. The views of all interested parties
2. Any reputation damage that may result from an interruption or termination of a product
3. The reliability of any risk assessment
4. Impact on regulated activities
Clause 5: Leadership & Governance
Management Shall Demonstrate Leadership:
• Demonstrated Management Commitment
• BCM Policy
• Roles, Responsibilities & Authorities Defined
Clause 5: Requirements of a BC Policy
• Is appropriate to the purpose of the organization
• Provides a framework for setting BC objectives
• Includes a commitment to satisfy applicable needs and requirements
• Includes a commitment to continual improvement of the BCMS
Clause 5: Assignment of Responsibilities
• Strategic, tactical & operational level teams to contribute to plans and respond in an incident
• BCM Program Board or Steering Committee to give advice, guidance, and management oversight
• Representatives throughout the organization to support program development and management
Clause 6: Planning (6.1 Actions to Address Risks & Opportunities)
• Ensure the BCMS can achieve its intended outcomes
• Prevent or reduce undesired effects
• Achieve continual improvement
• Plan actions to address these risks and opportunities
• Plan how to integrate and implement the actions into its BCMS processes
• Plan how to evaluate the effectiveness of these actions
Clause 6: Planning (BC Objectives & Plans to Achieve Them)
• Be consistent with policy
• Take account of the minimum level of products and services acceptable to achieve its objectives
• Be measurable
• Take into account requirements
• Be monitored and updated as appropriate
• The organization shall retain documented information on the BC objectives
Clause 7: Resources
The organization needs to determine the resources it needs for the BCMS and ensure availability to:
• Achieve policy & objectives
• Manage change
• Demonstrate continual improvement
• Enable effective communication
Clause 7: Competence
• Determine competence needed
• Provide necessary education, training & experience
• Acquire competence & evaluate effectiveness
• Retain documentation as evidence of actions taken
Clause 7: Awareness
• BCM Policy
• Benefits of Improved BCM Performance
• Implications of not Conforming
Persons working under the organization’s control should have appropriate awareness of the BCMS – ensuring they are aware of their role during disruptive incidents.
Clause 7: Communication
What to communicate? To whom will it communicate? When to communicate?
Internal: Employees & Interested Parties
External: Customers, Partners, Community, & Media
• Operating & testing of communication capabilities
• Receiving, documenting, & responding to communications from interested parties
• Adapting threat advisory systems as needed
• Ensuring availability of the means of communication during a disruptive incident
• Facilitating structured communications with appropriate authorities
Clause 7: Documented Information
All BCMS information should be documented
Clause 8: Change Management
• Reviewing revised time and resource estimates with project teams and members
• Validating the capability of project teams to accomplish revised goals and resource requirements
• Obtaining directions from management and the Steering Committee to update plans
Clause 8: The BIA & Risk Assessment
The organization must have a formal and documented process for business impact analysis and risk assessment.
BIA & RA:
• Establishes context of assessment
• Defines criteria
• Evaluates potential impact of a disruptive incident
• Accounts for legal and other requirements
• Is systematic
• Prioritization of risk treatments and costs
• Defines required output
• Information is kept up to date and confidential
Clause 8: BIA Requirements
• Estimate of how long it would take for the impacts to become unacceptable
• Sets prioritized timeframes for resuming interrupted activities at a minimum acceptable level
• Identifies dependencies between activities
• Identifies each activity’s dependency on supporting resources – internal and external
Clause 8: Risk Assessment Requirements
1. Establish context
2. Identify threats & describe risk
3. Analyze risk
4. Evaluate risk
5. Treat risk
Communication and consultation, monitoring and evaluation
Clause 8: Strategy
Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment.
As a result of completing the BIA and RA, the organization should identify measures that:
• Limit the impact of a disruption on the organization’s key services
• Shorten the period of disruption
• Reduce the likelihood of a disruption
The organization shall choose and implement appropriate risk treatments in accordance with its risk appetite.
Clause 8: Establish Resource Requirements
• Facilities, Equipment, Utilities & Consumables
• Information, Data, Technology & ICT Systems
• People
• Transportation, Partners & Suppliers
• Reputation
• Financial & administrative procedures
©2012 ICOR ALL RIGHTS RESERVED
Clause 8: Establish & Implement BC Procedures
• Establish an appropriate internal and external communications protocol
• Be specific regarding the immediate steps that are to be taken during a disruption
• Be flexible to respond to unanticipated threats and changing internal and external conditions
• Focus on the impact of events that could potentially disrupt operations
• Be developed based on stated assumptions and an analysis of interdependencies
• Be effective in minimizing consequences through implementation of appropriate mitigation strategies
Clause 8: Incident Response Structure
• Identify impact thresholds & assess extent of disruption
• Activate appropriate response / procedures
• Mobilize teams
• Provide resources
• Communicate to interested parties & media
Clause 8: Warning & Communication
• Detect incident
• Receive & respond to communications
• Respond to advisory systems
• Monitor incident
• Means of communicating
• Communication with emergency responders
• Record vital information about the incident, actions taken and decisions made
• Media communications
• Communications facility
• Communications exercising
Clause 8: Business Continuity Plans & Recovery
• Prioritized activities to be resumed
• Timescales within which they are to be resumed
• Recovery levels needed for each prioritized activity
• Situations in which the procedures may be utilized
• Process for activating the response
• Continuity & recovery procedures
• Procedures for welfare of individuals
• A process for standing down
Clause 8: Business Continuity Plans
Each plan shall define:
• Purpose and scope;
• Objectives;
• Activation criteria and procedures;
• Implementation procedures;
• Roles, responsibilities and authorities;
• Communication requirements and procedures;
• Internal and external interdependencies and interactions;
• Resource requirements; and
• Information flow and documentation process.
Clause 8: Exercising & Testing
• Consistent with scope of BCMS
• Appropriate scenarios, aims, and objectives
• Validate the BCMS
• Minimize risk of disruption
• Produce post exercise reports
• Promote continual improvement
• Conducted at planned intervals
Exercise types:
1. Seminar
2. Workshop
3. Tabletop
4. Game
5. Drill
6. Functional
7. Full-Scale
Clause 9: Performance Evaluation
• What methods will be used to ensure valid results?
• What should be monitored and measured?
• When is the analysis performed and when are the results evaluated?
• Analyzing impact of changes
• Updating plans as required
• Advising others as needed
Clause 9: Performance Evaluation
• Internal and/or External Audit
• Self-Assessment
• Quality Assurance
• Performance Appraisal
• Supplier Performance
Clause 9: Management Review
• Follow-up actions from previous management reviews;
• The need for changes to the BCMS, including the policy and objectives;
• Opportunities for improvement;
• Results of BCMS audits and reviews, including those of key suppliers and partners where appropriate;
• Techniques, products or procedures which could be used in the organization to improve the BCMS’ performance and effectiveness;
• Status of corrective actions;
• Results of exercising and testing;
• Risks or issues not adequately addressed in any previous risk assessment;
• Any changes that could affect the BCMS, whether internal or external to the scope of the BCMS;
• Adequacy of policy;
• Recommendations for improvement;
• Lessons learned and actions arising from disruptive incidents; and
• Emerging good practice and guidance.
Clause 10: Improvement
Conformities
Non-Conformities
The Certification Process
1. Understand the Standard: What does it require?
2. Determine Scope: What part of the organization?
3. Determine Readiness: What are we missing?
Methods of Certification Under ISO 22301
• First-Party Self-Declaration of Conformity
• Third-Party Certification by Accredited Certifying Bodies
ICOR Verification of Self-Declaration
1. Online application
2. Submission of the Self-Assessment with an overall score of 2.5 or higher
3. Document review: Policy, BIA report, RA report, Plan, & Exercise report
4. Self-Declaration valid for 3 years
5. Total cost: $2,495.00 USD
   • $995.00 Self-Assessment
   • $1,500.00 Application
For more information: http://theicor.org/ISO22301SDoC/Information/
ISO 22301 Self-Assessment
For More Information
Contact: Lynnda Nelson, President
The International Consortium for Organizational Resilience
866-765-8321