Business Continuity Management Systems


  • 7/24/2019 Business Continuity Management Systems

    1/61


BUSINESS CONTINUITY MANAGEMENT SYSTEMS


    BCS, THE CHARTERED INSTITUTE FOR IT

Our mission as BCS, The Chartered Institute for IT, is to enable the information society. We promote wider social and economic progress through the advancement of information technology science and practice. We bring together industry, academics, practitioners and government to share knowledge, promote new thinking, inform the design of new curricula, shape public policy and inform the public.

Our vision is to be a world-class organisation for IT. Our 70,000 strong membership includes practitioners, businesses, academics and students in the UK and internationally. We deliver a range of professional development tools for practitioners and employees. A leading IT qualification body, we offer a range of widely recognised qualifications.

    Further Information

BCS, The Chartered Institute for IT, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, United Kingdom.
T +44 (0) 1793 417 424
F +44 (0) 1793 417 444
www.bcs.org/contact


BUSINESS CONTINUITY MANAGEMENT SYSTEMS
Implementation and certification to ISO 22301

    Hilary Estall


© Hilary Estall 2012

The right of Hilary Estall to be identified as author of this Work has been asserted by her in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

All rights reserved. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted by the Copyright Designs and Patents Act 1988, no part of this publication may be reproduced, stored or transmitted in any form or by any means, except with the prior permission in writing of the publisher, or in the case of reprographic reproduction, in accordance with the terms of the licences issued by the Copyright Licensing Agency. Enquiries for permission to reproduce material outside those terms should be directed to the publisher.

All trade marks, registered names etc. acknowledged in this publication are the property of their respective owners. BCS and the BCS logo are the registered trade marks of the British Computer Society charity number 292786 (BCS).

Published by BCS Learning & Development Ltd, a wholly owned subsidiary of BCS The Chartered Institute for IT, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, UK. www.bcs.org

ISBN: 978-1-78017-146-3
PDF ISBN: 978-1-78017-147-0
ePUB ISBN: 978-1-78017-148-7
Kindle ISBN: 978-1-78017-149-4

British Cataloguing in Publication Data. A CIP catalogue record for this book is available at the British Library.

Disclaimer: The views expressed in this book are of the author(s) and do not necessarily reflect the views of the Institute or BCS Learning & Development Ltd except where explicitly stated as such. Although every care has been taken by the authors and BCS Learning & Development Ltd in the preparation of the publication, no warranty is given by the authors or BCS Learning & Development Ltd as publisher as to the accuracy or completeness of the information contained within it and neither the authors nor BCS Learning & Development Ltd shall be responsible or liable for any loss or damage whatsoever arising by virtue of such information or any instructions or advice contained within this publication or by any of the aforementioned.

Typeset by Lapiz Digital Services, Chennai, India. Printed at CPI Antony Rowe Ltd, Chippenham, UK.


    CONTENTS

List of figures and tables vii
Author viii
Foreword ix
Acknowledgements xi
Abbreviations xii

1 INTRODUCTION 1
Who should read this book? 1
The objective of this book 2
Reader beware! 2
How to use this book 2

2 MANAGEMENT SYSTEMS UNCOVERED 3
Purpose and objective 3
Terms and definitions 3
Management systems explained 4
Plan Do Check Act (PDCA) model 8
Mandatory requirements for management systems 10
Determining the scope of the management system 10
Top management responsibilities with respect to the management system 15
Management system documentation 17
Improvement 18
Writing policies and setting objectives 20
Allocation of suitable resources 23
Determining competencies 23
Evaluation of the performance and effectiveness of the management system 31
Alignment with or certification to ISO 22301? Which path should I choose? 33
Conclusion: should my organisation consider certification? 35
Summary 36

3 BUSINESS CONTINUITY FROM A MANAGEMENT SYSTEM PERSPECTIVE 37
Purpose and objective 37
The BCM lifecycle 37
Positioning the BCM lifecycle with your BCMS 38
Summary 60

4 COMPARING ISO 22301 WITH BS 25999 AND UNDERSTANDING THE DIFFERENCES 61
Purpose and objective 61
How BCMS standards are produced 61
The similarities between ISO 22301 and BS 25999 62
The differences between ISO 22301 and BS 25999 63
Certificate transition 71
Summary 74

5 THE CERTIFICATION PROCESS 75
Purpose and objective 75
Terms and definitions 75
Choosing a certification body 76
Audit stages 77
What to expect from the audit process 83
How to prepare for the audit 83
The audit experience 88
Maintaining momentum after the initial audit and between audits 92
Summary 95

APPENDIX A Evaluating the performance of your business continuity management system 97

APPENDIX B ISO 22301 Self assessment checklist 102

REFERENCES 112

SOURCES OF FURTHER INFORMATION 113

Index 114

Additional action sheets 116


    LIST OF FIGURES AND TABLES

Figure 2.1 Application of PDCA model to BCMS processes 9
Figure 3.1 The BCM lifecycle 38
Figure 5.1 Audit stages 77
Figure A.1 Plan Do Check Act model 97

Table 2.1 The PDCA elements 9
Table 2.2 Questions to ask before developing the BCMS scope 11
Table 2.3 Questions to ask to determine the most important products and services 12
Table 2.4 Acceptable and unacceptable scopes 13
Table 2.5 Identifying resources 24
Table 2.6 Tracking BCMS competencies 26
Table 3.1 Elements of business continuity management 39
Table 3.2 Elements of understand the organisation 42
Table 3.3 Elements of determining BCM strategy 46
Table 3.4 Elements of developing and implementing a BCM response 49
Table 3.5 Elements of exercising, maintaining and reviewing BCM 54
Table 3.6 Elements of embedding BCM in the organisation's culture 58
Table 5.1 Audit checklist 80
Table 5.2 Maintaining focus 93


    AUTHOR

Hilary Estall SBCI is a respected authority on management system standards. Working for a leading certification body for more than 11 years and directly responsible for the development of its business continuity management system auditing scheme, Hilary has amassed extensive experience since the publication of BS 25999-2 in 2007.

Hilary is a member of the British Standards Institution (BSI) Technical Standards Committee BCM/1 and plays an active part in the ongoing maintenance of BS 25999 Parts 1 and 2. In addition, as part of this committee, Hilary has reviewed and commented on ISO 22301 and ISO 22313 during the course of their respective development stages.

Now running her own successful business continuity consultancy firm, Perpetual Solutions Limited (www.pslinfo.co.uk), Hilary works with a variety of clients supporting them through the different stages of business continuity management system implementation, certification and maintenance. Hilary is an IRCA (International Register of Certificated Auditors) registered BCMS (business continuity management system) Lead Auditor and also continues to provide auditing services on behalf of a number of certification bodies, thus enabling her to maintain her professional qualification with the International Register of Certificated Auditors.


    FOREWORD

The International Standard for Business Continuity ISO 22301 is now officially released and it comes at a time when the need for good BCM (business continuity management) practice has never been greater.

The new standard has been developed in collaboration with experts from around the world to ensure its international relevance and applicability, and to ensure it meets the needs of global organisations. It is hoped that the new standard will create a path for greater international consistency, and encourage worldwide adoption of good BCM practice by organisations of all sizes and in all sectors. Building on the existing work of National Standard bodies in a number of countries, most significantly the work done in the UK by the British Standards Institution, ISO 22301 provides an improved framework of good practice and a common language to help organisations with operational activities in multiple countries to better compare business continuity (BC) needs and capabilities globally.

Furthermore, ISO 22301 offers new clarity about the responsibilities of senior management in BC as well as on the role of BC in risk mitigation and disaster avoidance. It demonstrates the need for a balanced relationship between risk management and BC.

Because BC is spread across an entire organisation, it is particularly suitable for a formal management systems approach. This provides a consistent means of measuring the effectiveness of an organisation's BCM programme and how well it is embedded into its culture and business priorities. Certification against ISO 22301 will demonstrate the importance placed on BC by senior management.

Similar management systems are used for other disciplines, such as information security (ISO 27001) and quality (ISO 9001), so this allows organisations to converge around the common framework known as Plan, Do, Check, Act. ISO 22301 is also spearheading the drive towards a consistent documentation framework for ISO Management Systems standards as defined in ISO Guide 83.

We have come a long way since the first mention of BC in a management systems standard, in its debut as a single section in the Information Security standard BS 7799 (which rapidly became ISO 17799), nearly two decades ago. The growing BC community was less than satisfied with that positioning and actively promoted the idea of a BCM standard in its own right. The early attempt at this was PAS 56, which was released to mixed reaction but nevertheless did encourage professionals around the world to give serious thought to what BCM really was and how it could be properly described and codified. The period from 2005 onwards has been a productive one for those wishing to construct BCM standards with much work undertaken at both national and international levels.

Although a positive development for the growth of the subject, it has had a downside in terms of the take-up of formal standards by organisations that were becoming increasingly confused by the myriad of terms and standards that were circulating. ISO 22301 has been a long time coming and we all hope that it will end the uncertainty felt in recent years by many practitioners about the future role and positioning of BCM in their organisations. One of the most important factors of its success will be its take-up by organisations, and that will largely depend upon the clarity in which its purpose and practical value is communicated. It is in this context that the book by Hilary Estall is very important. I have known Hilary since the early years of developing BS 25999 when she was directly responsible for how the emerging standard should be audited. We did not always agree, practitioners and auditors do not necessarily see things from the same standpoint, but I always respected her views and hopefully that was mutual. In fact, she must have found the subject as interesting as I do because she now runs a highly respected professional BCM consultancy firm herself.

Reflecting on this book, it seemed to me that Hilary has an almost unique set of skills which enabled her to write it. She understands audit, she understands business continuity and she knows how to put the two together, thus maximising the value of the discipline to an organisation. I was particularly struck by her observation that when implementing a BCMS, management system requirements and BCM requirements are equally important. This is great advice. BCM is not just compliance or a tick-box exercise but neither is it a free for all for BCM practitioners to indulge their theories. Curiously enough, nearly 20 years ago my (and now Hilary's) institute, The Business Continuity Institute, coined the term 'The Art and Science of BCM'. Little did we know then how well that phrase describes the conflicting needs for imaginative BCM solutions to be balanced within a measurable consistent process and framework.

If you just want to know more about ISO 22301, I suggest this is the first (and perhaps only) book you need to read. If you are going further and want to become an ISO 22301 certified company then it gives you the route, the dangers, the tips and the confidence to succeed. Enjoy reading it, even if you previously thought BCMS was a dry subject, you might well be very surprised.

Lyndon Bird FBCI
Technical Development Director at the Business Continuity Institute (www.thebci.org).


    ACKNOWLEDGEMENTS

Writing articles for various business continuity journals and websites gave me the courage to develop my writing skills so when asked if I had ever thought of writing a book the idea was slightly less daunting than it might otherwise have been.

Nevertheless, I would not have been able to complete this book without the input and support of Simon, Emma and David, all of whom have used their practical knowledge of business continuity management systems to provide steerage when I might otherwise have run off course.

Finally, I could not have written this book without the love and encouragement of my husband, Clive. His belief in me has kept me focused and committed to see it through to the end.

Permission to reproduce extracts from ISO 22301:2012, ISO 9000:2005, PAS 99:2006, ISO 19011:2011 and BS 25999-1:2006 is granted by BSI. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hard copies only: Tel: +44 (0)20 8996 9001, Email: [email protected].


    ABBREVIATIONS

    BC Business continuity

    BCI Business Continuity Institute

    BCM Business continuity management

    BCMS Business continuity management system

    BIA Business impact analysis

    BSI The British Standards Institution

    IRCA International Register of Certificated Auditors

    MTPD Maximum tolerable period of disruption

    PDCA Plan Do Check Act

RTO Recovery time objective

UKAS United Kingdom Accreditation Service


3 BUSINESS CONTINUITY FROM A MANAGEMENT SYSTEM PERSPECTIVE

    PURPOSE AND OBJECTIVE

In this chapter we focus on the practical elements of business continuity management and consider them from a management system perspective: where should the emphasis be when it comes to fitting your BCM arrangements into a management system?

We will use the six phases of the BCM lifecycle as our focal point and offer Top Tips for you to consider when developing your BCMS. Unlike BS 25999, ISO 22301 does not make reference to the lifecycle directly but provides an explanation of the PDCA model through its reference to the lifecycle's constituent parts (Source: ISO 22301:2012, The Plan Do Check Act Model, Table 1). The lifecycle's elements clearly communicate the professional practices of BCM and therefore remain a useful tool. In order for you to become familiar with ISO 22301 terminologies this section includes reference to both.

After reading this section you should be able to maximise the benefits of your BCMS whilst ensuring you have a robust BCM programme in place.

Further detailed information can be found in The BCI Good Practice Guidelines 2010.

    THE BCM LIFECYCLE

The BCM lifecycle which we recognise today was published in BS 25999 Part 1, in 2006. It clearly depicts the six-phased approach to developing and maintaining a BC programme and can be applied to any organisation, irrespective of its size and industry sector (see Figure 3.1).


[Figure 3.1 The BCM Lifecycle. Phases shown: BCM Programme Management; Understand the organization; Determining BCM Strategy; Developing and implementing a BCM response; Exercising, maintaining and reviewing; Embedding BCM in the Organization's Culture. Source: BS 25999-1:2006]

    We will consider the phases in the following sequence:

    (1) BCM programme management

    (2) Understand the organisation

    (3) Determining BCM strategy

    (4) Developing and implementing a BCM response

    (5) Exercising, maintaining and reviewing

(6) Embedding BCM in the organisation's culture.

    POSITIONING THE BCM LIFECYCLE WITH YOUR BCMS

Table 3.1 identifies the core elements of business continuity management and considers how each one should be treated in order to meet the requirements of a BCMS.


Table 3.1 Elements of business continuity management
(Columns: Elements of BCM programme management | BCMS Top Tips)

Element: The BCM programme will be aligned to the organisation's overarching strategy, business plan and objectives.
Top Tip: When considering business continuity objectives, be sure to demonstrate that there is a link between these and the organisation's strategic objectives and responsibility for achieving them is allocated and clearly understood.

Element: Position the programme so it is in step with the organisation's culture and style of management. How the organisation chooses to approach its BCM programme and the requirements of the standard should be comparable with the complexity of the business and the environment in which it operates. This is particularly the case for smaller businesses not having the capacity or need for a complex programme.
Top Tip: To be accepted within the organisation, your BCMS should be developed as if it was part of the current fabric of the business. Staff are more likely to buy into the new system if there are elements of familiarity to it.

Element: Understand the benefits of the programme to both internal and external stakeholders and identify ways to maximise these benefits.
Top Tip: Having a clear view of how you wish to include key stakeholders/interested parties within your BCM programme will help you develop a more robust system from the outset.

Element: Determine the scope of the BCM programme, usually in terms of products and services, and consider the impact of outsourced activities and whether to include them. Consideration is also required about the role played by legislation, regulation or contractual responsibilities in the proposed BCM programme.
Top Tip: Where the organisation makes a deliberate choice to limit its scope with a view to extending it later, the organisation will benefit if it is able to plan the scope's expansion in terms of time and resource. Such a plan will help support the case for a restricted scope to internal and external stakeholders.

Element: Identify the BCM resource needed and how it will work with top management to ensure its direct involvement.
Top Tip: The need to engage top management at the earliest stage (preferably before implementation has started) and to stress the importance of its visible leadership of the programme cannot be overemphasised. BCMS roles, responsibilities and authorities must be considered and communicated to the incumbent and their line manager. The clear allocation of authorities, where these differ from routine work, is critical in order for quick decisions to be made during an incident. A clear method of establishing competency requirements for each BCMS role is important and a route to achieving these (with documentary evidence to support this) is required.

Element: Development and communication of a BCM Policy encompassing the key elements of the programme, its objectives and ownership by top management.
Top Tip: The organisation should carefully consider how it communicates its BCM policy so that it is accessible to all interested parties and, more importantly, its intent understood.

Element: A clear implementation programme, and a method for managing and developing its sustainability in line with business needs, is required.
Top Tip: Periodical reviews of the BCM programme will ensure that it remains in line with the business needs. Top management should take responsibility for this.

Element: An ongoing programme review process and flexible attitude towards organisational change is required.
Top Tip: Methods of reviewing the performance and effectiveness of the BCMS including BCM capabilities are principally through management review, internal audit and self assessment. Metrics to determine performance levels should be aligned to the needs of the organisation and results of the analysis recorded, considered and acted upon as necessary.

Element: BCM documentation must be appropriate for the organisation, clear, accessible and manageable.
Top Tip: Documentation must be controlled to ensure it remains up to date and accessible. Responsibility for this should be allocated at the development stage so that there is visible ownership within the BCMS.


BCM programme management

Programme management is at the core of BCM. It is not only critical to the development of a BCM capability but also to the ongoing success of it. In short, it gives BCM purpose and direction.

    ACTION SHEET

Make a note of any actions that you have thought of whilst reading about BCM programme management.

Understand the organisation

In order to develop an effective BCM programme, the organisation has to fully understand its business objectives and strategic aims as well as its obligations towards its stakeholders. It must also be clear how a disruption to business activities might impact on its ability to continue trading. An appreciation of the context of the organisation is also required.

To understand your organisation thoroughly, you need to undertake a BIA, review resource requirements and conduct a risk assessment of your most important and time-critical business activities (see Table 3.2).


Table 3.2 Elements of understand the organisation
(Columns: Elements of understand the organisation | BCMS Top Tips)

Element: Seek top management support to conduct a BIA. The BIA is the backbone of a meaningful BCM programme.
Top Tip: Do not underestimate the time and resource required to get the most out of this process and make sure you get top management buy-in before you start! This includes a clear understanding of who will be involved.

Element: Determine the most appropriate method of conducting a BIA for your organisation and identify the resources to do it.
Top Tip: If you are carrying out a BIA for the first time, keep it simple. Let it evolve and mature over time.

Element: Agree whether the BIA will be undertaken after the scope of the BCM programme has been agreed or whether it will be used to determine the scope after completion of the exercise.
Top Tip: It may help to have an outline scope defined before conducting the BIA. This will help with the allocation of resources. If the results of the BIA show up activities not initially considered a priority, these may be added to the final scope.

Element: Identifying the impacts of a disruption at various levels of an organisation will identify different issues and influence how priorities are set.
Top Tip: By establishing a systematic approach to defining the BIA's criteria for measuring the impacts a disruption may have on the organisation, this can be applied across different levels of the organisation.

Element: Consider how activities are impacted over time and how this varies for different activities, products and services.
Top Tip: Think carefully how you plan to bracket timeframes within the BIA. Make sure that they reflect the nature of the business and the needs and expectations of interested parties. (It is too easy to default to timescales applied by others without understanding their pertinence.)

Element: Agree a method for determining what activities are most time critical to the organisation and agree the basis for their prioritisation.
Top Tip: Remember that what you consider to be a less important activity today may become a priority tomorrow and should still form part of your BIA review process. Do not automatically disregard activities which you have not classified as top priority.

Element: Identify the dependencies relied upon to carry out business activities. These may be internal and external to the organisation.
Top Tip: Try a brainstorming exercise to identify all the organisation's dependencies. By broadening the reach of this thought process, you will be surprised what gets uncovered!

Element: Identify the resources (people, premises, technology, information, supplies, equipment, stakeholders) required to support the activities upon resumption.
Top Tip: Remember to consider how quickly backlogs can occur. This will depend on the nature of the activity but will need to be built into resource planning during invocation and beyond.

Element: Determine the maximum time after which the organisation's viability is irreparably damaged if product or service delivery cannot continue. This will include estimating how long you believe your customers will be prepared to tolerate disruption to their service delivery from you.
Top Tip: Timescales are likely to vary for different products and services and this variation will help the organisation prioritise its recovery activities. These are not cast in stone and real life incidents and the results of exercises will provide valuable insight into their validity. Remember that you do not have to wait until a scheduled review of the BIA to make changes to it.

Element: Establish a review process once the BIA has been completed and obtain top management sign off before proceeding.
Top Tip: Try and maintain a level of independence with this review. Consider the needs of the organisation and its overall strategy and do not be swayed by individuals who try and tell you that what they do is the most important thing in the business.

Element: Based on the results of the BIA, carry out a risk assessment of the prioritised activities. As well as identifying particular threats, consider possible vulnerable resources.
Top Tip: Remember to focus your threat analysis on hazards that are relevant and appropriate. Include localised threats to specific sites to demonstrate that proper consideration has been applied to this process.

Element: Determine a suitable risk management model for your organisation taking into consideration any existing methods used. Risk criteria and scoring systems should be appropriate for the organisation and in line with its risk appetite.
Top Tip: Do not overcomplicate your risk management model, especially if your organisation is not used to proactive risk reviews. The model can be developed over time. Be clear with your criteria and scoring system and make sure that everyone involved in the risk management process applies the same model.

Element: Identify risks considered to be unacceptable to the organisation (based on the predefined scoring system), review them, agree action to mitigate the risk and/or reduce the impact if realised.
Top Tip: When assessing and prioritising control measures, take into account the cost of such actions and the possible consequence of inaction in order to support the decision making process.

Element: Establish a periodical risk review process.
Top Tip: Where possible, the organisation's aim should be to reduce, manage or eliminate significant risks. Risks which continue to be accepted for prolonged periods should be questioned to make sure that complacency does not set in.
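The BIA and risk-assessment steps in Table 3.2 can be made concrete with a small model: impact is recorded per activity in agreed time brackets, the first bracket at which impact becomes intolerable gives the MTPD, activities are prioritised by MTPD, each proposed RTO is checked against its MTPD, and each threat is scored with one shared likelihood-by-impact model and compared with the organisation's risk appetite. The following Python is an added worked example, not code from the book or from ISO 22301; the impact scale, the time brackets, the activities, the threats and the appetite threshold are all constructed for illustration and an organisation would substitute its own criteria.

```python
"""Worked BIA and risk-assessment model: time-bracketed impacts, MTPD,
prioritisation, RTO consistency and scoring against risk appetite.
Added illustration only; the scale, brackets and sample data are constructed."""
from dataclasses import dataclass, field

# Constructed impact scale; the organisation defines its own criteria.
IMPACT_SCALE = {"negligible": 0, "minor": 1, "moderate": 2, "major": 3, "catastrophic": 4}
# Constructed time brackets (hours after the disruption begins); choose brackets
# that reflect your own business rather than defaulting to someone else's.
BRACKETS_H = (4, 24, 72, 168)
# Impact level the organisation has decided it cannot tolerate (constructed).
INTOLERABLE = "major"


@dataclass
class Activity:
    name: str
    impact_over_time: dict              # bracket hours -> impact level name
    dependencies: list = field(default_factory=list)


@dataclass
class Risk:
    activity: str
    threat: str
    likelihood: int                     # 1 (rare) .. 5 (almost certain)
    impact: int                         # 1 (negligible) .. 5 (catastrophic)


def mtpd_hours(activity):
    """Maximum tolerable period of disruption: the first bracket at which the
    impact reaches INTOLERABLE. None if no bracket reaches that level."""
    threshold = IMPACT_SCALE[INTOLERABLE]
    for hours in BRACKETS_H:
        if IMPACT_SCALE[activity.impact_over_time[hours]] >= threshold:
            return hours
    return None


def prioritise(activities):
    """Names ordered by MTPD, shortest first; activities that never become
    intolerable within the brackets go last but stay in the review."""
    def key(a):
        m = mtpd_hours(a)
        return (m is None, 0 if m is None else m, a.name)
    return [a.name for a in sorted(activities, key=key)]


def rto_issues(activities, rtos):
    """An RTO equal to or beyond the MTPD leaves no recovery margin; flag it."""
    return [a.name for a in activities
            if mtpd_hours(a) is not None and rtos[a.name] >= mtpd_hours(a)]


def risk_score(risk):
    """Simple likelihood x impact scoring; everyone applies the same model."""
    return risk.likelihood * risk.impact


def unacceptable_risks(risks, appetite):
    """Threats scoring above the agreed appetite need treatment or an
    explicit, time-limited acceptance decision."""
    return [r.threat for r in risks if risk_score(r) > appetite]


def assess(activities, risks, rtos, appetite):
    """Collect the BIA and risk-assessment outputs in one report."""
    return {
        "mtpd": {a.name: mtpd_hours(a) for a in activities},
        "priority": prioritise(activities),
        "rto_issues": rto_issues(activities, rtos),
        "unacceptable": unacceptable_risks(risks, appetite),
    }


# Constructed sample data for a small, hypothetical company.
ACTIVITIES = [
    Activity("order processing",
             {4: "minor", 24: "moderate", 72: "major", 168: "catastrophic"},
             ["order system", "warehouse"]),
    Activity("payroll",
             {4: "negligible", 24: "negligible", 72: "minor", 168: "major"},
             ["payroll provider"]),
    Activity("customer support line",
             {4: "moderate", 24: "major", 72: "catastrophic", 168: "catastrophic"},
             ["telephony", "CRM"]),
    Activity("corporate hospitality",
             {4: "negligible", 24: "negligible", 72: "negligible", 168: "minor"}),
]
RTOS = {"order processing": 72, "payroll": 48,
        "customer support line": 8, "corporate hospitality": 336}
RISKS = [
    Risk("customer support line", "telephony outage", likelihood=3, impact=4),
    Risk("order processing", "ransomware on order system", likelihood=2, impact=5),
    Risk("payroll", "payroll provider failure", likelihood=2, impact=3),
    Risk("order processing", "local flooding at warehouse", likelihood=1, impact=4),
]
APPETITE = 9   # constructed: scores above 9 are unacceptable

if __name__ == "__main__":
    for section, value in assess(ACTIVITIES, RISKS, RTOS, APPETITE).items():
        print(f"{section}: {value}")
```

Two points from the table are visible in the output. The lowest-priority activity is not dropped from the review; it is simply ordered last, so it is still reconsidered when the BIA is revisited. And an RTO equal to the MTPD is flagged rather than accepted, because recovery time objectives that sit on the limit leave nothing in reserve when an incident runs longer than planned.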


    ACTION SHEET

Make a note of any actions that you have thought of whilst reading about how to understand the organisation.

    Determining BCM strategy

Following the completion of the understand the organisation phase, the business is in a position to consider options available to it which will enable the restoration of prioritised operations affected by a disruption. Options should be considered on strategic and tactical levels (see Table 3.3).


Table 3.3 Elements of determining BCM strategy
(Columns: Elements of determining BCM strategy | BCMS Top Tips)

Element: BCM strategies should be identified at both commercial and operational levels. Examples of commercial strategies include the consideration of multiple site operation, alternative operation sites either owned or contracted for by the organisation and to subcontract or outsource some operations. Examples of operational (tactical) strategies include third party recovery site contract, home working, duplication of supplies, backup power facilities, multiple suppliers and information and data backup.
Top Tip: Commercial strategies focus on the products and services within the BCM scope whereas operational strategies focus on the time-critical/prioritised activities supporting those products and services.

Element: BCM strategies are to be aligned to the organisation's risk appetite.
Top Tip: Be ready to demonstrate how you have selected your BCM strategies at both commercial and operational levels. What business considerations were taken into account, cost versus benefit and how top management commitment was obtained.

Element: BCM strategies are to be aligned to the organisation's strategic goals as well as closely linked to the results of the BIA and risk assessment.
Top Tip: Make sure BCM strategies reflect how the organisation has prioritised its activities. For example, if you are a law firm, you will need to focus on your people and their ability to access client and legal information quickly. Your strategies are likely to focus on areas such as IT and telecoms and document storage over finance and corporate hospitality.

Element: BCM strategies must be in line with recovery timescales identified within the BIA.
Top Tip: Often BCM strategies will be chosen based on recovery time objectives identified as part of the BIA process so these must be realistic and well considered. Remember, the shorter the recovery time the more expensive the operational strategy is likely to be.

Element: Be clear who the interested parties are when selecting BCM

    strateg

    ies.

    Youshouldconsidertheneedsofinterestedpartiesandtheir

    expectationsofyourabilityt

    ocontinuebusinessoperatio

    ns

    duringandimmediatelyafte

    ranincident.Youmayneedto

    prioritisetheactivitiesinord

    ertomeettheseexpectation

    s.

    BCMstrategiesthatrequiretheallo

    cationofresourcemust

    notcon

    flictwitheachother.

    Youshouldapplystressteststothestrategiesyouhave

    selectedtomakesurethatifmorethanoneisapplied

    duringanincident,theresou

    rcesneededforonewillnot

    preventanotherstrategybeingdeployed.

    BCMstrategiesmusthavethefulls

    upportoftop

    manag

    ement.Whenmakingrecommendationstotop

    manag

    ement,includecostprojectio

    nsandtheeffectof

    inaction.

    Berealisticwithyourcostprojectionsandprepareabusiness

    casewhereaBCM

    strategymayinvolvesignificantfinancial

    commitment.Forexample,y

    ourorganisationmightcons

    ider

    theneedtocontractwithar

    ecoverysiteproviderandthecost

    shouldbeweighedupagainstthecosttothebusinessif

    it

    wasunabletorecoveritsop

    erationsquickly(inanotherway).

    BCMstrategiesshouldbereviewed

    atleastevery12months

    toensu

    retheycontinuetoreflectcurrentorganisational

    require

    ments.

    Bemindfulofchangeswithintheorganisation.Forexample,

    ifitacquiresadditionalbusin

    essorsites,theneedfor

    contractingtoalternativemanagedfacilitiesmaydiminis

    h.
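Two of the table's rules are mechanical enough to check rather than argue about: a strategy only counts if it restores an activity within the recovery time objective the BIA set for it (and the faster option usually costs more), and strategies that may be invoked together must not compete for the same resource. The following is an added example, not code from the book or from BCS, that selects the cheapest RTO-compliant strategy per prioritised activity, reports activities no strategy can meet, and stress tests the combined resource demand of every strategy that could be invoked in one incident. The activities, RTOs, strategies, costs and resource pool are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Strategy:
    name: str
    recovers: Set[str]          # prioritised activities this strategy restores
    recovery_hours: float       # time the strategy needs to restore them
    annual_cost: int            # cost of keeping the strategy in place (constructed)
    resources: Dict[str, int]   # resources consumed when invoked, e.g. laptops


def options_meeting_rto(activity: str, rto_hours: float,
                        strategies: List[Strategy]) -> List[Strategy]:
    """Strategies that cover the activity and restore it within its BIA recovery time objective."""
    return [s for s in strategies if activity in s.recovers and s.recovery_hours <= rto_hours]


def select_strategies(rtos: Dict[str, float],
                      strategies: List[Strategy]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Per activity, pick the cheapest strategy that meets its RTO; report activities none can meet."""
    chosen: Dict[str, str] = {}
    gaps: Dict[str, str] = {}
    for activity, rto in rtos.items():
        candidates = options_meeting_rto(activity, rto, strategies)
        if candidates:
            chosen[activity] = min(candidates, key=lambda s: s.annual_cost).name
            continue
        covering = [s for s in strategies if activity in s.recovers]
        if covering:
            fastest = min(covering, key=lambda s: s.recovery_hours)
            gaps[activity] = (f"fastest option '{fastest.name}' needs "
                              f"{fastest.recovery_hours:g}h, RTO is {rto:g}h")
        else:
            gaps[activity] = "no strategy covers this activity"
    return chosen, gaps


def resource_conflicts(invoked: List[Strategy], pool: Dict[str, int]) -> Dict[str, int]:
    """Stress test: sum the demand of every invoked strategy; return the shortfall per resource."""
    demand: Dict[str, int] = {}
    for s in invoked:
        for resource, qty in s.resources.items():
            demand[resource] = demand.get(resource, 0) + qty
    return {r: q - pool.get(r, 0) for r, q in demand.items() if q > pool.get(r, 0)}


# Constructed sample data (assumptions, not from the book).
BIA_RTOS = {  # activity -> recovery time objective in hours, as the BIA would record it
    "payroll": 48,
    "client records access": 4,
    "telephony": 2,
    "document storage access": 4,
}
STRATEGIES = [
    Strategy("third party recovery site",
             {"payroll", "client records access", "document storage access"},
             8, 60000, {"laptops": 30, "desks": 40}),
    Strategy("home working", {"payroll", "client records access"},
             2, 15000, {"laptops": 60, "vpn_licences": 60}),
    Strategy("call diversion to mobiles", {"telephony"}, 1, 4000, {"mobiles": 30}),
]
RESOURCE_POOL = {"laptops": 80, "desks": 40, "vpn_licences": 80, "mobiles": 30}


def stress_test_all() -> Dict[str, int]:
    """Worst case: every strategy invoked at once in the same incident."""
    return resource_conflicts(STRATEGIES, RESOURCE_POOL)


def stress_test_selected() -> Dict[str, int]:
    """Only the strategies actually selected for the prioritised activities."""
    chosen, _ = select_strategies(BIA_RTOS, STRATEGIES)
    invoked = [s for s in STRATEGIES if s.name in set(chosen.values())]
    return resource_conflicts(invoked, RESOURCE_POOL)


if __name__ == "__main__":
    chosen, gaps = select_strategies(BIA_RTOS, STRATEGIES)
    print("selected:", chosen)
    print("RTO gaps:", gaps)
    print("conflicts if all invoked:", stress_test_all())
    print("conflicts for selection:", stress_test_selected())
```

With the sample data the recovery site is the only option for document storage access but at 8 hours it misses the 4 hour RTO, which is exactly the kind of gap the table says must go back to the BIA (a more realistic RTO) or to a more expensive strategy. The laptop pool is also over-committed by ten units if the recovery site and home working are both invoked, a conflict that only shows up when the strategies are tested together.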


    ACTION SHEET

    Make a note of any actions that you have thought of whilst reading about BCM strategies.

    Developing and implementing a BCM response

Having taken time to fully understand the organisation and develop BCM strategies, the organisation is now in a position to develop business continuity procedures including its plan or plans. These plans will identify the resources and actions required to manage a disruption and resume prioritised activities (see Table 3.4).


Table 3.4 Elements of developing and implementing a BCM response

Element: There are a number of stages for responding to an incident:
  Emergency response
  Incident management
  BC
  Recovery
  Resumption.
BCMS Top Tip: Plans must address the key stages of responding to an incident. However, the size and complexity of the organisation will determine how the plans are structured and integrated. There is no set way of structuring plans but they should sufficiently address the organisation's response needs.

Element: The extent of the plan(s) should reflect the makeup and complexity of the organisation and scope of BCM arrangements.
BCMS Top Tip: Plans should be accessible and understood by those with BCM responsibilities. Writing plans that are complex or difficult to follow will result in them being largely ignored in the event of invocation.

Element: BC plans (this term may be used to refer to various plans aimed at different levels within the organisation) will cover strategic business areas such as external communications and stakeholder management, and prioritised operational activities such as payroll, project management or the provision of certain IT applications. There may also be specific plans covering individual threats, such as pandemic.
BCMS Top Tip: Generally, BC plans should be developed to minimise the impact of a threatening situation to the organisation rather than around broad scenarios such as fire, flood or earthquake. (Pandemic is a reasonable exception to this.)

Element: BC plans should address three tiers of business activity:
  Strategic: Top management take direct responsibility for issues such as managing the media, business reputation, welfare of individuals and environmental/wider impacts from an incident.
  Tactical: Management will oversee operations during an incident including the overall allocation of resource and coordination of activities.
  Operational: Business unit level focus on continuing predetermined prioritised activities which support the delivery of key products and services.
BCMS Top Tip: How the organisation chooses to incorporate the three tiers will be determined by the size and complexity of the business (see first tip). The organisation can name their tiered plans as they wish to suit their culture.

Element: BC plans can be produced in a number of ways and involve different people. The basis of developing plans should be to include:
  Information gathered from the BIA and Risk Assessment processes
  Lessons learned from previous incidents
  Local information
  The views of different staff/managers.
BCMS Top Tip: It is important to develop a BC plan template that suits your organisation's needs. Try not to cut and paste templates used by others unless the style and format reflects your own requirements. Much of the information in Tactical and Operational BC plans may be generic to the organisation. However, it should be clear to users which areas relate specifically to their activities. It should not be lost amongst several pages of other information. Make sure that BC plans remain flexible so that they can easily be adapted to different incident situations.

Element: The key aspects that form the basis of a BC plan are:
  Purpose, scope and objectives
  Roles and responsibilities
  Invocation and stand down authority
  Communications
  Meeting points
  Contact details
  Key information to support the recovery of prioritised activities
  Set of assumptions and known interdependencies.
BCMS Top Tip: Where possible, have more than one tested method of communicating with staff and other stakeholders during an incident, for example email and mobile phone or pager. Identify more than one meeting point: one on site and one away from the office. Information which is subject to change may be held in appendices. This will reduce the need to reproduce complete plans when, for example, contact details change and need updating.

Element: Action sheets and logs should form part of the plan (possibly as appendices). They should also be included, along with other key information, in battle boxes and/or grab bags.
BCMS Top Tip: Make sure that any battle boxes/grab bags are placed in accessible and secure locations, for example at a security gate/office and at the secondary/third party recovery location. Include an inventory in the box/bag and ensure that, whether locked or not, the contents are periodically checked, equipment remains operational (for example batteries remain charged) and that a record is kept of these inspections (a favourite for auditors).

Element: All plans must include the roles, responsibilities and authorities of the response team.
BCMS Top Tip: The allocation of duties for managing BC plans should be carefully considered before appointment. Like all BCM roles, the individual must have the necessary competence for the role (which you will have predetermined), availability and the respect of his peers and managers. For example, it does not automatically have to be the job of the department manager.


    ACTION SHEET

Make a note of any actions that you have thought of whilst reading about developing and implementing a BCM response.

    Exercising, maintaining and reviewing BCM

Having developed and implemented a BCM response, you must now rehearse the arrangements to ensure those impacted by them become familiar with what happens upon invocation and beyond. You should also have a maintenance programme in place to make sure that your arrangements remain up to date and reflect current business needs (see Table 3.5).


Table 3.5 Elements of exercising, maintaining and reviewing BCM

Element: An exercise and test programme should be developed which covers all BC plans, information held within the plans and people who may be impacted by invocation.
BCMS Top Tip: Remember to involve interested parties in the exercise programme.

Element: There are a number of recognised methods of exercising and testing BCM arrangements and the programme should reflect this. These include:
  Call tree test
  IT tests
  Desktop review
  Walkthrough
  Simulation/scenario
  Partial exercise of prioritised activities
  Full exercise including incident management response.
BCMS Top Tip: To ensure that you bring staff with you on the BCM journey, the initial exercises should be simple. You can then build on them as confidence grows and there is greater familiarity with BCM arrangements. An established exercise programme should continue to include a broad range of exercises.

Element: Exercise scenarios should be pertinent to the organisation, its strategy (including risk appetite) and take into consideration any local requirements, such as logistical issues.
BCMS Top Tip: When developing an exercise and test schedule, consider:
  The results of previous exercises
  Known threats
  Stakeholder requirements
  Cost
  Variety in order to retain interest and focus.
Exercises and tests should be progressive. Make sure weaknesses are retested until removed. Take into account new risks facing the organisation as a result of internal and external changes. Be sure to demonstrate continual improvement through your exercise programme.

Element: The programme should be for a set time frame, for example 12 months hence. It should be discussed with, and approved by, top management and be in line with budgetary requirements.
BCMS Top Tip: Exercises should take place on an ongoing basis. This will help staff become familiar with what is expected of them and provide assurance that incidents do not have to be too disruptive to their work life. By varying the type and involvement of staff, this should not impact the entire organisation too much.

Element: Top management should take a proactive role in exercises.
BCMS Top Tip: Direct involvement in exercises by top management not only ensures they remain familiar with their responsibilities during an incident, but also demonstrates their support for BCM to staff.

Element: Ensure that exercises do not expose the organisation to undue risk.
BCMS Top Tip: Consider the scheduling of exercises so that they do not occur during busy times for the business. Also consider what resource will be required for each exercise or test so that excessive burdens are not placed on remaining staff.

Element: Each exercise and test should have a predetermined objective.
BCMS Top Tip: Remember to revisit the objective when carrying out the exercise review in order to conclude whether it has been met (or not). Make sure you document this in your report.

Element: Individuals running and observing exercises and tests must be competent to do so.
BCMS Top Tip: As with other BCM competencies, these need to be predetermined. Consider the soft skills that are suited to this role, for example operating under stressful circumstances and applying attention to detail. Organisations may choose to involve external providers during some of the more complex exercises. This is fine, but ideally the skills required should be developed by those within the organisation to support ownership of the BCM programme.

Element: All exercises and tests are to be formally reported and reviewed.
BCMS Top Tip: To support the continual improvement of the BCMS, the outcomes of the exercise or test are to be recorded along with lessons learned, improvement areas and follow up actions. Confirmation of whether the original objectives were achieved is also required. It should be evident that top management has sight of these reports and the opportunity to provide input to them. It may also be worthwhile sharing the results of exercises and tests with staff as a way of maintaining their BCMS awareness.

Element: A BCM maintenance programme is required in order for all aspects of BCM to be reviewed and updated. A minimum review period should be set (ideally at least annually) and be flexible so that changes impacting the organisation are also considered and incorporated where necessary.
BCMS Top Tip: Encourage a culture which proactively develops your BCMS arrangements. This will ensure that there are not prolonged periods where changes affecting the organisation are not incorporated into the BCMS programme. Manage organisational expectations that the BIA, risk assessment, strategy and BC plans will all evolve and develop over time.

Element: There should be clear ownership of the BCM maintenance and review programme.
BCMS Top Tip: The review of BC plans should be through named plan owners. They will have knowledge of localised changes and will be best placed to keep users informed of amendments.


    ACTION SHEET

Make a note of any actions that you have thought of whilst reading about exercising, maintaining and reviewing BCM.

Embedding BCM in the organisation's culture

To be fully effective, the BCM programme must be embedded in the organisation's culture. That means that BCM becomes part of the organisation's core values. Understanding what the business expects in this respect, how it will achieve it and measuring its effectiveness all form part of the embedding process. Its approach to communication and BCM awareness must be flexible and maintained throughout the BCM programme's existence (see Table 3.6).


Table 3.6 Elements of embedding BCM in the organisation's culture

Element: To develop a sustainable BCM culture within your organisation, you must first have a clear idea of the current awareness levels of BCM within the business. The results of analysis should then be compared to the level of awareness the organisation wishes to achieve, after which a programme can be developed.
BCMS Top Tip: This information will in part become clear when you conduct your BIA and Risk Assessment. Expectations should be managed carefully in order to avoid false hope or disappointment.

Element: An organisation's culture develops over time and is heavily influenced by top management behaviour and attitude. To embed BCM into the organisation's culture effectively, top management must visibly support the programme, as must the remaining management team and staff. Where necessary, existing behaviour may be changed through knowledge and enlightenment.
BCMS Top Tip: Top management is expected to maintain its support during and after the initial stages of BCM programme implementation. The effort required to achieve this should not be underestimated.

Element: A BCM awareness programme should consider:
  Who will be responsible for implementing the programme
  What the programme will consist of
  When and how often specific awareness activities are to be deployed
  How the effectiveness of the programme is monitored
  The cost of running the programme (the programme requires top management prior approval)
  Where the awareness, education and training will be obtained from
  What the acceptable minimum levels of achievement will be and by when.
BCMS Top Tip: What you decide to incorporate into your awareness programme will subconsciously be determined by the organisation's existing culture. You should choose methods that you believe your staff and interested parties will buy into. What methods your organisation chooses is immaterial (within reason!) as long as you can measure greater awareness over time, improved performance during exercises and recovery from incidents.


Examples of methods of embedding BCM in the organisation's culture include:

General staff briefings across the organisation

Office poster campaigns

Conducting a BIA

Conducting risk assessments and maintaining a risk register

Communicating risk acceptance levels amongst managers

Writing BC plans

Participation (at whatever level) in exercises and tests

Participation in Business Continuity Awareness Week activities (in house or external)

Specific BCM training, e.g. organising exercises, developing a BIA, auditing the BCMS

BCM education courses

Awareness and understanding of the BC policy and objectives

Understanding the implications of not having BCM arrangements in place

Ensuring individuals understand the impact a disruption might have on their role

Communicating the results of exercises and feedback from a disruption.

    ACTION SHEET

Make a note of any actions that you have thought of whilst reading about embedding BCM in the organisation's culture.


    SUMMARY

(1) The BCM lifecycle should be viewed as an ongoing process rather than a one off exercise. Whilst not directly referred to in ISO 22301, it remains a useful tool for BCM resource.

(2) Develop the BCMS in line with the business's core strategy, aims and objectives.

(3) Establish a practical BCM programme which is straightforward and clear to everyone involved.

(4) In order to have effective BCM arrangements you need to understand the organisation, its key products and services, time-critical and prioritised activities and the needs and expectations of interested parties.

(5) BC strategies should reflect the needs and capabilities of the organisation and be aligned to its risk acceptance levels.

(6) Design your BCM response to sit comfortably with other operational requirements. Do not overcomplicate it.

(7) Be clear when allocating roles, responsibilities and authorities and rehearse these.

(8) A good way to develop closer partnerships with key suppliers is to include them in your exercise programme.

(9) Start your exercise programme with straightforward tests and develop their complexity over time.

(10) The post exercise review is as important as the exercise itself.

(11) Embedding BCM into the organisation's culture is an ongoing process and one which should involve everyone working under the organisation's direction.


INDEX

accreditation, definition of 75
accreditation bodies 72, 75
action sheets: audit checklist 82; BCM programme management 41; BCM response 53; BCM strategies 48; benefits of adopting ISO 22301 standard 8; certification to/alignment with ISO 22301 standard 35; competency requirements 30; embedding BCM 59; evidence 87; exercising/maintaining/reviewing BCM 57; improvements to management systems 20; maintaining momentum 95; management system objectives 22, 32; performance metrics 67; reviewing BC plans 71; scope of management systems 14; staff strategy 70; transition process to certification 73; understanding the organisation 45; using 2
allocation of duties (in BC plans) 52
allocation of management system resources 23-5
audit, definition of 75
audit checklist 80-2
audit plans 90
audit reporting 91-2
audit stages (in certification process) 77-82
audit teams 89
awareness (in ISO 22301 standard) 65
awareness programmes 58
battle boxes (in BC plans) 52
BCM (Business Continuity Management): communication of policy 40; determining strategy 45-8; developing/implementing response 48-53; embedding 57-9; exercising/maintaining/reviewing 53-7; lifecycle of 37-8; programme management 39-41; requirements 7, 67-70; self evaluation of 94; understanding the organisation 41-5
BIA (business impact analysis) 26, 29, 41-4, 47, 68, 81-2
brainstorming 43
BS 25999 standard: and BCM lifecycle 37; certification to 1; differences from ISO 22301 standard 63-70; production of 61-2; similarities with ISO 22301 standard 62-3; transitioning from 71-3
BS 5750 standard 4, 6
Business Continuity Sponsors 15, 28
certification bodies 72-3, 75-82
commercial strategies 46
commitment of top management 15-17
communication 40, 51, 65
competence 3, 81
context 41
continual improvement 3, 5, 18, 89
corrective action 3, 18, 32, 66
critical activities (in terminology of standards) 63
cultural differences 7
culture of organisations 57-9
customer focus 5
determining management system competencies 23
determining strategy (in BCM lifecycle) 45-8
developing/implementing response (in BCM lifecycle) 48-53
documentation 3, 17-18, 40
effectiveness, definition of 3
embedding BCM 57-9
emergency response (in BCM response) 49
engagement of top management 40
evaluation of management systems 31-2
evidence 84-5
exclusions 13
exercise/test programmes 54-6, 65, 69-70
exercising/maintaining/reviewing (in BCM lifecycle) 53-7
experience of audits 88-92
experience of BCM 1
factual approach to decision making 5
gap analysis (in certification process) 79-80
grab bags (in BC plans) 52
hazards 44
health warnings (in certification process) 79
improvement (in ISO 22301 standard) 66
improvement (to management systems) 18-20
incident management (in BCM response) 49
individual awareness 93
initial audits 78
interested party (in terminology of standards) 63
internal audit 4
involvement of people 5
ISO (International Organisation for Standardisation) 61-2, 63
ISO 22301 standard: alignment with 33; and BCM lifecycle 37; benefits of 8; certification to (audit stages 77-82; choosing a certification body 76-7; deciding on 1, 34-5; experience of audits 88-92; maintaining momentum 92-5; preparing for audit 83-7; terminology 75; transition process 71-3); development of 5; differences from BS 25999 standard 63-70; and management system competencies 26; production of 61-2; self assessment 85, 102-11; similarities with BS 25999 standard 62-3
ISO 9000 series 4-5
ISO 9001 standard 4, 6
leadership 5
localised threats 44
maintaining momentum (in auditing process) 92-5
maintenance and review programmes 56
management principles 5-6
management review 31
management systems: alignment with ISO 22301 standard 33; certification to ISO 22301 standard 1, 34-5; definition of 4; determining/tracking competencies 23, 26-9; development of 3; and differences between standards 63-5; documentation of 17-18, 40; evaluation of 31-2; evolution of 6; improvements to 18-20; local 7; and management principles 5-6; mandatory requirements of 10; origins of 4-5; and PDCA models 8-9, 20; resource allocation 23-5; scope of 10-14; setting objectives 21-2; top management responsibilities 15-17; two-part 6-7; writing policies 20-1
matrices 23
meeting points (in BC plans) 51
mutually beneficial supplier relationships 5
nonconformity 4, 18, 32, 66, 91
operational (tactical) strategies 46
operational planning and control 68
operational tier (in BC plans) 50
organisational focus 93
PDCA (Plan Do Check Act) models 8-9, 20, 31, 62, 97-8
performance evaluation (in ISO 22301 standard) 65-6, 97-101
performance metrics 65, 67, 97-9
performance reviews 40
pitching to top management 15-17
policy, definition of 4
preparing for audit 83-7
preventive action (in terminology of standards) 63
prioritised activities (in terminology of standards) 63
procedure, definition of 4
process approach 5
production of standards 61-2
programme management (in BCM lifecycle) 39-41
proof 84
provision of evidence 84-5
raising audit findings 91
recertification audit (in certification process) 79
record, definition of 4
recovery 47, 49, 69
representing organisations 88-9
resumption (in BCM response) 49
reviewing BCM strategies 47
risks/opportunities assessment 20, 41, 44, 65, 68
rushing implementation 87
sample selection (in auditing process) 90-1
scope of management systems 10-14
self assessment 85, 102-11
self evaluation of BCM 94
setting management system objectives 21-2
stakeholder (in terminology of standards) 63
strategic objectives 39
strategic tier (in BC plans) 50
structural requirements (of management systems) 6
surveillance audits 71, 78-9
system approach to management 5
systematic (in terminology of standards) 68
tactical tier (in BC plans) 50
technical requirements (of management systems) 6
templates (in BC plans) 50
terminology of standards 63
threat analysis 44
timescales 21, 42-3, 47, 72, 85
top management: and auditing process 86-7, 89; and BCM response 50; and BCM strategies 46-7; and BIA 42; definition of 4; and embedding BCM 58; engagement of 40; and exercise/test programmes 55-6, 65; responsibilities of 15-17, 64-5
tracking management system competencies 23, 26-9
transition process to certification 71-3
understanding the organisation (in BCM lifecycle) 41-5
warning and communication clause 69
workforce engagement 86-7
writing management system policies 20-1


    ACTION SHEET

To help support your organisation's decision to implement a BCMS, create a summary of the benefits of adopting ISO 22301 in order to help focus people's minds and management commitment.


    ACTION SHEET

Taking into consideration what you have read about scoping a BCMS in this chapter, write down here the key considerations for your organisation's BCMS scope.


    ACTION SHEET

As your BCMS develops and you undertake more of the control requirements (audits, reviews, exercises etc.) make a note here of possible improvements to the system.


    ACTION SHEET

Use this space to write down some ideas for what you want your BCMS objectives to achieve.


    ACTION SHEET

Consider the BCMS roles you expect to create and, against each one, write down the competency requirements you consider appropriate.


    ACTION SHEET

Make a note here of what you consider are the overarching objectives of your BCMS and what you expect to see as evidence that it is working effectively.


    ACTION SHEET

Has your organisation made its decision about whether to seek alignment or certification to ISO 22301?

Either way, based on the information provided in this chapter (and any other relevant factors), list what considerations you believe your organisation should take into account when reaching its decision.


    ACTION SHEET

Make a note of any actions that you have thought of whilst reading about BCM programme management.


    ACTION SHEET

Make a note of any actions that you have thought of whilst reading about how to understand the organisation.


    ACTION SHEET

    Make a note of any actions that you have thought of whilst reading about BCM strategies.


    ACTION SHEET

Make a note of any actions that you have thought of whilst reading about developing and implementing a BCM response.


    ACTION SHEET

    Make a note of any actions that you have thought of whilst reading about exercising, maintaining and reviewing BCM.


    ACTION SHEET

    Make a note of any actions that you have thought of whilst reading about embedding BCM in the organisation's culture.


    ACTION SHEET

    Consider how you will use performance metrics to demonstrate the effectiveness of your BCMS. Be selective in what you measure and ensure a clear link back to the business strategy.


    ACTION SHEET

    Consider the human aspects of your continuity strategies. Taking into account the findings of your BIA and risk assessment, list below what you need to include when preparing a strategy for the organisation's most important resource, its staff.

    You may find it helpful to refer to PD 25111:2010 Business Continuity Management Guidance on Human Aspects of Business Continuity.


    ACTION SHEET

    Take time to review your existing BC plans and compare the existing format and contents to the requirements of ISO 22301. List below what you need to change or add to them.


    ACTION SHEET

    Write down here any actions that your organisation needs to take if it is considering the transition to ISO 22301. Add suggested timelines against each action and discuss them with your certification body as well as your BC sponsor.


    ACTION SHEET

    Having reviewed the suggested evidence list and undertaken your self-assessment, make a list of the evidence that you will draw upon to demonstrate the effectiveness of your BCMS to the auditor.



    ACTION SHEET

    Note down here how you might maintain the momentum of your BCM arrangements.

    Method | Participants
