Rethinking Business Continuity: Applying ISO 22301 to improve resiliency, manage risk, and drive...

RethinkingBusinessContinuity:ApplyingISO22301toimproveresiliency,managerisk,anddriveprofitabilityinyourorganization

BryanStrawser,MBCP,MBCI,CEM,CPP,CISSP,PMPPrincipalConsultant&CEO,BryghtpathLLC

2

BryghtpathLLC

Weareastrategicadvisory firmthatspecializesinglobalrisk,businesscontinuity,emergencymanagement, crisiscommunications, andpublicaffairs

3

BryanStrawserCEO,BryghtpathLLC

• ISO22301LeadImplementer/Instructor• MasterBusinessContinuityProfessional(MBCP)• Member,BusinessContinuity Institute

• FormerlyBS25999• Adoptedgloballyin2012• IntersectswithotherISO

Standards– Ex:ISO27001

• EstablishandmaintainaBusinessContinuityManagementSystem

• Accreditation• Certification

– Implementer/Lead– Auditor/Lead

4

ISO22301:2012SocietalSecurity– BusinessContinuityManagementSystems

Copyright©2015byBryghtpath LLC|bryghtpath.com |+1-612-235-6435|[email protected]

• Scope• Termsanddefinition• OrganizationalContext• Leadership• Planning• Support• Operation• PerformanceEvaluation• Improvement

5

ISO22301ContentStructureandContentofISO22301

Copyright©2015byBryghtpathLLC|bryghtpath.com |+1-612-235-6435|[email protected]

“SettingupandmanaginganeffectiveBusinessContinuityManagementSystem(BCMS)”

ABCMSemphasizestheimportanceof:

• ThenecessityforestablishingaBCMpolicy&objectives

• Implementingandoperatingcontrolsandmeasuresformanaginganorganization’soverallcapabilitytomanagedisruptiveincidents

• Monitoring&reviewingthepeformanceandeffectivenessoftheBCMS

• Continualimprovementbasedonobjectivemeasurement

6

ISO22301:0.1WhatisaBCMS?


a) Apolicyb) Peoplewithdefinedresponsibilitiesc) Managementprocessesrelatingto

1. Policy2. Planning3. Implementation&operation4. Performanceassessment5. Managementreview6. Improvement

d) Documentationprovidingauditableevidencee) Anybusinesscontinuitymanagementprocesses

relevanttotheorganization

7

ISO22301:0.1ABCMShasseveralkeycomponents


8

ISO22301:0.2ThePlan-Do-Check-Act(PDCA)Model


“…specifiesrequirementstoplan,establish,implement,operate,monitor,review,maintain,andcontinuallyimproveadocumentedmanagementsystemtoprotectagainst,reducethelikelihoodof

occurrence,preparefor,respondto,andrecoverfromdisruptiveincidentswhentheyarise...

9

ISO22301:Clause1ScopeofISO22301


ThisInternationalStandardisapplicabletoalltypesandsizesoforganizationsthatwishto:

a) Establish,implement,andimproveaBCMS

b) Ensureconformitywithstatedbusinesscontinuitypolicy

c) Demonstrateconformitytoothers

d) Seekcertification/registrationofitsBCMSbyanaccreditedthirdpartycertificationbody

e) Makeaself-determinationandself-declarationofconformitywiththisInternationalStandard

10

ISO22301:Clause1Applicability


BusinessContinuityCapabilityoftheorganizationtocontinuedeliveryofproductsorservicesatacceptablepredefinedlevelsfollowingadisruptiveincident

BusinessContinuityPlanDocumentedproceduresthatguideorganizationstorespond,recover,resume,andrestoretoapre-definedlevel ofoperationfollowingadisruption

BusinessImpactAnalysisProcessofanalyzingactivitiesandtheeffectthatabusinessdisruptionmighthaveuponthem

11

ISO22301:Clause3

KeyDefinitions


ExerciseProcesstotrainfor,assess,practice,andimproveperformanceinanorganization

IncidentSituationthatmightbe,orcouldleadto,adisruption,loss,emergency,orcrisis

12

ISO22301:Clause3KeyDefinitions


Theorganizationshallidentifyanddocument:• Theorganization’sactivities,functions,services,products,

partnerships,supplychains,relationshipswithinterestedparties,andthepotentialimpactrelatedtoadisruptiveincident

• Linksbetweenthebusinesscontinuitypolicyandtheorganization'sobjectivesandotherpolicies,includingitsoverallriskmanagementstrategy

• Theorganization’sriskappetite

13

ISO22301:Clause4TheOrganizationanditscontext


Inestablishingthecontext,theorganizationshall:

1) Articulateitsobjectives,includingthoseconcernedwithbusinesscontinuity

2) Definetheexternalandinternalfactorsthatcreatetheuncertaintythatgivesrisetorisk

3) Setriskcriteriatakingintoaccounttheriskappetite4) DefinethepurposeoftheBCMS

14

ISO22301:Clause4TheOrganizationanditscontext


Primarilyfocusesonlegal&regulatoryrequirements:• Maintainprocedurestoreview&understandregulatory

requirements• Understandtheinterestofotherrelevantthirdparties

Thisisanareathatisbecomingmoreofafocusinrecentyears

15

ISO22301:Clause4TheNeeds&ExpectationsofInterestedParties


5.1: PersonsintopmanagementandotherrelevantmanagementrolesthroughouttheorganizationshalldemonstrateleadershipwithrespecttotheBCMS.

5.2: TopmanagementshalldemonstratecommitmentwithrespecttotheBCMSby:

• Ensuringthatpoliciesandobjectivesareestablished…• EnsuringtheintegrationoftheBCMS...• Ensuringtheresourcesneeded[...]areavailable• EnsuringtheBCMSachievesitsintendedoutcomes

16

ISO22301:Clause5Leadership,Management,andCommitment


5.3:Policy

a) Isappropriatetothepurposeoftheorganizationb) Providesaframeworkforsettingbusinesscontinuityobjectivesc) Includesacommitmenttosatisfyapplicablerequirementsd) IncludesacommitmenttocontinualimprovementoftheBCMS

5.4:Organizationalroles,responsibilities,andauthorities

Topmanagementshallensurethattheresponsibilitiesandauthoritiesforrelevantrolesareassignedandcommunicatedwithintheorganization

17

ISO22301:Clause5Policy&Roles,Responsibilities,andAuthorities


6.1:Actionstoaddressrisksandopportunities• Organizationshalldeterminetherisksandopportunitiesto

– EnsuretheBCMScanachieveitsintendedoutcomes(s)– Preventorreduceundesiredeffects– Achievecontinualimprovement

6.2:Businesscontinuityobjectivesandplanstomeetthem• Topmanagementshallensurethatobjectivesareestablishedand

communicatedforrelevantfunctionsandlevels– Musttakeaccountoftheminimumlevelofproductsandservicesthatare

acceptabletotheorganizationtoachieveitsobjectives– Mustbemeasurable– Musttakeintoaccountapplicablerequirement– Mustbemonitoredandupdatedasappropriate

18

ISO22301:Clause6Planning


Again:• Whowillberesponsible• Whatwillbedone• Whatresourceswillberequired• Whenitwillbecompleted• Howtheresultswillbeevaluated

19

ISO22301:Clause6Planning


Clause7containsanumberofstatementsrelatedtoprovidingsupportthroughresources,competence,andawareness.

• Providingtheresourcesneededfortheestablishment,implementation,maintenance,andcontinualimprovementoftheBCMS

• EnsuringthecompetenceofeachpersoninvolvedindoingBCMSwork(training,mentoring,oroutsourcing)

• AwarenessoftheBCMSatalllevelsoftheorganization

• Internalandexternalcommunications

20

ISO22301:Clause7Support


7.5:DocumentedInformation

• Theorganization’sBCMSshallinclude:– DocumentedinformationrequiredbythisInternationalStandard– Documentedinformationdeterminedbytheorganizationasbeing

necessaryfortheeffectivenessoftheBCMS

• Informationshallbecontrolledtoensure:– Itisavailableandsuitableforuse,whereandwhenitisneeded– Itisadequatelyprotected(e.g.fromlossofconfidentiality,improper

use,orlossofintegrity)

21

ISO22301:Clause7Documentation


8.2:BusinessImpactAnalysis(BIA)andRiskAssessment

• 8.2.2BusinessImpactAnalysis– Identifyingactivities thatsupporttheprovisionofproductsandservices– Assessing theimpactsovertimeofnotperformingtheseactivities– Settingprioritizedtimeframesforresumingtheseactivities– Identifyingdependencies andsupportingresources

• 8.2.3RiskAssessment– Identifyrisksofdisruptiontotheorganization’sprioritizedactivities– Systematicallyanalyzerisk– Evaluatewhichdisruptionrelatedrisksrequirementtreatment– Identifytreatmentscommensuratewithbusiness continuityobjectives

andinaccordancewiththeorganization’sriskappetite

22

ISO22301:Clause8Operations


8.3:BusinessContinuityStrategy

• Theorganizationshalldetermineanappropriatebusinesscontinuitystrategyfor– Protectingprioritizedactivities– Recoveringprioritizedactivities– Mitigating,respondingto,andmanagingimpacts

• Theorganizationshalldeterminetheresourcerequirementstoimplementtheselectedstrategies(people,information,data,facilities,technology,finance,partners,thirdparties)

• Foridentifiedrisksrequiringtreatment,theorganizationshallconsiderproactivemeasures

23

ISO22301:Clause8BusinessContinuityStrategy


8.4:Establishandimplementbusinesscontinuityprocedures

Procedurestomanageadisruptiveincident andcontinueitsactivitiesbasedonrecoveryobjectivesasidentifiedinthebusinessimpactanalysis• Incidentresponsestructure• Warning&communicating• Businesscontinuityplans

– Documentedproceduresforrespondingtoadisruptiveincident– Howprioritizedactivitieswillberecoveredwithinapredeterminedtimeframe

• Recovery– Documentedprocedurestorestoreandreturnbusinessactivitiesfromthetemporary

measuresadoptedtosupportnormalbusinessrequirementsafteranincident

24

ISO22301:Clause8BusinessContinuityProcedures


CrisisManagementFramework

25

SituationalAwareness


ExecutiveCrisisTeam(C-Suite&CEODirects)

Cross-FunctionalCrisisTeam(Business lines&support teams)

CrisisManagementTeam

StrategicDecisionMaking

DaytodayoperationsRecommendations toExecutives

HorizontalCommunication

SubjectmatterexpertsSituationalawarenessupstream

Full-time/volunteer

CrisisManagementFramework

26



RoutineIncidentHOLYS$@!

Whatjusthappened?!

Protocols&ProcessesIncidentSpecificPlansPreparednessSteps

SituationalAwarenessCollaborativecross-functionaldiscussion

StrategicviewFrameworkfor

collaborativedecisionmaking&communication

CrisisLeadership

27



• What’shappening?• Whatdoweknowaboutit?• Whatimpactisithavingonourbusiness?• Whatdon’tweknowwhatweneedtoknow?

• Allplansshouldbeexercisedatleastannually:– Notification– TableTop– Recovery– Fullyintegrated

• DisasterRecovery– TestingDRplansandstrategies

• Definedprocessforcapturinglessonslearnedandapplyingtoplansandstrategies

28

ISO22301– Clause8:Exercise,Testing,&MaturingHowwillIexerciseandtestmyplans? Basedonthoseresults,howwillIimprove?


• Clause9coverstheneedfortheorganizationtohaveaperformanceevaluation(ormetrics)strategy– Whatismonitored?– Howwillitbemonitored?– How/whenwillitbeanalyzedandevaluated?

• Regularevaluationofproceduresandcapabilities

• Periodicreviews

• Complianceevaluationtopolicy,standards,andindustrybestpractices

• Evaluationsshallbeconductedatplannedintervalsandwhensignificantchangesintheorganizationoccur

29

ISO22301:Clause9PerformanceEvaluation


• 9.2:InternalAudit– Theorganizationshallhaveanauditprogram– InternalAuditsshallbeconducted atplannedintervalstoensurethattheBCMS

conformstotherequirementsofthisstandard– andtotheorganization’srequirementsforBCMS

• 9.3:ManagementReview– Topmanagementshallreviewtheorganization’sBCMSatplannedintervalstoensure

itscontinuingsuitability,adequacy,andeffectiveness– Typically,theBCMSisbriefedatleaseonceannuallytotheBoardofDirectorsorthe

Board’sAuditCommittee.

30

ISO22301:Clause9InternalAudits&ManagementReview


• 10.1:Non-Conformity– Identifyandreact– Evaluatetheneedforaction– Implementactions– MakechangestotheBCMSifneeded

• 10.2:ContinualImprovement– Theorganizationshallcontinuallyimprovethesuitability,adequacy,oreffectivenessof

theBCMS

31

ISO22301:Clause10Improvement


32

CaseStudy:HurricaneSandy(2012)

HurricaneSandyTimeline

34

October– November2012


October24th

• Firstwarningsareissued

October29th

• StormmakeslandfallinNewJersey

October30th

• Stormfadesaway

CrisisManagementasaCompetitiveAdvantage

37

Source:2012HurricaneSandyRILASurvey


0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

10/29 10/30 10/31 11/1 11/2 11/3

Target(195) Sears/K-Mart(236) Macy's(200) Walmart(294) BestBuy(125)

ReputationImpactofaCrisis

38

HurricaneSandy- 2012


InternationalBusinessTimes–11/3

GlobalStandards

BusinessContinuity• ISO22301(formerlyBS25999)• NFPA1600• ASISBusinessContinuityManagementStandard• ASISSPC.1:OrganizationalResilience

USGovernment• FederalContinuityDirectives(FCD1/FCD2)• ContinuityGuidanceCirculators(CGC1/CGC2)

39

BusinessContinuityandEmergencyManagement


ProfessionalCertifications

BusinessContinuity• DisasterRecoveryInstituteInternational

– AssociateBusinessContinuityProfessional(ABCP)– CertifiedBusinessContinuityProfessional(CBCP)– MasterBusinessContinuityProfessional(MBCP)

• BusinessContinuity Institute– Member,BusinessContinuityInstitute(MBCI)– Fellow,BusinessContinuityInstitute(FBCI)

• BusinessContinuityManagementInstitute(Singapore)– Multiplecertifications

EmergencyManagement• InternationalAssociationofEmergencyManagers

– AssociateEmergencyManager(AEM)– CertifiedEmergencyManager(CEM)

40

BusinessContinuityandEmergencyManagement


ContactInformation

ContactBryan:BryanStrawserPrincipalConsultant&CEOPhone: +1-612-235-6435E-Mail: [email protected]: @bryanstrawser

LearnmoreaboutBryghtpathLLCWebsite: www.bryghtpath.comTwitter: @bryghtpathFacebook: /bryghtpathllc

41

Bryghtpath LLC


OurConsultingServicesInclude:BusinessContinuity

Crisis/EmergencyManagementEnterpriseRiskManagementExerciseDesign&FacilitationGlobalIntelligence&SecurityISOTraining&Certification

Project&ProgramManagementTravelRisk&Security

Rethinking Business Continuity: Applying ISO 22301 to improve resiliency, manage risk, and drive...

Leadership & Management

Transcript of Rethinking Business Continuity: Applying ISO 22301 to improve resiliency, manage risk, and drive...