7/24/2019 Business Continuity Management Systems
1/61
BUSINESS CONTINUITY MANAGEMENT SYSTEMS
BCS, THE CHARTERED INSTITUTE FOR IT
Our mission as BCS, The Chartered Institute for IT, is to enable the information society. We promote wider social and economic progress through the advancement of information technology science and practice. We bring together industry, academics, practitioners and government to share knowledge, promote new thinking, inform the design of new curricula, shape public policy and inform the public.
Our vision is to be a world-class organisation for IT. Our 70,000 strong membership includes practitioners, businesses, academics and students in the UK and internationally. We deliver a range of professional development tools for practitioners and employees. A leading IT qualification body, we offer a range of widely recognised qualifications.
Further Information
BCS, The Chartered Institute for IT, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, United Kingdom.
T +44 (0) 1793 417 424
F +44 (0) 1793 417 444
www.bcs.org/contact
BUSINESS CONTINUITY MANAGEMENT SYSTEMS
Implementation and certification to ISO 22301
Hilary Estall
© Hilary Estall 2012
The right of Hilary Estall to be identified as author of this Work has been asserted by her in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.
All rights reserved. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted by the Copyright Designs and Patents Act 1988, no part of this publication may be reproduced, stored or transmitted in any form or by any means, except with the prior permission in writing of the publisher, or in the case of reprographic reproduction, in accordance with the terms of the licences issued by the Copyright Licensing Agency. Enquiries for permission to reproduce material outside those terms should be directed to the publisher.
All trade marks, registered names etc. acknowledged in this publication are the property of their respective owners. BCS and the BCS logo are the registered trade marks of the British Computer Society charity number 292786 (BCS).
Published by BCS Learning & Development Ltd, a wholly owned subsidiary of BCS The Chartered Institute for IT, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, UK.
www.bcs.org
ISBN: 978-1-78017-146-3
PDF ISBN: 978-1-78017-147-0
ePUB ISBN: 978-1-78017-148-7
Kindle ISBN: 978-1-78017-149-4
British Cataloguing in Publication Data. A CIP catalogue record for this book is available at the British Library.
Disclaimer: The views expressed in this book are of the author(s) and do not necessarily reflect the views of the Institute or BCS Learning & Development Ltd except where explicitly stated as such. Although every care has been taken by the authors and BCS Learning & Development Ltd in the preparation of the publication, no warranty is given by the authors or BCS Learning & Development Ltd as publisher as to the accuracy or completeness of the information contained within it and neither the authors nor BCS Learning & Development Ltd shall be responsible or liable for any loss or damage whatsoever arising by virtue of such information or any instructions or advice contained within this publication or by any of the aforementioned.
Typeset by Lapiz Digital Services, Chennai, India.
Printed at CPI Antony Rowe Ltd, Chippenham, UK.
CONTENTS
List of figures and tables vii
Author viii
Foreword ix
Acknowledgements xi
Abbreviations xii
1 INTRODUCTION 1
Who should read this book? 1
The objective of this book 2
Reader beware! 2
How to use this book 2
2 MANAGEMENT SYSTEMS UNCOVERED 3
Purpose and objective 3
Terms and definitions 3
Management systems explained 4
Plan Do Check Act (PDCA) model 8
Mandatory requirements for management systems 10
Determining the scope of the management system 10
Top management responsibilities with respect to the management system 15
Management system documentation 17
Improvement 18
Writing policies and setting objectives 20
Allocation of suitable resources 23
Determining competencies 23
Evaluation of the performance and effectiveness of the management system 31
Alignment with or certification to ISO 22301? Which path should I choose? 33
Conclusion: should my organisation consider certification? 35
Summary 36
3 BUSINESS CONTINUITY FROM A MANAGEMENT SYSTEM PERSPECTIVE 37
Purpose and objective 37
The BCM lifecycle 37
Positioning the BCM lifecycle with your BCMS 38
Summary 60
4 COMPARING ISO 22301 WITH BS 25999 AND UNDERSTANDING THE DIFFERENCES 61
Purpose and objective 61
How BCMS standards are produced 61
The similarities between ISO 22301 and BS 25999 62
The differences between ISO 22301 and BS 25999 63
Certificate transition 71
Summary 74
5 THE CERTIFICATION PROCESS 75
Purpose and objective 75
Terms and definitions 75
Choosing a certification body 76
Audit stages 77
What to expect from the audit process 83
How to prepare for the audit 83
The audit experience 88
Maintaining momentum after the initial audit and between audits 92
Summary 95
APPENDIX A Evaluating the performance of your business continuity management system 97
APPENDIX B ISO 22301 Self assessment checklist 102
REFERENCES 112
SOURCES OF FURTHER INFORMATION 113
Index 114
Additional action sheets 116
LIST OF FIGURES AND TABLES
Figure 2.1 Application of PDCA model to BCMS processes 9
Figure 3.1 The BCM lifecycle 38
Figure 5.1 Audit stages 77
Figure A.1 Plan Do Check Act model 97
Table 2.1 The PDCA elements 9
Table 2.2 Questions to ask before developing the BCMS scope 11
Table 2.3 Questions to ask to determine the most important products and services 12
Table 2.4 Acceptable and unacceptable scopes 13
Table 2.5 Identifying resources 24
Table 2.6 Tracking BCMS competencies 26
Table 3.1 Elements of business continuity management 39
Table 3.2 Elements of understand the organisation 42
Table 3.3 Elements of determining BCM strategy 46
Table 3.4 Elements of developing and implementing a BCM response 49
Table 3.5 Elements of exercising, maintaining and reviewing BCM 54
Table 3.6 Elements of embedding BCM in the organisation's culture 58
Table 5.1 Audit checklist 80
Table 5.2 Maintaining focus 93
AUTHOR
Hilary Estall SBCI is a respected authority on management system standards. Working for a leading certification body for more than 11 years and directly responsible for the development of its business continuity management system auditing scheme, Hilary has amassed extensive experience since the publication of BS 25999-2 in 2007.
Hilary is a member of the British Standards Institution (BSI) Technical Standards Committee BCM/1 and plays an active part in the ongoing maintenance of BS 25999 Parts 1 and 2. In addition, as part of this committee, Hilary has reviewed and commented on ISO 22301 and ISO 22313 during the course of their respective development stages.
Now running her own successful business continuity consultancy firm, Perpetual Solutions Limited (www.pslinfo.co.uk), Hilary works with a variety of clients supporting them through the different stages of business continuity management system implementation, certification and maintenance. Hilary is an IRCA (International Register of Certificated Auditors) registered BCMS (business continuity management system) Lead Auditor and also continues to provide auditing services on behalf of a number of certification bodies, thus enabling her to maintain her professional qualification with the International Register of Certificated Auditors.
FOREWORD
The International Standard for Business Continuity ISO 22301 is now officially released and it comes at a time when the need for good BCM (business continuity management) practice has never been greater.
The new standard has been developed in collaboration with experts from around the world to ensure its international relevance and applicability, and to ensure it meets the needs of global organisations. It is hoped that the new standard will create a path for greater international consistency, and encourage worldwide adoption of good BCM practice by organisations of all sizes and in all sectors. Building on the existing work of National Standard bodies in a number of countries, most significantly the work done in the UK by the British Standards Institution, ISO 22301 provides an improved framework of good practice and a common language to help organisations with operational activities in multiple countries to better compare business continuity (BC) needs and capabilities globally.
Furthermore, ISO 22301 offers new clarity about the responsibilities of senior management in BC as well as on the role of BC in risk mitigation and disaster avoidance. It demonstrates the need for a balanced relationship between risk management and BC.
Because BC is spread across an entire organisation, it is particularly suitable for a formal management systems approach. This provides a consistent means of measuring the effectiveness of an organisation's BCM programme and how well it is embedded into its culture and business priorities. Certification against ISO 22301 will demonstrate the importance placed on BC by senior management.
Similar management systems are used for other disciplines, such as information security (ISO 27001) and quality (ISO 9001), so this allows organisations to converge around the common framework known as Plan, Do, Check, Act. ISO 22301 is also spearheading the drive towards a consistent documentation framework for ISO Management Systems standards as defined in ISO Guide 83.
We have come a long way since the first mention of BC in a management systems standard, in its debut as a single section in the Information Security standard BS 7799 (which rapidly became ISO 17799), nearly two decades ago. The growing BC community was less than satisfied with that positioning and actively promoted the idea of a BCM standard in its own right. The early attempt at this was PAS 56, which was released to mixed reaction but nevertheless did encourage professionals around the world to give serious thought to what BCM really was and how it
could be properly described and codified. The period from 2005 onwards has been a productive one for those wishing to construct BCM standards with much work undertaken at both national and international levels.
Although a positive development for the growth of the subject, it has had a downside in terms of the take-up of formal standards by organisations that were becoming increasingly confused by the myriad of terms and standards that were circulating. ISO 22301 has been a long time coming and we all hope that it will end the uncertainty felt in recent years by many practitioners about the future role and positioning of BCM in their organisations. One of the most important factors of its success will be its take-up by organisations, and that will largely depend upon the clarity in which its purpose and practical value is communicated. It is in this context that the book by Hilary Estall is very important. I have known Hilary since the early years of developing BS 25999 when she was directly responsible for how the emerging standard should be audited. We did not always agree, practitioners and auditors do not necessarily see things from the same standpoint, but I always respected her views and hopefully that was mutual. In fact, she must have found the subject as interesting as I do because she now runs a highly respected professional BCM consultancy firm herself.
Reflecting on this book, it seemed to me that Hilary has an almost unique set of skills which enabled her to write it. She understands audit, she understands business continuity and she knows how to put the two together, thus maximising the value of the discipline to an organisation. I was particularly struck by her observation that when implementing a BCMS, management system requirements and BCM requirements are equally important. This is great advice. BCM is not just compliance or a tick-box exercise but neither is it a free for all for BCM practitioners to indulge their theories. Curiously enough, nearly 20 years ago my (and now Hilary's) institute, The Business Continuity Institute, coined the term 'The Art and Science of BCM'. Little did we know then how well that phrase describes the conflicting needs for imaginative BCM solutions to be balanced within a measurable consistent process and framework.
If you just want to know more about ISO 22301, I suggest this is the first (and perhaps only) book you need to read. If you are going further and want to become an ISO 22301 certified company then it gives you the route, the dangers, the tips and the confidence to succeed. Enjoy reading it, even if you previously thought BCMS was a dry subject, you might well be very surprised.
Lyndon Bird FBCI
Technical Development Director at the Business Continuity Institute (www.thebci.org).
ACKNOWLEDGEMENTS
Writing articles for various business continuity journals and websites gave me the courage to develop my writing skills so when asked if I had ever thought of writing a book the idea was slightly less daunting than it might otherwise have been.
Nevertheless, I would not have been able to complete this book without the input and support of Simon, Emma and David, all of whom have used their practical knowledge of business continuity management systems to provide steerage when I might otherwise have run off course.
Finally, I could not have written this book without the love and encouragement of my husband, Clive. His belief in me has kept me focused and committed to see it through to the end.
Permission to reproduce extracts from ISO 22301:2012, ISO 9000:2005, PAS 99:2006, ISO 19011:2011 and BS 25999-1:2006 is granted by BSI. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hard copies only: Tel: +44 (0)20 8996 9001, Email: [email protected].
ABBREVIATIONS
BC Business continuity
BCI Business Continuity Institute
BCM Business continuity management
BCMS Business continuity management system
BIA Business impact analysis
BSI The British Standards Institution
IRCA International Register of Certificated Auditors
MTPD Maximum tolerable period of disruption
PDCA Plan Do Check Act
RTO Recovery time objective
UKAS United Kingdom Accreditation Service
3 BUSINESS CONTINUITY FROM A MANAGEMENT SYSTEM PERSPECTIVE
PURPOSE AND OBJECTIVE
In this chapter we focus on the practical elements of business continuity management and consider them from a management system perspective: Where should the emphasis be when it comes to fitting your BCM arrangements into a management system?
We will use the six phases of the BCM lifecycle as our focal point and offer Top Tips for you to consider when developing your BCMS. Unlike BS 25999, ISO 22301 does not make reference to the lifecycle directly but provides an explanation of the PDCA model through its reference to the lifecycle's constituent parts (Source: ISO 22301:2012 'The Plan Do Check Act Model', Table 1). The lifecycle's elements clearly communicate the professional practices of BCM and therefore remain a useful tool. In order for you to become familiar with ISO 22301 terminologies this section includes reference to both.
After reading this section you should be able to maximise the benefits of your BCMS whilst ensuring you have a robust BCM programme in place.
Further, detailed, information can be found in The BCI Good Practice Guidelines 2010.
THE BCM LIFECYCLE
The BCM lifecycle which we recognise today was published in BS 25999 Part 1, in 2006. It clearly depicts the six phased approach to developing and maintaining a BC programme and can be applied to any organisation, irrespective of its size and industry sector (see Figure 3.1).
Figure 3.1 The BCM Lifecycle
[Figure: BCM Programme Management at the centre of the lifecycle, surrounded by the five phases Understand the organization; Determining BCM Strategy; Developing and implementing a BCM response; Exercising, maintaining and reviewing; and Embedding BCM in the Organization's Culture.]
Source: BS 25999-1:2006
We will consider the phases in the following sequence:
(1) BCM programme management
(2) Understand the organisation
(3) Determining BCM strategy
(4) Developing and implementing a BCM response
(5) Exercising, maintaining and reviewing
(6) Embedding BCM in the organisation's culture.
POSITIONING THE BCM LIFECYCLE WITH YOUR BCMS
Table 3.1 identifies the core elements of business continuity management and considers how each one should be treated in order to meet the requirements of a BCMS.
Table 3.1 Elements of business continuity management
Elements of BCM programme management | BCMS Top Tips

Element: The BCM programme will be aligned to the organisation's overarching strategy, business plan and objectives.
Top Tips: When considering business continuity objectives, be sure to demonstrate that there is a link between these and the organisation's strategic objectives and responsibility for achieving them is allocated and clearly understood.

Element: Position the programme so it is in step with the organisation's culture and style of management.
Top Tips: How the organisation chooses to approach its BCM programme and the requirements of the standard should be comparable with the complexity of the business and the environment in which it operates. This is particularly the case for smaller businesses not having the capacity or need for a complex programme. To be accepted within the organisation, your BCMS should be developed as if it was part of the current fabric of the business. Staff are more likely to buy into the new system if there are elements of familiarity to it.

Element: Understand the benefits of the programme to both internal and external stakeholders and identify ways to maximise these benefits.
Top Tips: Having a clear view of how you wish to include key stakeholders/interested parties within your BCM programme will help you develop a more robust system from the outset.

Element: Determine the scope of the BCM programme, usually in terms of products and services, and consider the impact of outsourced activities and whether to include them. Consideration is also required about the role played by legislation, regulation or contractual responsibilities in the proposed BCM programme.
Top Tips: Where the organisation makes a deliberate choice to limit its scope with a view to extending it later, the organisation will benefit if it is able to plan the scope's expansion in terms of time and resource. Such a plan will help support the case for a restricted scope to internal and external stakeholders.
Table 3.1 (Continued)
Elements of BCM programme management | BCMS Top Tips

Element: Identify the BCM resource needed and how it will work with top management to ensure its direct involvement.
Top Tips: The need to engage top management at the earliest stage (preferably before implementation has started) and to stress the importance of its visible leadership of the programme cannot be overemphasised. BCMS roles, responsibilities and authorities must be considered and communicated to the incumbent and their line manager. The clear allocation of authorities, where these differ from routine work, is critical in order for quick decisions to be made during an incident. A clear method of establishing competency requirements for each BCMS role is important and a route to achieving these (with documentary evidence to support this) is required.

Element: Development and communication of a BCM Policy encompassing the key elements of the programme, its objectives and ownership by top management.
Top Tips: The organisation should carefully consider how it communicates its BCM policy so that it is accessible to all interested parties and, more importantly, its intent understood.

Element: A clear implementation programme, and a method for managing and developing its sustainability in line with business needs, is required.
Top Tips: Periodical reviews of the BCM programme will ensure that it remains in line with the business needs. Top management should take responsibility for this.

Element: An ongoing programme review process and flexible attitude towards organisational change is required.
Top Tips: Methods of reviewing the performance and effectiveness of the BCMS including BCM capabilities are principally through management review, internal audit and self assessment. Metrics to determine performance levels should be aligned to the needs of the organisation and results of the analysis recorded, considered and acted upon as necessary.

Element: BCM documentation must be appropriate for the organisation, clear, accessible and manageable.
Top Tips: Documentation must be controlled to ensure it remains up to date and accessible. Responsibility for this should be allocated at the development stage so that there is visible ownership within the BCMS.
BCM programme management
Programme management is at the core of BCM. It is not only critical to the development of a BCM capability but also to the ongoing success of it. In short, it gives BCM purpose and direction.
ACTION SHEET
Make a note of any actions that you have thought of whilst reading about BCM programme management.
Understand the organisation
In order to develop an effective BCM programme, the organisation has to fully understand its business objectives and strategic aims as well as its obligations towards its stakeholders. It must also be clear how a disruption to business activities might impact on its ability to continue trading. An appreciation of the context of the organisation is also required.
To understand your organisation thoroughly, you need to undertake a BIA, review resource requirements and conduct a risk assessment of your most important and time-critical business activities (see Table 3.2).
Table 3.2 Elements of understand the organisation
Elements of understand the organisation | BCMS Top Tips

Element: Seek top management support to conduct a BIA. The BIA is the backbone of a meaningful BCM programme.
Top Tips: Do not underestimate the time and resource required to get the most out of this process and make sure you get top management buy-in before you start! This includes a clear understanding of who will be involved.

Element: Determine the most appropriate method of conducting a BIA for your organisation and identify the resources to do it.
Top Tips: If you are carrying out a BIA for the first time, keep it simple. Let it evolve and mature over time.

Element: Agree whether the BIA will be undertaken after the scope of the BCM programme has been agreed or whether it will be used to determine the scope after completion of the exercise.
Top Tips: It may help to have an outline scope defined before conducting the BIA. This will help with the allocation of resources. If the results of the BIA show up activities not initially considered a priority, these may be added to the final scope.

Element: Identifying the impacts of a disruption at various levels of an organisation will identify different issues and influence how priorities are set.
Top Tips: By establishing a systematic approach to defining the BIA's criteria for measuring the impacts a disruption may have on the organisation, this can be applied across different levels of the organisation.

Element: Consider how activities are impacted over time and how this varies for different activities, products and services.
Top Tips: Think carefully how you plan to bracket timeframes within the BIA. Make sure that they reflect the nature of the business and the needs and expectations of interested parties. (It is too easy to default to timescales applied by others without understanding their pertinence.)
Table 3.2 (Continued)
Elements of understand the organisation | BCMS Top Tips

Element: Agree a method for determining what activities are most time critical to the organisation and agree the basis for their prioritisation.
Top Tips: Remember that what you consider to be a less important activity today may become a priority tomorrow and should still form part of your BIA review process. Do not automatically disregard activities which you have not classified as top priority.

Element: Identify the dependencies relied upon to carry out business activities. These may be internal and external to the organisation.
Top Tips: Try a brainstorming exercise to identify all the organisation's dependencies. By broadening the reach of this thought process, you will be surprised what gets uncovered!

Element: Identify the resources (people, premises, technology, information, supplies, equipment, stakeholders) required to support the activities upon resumption.
Top Tips: Remember to consider how quickly backlogs can occur. This will depend on the nature of the activity but will need to be built into resource planning during invocation and beyond.

Element: Determine the maximum time after which the organisation's viability is irreparably damaged if product or service delivery cannot continue. This will include estimating how long you believe your customers will be prepared to tolerate disruption to their service delivery from you.
Top Tips: Timescales are likely to vary for different products and services and this variation will help the organisation prioritise its recovery activities. These are not cast in stone and real life incidents and the results of exercises will provide valuable insight into their validity. Remember that you do not have to wait until a scheduled review of the BIA to make changes to it.

Element: Establish a review process once the BIA has been completed and obtain top management sign off before proceeding.
Top Tips: Try and maintain a level of independence with this review. Consider the needs of the organisation and its overall strategy and do not be swayed by individuals who try and tell you that what they do is the most important thing in the business.
Table 3.2 (Continued)
Elements of understand the organisation | BCMS Top Tips

Element: Based on the results of the BIA, carry out a risk assessment of the prioritised activities. As well as identifying particular threats, consider possible vulnerable resources.
Top Tips: Remember to focus your threat analysis on hazards that are relevant and appropriate. Include localised threats to specific sites to demonstrate that proper consideration has been applied to this process.

Element: Determine a suitable risk management model for your organisation taking into consideration any existing methods used. Risk criteria and scoring systems should be appropriate for the organisation and in line with its risk appetite.
Top Tips: Do not overcomplicate your risk management model, especially if your organisation is not used to proactive risk reviews. The model can be developed over time. Be clear with your criteria and scoring system and make sure that everyone involved in the risk management process applies the same model.

Element: Identify risks considered to be unacceptable to the organisation (based on the predefined scoring system), review them, agree action to mitigate the risk and/or reduce the impact if realised.
Top Tips: When assessing and prioritising control measures, take into account the cost of such actions and the possible consequence of inaction in order to support the decision making process.

Element: Establish a periodical risk review process.
Top Tips: Where possible, the organisation's aim should be to reduce, manage or eliminate significant risks. Risks which continue to be accepted for prolonged periods should be questioned to make sure that complacency does not set in.
ACTION SHEET
Make a note of any actions that you have thought of whilst reading about how to understand the organisation.
Determining BCM strategy
Following the completion of the 'understand the organisation' phase, the business is in a position to consider options available to it which will enable the restoration of prioritised operations affected by a disruption. Options should be considered on strategic and tactical levels (see Table 3.3).
Table 3.3 Elements of determining BCM strategy
Elements of determining BCM strategy | BCMS Top Tips

Element: BCM strategies should be identified at both commercial and operational levels. Examples of commercial strategies include the consideration of multiple site operation, alternative operation sites either owned or contracted for by the organisation and to subcontract or outsource some operations. Examples of operational (tactical) strategies include third party recovery site contract, home working, duplication of supplies, backup power facilities, multiple suppliers and information and data backup.
Top Tips: Commercial strategies focus on the products and services within the BCM scope whereas operational strategies focus on the time-critical/prioritised activities supporting those products and services.

Element: BCM strategies are to be aligned to the organisation's risk appetite.
Top Tips: Be ready to demonstrate how you have selected your BCM strategies at both commercial and operational levels. What business considerations were taken into account, cost versus benefit and how top management commitment was obtained.

Element: BCM strategies are to be aligned to the organisation's strategic goals as well as closely linked to the results of the BIA and risk assessment.
Top Tips: Make sure BCM strategies reflect how the organisation has prioritised its activities. For example, if you are a law firm, you will need to focus on your people and their ability to access client and legal information quickly. Your strategies are likely to focus on areas such as IT and telecoms and document storage over finance and corporate hospitality.
Table 3.3 (Continued)
Elements of determining BCM strategy | BCMS Top Tips

Element: BCM strategies must be in line with recovery timescales identified within the BIA.
Top Tips: Often BCM strategies will be chosen based on recovery time objectives identified as part of the BIA process so these must be realistic and well considered. Remember, the shorter the recovery time the more expensive the operational strategy is likely to be.

Element: Be clear who the interested parties are when selecting BCM strategies.
Top Tips: You should consider the needs of interested parties and their expectations of your ability to continue business operations during and immediately after an incident. You may need to prioritise the activities in order to meet these expectations.

Element: BCM strategies that require the allocation of resource must not conflict with each other.
Top Tips: You should apply stress tests to the strategies you have selected to make sure that if more than one is applied during an incident, the resources needed for one will not prevent another strategy being deployed.

Element: BCM strategies must have the full support of top management. When making recommendations to top management, include cost projections and the effect of inaction.
Top Tips: Be realistic with your cost projections and prepare a business case where a BCM strategy may involve significant financial commitment. For example, your organisation might consider the need to contract with a recovery site provider and the cost should be weighed up against the cost to the business if it was unable to recover its operations quickly (in another way).

Element: BCM strategies should be reviewed at least every 12 months to ensure they continue to reflect current organisational requirements.
Top Tips: Be mindful of changes within the organisation. For example, if it acquires additional business or sites, the need for contracting to alternative managed facilities may diminish.
ACTION SHEET
Make a note of any actions that you have thought of whilst reading about BCM strategies.
Developing and implementing a BCM response
Having taken time to fully understand the organisation and develop BCM strategies, the organisation is now in a position to develop business continuity procedures, including its plan or plans. These plans will identify the resources and actions required to manage a disruption and resume prioritised activities (see Table 3.4).
Table 3.4 Elements of developing and implementing a BCM response

Element: There are a number of stages for responding to an incident:
- Emergency response
- Incident management
- BC Recovery
- Resumption.
BCMS Top Tip: Plans must address the key stages of responding to an incident. However, the size and complexity of the organisation will determine how the plans are structured and integrated. There is no set way of structuring plans, but they should sufficiently address the organisation's response needs.

Element: The extent of the plan(s) should reflect the make up and complexity of the organisation and scope of BCM arrangements.
BCMS Top Tip: Plans should be accessible and understood by those with BCM responsibilities. Writing plans that are complex or difficult to follow will result in them being largely ignored in the event of invocation.

Element: BC plans (this term may be used to refer to various plans aimed at different levels within the organisation) will cover strategic business areas such as external communications and stakeholder management, and prioritised operational activities such as payroll, project management or the provision of certain IT applications. There may also be specific plans covering individual threats, such as pandemic.
BCMS Top Tip: Generally, BC plans should be developed to minimise the impact of a threatening situation to the organisation rather than around broad scenarios such as fire, flood or earthquake. (Pandemic is a reasonable exception to this.)

Element: BC plans should address three tiers of business activity:
- Strategic: Top management take direct responsibility for issues such as managing the media, business reputation, welfare of individuals and environmental/wider impacts from an incident.
- Tactical: Management will oversee operations during an incident, including the overall allocation of resource and coordination of activities.
- Operational: Business unit level focus on continuing predetermined prioritised activities which support the delivery of key products and services.
BCMS Top Tip: How the organisation chooses to incorporate the three tiers will be determined by the size and complexity of the business (see first tip). The organisation can name their tiered plans as they wish to suit their culture.

Element: BC plans can be produced in a number of ways and involve different people. The basis of developing plans should be to include:
- Information gathered from the BIA and Risk Assessment processes
- Lessons learned from previous incidents
- Local information
- The views of different staff/managers.
BCMS Top Tip: It is important to develop a BC plan template that suits your organisation's needs. Try not to cut and paste templates used by others unless the style and format reflects your own requirements.

Element: Much of the information in Tactical and Operational BC plans may be generic to the organisation. However, it should be clear to users which areas relate specifically to their activities. It should not be lost amongst several pages of other information.
BCMS Top Tip: Make sure that BC plans remain flexible so that they can easily be adapted to different incident situations.

Element: The key aspects that form the basis of a BC plan are:
- Purpose, scope and objectives
- Roles and responsibilities
- Invocation and stand down authority
- Communications
- Meeting points
- Contact details
- Key information to support the recovery of prioritised activities
- Set of assumptions and known interdependencies.
BCMS Top Tip: Where possible, have more than one tested method of communicating with staff and other stakeholders during an incident, for example email and mobile phone or pager. Identify more than one meeting point: one on site and one away from the office. Information which is subject to change may be held in appendices. This will reduce the need to reproduce complete plans when, for example, contact details change and need updating.

Element: Action sheets and logs should form part of the plan (possibly as appendices). They should also be included, along with other key information, in battle boxes and/or grab bags.
BCMS Top Tip: Make sure that any battle boxes/grab bags are placed in accessible and secure locations, for example at a security gate/office and secondary/third party recovery location. Include an inventory in the box/bag and ensure that, whether locked or not, the contents are periodically checked, equipment remains operational (for example batteries remain charged) and that a record is kept of these inspections (a favourite for auditors).

Element: All plans must include the roles, responsibilities and authorities of the response team.
BCMS Top Tip: The allocation of duties for managing BC plans should be carefully considered before appointment. Like all BCM roles, the individual must have the necessary competence for the role (which you will have predetermined), availability and the respect of his peers and managers. For example, it does not automatically have to be the job of the department manager.

ACTION SHEET
Make a note of any actions that you have thought of whilst reading about developing and implementing a BCM response.
Exercising, maintaining and reviewing BCM
Having developed and implemented a BCM response, you must now rehearse the arrangements to ensure those impacted by them become familiar with what happens upon invocation and beyond. You should also have a maintenance programme in place to make sure that your arrangements remain up to date and reflect current business needs (see Table 3.5).
Table 3.5 Elements of exercising, maintaining and reviewing BCM

Element: An exercise and test programme should be developed which covers all BC plans, information held within the plans and people who may be impacted by invocation.
BCMS Top Tip: Remember to involve interested parties in the exercise programme.

Element: There are a number of recognised methods of exercising and testing BCM arrangements and the programme should reflect this. These include:
- Call tree test
- IT tests
- Desktop review
- Walkthrough
- Simulation/scenario
- Partial exercise of prioritised activities
- Full exercise including incident management response.
BCMS Top Tip: To ensure that you bring staff with you on the BCM journey, the initial exercises should be simple. You can then build on them as confidence grows and there is greater familiarity with BCM arrangements. An established exercise programme should continue to include a broad range of exercises.

Element: Exercise scenarios should be pertinent to the organisation, its strategy (including risk appetite) and take into consideration any local requirements, such as logistical issues.
BCMS Top Tip: When developing an exercise and test schedule, consider:
- The results of previous exercises
- Known threats
- Stakeholder requirements
- Cost
- Variety in order to retain interest and focus.
Exercises and tests should be progressive. Make sure weaknesses are retested until removed. Take into account new risks facing the organisation as a result of internal and external changes. Be sure to demonstrate continual improvement through your exercise programme.

Element: The programme should be for a set time frame, for example 12 months hence. It should be discussed with, and approved by, top management and be in line with budgetary requirements.
BCMS Top Tip: Exercises should take place on an ongoing basis. This will help staff become familiar with what is expected of them and provide assurance that incidents do not have to be too disruptive to their work life. By varying the type and involvement of staff, this should not impact the entire organisation too much.

Element: Top management should take a proactive role in exercises.
BCMS Top Tip: Direct involvement in exercises by top management not only ensures they remain familiar with their responsibilities during an incident, but also demonstrates their support for BCM to staff.

Element: Ensure that exercises do not expose the organisation to undue risk.
BCMS Top Tip: Consider the scheduling of exercises so that they do not occur during busy times for the business. Also consider what resource will be required for each exercise or test so that excessive burdens are not placed on remaining staff.

Element: Each exercise and test should have a predetermined objective.
BCMS Top Tip: Remember to revisit the objective when carrying out the exercise review in order to conclude whether it has been met (or not). Make sure you document this in your report.

Element: Individuals running and observing exercises and tests must be competent to do so.
BCMS Top Tip: As with other BCM competencies, these need to be predetermined. Consider the soft skills that are suited to this role, for example operating under stressful circumstances and applying attention to detail. Organisations may choose to involve external providers during some of the more complex exercises. This is fine, but ideally the skills required should be developed by those within the organisation to support ownership of the BCM programme.

Element: All exercises and tests are to be formally reported and reviewed.
BCMS Top Tip: To support the continual improvement of the BCMS, the outcomes of the exercise or test are to be recorded along with lessons learned, improvement areas and follow up actions. Confirmation of whether the original objectives were achieved is also required. It should be evident that top management has sight of these reports and the opportunity to provide input to them. It may also be worthwhile sharing the results of exercises and tests with staff as a way of maintaining their BCMS awareness.

Element: A BCM maintenance programme is required in order for all aspects of BCM to be reviewed and updated. A minimum review period should be set (ideally at least annually) and be flexible so that changes impacting the organisation are also considered and incorporated where necessary.
BCMS Top Tip: Encourage a culture which proactively develops your BCMS arrangements. This will ensure that there are not prolonged periods where changes affecting the organisation are not incorporated into the BCMS programme. Manage organisational expectations that the BIA, risk assessment, strategy and BC plans will all evolve and develop over time.

Element: There should be clear ownership of the BCM maintenance and review programme.
BCMS Top Tip: The review of BC plans should be through named plan owners. They will have knowledge of localised changes and will be best placed to keep users informed of amendments.

ACTION SHEET
Make a note of any actions that you have thought of whilst reading about exercising, maintaining and reviewing BCM.
Embedding BCM in the organisation's culture
To be fully effective, the BCM programme must be embedded in the organisation's culture. That means that BCM becomes part of the organisation's core values. Understanding what the business expects in this respect, how it will achieve it and measuring its effectiveness all form part of the embedding process. Its approach to communication and BCM awareness must be flexible and maintained throughout the BCM Programme's existence (see Table 3.6).
Table 3.6 Elements of embedding BCM in the organisation's culture

Element: To develop a sustainable BCM culture within your organisation, you must first have a clear idea of the current awareness levels of BCM within the business. The results of analysis should then be compared to the level of awareness the organisation wishes to achieve, after which a programme can be developed.
BCMS Top Tip: This information will in part become clear when you conduct your BIA and Risk Assessment. Expectations should be managed carefully in order to avoid false hope or disappointment.

Element: An organisation's culture develops over time and is heavily influenced by top management behaviour and attitude. To embed BCM into the organisation's culture effectively, top management must visibly support the programme, as must the remaining management team and staff. Where necessary, existing behaviour may be changed through knowledge and enlightenment.
BCMS Top Tip: Top management is expected to maintain its support during and after the initial stages of BCM programme implementation. The effort required to achieve this should not be underestimated.

Element: A BCM awareness programme should consider:
- Who will be responsible for implementing the programme
- What the programme will consist of
- When and how often specific awareness activities are to be deployed
- How the effectiveness of the programme is monitored
- The cost of running the programme (programme requires top management prior approval)
- Where the awareness, education and training will be obtained from
- What the acceptable minimum levels of achievement will be and by when.
BCMS Top Tip: What you decide to incorporate into your awareness programme will subconsciously be determined by the organisation's existing culture. You should choose methods that you believe your staff and interested parties will buy into. What methods your organisation chooses is immaterial (within reason!) as long as you can measure greater awareness over time, improved performance during exercises and recovery from incidents.
Examples of methods of embedding BCM in the organisation's culture include:
- General staff briefings across the organisation
- Office poster campaigns
- Conducting a BIA
- Conducting risk assessments and maintaining a risk register
- Communicating risk acceptance levels amongst managers
- Writing BC plans
- Participation (at whatever level) in exercises and tests
- Participation in Business Continuity Awareness Week activities (in house or external)
- Specific BCM training, e.g. organising exercises, developing a BIA, auditing the BCMS
- BCM education courses
- Awareness and understanding of the BC policy and objectives
- Understanding the implications of not having BCM arrangements in place
- Ensuring individuals understand the impact a disruption might have on their role
- Communicating the results of exercises and feedback from a disruption.

ACTION SHEET
Make a note of any actions that you have thought of whilst reading about embedding BCM in the organisation's culture.
SUMMARY
(1) The BCM lifecycle should be viewed as an ongoing process rather than a one off exercise. Whilst not directly referred to in ISO 22301, it remains a useful tool for BCM resource.
(2) Develop the BCMS in line with the business's core strategy, aims and objectives.
(3) Establish a practical BCM programme which is straightforward and clear to everyone involved.
(4) In order to have effective BCM arrangements you need to understand the organisation, its key products and services, time-critical and prioritised activities and the needs and expectations of interested parties.
(5) BC strategies should reflect the needs and capabilities of the organisation and be aligned to its risk acceptance levels.
(6) Design your BCM response to sit comfortably with other operational requirements. Do not overcomplicate it.
(7) Be clear when allocating roles, responsibilities and authorities and rehearse these.
(8) A good way to develop closer partnerships with key suppliers is to include them in your exercise programme.
(9) Start your exercise programme with straightforward tests and develop their complexity over time.
(10) The post exercise review is equally important as the exercise itself.
(11) Embedding BCM into the organisation's culture is an ongoing process and one which should involve everyone working under the organisation's direction.
ACTION SHEET
To help support your organisation's decision to implement a BCMS, create a summary of the benefits of adopting ISO 22301 in order to help focus people's minds and management commitment.

ACTION SHEET
Taking into consideration what you have read about scoping a BCMS in this chapter, write down here the key considerations for your organisation's BCMS scope.

ACTION SHEET
As your BCMS develops and you undertake more of the control requirements (audits, reviews, exercises etc.) make a note here of possible improvements to the system.

ACTION SHEET
Use this space to write down some ideas for what you want your BCMS objectives to achieve.

ACTION SHEET
Consider the BCMS roles you expect to create and, against each one, write down the competency requirements you consider appropriate.

ACTION SHEET
Make a note here of what you consider are the overarching objectives of your BCMS and what you expect to see as evidence that it is working effectively.

ACTION SHEET
Has your organisation made its decision about whether to seek alignment or certification to ISO 22301?
Either way, based on the information provided in this chapter (and any other relevant factors), list what considerations you believe your organisation should take into account when reaching its decision.

ACTION SHEET
Make a note of any actions that you have thought of whilst reading about BCM programme management.

ACTION SHEET
Make a note of any actions that you have thought of whilst reading about how to understand the organisation.
ACTION SHEET
Consider how you will use performance metrics to demonstrate the effectiveness of your BCMS. Be selective in what you measure and ensure a clear link back to the business strategy.

ACTION SHEET
Consider the human aspects of your continuity strategies. Taking into account the findings of your BIA and risk assessment, list below what you need to include when preparing a strategy for the organisation's most important resource, its staff.
You may find it helpful to refer to PD 25111:2010 Business Continuity Management: Guidance on Human Aspects of Business Continuity.

ACTION SHEET
Take time to review your existing BC plans and compare the existing format and contents to the requirements of ISO 22301. List below what you need to change or add to them.

ACTION SHEET
Write down here any actions that your organisation needs to take if it is considering the transition to ISO 22301. Add suggested time lines against each action and discuss them with your certification body as well as your BC sponsor.

ACTION SHEET
Having reviewed the suggested evidence list and undertaken your self assessment, make a list of the evidence that you will draw upon to demonstrate the effectiveness of your BCMS to the auditor.
ACTION SHEET
Note down here how you might maintain the momentum of your BCM arrangements.
Method    Participants