Transcript
ICOR Presents: Moving your BCM Program to a
Management System
Implementing ISO 22301:2012
ISO 223 Societal Security Management System Series
• ISO 22300: Vocabulary
• ISO 22301: BCMS (BS 25999)
• ISO 22311: Video surveillance – Export interoperability
• ISO 22312: Technological capabilities
• ISO 22313: BCMS Guidelines
• ISO 22320: Emergency management – Requirements on command and control (NFPA 1600)
• ISO 22322: Emergency management – Public warning
• ISO 22323: Organizational Resilience (ASIS SPC.1)
• ISO 22324: Emergency management – Colour coded alert
• ISO 22351: Emergency management – General rules for writing data elements and codes for information sharing
• ISO 22352: Emergency management – Data elements and codes for information sharing
• ISO 22397: Public/Private partnerships
• ISO 22398: Guidelines for exercises and testing
What is a management system?
A proven framework for managing and continually improving your organization’s policies, procedures and processes
• The best businesses work as complete units with a shared vision
• Encompass
– Information sharing
– Benchmarking
– Team working
– Working to the highest quality
Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
Business Continuity Management: ISO 22301
Published June 2012? - Developed from BS 25999-2:2007
Scope of the standard
Applicable to all types and sizes of organizations that wish to:
• Establish, implement, maintain, & improve a BCMS;
• Assure conformance with stated BCM policy;
• Demonstrate conformance to others;
• Seek certification/registration of its BCMS by an accredited third party certification body; or
• Make a self-determination and self-declaration of
4.3 Determining Scope of the System
The organization shall
a) Clearly define what is in and out of scope
• Explain exclusions
• Such exclusions shall not affect the organization’s ability and responsibility to provide continuity of business and operations that meet the BCMS requirements, as determined by BIA or RA and applicable legal or regulatory requirements
b) Establish BCMS requirements considering how it supports the organization’s overall mission, goals, legal responsibilities and internal and external obligations in order to preserve the integrity of the organization.
c) Identify products and services and all related activities within the scope of the BCMS
d) Take into account needs and interests of all interested parties
e) Define the scope in terms of and appropriate to the size, nature and complexity of the organization
a) Policy
b) BCMS objectives & plan
c) Roles, responsibilities and competencies
d) Appointment of one or more persons with responsibility and authority for accountability of implementation and maintenance
e) Communication and promotion of awareness within the organization of the importance of meeting objectives and conforming to policy
f) Sufficient resources
g) Definitions of criteria for accepting risks
h) Engaging in exercising and testing
i) Ensuring internal audits are conducted
j) Conducting management reviews
k) Demonstrating commitment to continual
7.1 General Resources
a) Achieve policy, objectives and targets
b) Meet the changing requirements
c) Ensure effective communication on BCMS matters both internally and externally
d) Provide for on-going operation and continual improvement
• Determine the necessary competence of person(s) doing work under its control
• Ensure these persons are competent on the basis of appropriate education, training, & experience
• Take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken
• Retain appropriate documented information as evidence
• BCM Program Management
• How to conduct a BIA and/or RA
• Developing and Implementing BCM documentation
• Running an exercise
• Communication skills
• Handling of media inquiries
Persons working under the organization’s control should have appropriate awareness of the BCMS – ensuring they are aware of their role.
7.3 Awareness
Development of a BCM culture is supported by
• Involvement of all personnel
• Leadership from managers
• Assignment of responsibilities
• Performance indicators
• Awareness raising
• Skills training
• Exercising procedures
The organization shall determine, plan, implement, and control those activities needed to address the risks and opportunities by
a) Establishing criteria for those activities or processes
b) Implementing controls
c) Keeping documented information to demonstrate that they have been carried out as planned
• Ensure the relevance of the scope, roles and responsibilities
• Promote and embed continuity across the organization
• Managing costs associated with BC
• Establish and monitor change management and succession management regimes
• Arranging or providing appropriate training for staff
• Maintaining program documentation
• Identify activities that support the provision of products and services
• Assess the impacts over time of not performing these activities
• Setting prioritized timeframes for resuming these activities at a specified minimum acceptable level – taking into consideration the time within which the impacts of not resuming them would become unacceptable
• Identifying dependencies and supporting resources for these activities including suppliers, outsource partners and other relevant interested parties
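The four BIA steps above, worked through as a small script. This is an added example, not code from ICOR or from the ISO 22301 text: the activities, the impact-over-time profiles, the dependency graph and the "impact becomes unacceptable" threshold are all constructed for illustration. It generalizes the third step slightly: once each activity has its own resumption target, a dependency inherits the tightest target of anything that relies on it, because an activity cannot resume before the resources it depends on.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Activity:
    name: str
    # hours the activity has been down -> impact score (0..10); constructed scale
    impact_over_time: Dict[int, int]
    # supporting activities / resources (suppliers, systems, teams)
    depends_on: List[str] = field(default_factory=list)


UNACCEPTABLE_IMPACT = 7   # constructed criterion: an impact score >= 7 is unacceptable


def time_until_unacceptable(act: Activity, threshold: int = UNACCEPTABLE_IMPACT) -> Optional[int]:
    """Hours after which the impact of not performing the activity becomes
    unacceptable. None if the profile never reaches the threshold."""
    for hours, impact in sorted(act.impact_over_time.items()):
        if impact >= threshold:
            return hours
    return None


def resumption_target(act: Activity, threshold: int = UNACCEPTABLE_IMPACT) -> Optional[int]:
    """Prioritized timeframe for resuming the activity: the last profile point at
    which the impact is still acceptable, so resumption happens before the impact
    becomes unacceptable. 0 if the very first point is already unacceptable."""
    limit = time_until_unacceptable(act, threshold)
    if limit is None:
        return None                     # no impact-driven deadline
    acceptable = [h for h in act.impact_over_time if h < limit]
    return max(acceptable) if acceptable else 0


def prioritize(activities: List[Activity]) -> List[Tuple[str, Optional[int]]]:
    """Return (activity, resume-within hours) sorted by urgency. A dependency's
    target is tightened to the smallest target of the activities relying on it."""
    by_name = {a.name: a for a in activities}
    targets = {a.name: resumption_target(a) for a in activities}
    changed = True
    while changed:                      # fixed point over the dependency graph
        changed = False
        for a in activities:
            if targets[a.name] is None:
                continue
            for dep in a.depends_on:
                if dep not in by_name:
                    raise KeyError(f"unknown dependency {dep!r} for {a.name!r}")
                if targets[dep] is None or targets[dep] > targets[a.name]:
                    targets[dep] = targets[a.name]
                    changed = True
    return sorted(targets.items(),
                  key=lambda kv: kv[1] if kv[1] is not None else float("inf"))


# Constructed sample BIA input (not real data)
SAMPLE = [
    Activity("customer payments", {4: 3, 24: 6, 48: 9}, depends_on=["core banking", "network"]),
    Activity("payroll",           {24: 2, 72: 4, 168: 8}, depends_on=["hr system"]),
    Activity("core banking",      {8: 4, 24: 8}, depends_on=["network"]),
    Activity("hr system",         {72: 3, 336: 6}),
    Activity("network",           {24: 5, 72: 7}),
]

if __name__ == "__main__":
    for name, hours in prioritize(SAMPLE):
        print(f"{name:18s} resume within {hours} h")
```

In the sample, "network" on its own could tolerate 24 hours, but because "core banking" needs it and must be back within 8 hours, the network inherits the 8-hour target; "hr system" has no deadline of its own and inherits payroll's 72 hours.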
The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyzes, and evaluates the risk of disruptive incidents to the organization.
This process could be made in accordance with ISO 31000:2009
The organization shall
a) Identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them
b) Systematically analyze risk
c) Evaluate which disruption related risks require treatment
d) Identify treatments commensurate with BC objectives and in accordance with the organization’s risk appetite
The organization must be aware that certain financial or governmental obligations require the communication of these risks at various levels of detail.
In addition, certain societal needs can also warrant sharing of this information at an
those
• Required by activities with high priority
• With significant replacement lead-time
Identifying, Analyzing & Evaluating Risks
• Determination of the criteria for risk acceptance
• Identification of acceptable levels of risk
• Analysis of
Specific threats
• Flood, fire, staff loss, computer viruses, etc.
Vulnerabilities might occur as weaknesses within the resources and may be exploited by the threats
• Single points of failure, staffing levels, IT security,
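A worked risk register that follows the steps listed in the risk assessment passages above (identify, systematically analyze, evaluate against acceptance criteria, pick a treatment within the risk appetite), with the threat and vulnerability examples from this slide. This is an added example, not code from ICOR or the standard: the resources, threats, vulnerabilities, the 1..5 likelihood and impact scales, the acceptance score and the treatment rules are all constructed. Resources that support a high-priority activity or have a long replacement lead time are given a stricter acceptance threshold, matching the two criteria named a few lines earlier.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    resource: str
    threat: str                      # e.g. flood, fire, staff loss, computer virus
    vulnerability: str               # weakness in the resource the threat could exploit
    likelihood: int                  # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int                      # 1 (minor) .. 5 (severe); constructed scale
    supports_high_priority: bool     # required by a prioritized activity
    replacement_lead_time_days: int  # how long a replacement would take to obtain


# constructed risk acceptance criteria
ACCEPTABLE_SCORE = 6      # likelihood x impact <= 6 is accepted without treatment
LONG_LEAD_TIME_DAYS = 30  # replacement lead time that makes a resource critical


def score(r: Risk) -> int:
    """Risk level as likelihood x impact (systematic analysis step)."""
    return r.likelihood * r.impact


def is_critical(r: Risk) -> bool:
    """Resource required by a high-priority activity or with a long replacement lead time."""
    return r.supports_high_priority or r.replacement_lead_time_days >= LONG_LEAD_TIME_DAYS


def requires_treatment(r: Risk, acceptable: int = ACCEPTABLE_SCORE) -> bool:
    """Evaluation step: treat when the score exceeds the acceptance criterion, or
    when the resource is critical and the score exceeds half the criterion."""
    return score(r) > acceptable or (is_critical(r) and score(r) > acceptable // 2)


def treatment(r: Risk) -> str:
    """Treatment commensurate with the (constructed) risk appetite: redundancy for
    critical resources, vulnerability fixes otherwise, or accept and monitor."""
    if not requires_treatment(r):
        return "accept (within appetite); monitor"
    if is_critical(r):
        return "reduce impact: add redundancy / alternate resource and plan resumption"
    return "reduce likelihood: fix the vulnerability"


def evaluate(register: List[Risk]) -> List[dict]:
    """Analyze every risk in the register and return them, highest score first."""
    rows = [{"resource": r.resource, "threat": r.threat, "score": score(r),
             "treat": requires_treatment(r), "treatment": treatment(r)}
            for r in register]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register (not real data)
REGISTER = [
    Risk("data centre", "flood", "ground-floor server room", 2, 5, True, 45),
    Risk("payments team", "staff loss", "single trained operator", 3, 4, True, 60),
    Risk("office PCs", "computer virus", "unpatched workstations", 4, 2, False, 3),
    Risk("archive storage", "fire", "no sprinklers", 1, 2, False, 10),
]

if __name__ == "__main__":
    for row in evaluate(REGISTER):
        print(f"{row['resource']:16s} {row['threat']:15s} score={row['score']:2d} -> {row['treatment']}")
```

The scales and thresholds are the part an organization must decide for itself (the "criteria for risk acceptance" above); the script only makes the evaluation repeatable once they are fixed, which is what lets an internal audit check that every identified risk was evaluated the same way.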
8.3.1 Determination & Selection
Determination and selection of strategy shall be based on the outputs from the BIA and the risk assessment.
The organization shall determine appropriate business continuity strategy for
• Protecting prioritized activities
• Stabilizing, continuing, resuming, and recovering prioritized activities and their dependencies and supporting resources
• Mitigating, responding to, and managing impacts
Include prioritized time frames for resumption and evaluations of the BC capabilities of
The organization shall establish, implement, and maintain BC procedures to manage a disruptive incident and continue activities based on recovery objectives identified in the BIA.
The organization shall document procedures to ensure continuity of activities and management of a disruptive event
activation, operation, coordination, and communication of the response; and
e) Communicate with interested parties and authorities as well as the media.
8.4.2 The Incident Response Structure
The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision.
The response structure should be simple and capable of being formed quickly. When determining the structure, consideration should be given to:
• Having one or more competent personnel available to establish the ramifications of the incident and evaluate the impact or potential impact of the incident and its timescale
• Being able to mobilize teams to take control, contain the incident, and initiate the appropriate business continuity response
• Including appropriate resources which may include staff, contractors, equipment, and finance.
The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe.
Such procedures shall address the requirements of those who will use them.
2) Preferred interface with the media;
3) Guideline or template for drafting a statement for the media; and
4) Appropriate spokespeople.
g) A process for standing down once the incident is over
8.4.4 Business Continuity Plans
Each plan shall define:
a) Purpose and scope;
b) Objectives;
c) Activation criteria and procedures;
d) Implementation procedures;
e) Roles, responsibilities and authorities;
f) Communication requirements and procedures;
g) Internal and external interdependencies
Purpose: To allow top management to take control during the initial phase of an incident when its reputation is most likely to be threatened. Should provide the basis for managing all possible issues.
Identify a location from which an incident can be managed
• Also an alternate location from the primary
• Can be a hotel room or a formal “command center”
• Space for the required number of people
• Effective primary and secondary means of communication
• Facilities for assessing and sharing information, including monitoring the news media
Can be included in the incident management response or a separate procedure
• Establish a suitable venue to support liaison with the media or other groups
• Appropriate number of competent, trained people to answer telephone enquiries from the press
• Use all communication channels including social media
• Prepare background material about the organization and its operations
Provide criteria for setting priorities and make provisions for allocating persons to each stakeholder or group of stakeholders
8.4.4.3.3 Incident and Welfare
Cover the initial stage of an incident involving damage or threat to safety.
• Site evacuation / shelter-in-place
• First aid / evacuation assistance teams
• Locating and accounting for personnel
• Translation services
• Transport services
• Contact information for emergency services, first responders, etc.
• Locating contractors, displaced workers
• Managing telephone help lines
• Counseling services (physical and emotional)
• Prioritized activities to be resumed
• Timescales
• Recovery levels
• Resource numbers at different points of time
• Mobilization of 3rd party resources
• Manual workarounds, system recovery, etc.
• Reference disaster recovery procedures
• Invoking the DR procedures and deploying personnel
• Accessing back-up data and acquiring alternative hardware
• Restoration of data and communications
The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.
• Make claims against insurance policies
• Obtain additional manpower to support recovery effort
• Recover lost information
• Conduct a post recovery review
• Conduct due diligence on audit and governance requirements
9.1.2 Evaluation of Continuity Procedures
a) The organization shall conduct evaluations of its business continuity procedures and capabilities in order to ensure their continuing suitability, adequacy and effectiveness;
b) This evaluation shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner;
c) The organization shall periodically evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformance with its own business continuity policy and objectives; and
d) The organization shall conduct evaluations at planned intervals and when significant changes occur.
When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake
The organization shall conduct internal audits at planned intervals to provide information to assist in the determination of whether the BCMS:
a) Conforms to:
1. the organization’s own requirements for its BCMS;
2. the requirements of this International Standard; and
The organization shall:
a) Plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, while taking into consideration the importance of the processes concerned and the results of previous audits;
b) Define the audit criteria and scope for each audit;
c) Select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) Ensure that the results of the audits are reported to relevant management; and
e) Retain documented information as evidence of the
9.2 Internal Audit
The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results.
The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results.
9.3 Management Review
Top management shall review the organization's BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the business continuity management system;
c) information on the business continuity performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement evaluation results;
3) audit results; and
The output from the management review shall include decisions and actions related to continual improvement opportunities and the possible need for changes to the BCMS and include the following:
a) Variations to the scope of the BCMS;
b) Improvement of the effectiveness of the BCMS;
c) Update of the risk assessment, business impact analysis, business continuity plans and related procedures;
d) modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to:
1) business and operational requirements;
2) risk reduction and security requirements;
3) operational conditions and processes;
4) legal and regulatory requirements;
5) contractual obligations;
6) levels of risk and/or criteria for accepting risks;
7) resource needs;
8) funding and budget requirements; and
e) how the effectiveness of controls are measured.
10.1 Nonconformity and Corrective Action
The organization shall also evaluate the need for action to eliminate the causes of nonconformities, including:
a) Reviewing nonconformities;
b) Determining the causes of nonconformities;
c) Identifying if potential similar nonconformities exist elsewhere in the BCMS;
d) Evaluating the need for action to ensure that nonconformities do not recur or occur elsewhere;
e) Determining and implementing action needed;
f) Reviewing the effectiveness of any corrective action taken; and
g) Making changes to the BCMS, if necessary.
The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS.
NOTE: The organization can use the processes of the BCMS such as leadership, planning and performance evaluation, to achieve improvement.