ISO 22301 and its iteration with other standards and good practices

1ATENÇÃO: O conteúdo desta apresentação é CONFIDENCIAL. Nada poderá ser divulgado por qualquer forma ou meio, em qualquer tempo, sem a prévia autorização por escrito da STROHL Brasil.

Consultoria ı Ferramentas ı Capacitação

ISO 22301And its iteration with other

standards and good practices

Oct

ober

21s

t, 20

15


Introductions

Sidney R. Modenesi• Manager at STROHL Brasil; • ISO 22301 BSI Technical Expert,

2013;• MBCI since 2006;• Over 35 years experience in

DRP and BCM;• Former ICT professional since

1977;• International BCM trainer (ISO

22301, 22313 & others);• BCI - Business Continuity

Institute forum leader in Brazil.

STROHL Brasil• Brazilian company;• 20+ years dedicated solely to

BCM;• Solid and proved experience

in many different industries;• Providing consultancy, training

and BCM software;• Sungard Availability Service

Authorized Representative in Brazil;

• PECB training partner.

222


Agenda

In today´s webinar we will cover briefly the ISO 22301 evolution and the main iterations

between ISO 22301 with other relevant standards and good practices.

NOTE: Potentially we may have iterationswith other ISO, BS and local standards or

good practices I may not be aware of.

3


BEFORE WE START

4


ISO 22301 Item 4.2.2Legal and regulatory requirements

The organization shall establish, implement and maintain a procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements to which the organization subscribes related to the continuity of its operations, products and services, as well as the interests of relevant interested parties.

We can use the same approach regarding new or recently updated standards and good practices, improving the efficiency of the BCMS and theresiliency of the organization.

5


A BIT OF HISTORY …

6


A bit of history

7

At the beginningthere was

darkness ...

September 11 Attacks - 2001

PAS 56 Guide to business continuity

management

2003

BCI Good Practice Guidelines

2002 2006 2007

BS 25999-1 Business Continuity Management

Code of Practice

BS 25999-2 Specification for Business Continuity

Management

PAS 77 IT Service Continuity Management

Code of Practice

2008

BS 25777IT Service Continuity

Management

2011

July 07, 2005 London bombings

Principles for the Sound Management of

Operational Risk - BIS

2012

ISO 22301 Business continuity management systems. Requirements

2013

ISO 22313 Business continuity management

systems. Guidance

ISO 27031 Guidelines for ICT readiness

for business continuity


THE 22300 FAMILY OF STANDARDS

8


The 22300 family of standards “ISO 22300:2012 - Societal security – Terminology” “ISO 22301:2012 - Societal security -- Business continuity management systems ---

Requirements” “ISO 22311:2012 - Societal security -- Video-surveillance -- Export interoperability” “ISO/TR 22312:2011 - Societal security -- Technological capabilities” “ISO 22313:2012 - Societal security -- Business continuity management systems – Guidance” “ISO 22315:2014 - Societal security -- Mass evacuation -- Guidelines for planning” “ISO/TS 22317:2015 - Societal security -- Business continuity management systems -- Guidelines

for business impact analysis (BIA)” “ISO/TS 22318:2015 - Societal security -- Business continuity management systems -- Guidelines

for supply chain continuity” “ISO 22320:2011 - Societal security -- Emergency management -- Requirements for incident

response” “ISO 22322:2015 - Societal security -- Emergency management -- Guidelines for public warning” “ISO 22324:2015 - Societal security -- Emergency management -- Guidelines for colour-coded

alerts” “ISO/TR 22351:2015 - Societal security -- Emergency management -- Message structure for

exchange of information” “ISO 22397:2014 - Societal security -- Guidelines for establishing partnering arrangements” “ISO 22398:2013 - Societal security -- Guidelines for exercises”

9


ISO 22301 - CHAPTER 0INTRODUCTION

10


PDCA Model

0.1 General…Business continuity contributes to a more resilient society. The wider community and the impact of the organization’s environment on the organization and therefore other organizations may need to be involved in the recovery process.

“BS 65000:2014 Guidance onorganizational resilience”

11


PDCA Model

0.2 The Plan-Do-Check-Act (PDCA) modelThis International Standard applies the “Plan-Do-Check-Act” (PDCA) model to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organization’s BCMS.

This ensures a degree of consistency with other management systems standards, such as “ISO 9001 Quality management systems”, “ISO 14001, Environmental management systems”, “ISO/IEC 27001, Information security management systems”, “ISO/IEC 20000-1, Information technology — Service management”, and “ISO 28000, Specification for security management systems for the supply chain”, thereby supporting consistent and integrated implementation and operation with related management systems.

As known as, by BSI, the High Level Structure.

12


PDCA Model

13


BIBLIOGRAPHY

14


Bibliography• [1] ISO 9001, Quality management systems —

Requirements• [2] ISO 14001, Environmental management systems —

Requirements with guidance for use• [3] ISO 19011, Guidelines for auditing management

systems• [4] ISO/IEC 20000-1, Information Technology — Service

Management• [5] ISO 22300, Societal security — Terminology• [6] ISO/PAS 22399, Societal security — Guideline for

incident preparedness and operational continuity management

• [7] ISO/IEC 24762, Information technology — Security techniques — Guidelines for Information and communications technology disaster recovery services

• [8] ISO/IEC 27001, Information Security Management Systems

• [9] ISO/IEC 27031, Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity

• [10] ISO 31000, Risk Management — Principles and Guidelines

• [11] ISO/IEC 31010, Risk management — Risk assessment techniques

• [12] ISO/IEC Guide 73, Risk management — Vocabulary• [13] BS 25999-1, Business continuity management — Code of

practice, British Standards Institution (BSI)• [14] BS 25999-2, Business continuity management —

Specification, British Standards Institution (BSI)• [15] SI 24001, Security and continuity management systems

— Requirements and guidance for use, Standards Institution of Israel

• [16] NFPA 1600, Standard on disaster/emergency management and business continuity programs, National Fire Protection Association (USA)

• [17] Business Continuity Plan Drafting Guideline, Ministry of Economy, Trade and Industry (Japan), 2005

• [18] Business Continuity Guideline, Central Disaster Management Council, Cabinet Office, Government of Japan, 2005

• [19] ANSI/ASIS SPC.1, Organizational Resilience: Security, Preparedness, and Continuity Managements

• [20] ANSI/ASIS/BSI BCM.01, Business Continuity Management Systems: Requirements with Guidance for Use

15


ISO 22301 - CHAPTER 4CONTEXT OF THE ORGANIZATION

16


4.1 Understanding of the organizationand its context

…The organization shall identify and document the following:

a) the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; “ISO 9001:2015 Quality management systems – Requirements” requires that a

business unit be responsible to manage the organization´s businesses, “business mapping”, through process mapping. This business mapping will be very helpful when executing item 8.2.2 Business impact analysis.

b) links between the business continuity policy and the organization’s objectives and other policies, including its overall risk management strategy; andc) the organization’s risk appetite. There is a note in item 8.2.3 Risk Assessment saying this process could be made in

accordance with “ISO 31000 Risk management. Principles and guidelines”. “Review of the Principles for the Sound Management of Operational Risk”, Bank for

International Settlements, October 2014, Principle 10: Business resilience and continuity as part of the Corporate Operational Risk. (www.bis.org)

17


Risk Management standards

• “ISO 31000:2009 Risk management -- Principles and guidelines”

• “ISO/TR 31004:2013 Risk management -- Guidance for the implementation of ISO 31000”

• “ISO Guide 73:2009 Risk management – Vocabulary”

• “IEC 31010:2009 Risk management -- Risk assessment techniques”

18


ISO 22301 - CHAPTER 5LEADERSHIP

19


5.3 Policy

Top management shall establish a business continuity policy that

a) is appropriate to the purpose of the organization,b) provides a framework for setting business continuity objectives, c) includes a commitment to satisfy applicable requirements,d) includes a commitment to continualimprovement of the BCMS.

“ISO 19600:2014 Compliancemanagement systems. Guidelines”

20


ISO 22301 - CHAPTER 7SUPPORT

21


7.4 Communication

The organization shall determine the need for internal and external communications relevant to the BCMS includinga) on what it will communicate,b) when to communicate,c) with whom to communicate.“ISO 22320:2011 Societal security –

Emergency management -- Requirements for incident response” - Annex B (normative) Operational information process criteria

22


7.5.2 Creating and updating

When creating and updating documented information, the organization shall ensure appropriatea) identification and description (e.g. a title, date, author or reference number),b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic), and review and approval for suitability and adequacy. “ISO 9001:2015 Quality management systems.

Requirements”

23


ISO 22301 - CHAPTER 8OPERATION

24


8.2.2 Business impact analysis

The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services. (aka BIA)

“ISO/TS 22317:2015 Societal security — Business continuity management systems —Guidelines for business impact analysis (BIA)”

“BCI Good Practice Guidelines 2013”, pages 52-63

25


8.2.3 Risk assessment

The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.NOTE This process could be made in accordance with ISO 31000.“ISO 31000:2009 Risk management — Principles and

guidelines”Other organizations may use “COSO - Committee of

Sponsoring Organizations of the Treadway Commission” to manage their corporate risks.

26



Risks can be classified in 5 main groups:

1. Information and Communication Technology;2. Information security;3. Facilities or premises;4. Supply chain;5. Human assets.

Requiring controls and/or managed systems to mitigate any of these risks.

27



Information and Communication Technology“ISO/IEC 20000 Information technology — Service

management” family;“ITIL - Information Technology Infrastructure Library”“COBIT® - Control Objectives for Information and

related Technology”

28



Information Security“ISO/IEC 27001:2013 - Information technology --

Security techniques -- Information security management systems – Requirements”;

“ISO/IEC 27002:2013 - Information technology -- Security techniques -- Code of practice for information security controls”;

“ISO/IEC 27013:2012 - Information technology -- Security techniques -- Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1”

29



Facilities or premisesISO 14000 family of standards;

“ISO 14001:2015 – Environmentalmanagement systems – Requirementswith guidance for use”;

There are many other standardsrelated to facilities andinfrastructure issues.

30



Supply chainISO 28000 family of standards;

“ISO 28001:2007 - Security management systems for the supply chain”;

“ISO/TS 22318:2015 - Societal security -- Business continuity management systems -- Guidelines for supply chain continuity”

“PAS 7000:2014 - Supply chain risk management. Supplier prequalification”

31



Human assets “BS OHSAS 18001:2007. Occupational health and

safety management systems. Requirements” “BS OHSAS 18002:2008. Occupational health and

safety management systems. Guidelines for the implementation of OHSAS 18001:2007”

32


8.4.2 Incident response structure8.4.3 Warning and communication

• 8.4.2 The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident …

• 8.4.3 The organization shall establish, implement and maintain procedures for a) detecting an incident, b) regular monitoring of an incident …

“ISO 22320:2011 - Societal security -- Emergency management -- Requirements for incident response”

“ISO 22322:2015 - Societal security -- Emergency management -- Guidelines for public warning”

“ISO 22324:2015 - Societal security -- Emergency management -- Guidelines for colour-coded alerts”

“ISO/TR 22351:2015 - Societal security -- Emergency management -- Message structure for exchange of information”

33


8.4.4 Business continuity plans

The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them.

“ISO 9001:2015 Quality management systems. Requirements”

34


8.5 Exercising and testing

The organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives.The organization shall conduct exercises and tests that … “ISO 22398:2013 - Societal security --

Guidelines for exercises”

35


ISO 22301 - CHAPTER 9PERFORMANCE EVALUATION

36


9.2 Internal audit

The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system …

“ISO 19011:2011 – Guidelinesfor auditing management systems”

“ISO 19600:2014 - Compliancemanagement systems. Guidelines”

37


OTHER RELEVANT DOCUMENTATION

38


Other relevant documentation

“ISO 21500:2012 - Guidance on project management”;

“PMM - Project Management Methodology”; “NFPA 1600: STANDARD ON

DISASTER/EMERGENCY MANAGEMENT AND BUSINESS CONTINUITY PROGRAMS”;

“Six Sigma”;“TOGAF - The Open Group Architecture

Framework”.

39


CLOSING

40


Closing

ISO 22301/22313 standards implementation

can be highly improved with the utilization and integration of other

management systems, standards and good practices increasing,

consequently, the management and the

resilience of the organizations.

41


• ISO standards can be purchased at the ISO Store - www.iso.org/iso/home/store.htm or through the ISO representative in your country

• BS standards can be purchased at the BSI Shop - shop.bsigroup.com/

• The BCI Good Practice Guidelines can be purchased at www.thebci.org/index.php/resources/the-good-practice-guidelines

• NFPA 1600 can be downloaded at http://www.nfpa.org/codes-and-standards/document-information-pages?mode=code&code=1600

42

http://www.iso.org/iso/home/store.htm

http://www.thebci.org/index.php/resources/the-good-practice-guidelines

http://www.thebci.org/index.php/resources/the-good-practice-guidelines

http://www.nfpa.org/codes-and-standards/document-information-pages?mode=code&code=1600

http://www.nfpa.org/codes-and-standards/document-information-pages?mode=code&code=1600


Questions

Sidney R. Modenesi, [email protected]+55 11 5583-0033Skypeid sidneymd-strohl

Thank you, very much for your attendance.

43

mailto:[email protected]

44ATENÇÃO: O conteúdo desta apresentação é CONFIDENCIAL. Nada poderá ser divulgado por qualquer forma ou meio, em qualquer tempo, sem a prévia autorização por escrito da STROHL Brasil.Consultoria ı Ferramentas ı

Capacitação

Contatos:

Tel. 11 [email protected]

44