Introducing ISO 22301
Transcript
Page 1: Introducing ISO 22301

Page 2: Background

How was ISO 22301 formed?

Page 3: Contributors

Page 4: Context

• Source documents included:
  – BS25999-2
  – NFPA 1600
  – ASIS OR standard
  – Singapore standards
  – ISO 27031
  – ISO Guide 73
  – ISO/PAS 22399
• So ISO 22301 is not simply an international version of BS25999.

Page 5: Publication Timeline…

(Timeline chart spanning Q1 2011 to Q1 2013.)

• ISO 22301 BCM – Requirements: DIS public commenting period, then FDIS development, then FDIS published, then final ISO publication.
• ISO 22313 BCM – Guidelines: document out for public comment, then publication (date ???).

Page 6: Summary of ISO FDIS 22301:2012

• ISO is currently developing a high level structure (Guide 83) and standardised text suitable for all ISO management system standards; ISO 22301 is the first to be developed to this new structure.
• The intention is to standardise terminology and requirements for what are essentially the fundamental elements of a management system.
• As ISO 22301 will be the first “new” ISO management system standard, it will be the vanguard for all new and revised versions of existing ISO standards.

Page 7: ISO 22301 Key Points (Societal Security – BCMS)

"...standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, amongst all interested parties."

Page 8: ISO 22301 structure

0 Introduction
1 Scope
2 Normative References
  - Guide 73: Risk mgmt. vocab.
  - ISO 22300 Terminology
3 Terms and Definitions
4 Context of the organisation
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance Evaluation
10 Improvement

Page 9: BS25999 structure (set against ISO 22301 clauses 4 Context of the organisation, 5 Leadership, 6 Planning, 7 Support, 8 Operation, 9 Performance Evaluation, 10 Improvement)

3 Planning the BCMS
  - Scope, Objectives, Policy
  - Resources
  - Competency
  - Embedding
  - Documentation
4 Implementing and Operating the BCMS
  - BIA
  - Risk and Risk Choices*
  - Strategy
  - Incident response, IMP, BCP
  - Exercising, Review
5 Monitoring and Reviewing the BCMS
  - Internal Audit
  - Management Review
6 Maintaining and Improving the BCMS
  - Preventive*, Corrective & Improvement Actions

Page 10: Key Changes / Aspects…

Notable shifts in emphasis from BS25999-2:2007:

• Change in the way an organisation may be defined.
• Top Management leadership shall be more demonstrable and active.
• Preventive action has been replaced with “actions to address risks and opportunities” and features earlier.
• ISO 22301 puts a much greater emphasis on setting the objectives, monitoring performance and metrics – aligning BC to top management strategic thinking.

Page 11: Key Changes / Aspects…

• Strong emphasis on performance evaluation & metrics.
• Communication elements are more demanding and a responsibility to the wider community is defined.
• BIA similar but with some changes to terminology.
• There is a stronger link to the organisation's approach to risk.
• To reflect the Societal Security approach some new terminology has been introduced; see ISO 22300.

Page 12: Benefit of BCM – sudden disruption

Page 13: Benefit of BCM – gradual disruption

Page 14: 3. Terms & Definitions…

• Business continuity plan
• Correction
• Corrective action
• Interested party
• Maximum acceptable outage (MAO)
• Maximum tolerable period of disruption (MTPD)
• Minimum business continuity objective (MBCO)

Page 15: Context - Interested Parties

Page 16: Context

• Requirement for documenting:
  • links between the business continuity policy and the organization’s objectives and other policies, including its overall risk management strategy; and
  • the organization’s risk appetite.
• The requirement to have procedures which identify legal and regulatory requirements. There is also a requirement to keep this information up to date, which must tie in with maintenance.

Page 17: 6. Planning

• Section 6.1 talks about risks and 6.2 about objectives.
• Standardized text, but it might confuse:
  – Having fully understood the context of the organisation, planning activities are introduced to address the risks and opportunities of the business.
  – This proactive approach, if carried out properly, will ensure a resilient BCM system as it will focus on planning for successfully achieving BCM objectives and realising opportunities for improvement. Ownership and accountability of BC objectives will be allocated and a clear direction to accomplishing these objectives will be agreed.

Page 18: 7. Support

7.2 Competence

• The organisation (generally acknowledged to be through its Top Management) has a responsibility to ensure that sufficient and appropriate resource is available for the BCMS. Appropriateness is often determined through competency analysis.
• It is people who take action when an incident occurs.
  – Competence relates both to operating the BCMS AND to performing following an incident.
  – Note also 7.3 d) – everyone has to be aware of their role during disruptive incidents.

Page 19: Communication

• external communication with customers, partner entities, local community, and other interested parties, including the media,
• receiving, documenting, and responding to communication from interested parties,
• adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate,
• ensuring availability of the means of communication during a disruptive incident, facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and
• operating and testing of communications capabilities intended for use during disruption of normal communications.

Page 20: BIA

• a) identifying activities that support the provision of products and services;
• b) assessing the impacts over time of not performing these activities;
• c) setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and
• d) identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.
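The four BIA steps above, worked through as a small model: this is an added example, not part of the presentation or of the standard's text. It derives each activity's MTPD from a constructed impact-over-time curve, sets a recovery time objective (RTO) inside that window, orders activities by urgency, and flags activities whose dependencies (step d) would not be back in time. Activity names, impact scores, the unacceptable-impact threshold and the safety margin are all constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Activity:
    name: str
    # constructed sample data: impact (0-10) of NOT performing the activity,
    # sampled at hours since the disruption began (step b)
    impact_over_time: dict
    dependencies: list = field(default_factory=list)  # step d

UNACCEPTABLE = 7  # constructed threshold: impact at/above this is unacceptable

def mtpd(activity, threshold=UNACCEPTABLE):
    """Maximum tolerable period of disruption: first sampled time at which
    the impact of not performing the activity reaches the threshold."""
    for hours in sorted(activity.impact_over_time):
        if activity.impact_over_time[hours] >= threshold:
            return hours
    return None  # never becomes unacceptable within the assessed window

def prioritise(activities, threshold=UNACCEPTABLE, safety_margin=0.5):
    """Step c): set an RTO strictly inside each activity's MTPD, then order
    activities so the most time-critical come first. Returns (name, MTPD, RTO)."""
    plan = []
    for a in activities:
        m = mtpd(a, threshold)
        rto = None if m is None else m * safety_margin
        plan.append((a.name, m, rto))
    # bounded MTPDs first, shortest first; activities that never become
    # unacceptable sort last
    plan.sort(key=lambda t: (t[1] is None, t[1] if t[1] is not None else 0))
    return plan

def check_dependencies(activities, plan):
    """Step d) check: flag (activity, dependency) pairs where the dependency's
    RTO is later than, or unknown relative to, the activity's own RTO."""
    rto = {name: r for name, _, r in plan}
    by_name = {a.name: a for a in activities}
    issues = []
    for name, _, r in plan:
        if r is None:
            continue
        for dep in by_name[name].dependencies:
            if rto.get(dep) is None or rto[dep] > r:
                issues.append((name, dep))
    return issues

ACTIVITIES = [  # constructed sample activities (step a)
    Activity("Order processing", {0: 0, 4: 3, 8: 6, 24: 9},
             ["Payment gateway", "Customer database"]),
    Activity("Payment gateway", {0: 1, 4: 5, 8: 8, 24: 10}),
    Activity("Customer database", {0: 0, 24: 4, 72: 7}),
    Activity("Monthly reporting", {0: 0, 24: 1, 72: 3}, ["Customer database"]),
]
```

With the sample data the customer database gets a 36-hour RTO but order processing needs it within 12 hours, which is exactly the kind of mismatch a dependency check in the BIA is meant to surface.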


Page 21: Risk Assessment

• The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.
• NOTE This process could be made in accordance with ISO 31000.
• The organization shall identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, and analyse, evaluate and treat them.


Page 22: Strategy

• BS25999-2 had 4.1.3 Determining Choices and 4.2 Determining business continuity strategy.
• ISO 22301 is better defined:
  – Decide what you are going to do to reduce the likelihood and impact as well as how to respond (these are not alternative approaches).
  – Set RTOs.
  – Work out the resource requirements.
  – Act on the protection and mitigation needed.
  – Evaluate the business continuity capability of suppliers.

Page 23: Incident Response Structure

8.4.2 is broadly equivalent to 4.3.2 in BS25999:
  – “Impact thresholds” is new.
  – Personnel to assess the incident.
  – Communication mentions “authorities” and “media” explicitly.
  – External communications are a new requirement. Life safety is explicitly mentioned.

Page 24: Warning and Communication

• The organization shall establish, implement and maintain procedures for:
  • a) detecting an incident,
  • b) regular monitoring of an incident,
  • c) internal communication within the organization,
  • d) receiving, documenting and responding to any national or regional risk advisory system or equivalent,
  • e) assuring availability of the means of communication during a disruptive incident,
  • f) facilitating structured communication with emergency responders,
  • g) recording of vital information about the incident, actions taken and decisions made,

Page 25: Recovery

• The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.

Page 26: Exercising and Testing

• Covers pretty much the same ground as BS25999-2.
• It talks about exercises and tests.
• Expect to see a programme – the point is that over time these should provide objective assurance that the arrangements made will work as anticipated and when required: so does the programme really do this?

Page 27: Performance Evaluation…

• As with all management system standards there is a need to look back at what has been achieved. ISO 22301 also requires that this analysis is evaluated and conclusions drawn by the organisation.
• Performance metrics (to be selected by the business) are required in ISO 22301. Whilst this is a new requirement, it is likely that organisations will already produce certain metrics and these may be able to be tailored to cover the BCMS performance.

Page 28: Performance Evaluation…

• Internal audits and management review continue to be key methods of reviewing the performance of the BCMS and tools for its continual improvement.

Page 29: Transition…

• Organizations that are currently certified to BS25999-2:2007 will be provided with:
  – A transition guideline
  – A transition timescale
• Widely expected that transitions will be conducted during a CAV visit.
• Guidelines and timescales are dependent upon UKAS. Certified organisations have 12 to 18 months to transition, although it could be up to 3 years.
