• Safety - be aware of emergency exits
• Restrooms and telephones - nearest locations
• Contact number - for urgent messages
• Personal property - keep possessions secure
• Phones and pagers - please avoid interruptions
• Recording devices - not allowed in class
• Lunch and breaks - please return on time
• Smoking - not permitted in the classroom
• Special needs - please inform the instructor
• Name
• Organization and business sector
• Job role
• Knowledge of BS 25999 (1 - 10 scale)
• Knowledge of auditing (1 - 10 scale)
• Your aim for attending this course
• Something interesting about yourself
Learning Objectives
Upon completion of the course, students should be able to:
• Lead and carry out an audit of a business continuity management system (BCMS)
• Explain the requirements of BS 25999-2:2007
• Understand the Business Continuity Management Code of Practice (BS 25999-1:2006)
• Clarify the different purposes of BS 25999 Part 1 and Part 2
• Articulate and present audit findings
• Manage successful audit communication and interviews
• Write a succinct audit report
• Conduct opening, closing, and follow-up audit meetings
Defining Business Continuity
Strategic and tactical capability of the organization to plan for and respond to incidents and business disruption in order to continue business operations at an acceptable
Defining Business Continuity Management
Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities
• Verifies conformity to requirements
• Increases awareness and understanding
• Provides a measurement of the effectiveness of the management system to top management
• Reduces risk of management system failure
• Identifies improvement opportunities
• Supports continual improvement if performed regularly
Intent
Does top management intend to implement a BCMS, and how is this intent communicated?
Implementation
Does the implementation of the BCMS reflect the intent of top management?
Effectiveness
Is the implementation effective (i.e., does it meet the parameters established by the intent)?
Management System Standards and the Process Approach
• BS 25999-2:
  - Is based upon the PDCA (Plan-Do-Check-Act) cycle, which can be applied to processes
  - Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a BCMS
• ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits
• An audit program consists of one or more audits, depending on the size, nature and complexity of the auditee
• It includes all activities necessary for planning, organizing, and providing resources to conduct audits
Audit Program
• Top management should assign responsibility for program management
• Those assigned responsibility should:
  - Establish, implement, monitor, review, and improve the audit program
  - Identify the necessary resources and ensure they are provided
• Audit program processes should include:
  - Planning and scheduling audits
  - Assuring competence of auditors and audit teams
  - Conducting audits and audit follow-up
  - Monitoring the performance of the audit program
• The program should be managed by a member of the organization
• Keep appropriate audit records to monitor and review the audit program
Audit Program and Plan
• An audit plan is an output from the audit program
• Audit plans give details about the audit: dates, places, areas audited, and timing

Initiating the Audit (ISO 19011 clause 6.2)
• Appointing the audit team leader
• Defining audit objectives, scope, criteria
• Determining feasibility of the audit
• Selecting the audit team
• Establishing initial contact with the auditee
Defining Audit Objectives, Scope, Criteria (ISO 19011 clause 6.2.2)
Audit objectives may include:
• Determination of the extent of conformity of the auditee's BCMS with the audit criteria
• Evaluation of the capability of the BCMS to ensure compliance with statutory, regulatory, and contractual requirements
• Evaluation of the effectiveness of the BCMS in meeting its objectives
• Identification of areas of improvement
Defining Audit Objectives, Scope, Criteria
Audit scope describes the extent and boundaries of the audit, including:
• Physical locations
• Organizational units
• Activities and processes
• Time period covered by the audit
Selecting the Audit Team
For team size and competence, consider (ISO 19011 clause 6.2.4):
• Audit objectives, scope, criteria, and duration
• Whether the audit is combined or joint
• Competence of the team to meet the objectives
• Statutory, regulatory, contractual and accreditation /
• Independence of the team
• Ability of team members to interact with the auditee and each other
• Language of the audit
• Auditee's social and cultural characteristics
Auditor Responsibilities
• Document and support all findings
• Keep the auditee informed
• Safeguard all documents
• Maintain confidentiality
• Be objective and ethical
• Verify corrective actions, if required
Auditor Competence
Generic Knowledge and Skills (ISO 19011 clause 7.3.1)
Audit principles, procedures, and techniques:
• Apply principles, procedures, and techniques
• Plan and organize work
• Conduct the audit within the time schedule
• Collect information through interviewing, listening, observing, and reviewing documents
• Understand sampling techniques
• Confirm evidence to support findings
• Prepare audit reports
• Maintain confidentiality and security
Auditor Competence
Generic Knowledge and Skills (ISO 19011 clause 7.3.1)
• Organizational situations:
  - Size, structure, functions, and relationships
  - Business processes and terminology
  - Cultural and social customs
• Laws, regulations, and other requirements:
  - Local, regional, and national
  - Contracts and agreements
  - International treaties and conventions
• Management system and reference documents:
  - Interaction between the components of the system
  - Applicable standards, procedures, and reference documents
Document Review (ISO 19011 clause 6.3)
• Should be conducted prior to on-site audit activities, unless deferring the review is not detrimental to the effectiveness of the audit
• May include relevant BCMS documents, records, and previous audit reports
• May include a preliminary site visit
Conducting Document Review
When conducting a document review, ask:
• Are all requirements of BS 25999 addressed?
• Does the documentation match the audit scope?
• Is management commitment clearly defined?
• Have responsibilities been adequately defined?
• Is the lower-level documentation referenced?
• Are you familiar with the area to be audited?
Preparing for the On-Site Audit
• Determine the objective of the audit
• Identify specified requirements
• Determine audit duration and resources needed
• Select the team
• Contact the auditee and agree the date(s)
• Draw up the audit plan
• Brief the team
• Prepare work documents

Work Documents
• Use as a reference and for recording audit proceedings
• Include checklists, sampling plans and forms, the BS 25999-1:2006 and BS 25999-2:2007 standards, etc.
• Keep checklists flexible to allow changes resulting from information collected during the audit
• Safeguard any confidential and proprietary information
• Retain work documents and records
Checklists Benefits
• Keeps audit scope and objectives clear
• Provides evidence of audit planning
• Maintains audit pace and continuity
• Reduces auditor bias
• Reduces workload during the audit
• Provides space for auditor notes
• Identifies expected evidence
Auditing Process (ISO 19011 clause 6.5)
• Conduct opening meeting
• Communicate during the audit
• Explain roles and responsibilities of participants
• Collect and verify information
• Generate audit findings
• Prepare audit conclusions
• Conduct closing meeting
Opening Meeting (ISO 19011 clause 6.5.1)
• Hold the opening meeting with auditee top management and those responsible for the processes audited
• Meeting may range from informal (1st party) to formal (3rd party)
• Chaired by the team leader
• Audit team present
• Purpose is to confirm all prior arrangements:
  2. Objective / scope / criteria
  3. Documentation status
  4. Audit plan confirmation
  5. Audit methods
  6. Sampling
  7. Communication channels
  8. Language of audit
  9. Audit progress
  10. Closing / interim meetings
Auditing Process
Collect and Verify Information (ISO 19011 clause 6.5.4)
• Collect information relevant to:
  - Audit objectives, scope, and criteria
  - Interfaces between functions, activities and processes
• Collect audit evidence by appropriate sampling, then verify and record it
• Be aware of the limitations of sampling when relying on the audit conclusions
• Use only information that is verifiable as audit evidence
Auditing Process
Techniques to Obtain Audit Evidence
• Interview:
  - Personnel that manage, perform, and verify activities
  - Also ensure they are responsible for the activity being audited
  - Listen carefully to responses
• Observe:
  - Identity, status, condition, processes, equipment, activities, environment, and people
• Review documents that describe:
  - Activities, plans, controls, strategies, exercises, tests
• Review business continuity records for evidence of conformity to documents
• Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable
• Audit evidence may be qualitative or quantitative
Communication and Interpersonal Skills
• Put the auditee at ease
• Ask short questions and listen
• Reflect the right attitude, tone of voice, body language, and facial expressions
• Smile and make eye contact
• Avoid interruptions
• Avoid off-the-cuff and condescending remarks
• Give praise when appropriate
• Show interest
• Be tactful and polite
• Show patience and understanding
• Remember to say please and thank you
• Ask the right person
• Don't say you understand when you don't
Questioning Techniques
• Open question: using why, who, what, where, when, or how gets more than a yes or no answer
• Expansive question: further elaborates the current point
• Opinion question: asks an opinion about the current point
• Non-verbal: uses body language, for example raising an eyebrow to elicit further information
Generating Audit Findings (ISO 19011 clause 6.5.5)
• Evaluate audit evidence against the audit criteria to generate audit findings
• Indicate whether findings are conformities, nonconformities or opportunities for improvement
• Meet (audit team) to review findings
• Specify (with supporting evidence) or summarize conformity by location, functions, or processes, as required by the audit plan
Nonconformity (ISO 19011 clause 6.5.5)
• Non-fulfillment of a specified requirement:
  - Not doing it
  - Partially doing it
  - Doing it the wrong way
• Specified requirements:
  - Conditions of customer contract
  - BC standard (BS 25999-2)
  - Business continuity management system
  - Statutory or regulatory requirements
Nonconformity – Minor
• Failure to comply with a requirement which (based on judgement and experience) is not likely to result in BCMS failure
• Single observed lapse or isolated incident
• Minimal risk of nonconforming product or service
• Examples:
  - A two-month lapse in the exercise program
  - A training record not available
  - No actions taken to improve or review BCM arrangements after exercises
Nonconformity – Major
• Absence or total breakdown of a system to meet a requirement
• A number of minors related to the same clause or requirement
• A nonconformity that experience and judgement indicate will likely result in BCMS failure or significantly reduce its ability to assure controlled processes and products
The nonconformity statements below are inadequate due to the lack of specified requirements and detailed evidence:
• Steering Group meeting minutes are not adequate
• The authority level for the Emergency Controller must be documented for clarity purposes
Nonconformity Good Report Examples
ABC BCMS Audit
Nonconformity Report
Incident Number: 1
Company under Audit: XYZ, Inc.
Area under Review: BCP
BS 25999-2 Clause Number: 4.3.3.3
Category: Major / Minor
Requirement:
Clause 4.3.3.3 of BS 25999-2:2007 states that the business continuity plan must identify lines of communication.
Nonconformity Finding:
Upon review of the business continuity plan for XYZ, Inc. Issue 2, it was found that the contact information for the BCP still names employees that have left XYZ, Inc.
Audit Conclusions (ISO 19011 clause 6.5.6)
The audit team should confer prior to the closing meeting:
• Schedule time for this in the audit plan
• Plan for the closing meeting
• Purpose is to:
  - Review audit findings and other information
  - Agree on audit conclusions
  - Prepare the audit report and recommendations
  - Discuss audit follow-up, if included in the audit plan
Audit Report
Prepare, Approve and Distribute (ISO 19011 clauses 6.6.1 and 6.6.2)
1. Audit reference
2. Client and auditee details
3. Audit team details
4. List of auditee representatives
5. Objectives, scope, and criteria
6. Audit plan: dates, places, areas audited and timing
7. Summary of audit process
8. Audit summary
9. Uncertainty due to sampling
10. Nonconformity reports
11. Recommendation
12. Obstacles encountered
13. Any areas in audit scope not covered
14. Any unresolved issues between the auditee and team
15. Confirmation that audit objectives were accomplished
16. Confidentiality statement
17. Distribution list
Audit Report Distribution (ISO 19011 clause 6.6.1)
• Issue within the agreed time period
• If delayed, provide reasons and agree on a new issue date
• Report must be dated, reviewed, and approved as per procedures
• Distribute to recipients designated by the audit client
• Report is the property of the audit client
• Recipients and the audit team must respect the confidentiality of the report
Completing the Audit (ISO 19011 clause 6.7)
• The audit is complete when all activities in the audit plan have been carried out and the audit report is distributed
• Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures
• Maintain confidentiality of audit documents, information, and report
• Notify the audit client and auditee as soon as possible if disclosure of audit information is required
3rd Party Audit
Recommendation Options
• Recommend registration without conditions
• Recommend conditional registration based on submission of an acceptable plan and follow-up:
  - Verification at next surveillance visit
  - Evaluation of the mailed evidence
  - Special visit to verify corrective action
• Unable to recommend registration at this time:
  - Partial re-audit
  - Full re-audit
Completing the Audit
Corrective Action Follow-Up (ISO 19011 clause 6.8)
• Auditee receives the nonconformity report
• Auditee prepares and approves a corrective action plan
• Auditee submits the plan to the audit organization
• Audit organization evaluates and approves the plan
• Auditee implements the approved corrective action plan
• Auditee collects and evaluates evidence of effectiveness
• Auditee revises the plan, if necessary
• Auditee documents the changes in the BCM system
• Auditor verifies the implementation and effectiveness
• Records of all actions taken by auditor and auditee are kept