Transcript of 22301 CF 19Sep (PDF file, c.ymcdn.com/sites/, 25/09/2012)
25/09/2012
ISO 22301
Impacts, Opportunities And ??
Overview
•ISO 22301, Societal security — Business continuity management systems — Requirements
•Approved by ISO and published 16th May 2012
•First internationally endorsed Standard for Business Continuity Management
A World of Standards
Over 100 BCM standards, frameworks, sets of best practices, laws and regulations worldwide, for example:
ASIS SPC.1-2009 Organizational Resilience
ANAO BCM Better Practice Guide 2009
NFPA 1600:2010
APRA Prudential Standard CPS 232
BS 25999 Parts 1 (2006) & 2 (2007)
ASIS BCM 2012
AS/NZS 5050:2010
SS 540:2008 BCM
What Has Changed?
Not very much – a distillation of the source standards:
•Management System Standard
•Management Expectations – Leadership
•Context of the organization
•Terminology – “Guide 83” (ISO's common text and terminology for management system standards)
•Planning & Support
Management System Standard
ISO 22313: Societal Security – Business Continuity Management Systems – Guidance
ISO 22301 Clauses (Chapters)
• Clause 4 – CONTEXT OF THE ORGANISATION: describes the requirements necessary to establish the context of the BCMS as it applies to the organisation, as well as needs, requirements and scope.
• Clause 5 – LEADERSHIP: requirements specific to top management’s role in the BCMS, and the BC policy.
• Clause 6 – PLANNING: establishing strategic objectives and guiding principles for the BCMS as a whole.
• Clause 7 – SUPPORT: resources required, the competence of those involved, awareness of, and communications with, interested parties, and requirements for document management.
ISO 22301 without direct comparison (by Clause)
• 3 Terms and definitions – some terms omitted, new terms added, some redefined
• 4.1 Understanding of the organisation and its context
• 6.1 Actions to address risks and opportunities (to the BCMS)
• 8.4.3 Warning and communication
• 8.4.5 Recovery
• 9.1 Monitoring, measurement, analysis and evaluation

Clause 8. Operation
8.1 Operational planning and control
8.2 Business impact analysis and risk assessment
8.3 Business continuity strategy
8.4 Establish and implement business continuity procedures
8.5 Exercising and testing
ISO 22301 & the BCM Lifecycle
Leadership
•Top management given clear BCM responsibilities
•Management must demonstrate its commitment to the BCMS
–compatible with the strategic direction of the organisation
–integrating the BCMS into the organisation’s business processes
–communicating the importance of conforming to the BCMS requirements
Context of the organisation
Terminology
•Consistent with other management system standards
•Many acronyms and terms replaced with ‘plain English’ explanations
•“Prioritised timeframes” – order & timing of recovery for critical activities
•“Interested parties” – stakeholders
•“Activity” – process, function
Planning & Support
•Business continuity objectives
–Who will be responsible
–What will be done
–What resources will be required
–When it will be completed, and
–How the results will be evaluated
•Determine & provide the resources needed for the BCMS
–Competence
–Awareness
–Communication
–Documented information
Risk Treatment – Consistent with ISO 31000:2009
ISO 22301 – Impacts
•No fundamental change in core BC principles
•Required discipline to meet BCMS requirements
•A single, global consensus BCM benchmark
•Common framework and terminology
•Makes executive participation central to the BCM program
•Plus ?
BS 25999 – the PDCA cycle
Plan – Planning the BCMS
1. General
2. Establishing and managing the BCMS
3. Embedding BCM in the organization’s culture
4. BCMS documentation and records
Do – Implementing and operating the BCMS
1. Understanding the organization
2. Determining business continuity strategy
3. Developing and implementing a BCM response
4. Exercising, maintaining and reviewing BCM arrangements
Check – Monitoring and reviewing the BCMS
1. Internal audit
2. Management review of the BCMS
Act – Maintaining and improving the BCMS
1. Preventive and corrective actions
2. Continual improvement

ISO 22301 – the PDCA cycle
Plan – Planning the BCMS
1. General
2. Context of the Organisation
3. Leadership
4. Planning
5. Support
Do – Implementing and operating the BCMS
1. Operation: planning & control, BIA, BCM strategy, implementation
2. Exercising & Testing
Check – Monitoring and reviewing the BCMS
1. Performance Evaluation
2. Management review of the BCMS
Act – Maintaining and improving the BCMS
1. Nonconformity and corrective action (ISO 22301 has no separate “preventive action” clause)
2. Continual improvement
ISO 22301 – Opportunities
•Drive BC adoption & certification, especially for those organisations with an international focus
•Contribution to the current National & International debate on Organisation Resilience
•Accepted tool for self or supplier BC assessment
•Use by organisations to promote their products, services and capabilities
•Plus ?
Other ISOs In The Pipeline
•ISO 22313: Societal Security – Business Continuity Management Systems – Guidance
•ISO/WD 22323: Societal Security – Management system for resilience in organizations – Requirements and guidance for use
•ISO/CD 22398: Societal security – Guidelines for exercises and testing
(WD = working draft, CD = committee draft: neither is yet a published standard.)
Standards
BS 25777:2008 ICT Service Continuity replaced by ISO/IEC 27031:2011 (ICT readiness for business continuity);
ISO 22301 published May 2012 to replace BS 25999-2:2007 BCMS Specification;
2012 will see a raft of new ISO standards under the “Societal Security” header.
It’s becoming difficult to keep tabs on them all.
ISO Projects
PROJECT STATUS: ISO/CS has reserved the ISO numbers 22300 to 22399
ISO 22300 Societal security – Vocabulary
ISO 22301 Societal security – Business continuity management systems – Requirements
ISO 22311 Societal security – Video surveillance
ISO/TR 22312:2010 Societal security – Technological capabilities
ISO 22313 Societal security – Business continuity management systems – Guidelines
ISO 22320 Societal security – Emergency management – Requirements for command and control
ISO 22322 Societal security – Emergency management – Public warning
ISO 22323 Societal security – Organizational resilience management systems – Requirements
ISO 22351 Societal security – Emergency management – Shared situation awareness
ISO 22397 Societal security – Guidelines for private public partnerships
ISO 22398 Societal security – Guidelines for exercises and testing
ISO/PAS 22399:2007 Societal security – Guideline for incident preparedness and operational continuity management
Ian Clark F.B.C.I.
PO Box 334017, Sunnynook, Auckland 0743, New Zealand
Mobile +64 276 888 503
e-mail [email protected]