ISO 22301 Has Arrived – Now What?
Brian Zawada & Robert Giffin
Avalution Consulting
© 2012 Avalution Consulting, LLC | All Rights Reserved
Enthusiasm?
Skepticism?
Unsure?
Raise your hand if:
Today’s Agenda: ISO 22301
• Value
• What is it?
• Why and how to use it
• What’s next?
Common Challenges
• Management Engagement
• Alignment to Business Strategy
• Common Vocabulary
• Risk Management Coordination
• Long-term Improvement
ISO 22301
World’s First International
Business Continuity Standard!
What is a Standard?
What Standards ARE
• A collection of best practices and guidelines
• Developed collaboratively in a consensus process
• Evolutionary – revisited and revised at regular intervals
• Voluntary
What Standards ARE NOT
• Regulations
• Prescriptive
• Singularly focused on certification
• Industry Specific
What is a Standard?
• Requirements Standards – the WHAT
• Guidance Standards – the HOW
ISO 22301: Formation via TC 223
• TC 223 membership:
– Countries (45)
– Observers (20)
– Other Committee Liaisons
Technical Committee 223 Projects
• ISO Guide 73:2009 – Terminology
• ISO 22301 – Business Continuity Management Systems – Requirements
• ISO 22313 – Business Continuity Management Systems – Guidance
• ISO 22320 – Emergency Management – Requirements for Command and Control
• ISO 22397 – Guideline to Set Up a Partnership Agreement for the Governance of Interoperability
• ISO 22398 – Guidelines for Exercises and Testing
What is ISO 22301?
Introduction
• Section 1: Scope
• Section 2: Normative References
• Section 3: Terms and Definitions
Requirements
• Section 4: Context of the Organization
• Section 5: Leadership
• Section 6: Planning
• Section 7: Support
• Section 8: Operations
• Section 9: Performance Evaluation
• Section 10: Improvement
The Core of ISO 22301… Management Systems
Plan – Do – Check – Act
Content Caveat!
• Written for many audiences:
– All organizations in all countries
– Not designed to build business continuity professional competencies
• Minimal jargon
– Explanations used instead
Example ISO 22301 Wording:
The Business Impact Analysis shall include the following:
“...Setting prioritized timeframes for resuming activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming would become unacceptable;…”
Common Challenges (Addressed)
✓ Management Engagement
✓ Alignment to Business Strategy
✓ Common Vocabulary
✓ Risk Management Coordination
✓ Long-term Improvement
ISO 22301 and PS-Prep™
• PS-Prep™ will continue to include BS 25999 even though it will likely be withdrawn soon.
• ISO 22301 will likely be added to PS-Prep™
Why Use ISO 22301?
“Once a standard takes hold, people start to focus on the quality of what they do as opposed to how they are doing it.”
– Thomas L. Friedman, The World Is Flat – A Brief History of the 21st Century
Why Consider Standards?
• An answer for: “What are others doing?”
• A common language:
– Understand Risk
– Set Expectations
– Efficiency During Response and Recovery
BCI/LRQA-Sponsored Survey
• Main Advantage: Common Language (85%)
• Alignment – 67% in the next three years
Standards and Certification
Alignment with Standards DOES NOT mean an organization intends to (or should) pursue certification!
– Certification is a business decision
– Certification is an ongoing process (and expense).
Key Topic: Management Systems
• All recent standards use a management system based approach
• Management reviews enable continuous improvement
• Success Factors:
– Align to existing management systems
– Document procedures for repeatability
ISO 22301 Value
• Management and customers respect ISO standards
• A form of benchmarking
• Common language
• Drives engagement through continuous improvement
What’s Next?
Get a Copy of ISO 22301!
www.iso.org | www.ansi.org
Get to Know ISO 22301
• Read it and give it a chance! Understand the What, Why and How
• Standards aren’t designed to be complex just for complexity’s sake
• Introduce ISO 22301 to Management
Potential Focus Areas
• Scoping via Products and Services
• Management Engagement
• Risk Appetite
• Management Review
• Corrective Actions
Next Steps for TC 223
• Continuous improvement of new standards
• Finalize ISO 22313
• Organizational resilience
• Many other “projects”
Questions
Contact Information
Robert Giffin (CBCP, CISA) – Director of Technology
Brian Zawada (MBCI, MBCP) – Director of Consulting
866.533.0575 | www.avalution.com