How to transition to ISO 22301 . . . One year on
Rob Acker
Business Continuity Lead Assessor
LRQA Ltd
How to transition to ISO 22301 . . . One year on
Agenda
• Structure of ISO 22301
• Detailed review – a walk through
• Section 4 – understanding
• Section 5 – leadership
• Section 6 – planning
• Section 7 – support
• Section 8 – operation
• Section 9 – performance
• Section 10 – improvement
• Transition
• How LRQA can help
ISO 22301 and BS 25999 Comparison
Societal security
Greater emphasis on business need and context
The horizontal – effective, efficient control of recovery: Policy, Direction, Acting on results
The vertical: Commitment, Plan, Controls, Objectives, KPIs, Measure
System framework: PDCA – BCM cycle (Plan, Do, Check, Act)
Plan: Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity in order to deliver results that align with the organization’s overall policies and objectives.
Do: Implement and operate the business continuity policy, controls, processes and procedures.
Check: Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.
Act: Maintain and improve the BCMS by taking corrective action, based on the results of management review and reappraising the scope of the BCMS and business continuity policy and objectives.
Structural changes
• Name change – Societal security – contributing to a resilient society
• The new format is more consistent with other ISO management system standards (e.g. ISO 9001, ISO 14001), but retains the existing BC lifecycle
• 105 ‘Shall’s’ compared with the 56 of BS 25999
• Some simplification, clarification or re-wording and some new requirements.
PDCA comparison (chart): count of requirements in each of Plan, Do, Check and Act, BS 25999 versus ISO 22301.
New Requirements Summary
• Formalisation of external and internal issues relevant to BCMS outcomes
• Management Commitment
• Business Continuity Objectives
• Legal and regulatory requirements
• Resource Planning
• 3rd Party Management
• Measures and Effectiveness
Enhanced requirements
5.2 Management commitment
5.3 Policy requirements
6.2 Business Continuity Objectives
7.1 Resources
7.2 Communications.
Section 5 - Leadership
• Top management demonstrates leadership
• Compatibility of the BCMS with the company’s strategic direction
• Integration, achievement of outcomes
• Policy enhancements include:
• Provide the framework for setting business continuity objectives,
• Be communicated within the organization to all persons working for or on behalf of the organization within the scope of the BCMS
This clarifies existing requirements and aligns them with other management system expectations (e.g. roles, responsibility and authority definition, resource determination and review).
Section 6 - Planning
Business Continuity Objectives
SMART but practical, linking the analysis of issues and opportunities to operations and results.
Actions to address risks and opportunities
This risk assessment is aimed at corporate-level risks (for which a BCMS is an effective mitigation) rather than operational risks that might trigger a BCMS response.
Section 7 - Support
Competence & awareness
Communication
Documents and records
Section 7 - Resource requirements
• Clarifies the types of resources required to be considered
• All resources under the organisation’s control to be identified, together with associated competences
7.4 Communication
• Essentially you now need to define what, when and to whom
• Needs to be tested
Section 8 - Operation
Business Impact Analysis & Risk Assessment
Business Continuity Strategy
Incident response
Business recovery and continuity
8.4.4 Business Continuity Plans
Plan contents:
Purpose and Scope, Objectives
Activation criteria and procedures
Roles, responsibilities and authorities
Communication requirements and procedures
Internal and external interdependencies and interactions
Resources, information and records
8.5 Exercise and Test
• Testing is explicitly mentioned
• Consistent with Policy AND Objectives
• Reviewed against aims and objectives
• Based on scenarios
• The communication and warning procedures shall be regularly exercised.
Section 9 - Performance evaluation
• Determine what needs to be monitored or measured: the whens, whats and hows
• Methods to use
• When it needs to be done
• When analysis needs to be done
• Action on adverse trends
• Periodic review of legal and regulatory requirements.
9.3 Management Review
Gone
• Results of education & training programmes
• Level of residual risk and acceptance as input
• Feedback from interested parties
• ‘When significant changes occur’
New
• Trends, audits and measures
• Changes required to policy and objectives
• Updates to BIA, RA and BCPs
• Security requirements rather than resilience
• Changes to contractual requirements.
The Conversion Process
• Conducted an internal audit of our old BCMS against the new ISO, thereby identifying potential non-conformities
• Re-ordered our BCMS so that it followed the ISO chapter headings, making it easier for the external certifying body to audit the system
• To reflect the enhanced top management role
• Ensured that the BCMS stated the links between business continuity and the business as a whole, with demonstrable evidence of how it is incorporated into the business processes (strategic direction and operational control)
• Review of the process in terms of upstream (supply chain) and downstream (impact on clients), to better demonstrate the accountability of 3rd party suppliers
• Independent audits of critical outsourced dependencies incorporated into the Monitoring and Measurement process.
Changes to the BCMS…
• Improved alignment with day to day running of the business
• Review and utilisation of ISO31000 principles in managing operational risks
• Improved iteration of risk assessment
• Developed simple but effective risk controls
• Carried out simulation exercise
• Improved proactive, preventive controls throughout operations
Changes to the BCMS (continued…)
Challenges
• Being able to prove to an auditor that the business continuity plan can achieve
• “Recovery of its activities to a predetermined level, based on management approved recovery objectives.”
• Specific plans are required for any RTOs for critical activities that are time sensitive.
Summary
• The changes from BS 25999 to ISO 22301 are not a great leap into the unknown; rather, they are a process of evolving the BCMS
• The initial internal audit is crucial to critically analyse the changes required to ensure our BCMS conformed to ISO 22301.
What to expect from LRQA . . . Transition Plans
• UKAS requirements on Certification Bodies (CBs) drive the maximum period to transition
• CBs must transition by 30 May 2014
• No new client certificates or renewals to BS 25999 in 2014
• For how long does your BS 25999 certificate remain valid?
• 30 May 2015 at the latest, but this is governed by other rules . . .
• Client transition should be at the first surveillance or renewal after CB transition.
What to expect from LRQA . . . Transition Plans
How long would the transition audit take?
• Up to 1 day, depending on approach
What is the approach to the transition audit?
• Can take place at a surveillance visit
• Driven by a checklist pre-completed by the organisation with supporting information
• Additional time will be required if the checklist is completed following ‘exploration’ by the assessor
• Any deficiencies will be reported as findings in the usual way. As long as these are minimal and a corrective action plan has been agreed, the assessor will recommend approval to the ISO/IEC 22301 standard.
What to expect from LRQA . . . Transition Plans
What happens if you are part way through your initial assessment against BS 25999?
• Subject to normal assessment limitations, the limit is 31 December 2013 (BS 25999 expires 1 June 2014)
• Switching standards between Stage 1 and 2 is not recommended and will require some additional time to check the new requirements have been met.
Lloyd's Register Quality Assurance Limited (LRQA)
is a subsidiary of Lloyd's Register Group Limited.
Any questions?
Come and see us on Stand 23
Thank you!
Rob Acker Lead Assessor
Lloyd’s Register Quality Assurance Limited
Hiramford, Middlemarch Office Village
Siskin Drive, Coventry, CV3 4FJ United Kingdom
T +44 (0)24 7688 2343
W www.lrqa.co.uk