
Post on 08-Feb-2018


ISO 22313: Your Ultimate Guide for Establishing a Business Continuity Management System

By Mr Peck Eing Seng
Senior Consultant, Business Continuity Planning Asia Pte. Ltd.

Peck Eing Seng, Senior Consultant | Business Continuity Planning Asia Pte. Ltd.

Certified BCM professional by the Business Continuity Institute (BCI) with 7 years' experience in Business Continuity.

More than 6 years' experience in project management, ranging from a production environment to a service provider environment, handling projects that involved both internal and external users.

Project lead for BCP Asia's IT-DRP program that covers design, implementation and activation of the recovery plan. The plan is then embedded as part of BCP Asia's BC management, which eventually achieved ISO 22301 certification.

BCM Standards and Guidelines

United Kingdom

• British Standards Institution (BSI): BS 25999 Business Continuity Management

• The Business Continuity Institute (BCI): Business Continuity Management Good Practice Guidelines, 2010

Singapore

• SPRING Singapore: Singapore Standard for Business Continuity Management, SS 540 : 2008

• Monetary Authority of Singapore (MAS): Business Continuity Management Guidelines, June 2003 (last updated in Jan 2006)

Other Countries

China:
• 国务院信息化工作办公室 (State Council Informatization Office): China IT DR Guidelines, April 2005
• Hong Kong Monetary Authority (HKMA): A Guidance Note on Business Continuity Planning, 2nd December 2002

India:
• Reserve Bank of India: guidelines to all scheduled banks in India, August 2006

Japan:
• Ministry of Economy, Trade and Industry: BCP Guidelines, 31st March 2005

Malaysia:
• Standards Malaysia: Malaysian Standard MS 1970 Business Continuity Management - Framework
• Bank Negara Malaysia: 'Guidelines on Business Continuity Management (BCM) for Banking Institutions'

Thailand:
• Bank of Thailand: 'Guideline on Business Continuity Management (BCM) and Preparation of Business Continuity (BCP) of Financial Institution'

Indonesia:
• Bank Indonesia: Peraturan Bank Indonesia (Bank Indonesia Regulation) no.9/PBI/15/2007

Australia and New Zealand:
• Standards Australia, Standards New Zealand: AS/NZS 5050:2010 Business Continuity - Managing disruption-related risk

United States:
• ASIS International and BSI: ASIS/BSI BCM.01-2010 BCMS: Requirements with Guidance to Use (approved by ANSI as American National Standard on 2 November 2010)

BCM Standards and Guidelines

ISO 22301 : 2012

• Societal security – Business continuity management systems – Requirements

• Published by ISO

• Published on 15 May 2012

• Accepted worldwide

• Organisations can attain certification

ISO 22301:2012 General Information

ISO 22301 is generic in its application and suitable for organisations of any size from any sector of the economy.

Business continuity standardization evolves with ISO 22301 by adding:

• Greater emphasis on setting the objectives, monitoring performance and metrics;

• Clearer expectations on management;

• More careful planning for and preparing the resources needed for ensuring business continuity.

What is ISO 22313?

• Clarifies the intent of the requirements and provides explanations and examples.

• Direct correlation between the clauses in the requirements and the guidance.

• Provides additional information.

ISO 22301 vs ISO 22313: Comparison

ISO 22301:

• is the International Standard on Societal Security - Business Continuity Management Systems, published on 15 May 2012.

• It is the specification document against which organisations will seek certification.

• It has very few diagrams and no explanations on examples or references to best practices.

• It essentially lists the auditable necessities.

ISO 22313:

• is the guidance document to support ISO 22301, published on 12 December 2012.

• It shows examples and proposals on the methods to comply with ISO 22301.

• It tells you the "how-to".

What are the benefits of using ISO 22313?

ISO 22313:2012 Contents

The standard is divided into 10 main sections, starting with Clause 1 - Scope, Clause 2 - Normative references, Clause 3 - Terms and definitions. Following these are the standard's requirements.

PDCA and the ISO 22301 and ISO 22313 Clauses

• Establish (Plan): Clauses 4, 5, 6, 7

• Implement & Operate (Do): Clause 8

• Monitor & Review (Check): Clause 9

• Maintain & Improve (Act): Clause 10


Clause 4 - Context of the Organisation

• Know the organisation, both its internal and external needs.

• Consider the needs and requirements of interested parties.

• Operate within the framework of the legal and regulatory requirements.

• Determine the scope of the BCMS.


Clause 5 - Leadership

• Emphasis on the need for appropriate BCM leadership and management commitment.

• Management defines the Business Continuity policy.

• Ensure the assignment and communication of responsibilities and authorities.


Clause 6 - Planning

• Requires the organisation to identify risks to implementation of the management system.

• Set Business Continuity objectives.


Clause 7 - Support

• Resources required for implementing the BCMS.

• Introduces the important concepts:

Competence

Awareness

Communication

Documented information


Clause 8 - Operations

This section contains the main body of business continuity specific expertise.

1. Operational Planning and Control

2. Business Impact analysis and Risk assessment

3. Business Continuity Strategy

4. Establish and implement Business Continuity Procedures

5. Exercise and Testing


Clause 9 - Performance Evaluation

• Evaluate performance against the plan.

• Monitoring, measurement, analysis and evaluation

• Internal audit and management review


Clause 10 - Improvement

• Nonconformity and Corrective action

• Continual improvement

Summary

ISO 22301 Certified

• ISO 22313 follows the latest best practice for business continuity.

• Chapters in both ISO 22301 and ISO 22313 are the same.

• If you face issues understanding ISO 22301 and need additional background and a more detailed explanation, refer to ISO 22313.

Contact Us

BUSINESS CONTINUITY PLANNING ASIA PTE LTD
The leading provider of training and consultancy in Business Continuity, Crisis Management, Disaster Recovery & Enterprise Risk Management

1 Commonwealth Lane #08-27 One Commonwealth Singapore 149544

Call (65) 63252080
Email conference@bcpasia.com
Visit www.bcpasia.com
