-
ICOR Presents: ISO/TC 223 Societal Security
International Standardization Aimed at Increasing Crisis and Continuity Management Capabilities and Awareness in Order to Improve the Resilience of Society
ISO/TC 223: Early Beginnings
©2012 ICOR ALL RIGHTS RESERVED 2
ISO/TC 223 got its start with the sinking of the Russian submarine Kursk in the Barents Sea in Sept. 2000.
The international community lacked the tools necessary to cooperate effectively in emergency situations, resulting in an initiative from the Russian standards organization, GOST, to establish ISO/TC 223.
-
From “Civil Defence” to “Societal Security”
In 2001 the committee was originally titled “Civil Defence”, with the intention of standardizing emergency procedures.
After the 9/11 attacks, as well as a surge in natural disasters, ISO conducted an assessment in 2005, began work in earnest, and renamed the committee “Societal Security” to broaden its approach beyond just “Civil” defence.
Early Optimism & Resulting Challenges
Built on 5 major works in emergency management from Australia, Israel, Japan, UK, and USA
ISO/PAS 22399:2007 Societal security – Guideline for Incident Preparedness and Operational Continuity Management
However, none of the countries wanted to use the new standard in place of their national standards…
To what extent are countries prepared to relinquish their own solutions in search for common ground?
-
ISO/TC 223 Societal Security - Restarted
Technical Committee formed by ISO in 2008 in the area of Societal Security
Aim to increase crisis management and business continuity capabilities through improved
• Technical,
• Human,
• Organizational, and
• Functional interoperability as well as
• Shared situational awareness
ISO/TC 223 Societal Security
TC 223 develops standards for the protection of society from, and in response to, incidents, emergencies and disasters caused by intentional and unintentional human acts, natural hazards and technical failures.
Its all-hazards perspective covers adaptive, proactive and reactive strategies in all phases before, during and after a disruptive incident.
The area of societal security is multi-disciplinary and involves actors from both the public and private sectors.
An emphasis on developing deliverables that will contribute to improving the resilience of society
-
ISO/TC 223 Societal Security
ISO/TC 223 aspires to answer how individuals, organizations, communities and society can
Anticipate, prevent, prepare for, respond to and recover from disruptive events potentially resulting in an incident, emergency, crisis or disaster
Protect assets (human, physical, intangible and environmental) from disruptive events
Identify, assess, and leverage their capacity and capabilities to withstand disruptive events.
ISO/TC 223 Societal Security
ISO/TC 223 provides tools to enhance capacity and demonstrate improved performance through:
Standardization for the prevention and management of disruptive events
Standardization to promote collaboration and coordination of incident identification, response and recovery
Standardization for the design, deployment and evaluation of technical capabilities.
-
ISO/TC 223 Societal Security
Approximately 45 countries are participating with 17 others observing. At this time there are six work groups working on the following initiatives:
1. Framework Standard on Societal Security Management
2. Terminology
3. Emergency Management
4. Preparedness & Continuity
5. Video Surveillance
6. Mass Evacuation
Within each Work Group are different Project Teams that work on specific standards.
The US Delegation: NFPA / ANSI
-
ISO 223 Societal Security Series
ISO 22300: Terminology – published May 2012
ISO 22301: BCMS – published May 2012
ISO 22311: Video surveillance – Export interoperability
ISO/TR 22312: Technological capabilities – published 2010
ISO 22313: BCMS Guidelines – published August 2012?
ISO 22315: Mass Evacuation
ISO 22320: Emergency management – Requirements for incident response – published December 2011
ISO 22322: Emergency management – Public warning
ISO 223XX: Organizational Resilience
ISO 22324: Emergency management – Colour coded alert
ISO 22325: Emergency management – Guidelines for emergency capability assessment
ISO 22351: Emergency management – Shared information awareness
ISO 22397: Public/Private partnerships – Guidelines to set up partnership agreements
ISO 22398: Guideline for exercises and testing
ISO/PAS 22399: Guideline for incident preparedness and operational continuity management – published in 2007
Types of Standards
Management System Standards
Specify requirements that can be applied to any organization, regardless of the product it makes or the service it performs
• Auditable
• Organizations can be certified to these standards as complying with their requirements
– ISO 22301 is the only standard in this series that is a management system standard
-
Types of Standards
Guidance
Types of Standards
Technical Report
-
Types of Standards
Published Document
Types of Standards
Publicly Available Specification
A step in the process of standardization. It includes useful and practical information that can be made available quickly to suit the market need of the developers and users of a product, process or service.
-
Standards Divided by Discipline
Emergency Management
(Public Sector)
ISO 22311: Video surveillance-Export interoperability
ISO 22315: Mass Evacuation
ISO 22320: Emergency management – Requirements for incident response
ISO 22322: Emergency management – Public warning
ISO 22324: Emergency management – Colour coded alert
ISO 22325: Emergency management – Guidelines for emergency capability assessment
ISO 22351: Emergency management – Shared information awareness
Business Continuity
(Private Sector)
ISO 22301: BCMS Requirements
ISO 22313: BCMS Guidelines
ISO 223XX: Organizational Resilience Principles & Guidance
Both
ISO 22300: Terminology
ISO 22312: Technological capabilities
ISO 22397: Public/Private partnerships
ISO 22398: Guidelines for exercises
ISO 22399: Guidelines for Incident Preparedness & Operational Continuity Management
Emergency Management Standards (Public Sector)
-
ISO 22311: Video Surveillance – Export Interoperability
ISO 22311: Video Surveillance – Export Interoperability
Purpose of the Standard: Video-surveillance is a crucial asset in intelligence collection, crime prevention, crisis management, forensic applications, etc.
The minimum requirement in societal security is for the authorities to be able to rapidly use the data collected by different CCTV systems from given locations.
-
Video Surveillance – Export Interoperability
Provides an export interoperability profile, which constitutes the exchange format and minimum technical requirements that ensure that the exported digital video-surveillance contents:
Are compatible with the replay systems,
Establish an appropriate level of quality, and
Contain all the context information (metadata) necessary for their processing.
Video Surveillance – Export Interoperability
It is crucial for societal security that present and future video-surveillance systems implement this interface to allow efficient forensic processing of the material produced, often in massive quantities.
This standard also contains provisions to ensure that citizen privacy measures can be implemented.
-
Video-Surveillance Systems Generic Architecture
A CCTV system usually consists of hardware, software and human elements.
The standard presents a CCTV system for security applications as functional blocks, which portray the various parts and functions of the system, as well as the interactions with the human stakeholders.
The Following Graphics are Provided
Functional blocks of a CCTV system for security applications
Generic files organization
Structure of the Audio-Video Package XML description and integration in the folder
Arrangement of the XML Descriptor
Arrangement of the descriptive metadata
Sensor metadata items
Event metadata items
-
Minimum Requirements for Interoperability
The implementation of this standard shall be such that widely available OS independent tools will allow for minimal processing of received standard files by societal security organizations, ensuring as a minimum the following and any combination thereof:
Videos and metadata display;
Direct access to the metadata without display of the videos;
Selection of content time slots;
Access to the sources defined by name or scene-location.
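As an added illustration (not code from the ICOR slides or from ISO 22311, whose actual descriptor schema is not shown here), the following Python reads a constructed package descriptor carrying sensor and event metadata and performs the four minimum operations listed above: metadata access without decoding any video, a video-plus-metadata display list, time-slot selection, and source lookup by name or scene location. The element names, attribute names and sample values are assumptions.

```python
"""Reader for a video-surveillance export package descriptor (added example).

The element/attribute names are a constructed stand-in, not the ISO 22311
schema: the slides only say a package carries an XML descriptor with sensor
and event metadata alongside the audio-video files.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample descriptor (hypothetical layout and values).
SAMPLE_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<AudioVideoPackage exportedBy="constructed-example">
  <Sensors>
    <Sensor id="cam-01" name="Lobby North" sceneLocation="Building A / Lobby"/>
    <Sensor id="cam-02" name="Car Park Gate" sceneLocation="Building A / Car park"/>
    <Sensor id="cam-03" name="Lobby South" sceneLocation="Building A / Lobby"/>
  </Sensors>
  <Events>
    <Event sensor="cam-01" start="2012-06-01T08:00:00Z" end="2012-06-01T08:30:00Z" file="video/cam-01_0800.mp4"/>
    <Event sensor="cam-02" start="2012-06-01T08:10:00Z" end="2012-06-01T08:20:00Z" file="video/cam-02_0810.mp4"/>
    <Event sensor="cam-03" start="2012-06-01T09:00:00Z" end="2012-06-01T09:15:00Z" file="video/cam-03_0900.mp4"/>
  </Events>
</AudioVideoPackage>
"""


@dataclass(frozen=True)
class Sensor:
    sensor_id: str
    name: str
    scene_location: str


@dataclass(frozen=True)
class Clip:
    sensor_id: str
    start: datetime
    end: datetime
    file: str


def parse_ts(value: str) -> datetime:
    """Parse the descriptor's UTC timestamps ('YYYY-MM-DDTHH:MM:SSZ')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_descriptor(xml_text: str) -> Tuple[Dict[str, Sensor], List[Clip]]:
    """Read sensor and event metadata only; no video file is ever opened.

    A package received from another organization is untrusted input: for
    production use, parse it with defusedxml (or an equally hardened parser),
    since xml.etree alone does not guard against entity-expansion attacks.
    """
    root = ET.fromstring(xml_text)
    sensors: Dict[str, Sensor] = {}
    for el in root.iter("Sensor"):
        sensors[el.get("id")] = Sensor(el.get("id"), el.get("name"), el.get("sceneLocation"))
    clips: List[Clip] = []
    for el in root.iter("Event"):
        sensor_id = el.get("sensor")
        if sensor_id not in sensors:  # dangling reference breaks replay context
            raise ValueError(f"event references unknown sensor {sensor_id!r}")
        start, end = parse_ts(el.get("start")), parse_ts(el.get("end"))
        if end <= start:
            raise ValueError(f"event for {sensor_id} ends before it starts")
        clips.append(Clip(sensor_id, start, end, el.get("file")))
    return sensors, clips


def find_sources(sensors: Dict[str, Sensor], *, name: Optional[str] = None,
                 scene_location: Optional[str] = None) -> List[str]:
    """Sensor ids matching a source name and/or scene location (exact match)."""
    return sorted(
        s.sensor_id for s in sensors.values()
        if (name is None or s.name == name)
        and (scene_location is None or s.scene_location == scene_location)
    )


def clips_in_window(clips: List[Clip], window_start: datetime,
                    window_end: datetime) -> List[Clip]:
    """Clips overlapping the requested time slot, ordered by start time."""
    if window_end <= window_start:
        raise ValueError("window end must be after window start")
    hits = [c for c in clips if c.start < window_end and c.end > window_start]
    return sorted(hits, key=lambda c: c.start)


def replay_list(sensors: Dict[str, Sensor], clips: List[Clip]) -> List[Tuple[str, str, str]]:
    """(file, source name, scene location) rows a replay tool would display."""
    return [(c.file, sensors[c.sensor_id].name, sensors[c.sensor_id].scene_location)
            for c in clips]


if __name__ == "__main__":
    sensors, clips = parse_descriptor(SAMPLE_DESCRIPTOR)
    print("Lobby sources:", find_sources(sensors, scene_location="Building A / Lobby"))
    window = clips_in_window(clips, parse_ts("2012-06-01T08:15:00Z"),
                             parse_ts("2012-06-01T08:25:00Z"))
    for row in replay_list(sensors, window):
        print(row)
```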
ISO 22315: Mass Evacuation
Photo captions: Israel; WWII Bomb; US Wildfires; Philippines Typhoon
-
ISO 22315: Mass Evacuation
Governments and Emergency Management Agencies have a duty to prepare to evacuate areas in readiness for major catastrophic incidents.
There is no template for the assessment of the plans for mass evacuation.
Plans are developed using different assumptions, relying on different data, and are often specific to immediate hazards rather than being broad in scope.
ISO 22315: Mass Evacuation
Purpose: To develop a framework against which planners can assess their planning for mass evacuation.
The framework will allow planners to identify how well developed their plans are and where additional resources might add value.
The content of the standard will, in part, be informed by a 10-country, 3 year EU project on how countries prepare for mass evacuation.
-
ISO 22315: Mass Evacuation
Covers 6 planning activities:
1. Preparing the public to evacuate;
2. Understanding the evacuation zone;
3. Making evacuation decisions;
4. Disseminating the warning message;
5. Evacuating pedestrians and traffic; and
6. Shelter management.
ISO 22315: Mass Evacuation
Will specify a consistent structure to plan for mass evacuation for a range of risks.
Will cover the following tasks:
Analyzing evacuation situations,
Preparing,
Training & exercising,
A common framework for debriefing/assessing response.
-
ISO 22320: Requirements for Incident Response
ISO 22320: Requirements for Incident Response
Published November 2011
Overall approach to preventing emergencies and managing those that occur, with a focus on international, national, regional, or local incidents
Specifies minimum requirements for effective incident response
• Utilizes the “command and control” process
• Decision support
• Traceability
• Information management
• Interoperability
-
ISO 22320: Requirements for Incident Response
Purpose: Need for a multi-national and multi-organizational approach for responding to an incident
Enables incident response organizations to improve their capabilities in handling all types of emergencies
Specifies minimum requirements for effective incident response
Process of Providing Operational Information
Diagram labels: Planning & Direction; Analysis & Production; Dissemination & Information; Collection; Processing & Exploitation; Mission
-
Multiple Hierarchical Command & Control Process
ISO 22322: Public Warning
-
ISO 22322: Public Warning
Purpose: Effective incident response needs structured and pre-planned public warning, which is the message broadcast by organizations dealing with societal security tasks to ensure the safety and security of the public and the vital functions of society.
Public warning consists of an alert message and a notification message.
It is necessary to establish a framework for risk identification, hazard monitoring, decision making, warning dissemination and evaluation.
ISO 22322: Public Warning
All organizations which are responsible for contributing to or issuing a public warning:
Should be aware of the system so that relevant, accurate, reliable, and timely information will be disseminated promptly (who);
Should take continuous efforts to raise and maintain public awareness about the process of public warning (to whom);
Should use all available means and technologies systematically and redundantly to ensure the highest quality of information (how);
Should specify the following four elements for safety action: when, where, what hazard, and how to cope with (what).
-
ISO 22322: Public Warning
Diagram: Public Warning Process, with labels Hazard Identification; Hazard Monitoring; Area Identification; Warning Activation; Warning Area; Warning Methods; Warning Dissemination; People at risk, resources, and coordination; Monitoring & Review; Implementation; Planning / Decision-Making; Public Warning
ISO 22322: Public Warning
-
ISO 22324: Colour-Coded Alert
ISO 22325: Emergency Capability Assessment
-
ISO 22325: Emergency Capability Assessment
Purpose: Provide organizations with key elements and an assessment tool in order to determine the organization's state of emergency capability.
Will seek to provide
• Road map
• Assessment model
• Assessment procedure
• Assessment criteria
• Assessment tool
ISO 22325: Key Elements
1. Leadership
2. Resources
3. Resource Management
4. Risk Management
5. Risk Analysis
6. Information & Communication
7. Command & Control
8. Coordination & Cooperation
9. Structure
10. Planning
11. Exercise & Training
12. Hazard Mitigation
13. Hazard Mitigation
14. Activation
-
Four Level Maturity Model
Assessment Procedure
-
ISO 22351: Shared Situation Awareness
ISO 22351: Shared Situation Awareness
A new standard not yet published in any manner – a new project.
-
Standards for Both Public & Private Sectors
ISO 22300 Societal Security - Terminology
Societal Security “Definition please?”
-
ISO 22300 Societal Security - Terminology
Purpose: Contains terms and definitions applicable to societal security to establish a common understanding so that consistent terms are used.
6 categories
• 2.1 Societal security
• 2.2 Management of societal security
• 2.3 Operational – Risk reduction
• 2.4 Operational – Exercise
• 2.5 Operational – Recovery
• 2.6 Technology
ISO 22300 Societal Security - Terminology
2.1 Societal security defined
Protection of society from, and response to, incidents, emergencies, and disasters caused by intentional and unintentional human acts, natural hazards, and technical failures
Civil protection
• Measures taken and systems implemented to preserve the lives and health of citizens, their properties, and their environment from unnatural events
-
ISO 22300 Societal Security – Terminology
2.1 Societal Security: All-Hazards, Disaster, Risk, Consequence, Threat, Risk Management, Business Continuity, Event, Hazard, Crisis, Incident, Mitigation, Resilience
ISO 22300 Societal Security – Terminology
2.2 Management of Societal Security: Capacity, Business Impact Analysis, Exercise Program, Risk Source, Emergency Management, Policy, Risk Owner, Performance, Objective, Partnership, Mutual Aid Agreement, Competence, Conformity / Nonconformity, Effectiveness, Corrective Action, Residual Risk, Continual Improvement
-
ISO 22300 Societal Security – Terminology
2.3 Operational – Risk Reduction: Vulnerability, Contingency, Risk Assessment, Work Environment, Training, Probability, Test / Testing, Prioritized Activities
ISO 22300 Societal Security – Terminology
2.4 Operational – Exercise: Scenario, After-action Report, Inject, Drill, Exercise Coordinator, Script, Monitoring, Observer, Exercise, Functional Exercise, Exercise Safety Officer, Full-Scale Exercise, Strategic Exercise, Exercise Annual Plan
-
ISO 22300 Societal Security – Terminology
2.5 Operational – Recovery: Coordination, Recovery, Improvisation, Protection, Shelter in Place, Operational Information, Incident Response, Command & Control, Incident Command
ISO 22300 Societal Security – Terminology
2.6 Technology: Forensic, CCTV System, Video-Surveillance, Scene Location
-
ISO 22312 Societal Security –Technological Capabilities
ISO 22312 Societal Security –Technological Capabilities
A Technical Report that outlines the work of the Technical Committee for ISO 223 and of:
ANSI Homeland Security Standards Panel (HSSP)
CEN BT/WG 161 Protection of the Citizen
ISO/IEC/ITU-T/SAG-S
Asian-Pacific Economic Cooperation (APEC) and Standards Australia Initiative
Documents work completed at the launch of the project
-
ISO 22397:Public-Private Partnership Agreements
ISO 22397:Public-Private Partnership Agreements
Purpose: Addresses principles, planning and development of partnership agreements with the objective of:
Managing relations among relevant organizations,
Promoting interoperability,
Enabling governance, and
Fulfilling the agreement.
The modeling framework should lead to benefits such as:
Structure to avoid and resolve conflicts among the organizations;
Synergy in the use of organizations' resources to achieve objectives;
Trust and sharing common procedures;
-
ISO 22398: Guidelines for Exercises
ISO 22398: Guidelines for Exercises
Purpose: Describes the procedures necessary for planning, implementing, managing, evaluating, reporting and improving exercises, and the testing designs to assess the readiness of an organization to perform the mission.
-
ISO 22398: Guidelines for Exercises
4 Establishing the foundation
4.1 Needs and gap analysis
4.2 Base of support
4.3 Framework
4.4 Scope
4.5 Exercises within the system
4.6 Planning Document
ISO 22398: Guidelines for Exercises
5 Planning & design
5.1.1 Developing aim and performance objectives
5.1.2 Team management
5.1.3 Risk management & information security
5.1.4 Environmental aspects
5.1.5 Gender and diversity aspects
5.1.6 Logistics
5.1.7 Communication
5.1.8 Resources
-
ISO 22398: Guidelines for Exercises
ISO 22398: Guidelines for Exercises
5.2 Design & development
5.2.1 General
5.2.2 Selecting exercise type
5.2.3 Exercise types
5.2.4 Exercise methods
5.2.5 Preparing scenarios
5.2.6 Documentation
5.2.7 Records
5.2.8 Intervention
-
ISO 22398: Guidelines for Exercises
Discussion Based
Seminar
Workshop
Tabletop
Game
Operational Based
Simulation
Drill
Functional
Full-scale
ISO 22398: Guidelines for Exercises
-
ISO 22398: Guidelines for Exercises
6 Conducting Exercises
6.1 Run through
6.2 Briefing
6.3 Launch
6.4 Wrap up
6.5 Post exercise briefing
6.6 Observation
ISO 22398: Guidelines for Exercises
7 Improvement
7.1 After action review
7.2 Evaluation
7.3 After action report
7.4 Management review
7.5 Corrective action
7.6 Implement follow up
-
ISO 22398: Guidelines for Exercises
ISO 22398: Guidelines for Exercises
-
ISO/PAS 22399: Guidelines for Incident Preparedness & Operational Continuity Management
ISO/PAS 22399: Guidelines for Incident Preparedness & Operational Continuity Management
Purpose: Provide general guidance for an organization to develop its own specific performance criteria for incident preparedness and operational continuity and design an appropriate management system.
Excludes specific emergency response activities such as disaster relief and social infrastructure recovery
-
ISO/PAS 22399: Guidelines for Incident Preparedness & Operational Continuity Management
This standard has essentially been replaced by ISO 22301 and ISO 22313; however, it still has some good information in it. It has not yet been retired, but it is not being reviewed for updating.
Business Continuity Management Standards (Private Sector)
-
ISO 22301: BCMS - Requirements
Published May 2012 - Developed from BS 25999-2:2007
Scope of the standard
Applicable to all types and sizes of organizations that wish to:
• Establish, implement, maintain, & improve a BCMS;
• Assure conformance with stated BCM policy;
• Demonstrate conformance to others;
• Seek certification/registration of its BCMS by an accredited third party certification body; or
• Make a self-determination and self-declaration of conformance with this International Standard.
Plan-Do-Check-Act Cycle Applied to BCMS
Diagram: Establish (Plan), Implement & Operate (Do), Monitor & Review (Check), Maintain & Improve (Act), forming a cycle of continual improvement of the preparedness & continuity management system. Interested Parties supply the requirements for preparedness & continuity management as input; managed preparedness & continuity is delivered back to Interested Parties as output.
-
ISO 22313: Guidance
This International Standard provides guidance to ISO 22301 for setting up and managing an effective business continuity management system (BCMS).
8.1.1 BCM Program Elements
From ISO 22313
-
BS 25999-2 & ISO 22301 Comparison
Topic | BS 25999-2 | ISO 22301
Context of the Organization | ---- | 4.1 & 4.2.1
Legal & Regulatory | 3.2.1.1 | 4.2.2
Scope & Objectives | 3.2.1 | 4.3 & 4.4
Management Commitment / Provision of Resources | 3.2.3 & 3.2.4 | 5 & 7
Policy | 3.2.2 | 5.3
Documentation | 3.4 | 7.5
BIA | 4.1.1 | 8.0, 8.1 & 8.2
Risk Assessment | 4.1.2 & 4.1.3 | 8.2.3 & 6.1
Strategy | 4.2 | 8.3
Plan Documentation / Implementation | 4.3 | 6.2, 8.4 & 7.4
Training & Awareness | 3.3 | 7.3
Exercising & Testing | 4.4.2 | 8.5
Program Maintenance & Improvement | 4.4.3, 5, & 6 | 9 & 10
*Reference Excel Comparison Document
Review of ISO 22301 by Category
4. Context of the Organization
5. Leadership
6. Planning
7. Support
8. Operation*
9. Performance evaluation
10. Improvement
*contains bulk of the requirements
-
4 Context of the Organization
4.1 Understanding the organization and its context
Diagram: Internal Factors; External Factors
4.2 Understanding Needs & Expectations of Interested Parties
From ISO 22313
-
4.3 Determining Scope of the System
The whole organization?
Or part of the organization?
Scope of Program vs. Scope of Certification
Diagram: Scope: BCM Program; Scope: Certification
-
5 Leadership
Management Shall Demonstrate Leadership
Diagram: Demonstrated Management Commitment; BCM Policy; Roles, Responsibilities & Authorities Defined
6 Planning
6.1 Actions to Address Risks & Opportunities
• Assure the BCMS can achieve its intended outcomes
• Prevent undesired effects
• Realize opportunities for improvement
• Evaluate the need to plan actions to address these risks and opportunities
6.2 BC Objectives & Plans to Achieve Them
• Be consistent with policy
• Take account of the minimum level of products and services acceptable to achieve its objectives
• Be measurable
• Take into account requirements
• Be monitored and updated as appropriate
-
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented Information
8 Operation
8.1 Operational Planning & Control
8.2 BIA & Risk Assessment
8.3 Business Continuity Strategy
8.4 Business Continuity Procedures
8.5 Exercising & Testing
-
8.1 Operational Planning & Control
The organization shall determine, plan, implement, and control those activities needed to address the risks and opportunities by:
a) Establishing criteria for those activities or processes
b) Implementing controls
c) Keeping documented information to demonstrate that they have been carried out as planned
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary
Including those that are contracted out or outsourced
8.2 The BIA & Risk Assessment
The organization shall have a formal and documented process for business impact analysis and risk assessment that:
BIA & RA (from ISO 22313):
Establishes context
Defines criteria
Evaluates potential impact of a disruptive incident
Accounts for legal and other requirements
Includes systematic analysis
Prioritization of risk treatments and costs
Defines required output
Information is kept up to date and confidential
-
8.2.2 Assessing Potential Impacts Over Time
Diagram (from ISO 22313): Consequences of Non-compliance; Damage to Reputation; Effects on Staff & Public Well-Being; Deterioration of Product or Service Quality; Reputation; Reduced Financial Viability; Environmental Damage
New Term: MBCO
Minimum Business Continuity Objective (MBCO)
Minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption
Diagram: Normal Operations vs. During a Disruption
-
ISO 31000 Risk Management Process
What may happen and why?
What are the consequences?
What is the probability?
How to mitigate or reduce the probability of the risk?
The process needs to take into consideration:
Financial,
Governmental, and
Societal obligations
The organization should understand the threats to and vulnerabilities of each resource required for each activity, and in particular those:
Required by activities with high priority
With significant replacement lead-time
ISO 31000
-
Document the Risk Management Strategy
Diagram: for each Product/Service at Risk the options are Accept Risk; Change, Suspend, or Terminate Product/Service; Transfer / Mitigate Risk; or Business Continuity (options to continue operations at pre-defined levels). Document & Sign Off = Risk Management Program. Resource categories: People, Facilities, Technology, Physical Assets, Supply Chain, Data & Information.
8.3.1 Determination & Selection of Strategies
Diagram (from ISO 22313): Control or mitigate; Financing / Insurance; Acceptance; Remove Risk to Activity; Cease or Change the Activity; Transfer Risk to another part of the Organization or a Third Party
-
8.3.1 Determination & Selection of Strategies
Diagram (from ISO 22313): Resource Relocation; Redundancy; Resource & Skills Replacement; Temporary Workaround; Manual Procedures; Asset Restoration
8.3.2 Establishing Resource Requirements
Diagram (from ISO 22313): Facilities, Equipment, Utilities & Consumables; Information, Data, Technology & Telecommunications Systems; Employees & Stakeholders; Transportation, Partners & Suppliers; Reputation; Finance
-
8.3.3 Protection & Mitigation
The organization shall consider proactive measures that:
Limit the impact of a disruption on the organization’s key services
Shorten the period of disruption
Reduce the likelihood of a disruption
8.4 Establish & Implement BC Procedures
8.4.1 General
8.4.2 Incident Response Structure
8.4.3 Warning & Communication
8.4.4 Business Continuity Plans
8.4.5 Recovery
-
8.4.1 Establish & Implement BC Procedures
The procedures shall:
a) Establish an appropriate internal and external communications protocol
b) Be specific regarding the immediate steps that are to be taken during a disruption
c) Be flexible to respond to unanticipated threats and changing internal and external conditions
8.4.1 Establish & Implement BC Procedures
The procedures shall:
d) Focus on the impact of events that could potentially disrupt operations
e) Be developed based on stated assumptions and an analysis of interdependencies
f) Be effective in minimizing consequences through implementation of appropriate mitigation strategies
-
8.4.2 Incident Response Structure
The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority, and competence to manage an incident.
Diagram levels: Strategic; Tactical; Operational
8.4.3 Warning and Communication
The organization shall establish, implement, and maintain procedures for
a) Detecting an incident
b) Regular monitoring of an incident
c) Internal communication within the organization and receiving, documenting, and responding to communication from interested parties
d) Receiving, documenting, and responding to any national or regional risk advisory system or equivalent
-
8.4.3 Communication and Warning
e) Assuring availability of the means of communication during a disruptive event
f) Facilitating structured communication with emergency responders
g) Recording of vital information about the incident, actions taken and decisions made
8.4.4 Business Continuity Plans
The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe.
Such procedures shall address the requirements of those who will use them.
-
8.4.4.3 Specific Types of Procedures
8.4.4.3.1 Incident / Strategic
8.4.4.3.2 Communications
8.4.4.3.3 Incident & Welfare
8.4.4.3.4 Resuming Activities
8.4.4.3.5 Recovery of ICT
From ISO 22313
8.4.5 Recovery
Goal: Get operations back to the state they were in before the incident.
Repair damage
Migrate operations from temporary premises back to restored or new location
From ISO 22313
-
8.5 Exercising & Testing
The organization shall conduct exercises and tests that:
a) Are consistent with the scope of the BCMS;
b) Are based on appropriate scenarios that are well planned with clearly defined aims and objectives;
c) Taken together over time validate the whole of its business continuity arrangements involving relevant interested parties;
d) Minimize the risk of disruption to operations;
e) Produce formalized post-exercise reports that contain outcomes, recommendations, and actions to implement improvements;
f) Are reviewed within the context of promoting continual improvement; and
g) Are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates.
Sections 9 & 10: Continuous Improvement
-
9 Performance Evaluation
9.1 Monitoring, Measurement, Analysis, and Evaluation
9.2 Internal Audit
9.3 Management Review
10 Improvement
10.1 Nonconformity and corrective action
The organization shall:
a) Identify nonconformities; and
b) React to the nonconformities, and as applicable
1. Take action to control, contain and correct them;
2. Deal with the consequences
-
10.2 Continual Improvement
The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS.
NOTE: The organization can use the processes of the BCMS such as leadership, planning and performance evaluation, to achieve improvement.
ISO 223XX: Organizational Resilience Guidelines
-
ISO 223XX: Organizational Resilience Guidelines
New proposed outline
Organizational Resilience Defined
What are the Benefits of Enhanced Resilience?
Behaviors that Support Resilience
Principles & Models that Support Resilience
Relationship to Risk Management
Measuring & Building Adaptive Capacity
What is Organizational Resilience?
Organizational resilience is the adaptive capacity of an organization in a complex and changing environment. (ISO 22300)
o Planning and decision-taking in order to build and sustain the adaptive capacity
of an organization in complex and rapidly changing circumstances;
o Achieving the agile treatment of a broad range of risks uniquely applicable to each organization; and
o Creating a culture that takes full advantage of adaptive change to meet its objectives and aims.
-
Benefits of Enhanced Resilience
Organizations with adaptive cultures, innovative thinkers and inner strength thrive in the face of unpredictable markets. As such, building resilience has daily business benefits.
Valikangas (2010)
Figure labels: Enhanced Leadership Capacity; Improved Performance; Ability to Change as Needed
Resilience Objectives
An organization accepts that adversity may cause it to cease operating
Exist in a reduced form after adversity
Regain pre-adversity position quickly and effectively
Improve aspects of its functioning so that it not only survives but possibly gains from event
-
Focus on Protection, Performance & Adaptation
Protection of business systems. These systems need to be robust enough to survive various assaults and/or intrusions.
Adaptation is required when circumstances change, demanding a change in the business focus, structure and processes.
Performance refers to the need to get things right the first time and to move quickly to correct errors.
Behaviors that Support Resilience
Open Communication: Communicate as openly and regularly as possible with all concerned stakeholders.
Honesty: Staff need to know that when they receive information it is truthful.
Authenticity: Do what you say. There must be alignment between the purpose and values of the organization and what they do.
Deep Knowledge & Expertise: Extensive training and exercises. Succession planning around key roles.
-
The Principles Model of Resilience
Resilience is an outcome
Resilience is not a static trait
Resilience is not a single trait
Resilience is multi-dimensional
Resilience exists over a range of conditions
Resilience is founded upon good risk management
Volume 25, No.02, April 2010
The Progression of Resilience Maturity
-
Static Model vs Principles Model
Integrated Functions Model
-
Attributional Model
Composite Model
-
Herringbone Model
Resilience Triangle Model
-
Resilience Strategies Model
Characteristics that Support a Resilient State
Ability to recognize precedence
Ambiguity Tolerance
Creativity & Agility
Stress Coping
Learnability
-
Risk Management Can Increase Resilience
2010 study by FM Global showed a positive correlation between earnings stability of a company and their investment in physical loss prevention.
By pursuing strong physical risk management processes and systems to reduce the likelihood and size of losses, a company can potentially achieve a measurable reduction in earnings volatility.
(40% less volatile than companies with less advanced risk management)
Resilience Benchmark Survey
-
Dimensions & Indicators of Resilience
Questions?
Lynnda Nelson
President, ICOR
866-765-8321 North America
+1630-705-0910 International
www.theICOR.org
Jim Nelson
Chair, ICOR
President, [email protected]
866-629-6327
www.BusinessContinuitySvcs.com