TRANSCRIPT
ISO 22301 The New Standard for Business Continuity Best Practice
Sponsored By
Emergency Notification | Incident Management
Reputation Combat: Protecting Your Company’s Online Reputation ©Copyright 2011, Jonathan Bernstein 2 ISO 22301 2
Agenda
1. So what is ISO 22301?
2. The Benefits of ISO 22301
3. BS 25999 compared to ISO 22301
4. Planning to comply with ISO 22301
5. The Certification Process
6. Q & A
Sponsored by
Smarter Crisis Management
Emergency Notification Incident Management Mobile Crisis Communications
www.missionmode.com/mobile
This presentation is from a recorded webinar. To view and listen to the video presentation, visit:
www.missionmode.com/webinars
Presenter: John McGill, Managing Partner, ISO 22301 Ltd.
So What Is ISO 22301?
ISO 22301 has sprung from a need for global standardisation.
“I couldn’t help with the spill, I couldn’t do anything about getting the ship off the rocks.”
Statement made 10 days after the Exxon Valdez incident by Lawrence Rawl, CEO of Exxon Mobil
ISO 22301 was developed by the International Organization for Standardization (ISO), the world’s largest developer of international standards.
ISO 22301 identifies the fundamentals of best practice business continuity.
107 Steps to excellence
[Figure: “The Automata Fortress Model of Business”, showing the clause structure of ISO 22301: 0 Introduction; 1/2 Scope and References; 3 Terms and Definitions; 4 Understanding the Business; 5 Leadership; 6 Planning; 7 Support; 8 Operation; 9 Evaluation; 10 Improvement]
The Benefits of ISO 22301
Establish, implement, maintain and improve business continuity.
Meet the requirements of your business continuity policy.
Give key stakeholders confidence.
Save time and money.
So why will an organisation’s leaders decide they want to align with ISO 22301, or even become certified in it?
“I think the environmental impact of this disaster is likely to have been very, very modest.” —Tony Hayward, BP CEO
BS 25999 vs. ISO 22301
All core 25999 business continuity requirements are in ISO 22301.
ISO 22301 puts emphasis on:
Interested parties
Understanding the organisation
Monitoring performance and metrics
Legal and regulatory requirements
Crisis communications
[Table: BS 25999 and ISO 22301. Columns: Area of change | BS 25999 clause | ISO 22301 clause | Magnitude]
Areas of change listed on the slide:
Understanding the needs and expectations of interested parties
Understand the organisation
Document information
Monitoring, measurement, analysis and evaluation
Risk assessment
Business continuity policy
Communication & warning system
Management commitment
Determine the scope
Business continuity objectives
Clause cross-references as they appear on the slide (BS 25999 → ISO 22301):
4.1
4.1
5.2
4.3.3.3 → 7.4, 8.4.2, 8.4.3
4.4.3 → 9.1
3.2.1 → 4.3
3.2.1.1 → 6.2
3.2.2 → 5.3
3.4 → 7.5
4.1.2 → 8.2.1, 8.2.3
Full chart will be available for download.
Planning to comply with ISO 22301
ISO 22301 specifically requires you to define your approach for measurement and monitoring.
Business Continuity Management System (BCMS)
The key aspects of your ISO 22301 project:
1. Scope of business continuity
2. Business continuity Policy
3. Business continuity Objectives
4. Strategy for meeting the objectives
The Business Impact Analysis (BIA)
[Figure: the BIA process]
Identify Priority Activities (PA)
Review the initial impact and then the impact were the disruption to continue
Consider the impact were the resources upon which the PAs depend unavailable
Review the needs of interested parties
Evaluate the recovery timeframes
Develop the BIA into a risk log and then create Business Continuity Plans
Develop Incident Management
Train
Test
Resource requirements:
BCMS project leader: 1,000 Hours
Project team members: 36 Hours
Project board chairman: 130 Hours
Incident Management team members: 20 Hours
Executive: 20 Hours
Staff: 1 Hour
The Certification Process
Certification process:
Identify accredited certification companies
Meet a shortlist of companies
Appoint a certification company
Agree schedule with chosen company
Schedule audit and pre-audit meetings
ISO 22301 outlines BCMS requirements, but does not dictate how to plan in a prescriptive manner.
Heads Up: The auditor cannot act as a consultant and advise you.
Phase 1 audit: one day
Focuses on a review of your documents
Phase 1 non-conformities must be resolved before the Phase 2 audit.
Phase 2 will last two days and will comprise some further review of documents.
The outcomes are as per the Phase 1 audit, plus the option for certification.
The project to obtain certification should not be self-serving.
Proof that your business continuity planning is following best practice.
The ISO 22301 Standard can be downloaded at a cost of CHF 116 ($124 /€94).
Additional guidance can be downloaded in ISO 22313 at a cost of CHF 154 ($165/€126).