
Upload: dinhdiep

Post on 08-Feb-2018


The Impact of ISO 22301: Moving Your BCM Program to a Management System

Implementing the Newly Approved International Business Continuity Management System Standard & Guidance Documents

We have all sat through presentations on “How to Get and Keep Management Support for Your BCM Program.” The problem is now solved. The new question becomes, “How to Implement an Auditable and Internationally-Accepted Business Continuity Management System.”

Moving your business continuity program to a management system requires management commitment. It involves embedding business continuity management into the culture of the organization. It is the endgame. It is what we have been seeking. We finally have a “standard” method for BCM program development and improvement. We no longer need to rely on “Consultant X’s ‘Patented Approach.’” We no longer have to discuss and argue about definitions. The vocabulary is defined.

So how do you begin?

1. Learn about the standards. Buy them. Read them. Study them. Take classes on how to implement them.
2. Benchmark your current program against the requirements of the standards. What’s missing? In what areas can you improve your program?
3. Use the guidance documents to guide you through the process (it’s why they’re there!)
4. Demonstrate to management how the implementation of the standard will increase the resilience of your organization.

Learn About the Standards

ISO 22301: Societal Security – Business Continuity Management Systems – Requirements is one standard that is part of a series of standards developed with the intention to, as defined in ISO 22312: Technical Specifications, “…work towards international standardization that provides protection from and response to risks of unintentionally, intentionally, and naturally-caused crises and disasters that disrupt and have consequences on societal functions.” This series of standards addresses “public planning & response” as well as “private sector planning & response.” The intent of ISO 22301 is to “provide the structure for an organization to design a BCMS that is appropriate to its needs and that meets its interested parties’ requirements.” Built upon the foundation of British Standard 25999-1:2007, it provides a framework for both BCM program development and improvement. If you are familiar with the requirements of BS 25999-1 you will note the following changes or modifications:

• New! Understanding of the Organization and its Context
Terminology has been changed from “key stakeholder” to “interested parties.”

• Determining the Scope of the System
Organizations must now document and explain exclusions from the scope of the BCMS.

• ISO 22300: Societal Security – Terminology
• ISO 22313: BCMS – Guidance
• ISO 22398: Exercises and Testing – Guidance

It is important for the cornerstone of the BCMS to be built upon an understanding of what internal and external factors should be taken into consideration when evaluating risk management and the requirements of interested parties.

• Leadership & Support
The standard is very specific on how management demonstrates its commitment. ISO 22301 also includes the other requirements for competency of personnel and the required resources that were included in BS 25999-1.

• The Business Impact Analysis & Risk Assessment
Maximum Tolerable Period of Disruption (MTPD) and Maximum Acceptable Outage (MAO) have been redefined as, “time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.” The combination of Recovery Time Objective (RTO) and MBCO and setting prioritized timeframes for recovery of activities at a minimum acceptable level – taking into consideration the time within which the impacts of not resuming them would become unacceptable – is new language regarding the Business Impact Analysis.

New Term! Minimum Business Continuity Objective (MBCO): Minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption.

Regarding Risk Management, ISO 22301 specifically points to ISO 31000: Risk Management – Principles and Guidelines as a reference for how to manage risk. Just as in BS 25999, the scope of the risk assessment may be limited to the scope of the business continuity management system. It can also be “enterprise” risk management, but that is not a requirement of ISO 22301.

• Business Continuity Strategy
What is interesting about how ISO 22301 has worded this section of the standard is that it requires the organization to differentiate between how it is going to mitigate identified risks that require treatment, and those activities and their dependencies that need to have strategies developed to stabilize, continue, resume, and recover their operation as well as mitigate, respond to, and manage impacts. ISO 22313 (Guidance) offers these examples of what this might include.

ISO 22301 draws a direct connection between the outputs of the BIA and RA and the development of risk treatments, including strategies for continuity and recovery. Included in this step is the establishment of resource requirements, with the specific types of resources to be considered (at a minimum) as illustrated in the graphic. As part of the planning stage, the organization must document the following resource requirements:

[Graphic: Establishing Resource Requirements]

• Business Continuity Objectives & the Plans to Achieve Them, Implementing Business Continuity Procedures, and Communication
This section of the Standard is where there have been significant changes in both the organization and framework. In BS 25999-1, there was an incident response structure with incident management plan content as well as requirements for any types of plans. These requirements remain but have been expanded upon.

Expanded Focus on Communication
In ISO 22301 the focus is much larger in scope and in requirements. In addition to the required incident response structure, there is a focus on communication of business continuity requirements and objectives as well as a warning and communication structure that is to be used to detect an incident, to monitor an incident, to document an incident, and the means of communicating during and after an incident. Included also is the need to document what will be communicated, when to communicate, and to whom to communicate. The organization must also establish procedures for receiving communications from interested parties. ISO 22301 has included requirements of ASIS.SPC.1:2009 and NFPA 1600:2010 in this section.

The following sections included in ISO 22301 do not vary significantly in intent or requirements from BS 25999-1, although they may be organized differently between the two standards:

• Legal and regulatory requirements
• Policy
• Documented information
• Awareness
• Exercising and Testing
• Performance Evaluation, Continuous Improvement, Audit – with the exception that ISO 22301 does not include the requirement for preventive actions.

Benchmark your current program against the requirements of the standards

What’s missing? In what areas can you improve your program? This is where the real work begins. Certifying Bodies often report that 90% of the time and resources required for a certification audit is in the preparation for the audit and not the audit itself. Don’t underestimate the time it will take to bring your organization into conformance with a standard. But the upside is, it gives you specific program improvement goals and objectives that should provide for an annual budget.

Use the guidance documents to guide you through the process (it’s why they’re there!)

Yes, each standard and the guidance documents cost money. You can find out the exact cost by visiting http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_tc_browse.htm?commid=295786

• ISO 22300: Societal Security – Terminology: Use this as a reference for how the world is going to be using terms related to business continuity in the future. Consider the need to modify and update how your organization defines terms and the relevance of aligning to international standards (or not).

• ISO 22313: Societal Security – Business Continuity Management Systems – Guidance: A great resource for how to interpret the requirements of ISO 22301. Kind of like having a “teacher’s guide” for the standard. This document is also utilized by Certifying Bodies as a reference document for understanding the requirements.

• ISO 22398: Societal Security – Exercises and Testing – Guidance: Learn how to manage your testing and exercise program. Why are tests “pass or fail” and exercises a demonstration of “improvement of the system?” Activities are organized as “discussion-based” or “operationally-based.” Includes great Annexes with examples of how to do everything from creating a scenario to evaluating the exercise itself.

Demonstrate to management how the implementation of the standard will increase the resilience of your organization

This is really where the “rubber meets the road,” or how you can gain traction. Sometimes program leadership is not interested in aligning their “customized” and “internally created” program to a management system. The argument is made that if they tell senior management that changes need to be made, senior management will question the quality of the current program.

Do you want management to believe that they have a state-of-the-art program only to discover later that it didn’t meet the requirements of an international standard? A management system requires continual improvement. A management system involves management. It requires management to demonstrate commitment. The standard provides a baseline for what that commitment looks like and the requirements of the program leadership.

A management system approach (versus the current, often siloed approach) is more efficient and ties to other management systems often in place in the organization. It can eliminate waste and duplication of services. It embeds BCM into the culture of the organization versus maintaining ownership with a few individuals.

A management system is a proven framework for managing and continually improving your organization’s policies, procedures and processes. Business units work with a shared vision, with information sharing, benchmarking, and team work.

Seeking Third-Party Certification?

ISO 22301 is being considered for adoption by DHS/FEMA as an additional standard that can be used for PS-Prep™ certification. The addition of the international standard will allow organizations to concurrently fulfill the U.S. national interests for preparedness with international trade interests. Show your support for the adoption of ISO 22301 as a PS-Prep™ standard by writing a letter to FEMA/DHS Administrator W. Craig Fugate. For more information, contact Lynnda Nelson by email at [email protected].