8/13/2019 Article on ISO 22301_V1 0
STANDARD
ISO 22301
ISO 22301: Business Continuity Management in a single framework
By Matthieu Aubigny, Alex Mckinnon, itrust consulting

In a world where business management is synonymous with strict management, the continuity of business activities has become more and more important. If business continuity management needs some operational rules, the new standard ISO 22301, published in June 2012, gives the missing strategic guidelines to improve the quality of business continuity: a Swiss army knife for the new Business Continuity Officer, and future quality criteria through certification based on this new standard.

At present, business continuity management involves strict management to improve the profitability of each activity and to avoid idle assets or processes. However, another side of that business philosophy is less well known: minor incidents can affect the entire framework. For this reason, assuring business continuity, by overcoming incidents or security breaches, becomes more and more important. Moreover, as all business activities, including activities that are critical from a societal point of view, are interdependent in providing services to citizens, business continuity management is not just an option but one of the fundamental conditions for societal security in the worldwide economic environment.

Business continuity is not a new topic and has been addressed in two different ways.

Firstly, by international, European or governmental regulations which give strict guidelines to avoid threats to business continuity or to decrease the impact on societal security. For example, the financial regulations (Sarbanes-Oxley Act) to mitigate corporate and accounting risks, the banking regulations (Basel Accords) to mitigate financial and operational risks in the banking sector, and the European commercial regulations (MiFID) to control the market and protect investors. In Luxembourg, the CSSF regulations encourage transparency of the financial market to avoid disruption and financial cascading effects.

Secondly, by more technical guidelines for implementing continuity, developed by professional groups such as the British Standards Institution with BS 25999, the German Federal Office for Information Security (BSI) with BSI-Standard 100-4, the US DRII (Disaster Recovery Institute International), and the British BCI (Business Continuity Institute). We could also mention, more recently (2011), ISO 27031, which addresses the concepts and principles of information and communication technology (ICT) readiness for business continuity and provides a framework of methods to implement this readiness. Specific standards are also directly linked to business continuity, such as the standards provided by the NFPA (National Fire Protection Association) to enforce the protection of business assets.

However, to ensure business continuity, an organisation which binds together all these aspects still misses the master piece needed to manage continuity accurately, to balance strategic regulations and technical points of view, and to harmonise business efficiency, risk and societal security. This standard, published in June 2012, exists in the form of ISO 22301.

The BCO as master key for the systemic framework

If the notions described in the standard are perfectly in line with the references mentioned above, the major points of the document are, on the one hand, to underline that business continuity management has to be considered as a systemic framework and for that reason shall be based on a specific management system, the BCMS (Business Continuity Management System); and, on the other hand, that this BCMS requires a dedicated team and especially a person responsible for BCMS implementation: "Top management shall provide evidence of its commitment to the establishment, implementation [...] of the BCMS by appointing one or more persons to be responsible for the BCMS with appropriate authority and competencies". Even if the standard does not underline this point, the BCO (Business Continuity Officer) becomes the master key of this new standard, in charge of building relationships between strategic and operational points of view, and between business and technical requirements, and of ensuring that all specifications are aligned with each other. The main role of the BCO, present in the standard more as a watermark than as an explicit definition, is to be the conductor of the whole set of processes involved in the BCMS, i.e. (as shown in the figure) on the one hand the management of the operational tasks involved in business continuity, and on the other hand the tasks necessary to ensure continuous improvement of the BCMS, as in a Quality Management System or an ISMS, and to maintain relations with top management. The standard also allows defining the profile of the future BCO: even if their responsibilities include operational tasks, their main duty requires management qualities above all and, without question, knowledge of the whole chain of the business activity and a high level of responsibility in the organisation, so as to be able to ensure a good relationship with every actor involved.
The BCMS in detail
The operations described in chapter 8 can be seen as a sub-cycle under the direct responsibility of the BCO (8.1), which includes four phases:
(8.2) A Business Impact Analysis (BIA) and a Risk Assessment (RA), which shall cover all relevant activities of the business, involve all persons responsible, and take into account the results of former tests of the BC infrastructure.
(8.3) The design of a BC strategy, taking into account the most critical activities according to the BIA and RA and involving a societal security point of view (financial and economic stability, interdependence of activities, etc.).
(8.4) The implementation of the procedures and processes necessary to deploy the strategy.
(8.5) The tests and exercises performed regularly to verify the operational level of the BC framework.
The management task of the BCO aims to ensure the reliability and sustainability of the BC activities:
(4) Analyse the business context precisely, to avoid misunderstanding the societal risk involved in the business activities and to define the target of evaluation (TOE), i.e. the scope of the BCMS.
(5) Implement a real relationship with stakeholders and top management according to a defined BC policy.
(6) Plan the BCMS strategy according to business priorities.
(7) Organise management support, i.e. the BCMS documentation, resources, awareness, training, etc.
(9) Review and assess the performance of the BC framework.
(10) Improve and verify the compliance of the BC framework.

In order to be operational for any business activity and organisation, the standard's focus remains generic, but it should be completed with the specific approaches provided by other standards:
- ISO 27005, which provides a recommended risk analysis framework.
- ISO 22313 (12/2012), which provides technical guidelines to apply the standard.
- ISO 22300 and ISO 22312, which specify on the one hand the BC vocabulary and on the other hand the modelling frameworks of threats, specific targets and counter-measures.
- ISO 27031, to deploy a BC framework in an ICT environment.
The certification process
The implementation of the standard's requirements can lead to the acquisition of an ISO certificate from a dedicated certification body. The process will be similar to ISMS certification under ISO 27001 or quality certification under ISO 9001. It is well known that this type of certification requires a significant workload, not only to set up but also to maintain the certification of a BCMS; the workload is similar to that of an ISO 27001 certification. Therefore, the main question for the organisation is one of opportunity: assessing the balance between benefits and costs. What could be the benefits of initiating such a certification?
- As a management standard, ISO 22301 will improve the quality of management and the business reactivity of the organisation.
- As the standard's process requires assessing all business processes and their related risks, its implementation will improve the organisation's knowledge of the whole chain of business processes, especially their criticality and interdependence.
- Linked to the previous benefits, and based on the dedicated responsibility of the BCO, the implementation of the standard will improve the reactivity of the organisation in case of a real crisis and avoid cascading risks in case of a security incident.
- The improvement of the legal compliance of the organisation.
- The improvement of the organisation's resilience.
- The improvement of the organisation's competitiveness by increasing the customers' confidence level.
- And last but not least, the improvement of societal security at any level (national, European or worldwide).

As certification bodies, organisations such as SNCH, LSTI, AFNOR Certification and BSI already propose to assess ISO 22301 compliance. Compliance with legal requirements at national or European level, customers' expectations or requirements, or a reduction of required capital could lead to initiating the certification process or audit; but in all cases, the reliability of the business will increase both for the customers and for the stakeholders. For all these reasons, itrust consulting will support organisations in applying the new standard by offering training and implementation expertise, as well as internal and external auditors.

The announced trainings in Luxembourg with exam by LSTI are: