2016-02-24.1© 2016
Dr. Wolfgang H. Mahr, M.Sc., BBA, FBCI, CISA
governance & continuuuity gmbh, CH-8408 Winterthur, Switzerland
www.continuuuity.ch, LinkedIn, XING, Twitter, [email protected]
Abstract
Why Standards?
Before ISO Standards
Basic Principles of ISO
How is ISO working?
History, Composition and Deliverables of ISO/TC 292
Business-Continuity-related Deliverables (WG2)
ISO 22301:2012, ISO 22313:2012, ISO/TS 22317:2015
ISO/TS 22318:2015, ISO/DIS 22316
ISO/TS 17021-6:2014
Work in Progress
Conclusions
ISO, the International Organization for Standardization, through its Technical Committee 292 (formerly 223), has developed a range of standards in the continuity and resilience fields.
Developed by experts from dozens of countries and adopted by a solid majority of national standards associations, these standards advance the profession by providing practitioners, regulators, management and customers with valuable implementation and auditing tools.
Find out about the deliverables provided by this Technical Committee and how they may support you.
Standards serve to raise the level of competencies of involved parties
Standards help understand involved parties’ degree of preparation and maturity
Standards help training of key personnel
Standards enable certification of organizations against publicly accepted criteria
International standards enable global organizations to achieve compliance in a number of jurisdictions
Management system standards enable continuous improvement
Before ISO standards
Many countries had local standards (UK, US, Israel, Singapore, Australia, …)
Many countries had no standards (Switzerland, Germany, …)
International organizations faced uncertainties
British standard BS 25999 served as de facto international standard
Equal representation: one vote per country
Voluntary membership: ISO does not have the authority to force adoption of its standards
Business orientation: ISO only develops standards for which a market demand exists
Consensus approach: looking for a large consensus among the different stakeholders
International cooperation: over 160 member countries plus liaison bodies
ISO is a network of national standardization bodies from about 160 countries
The final results of ISO developments are published as International Standards
Over 20,000 standards have been published since 1947
Standards are sold via www.iso.org or national standards associations
◦ Table of contents of most standards can be viewed
Amalgamation of three technical committees:
◦ ISO/TC 223 Societal security (2001-2014)
◦ ISO/TC 247 Fraud countermeasures and controls (2009-2014)
◦ ISO/PC 284 Management system for quality of PSC operations (2013-2014)
In June 2014 the Technical Management Board (TMB) of ISO decided to create a new technical committee, ISO/TC 292, into which the three committees were merged.
More info: http://www.isotc292online.org/
WG 1 Terminology
WG 2 Continuity and organizational resilience
WG 3 Emergency management (no change)
WG 4 Authenticity, integrity and trust for products and documents
WG 5 Community resilience
WG 6 Protective security
General
◦ ISO 22300 Societal security – Terminology
◦ ISO/TR 22312 Societal security – Technological capabilities
Business continuity management
◦ ISO 22301 Societal security – Business continuity management systems – Requirements
◦ ISO 22313 Societal security – Business continuity management systems – Guidance
◦ ISO/TS 22317 Societal security – Business continuity management systems – Guidelines for business impact analysis
◦ ISO/TS 22318 Societal security – Business continuity management systems – Guidelines for supply chain continuity
◦ ISO/IEC/TS 17021-6 Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 6: Competence requirements for auditing and certification of business continuity management systems
Emergency management
◦ ISO 22320 Societal security – Emergency management – Requirements for incident response
◦ ISO 22322 Societal security – Emergency management – Guidelines for public warning
◦ ISO 22324 Societal security – Emergency management – Guidelines for colour coded alert
◦ ISO/TR 22351 Societal security – Emergency management – Message structure for exchange of information
Community resilience
◦ ISO 22315 Societal security – Mass evacuation – Guidelines for planning
◦ ISO 22397 Societal security – Guidelines for establishing partnering arrangements
◦ ISO 22398 Societal security – Guidelines for exercises
Authenticity, integrity and trust for products and documents
◦ ISO 12931 Performance criteria for authentication solutions used to combat counterfeiting of material goods
◦ ISO 16678 Guidelines for interoperable object identification and related authentication systems to deter counterfeiting and illicit trade
Protective security
◦ ISO 22311 Societal security – Video-surveillance – Export interoperability*
◦ ISO 18788 Management system for private security operations - Requirements with guidance for use
◦ ISO 28000 Specification for security management systems for the supply chain
◦ ISO 28001 Security management systems for the supply chain – Best practices for implementing supply…
◦ ISO 28002 Security management systems for the supply chain – Development of resilience in the supply chain…
◦ ISO 28003 Security management systems for the supply chain – Requirements for bodies providing audit and certification …
◦ ISO 28004 Security management systems for the supply chain – Guidelines for the implementation of ISO 28000 (Part 1-4)
Lifecycle: The Business Continuity Institute
[Figure: the BCI lifecycle diagram, labelled with the deliverables BCMS Specifications, BCMS Guidance, Emergency Management, BIA, Glossary, Audit, Audit, Organizational Resilience and Supply Chain]
ISO 22301:2012 BCMS
Published 2012, revision process under evaluation
Based on ISO 22300
Management System for Business Continuity Management
◦ Based on ISO Management System Guidelines
◦ Similar structure as ISO 9001, ISO 27001, etc.
Certifiable standard: Specification ("shall")
◦ Varying acceptance worldwide
◦ Non-mandatory except when prescribed by a jurisdiction
Based on the Plan-Do-Check-Act Cycle
ISO 22301:2012 BCMS
Contents:
◦ Introduction
◦ Scope
◦ Normative references
◦ Terms and definitions
◦ Context of the organization
◦ Leadership
◦ Planning
◦ Support
◦ Operation
◦ Performance evaluation
◦ Improvement
◦ Bibliography
ISO 22301:2012 BCMS
[Figure: Plan – Do – Check – Act Cycle; reference: ISO 22301:2012]
ISO 22313:2012
Published 2012, revision process under evaluation
Based on ISO 22300 and ISO 22301
Same structure as ISO 22301
Non-certifiable standard: Guidance ("should")
ISO/TS 22317 on BIA
Published in September 2015
Based on ISO 22301, ISO 22313 and ISO 22300
Non-certifiable standard: Guidance ("should")
Focus on Performing the BIA:
◦ Project Planning and Management
◦ Product and Service Prioritisation
◦ Process Prioritisation
◦ Activity Prioritisation
◦ Analysis and Consolidation
◦ Top Management Endorsement of BIA Results
Annexes on
◦ Terminology Mapping
◦ Information Collection Methods
Challenges when doing a BIA
◦ Commitment
◦ Level of effort
◦ "Right" effort
◦ Correctness / Completeness
◦ No excessive overlap / no white spots
ISO/TS 22318 on Supply Chain Continuity
Published in 2015
Based on ISO 22301, ISO 22300
Non-certifiable standard: Guidance ("should")
Focus on Supply Chain Continuity:
◦ Why supply chain continuity is important
◦ Analysis of the supply chain
◦ SCCM strategies (Supply Chain Continuity Management)
◦ Managing a disruption in the supply chain
◦ Performance evaluation
ISO/TS 17021-6 Competence Requirements
Published in 2014
Based on ISO 22301 and ISO/IEC 17021
Developed in cooperation with ISO CASCO (Conformity Assessment), www.iso.org/iso/casco
Full title: Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 6: Competence requirements for auditing and certification of business continuity management systems
Non-certifiable standard: Guidance ("should")
Focus on Auditor Competencies:
◦ Generic competence requirements
◦ Competence requirements for the auditors and for personnel reviewing audit reports and making certification decisions
◦ Conducting the application review to determine the team competence required, to select the audit team members and to determine the audit time
◦ Annex A: Knowledge for BCMS auditing and certification
ISO/DIS 22316 on Organizational Resilience
To be published in 2016
Based on ISO 22301, ISO 22300
Non-certifiable standard: Guidance ("should")
Focus on Organizational Resilience:
◦ Principles and approach
◦ Attributes and activities for organizational resilience
◦ Evaluating the organization's strategy for organizational resilience
◦ Annex A: Relevant vocabulary
◦ Annex B: Relevant management disciplines
Work In Progress
Within WG2: standards on
◦ Human factors in business continuity (based on a UK standard)
◦ Business continuity strategy
◦ …
Conclusions
Standards…
◦ serve to promote good practices
◦ allow an assessment of a situation
◦ may serve as a base for certification
◦ serve to promote confidence in suppliers
◦ take some time to develop
◦ reflect the knowledge of a range of subject matter experts
◦ facilitate international operations and trade
◦ may serve as minimum requirements prescribed by a regulator
Thank you