TRANSCRIPT
IT-SeCX 2015-11-06 © 2015
Dr. Wolfgang H. Mahr, M.Sc., BBA, MBCI, CISA
governance & continuuuity gmbh, CH-8408 Winterthur, Switzerland
www.continuuuity.ch (LinkedIn, XING, Twitter, YouTube), [email protected]

Why a BIA?
BIA in the BCM Lifecycle
Outcomes of the BIA
BIA supporting BCM Goals
ISO 22317 on the BIA
BIA Approaches
Challenges when doing a BIA
Sokrates Maps – what’s this?
Sokrates Maps Benefits and Applications
Sokrates Maps for the BIA
BIA Critical Success Factors

This contribution underlines the fundamental importance of one of the most important phases in the BCM lifecycle: the BIA.
Other, subsequent, phases, such as selecting one or more business continuity strategies or formulating a BC plan, exhibit a much smaller space of choices than the BIA, which is primarily an information-gathering stage charged with understanding the business.
Critically important information needs to be unearthed and, ideally, no important aspect may be omitted or forgotten. This is why ISO TC 292 (formerly TC 223), after developing ISO 22301 and ISO 22313, has embarked on developing a standard on the BIA: ISO 22317.
This paper focuses on a visualisation and presentation method newly applied to the BIA process, in order to better understand a company’s processes, resources and their interdependencies.

Why a BIA?
BCM is a cyclic process
BCM is based on continuous improvement
The BIA makes you know your processes better
The BIA is the base for the subsequent development of one or more Business Continuity Strategies
…

Increase the efficiency of the organisation
Evaluate alternative strategic planning options
Assist in long-term strategy decision making
Assist in developing a risk analysis
…

BIA in the BCM lifecycle
Reference: The Business Continuity Institute

Outcomes of the BIA
Major outcomes include:
◦ Validation of the organisation’s BC programme scope
◦ Identification of the organisation’s requirements
◦ Determination of impacts (of disruptions) over time
◦ Identification of relationships between
    products/services
    processes
    activities
    resources
◦ Resources needed to perform prioritised activities, such as facilities, people, assets, supplies, financial resources
◦ Dependencies and interrelationships
◦ …

BIA supporting BCM Goals
Protect company value and reputation
Safeguard the reputation and future of the company in an emergency
Increase shareholder value and demonstrate commitment by management
Assure the survival of the company in the case of a serious incident
Minimise financial losses in case of an incident or emergency

ISO/TS 22317 on BIA
Developed by ISO TC 292 (“Security and Resilience”)
Currently a DTS (Draft Technical Specification)
Published in September 2015
Based on ISO 22301, ISO 22313 and ISO 22300
Focus on performing the BIA:
◦ Project Planning and Management
◦ Product and Service Prioritisation
◦ Process Prioritisation
◦ Activity Prioritisation
◦ Analysis and Consolidation
◦ Top Management Endorsement of BIA Results
Annexes on
◦ Terminology Mapping
◦ Information Collection Methods

BIA Approaches
Gold, Silver, Bronze
Strategic / Tactical
Iterations
Questionnaires
Workshops
Interviews
◦ Middle Management
◦ Process Owners

Challenges when doing a BIA
Commitment
Level of effort
“Right” effort
Correctness / Completeness
No excessive overlap / no white spots

Sokrates Maps – Benefits
◦ Foundation of method
◦ Psychological background
◦ Common view across hierarchies and disciplines
◦ Discover new:
    ideas
    facts
    relationships
    dependencies
Communicate & visualise
Hierarchical view on complex situations
Electronic representation, communication and archiving

Sokrates Maps – Applications
Board-level view of a hospital: get the big picture
◦ Based on details

Sokrates Maps for BIA
Visualisation of the standards (psychological foundation)
◦ ISO 22301, ISO 22317 (maturity model)
Assessment tool, BIA support tool
◦ Presentation of BIA findings (electronic representation, communication and archiving)
◦ Usage as questionnaire (maturity model, psychological foundation)
    single person or in workshops
◦ Visualisation (hierarchical, common view across disciplines)
    overlaps (discover ideas, facts, relationships, dependencies)
    gaps (discover ideas, facts, relationships, dependencies)
    redundancies (discover ideas, facts, relationships, dependencies)
◦ Enhanced BIA quality and maturity
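The relationships a BIA has to unearth (products/services, processes, activities, resources and the impact of their disruption over time, as listed under Outcomes of the BIA) and the overlaps, gaps and redundancies a Sokrates Map is meant to make visible can be checked mechanically once the dependencies have been captured as data. The Python model below is an added example, not code from the presentation or from the Sokrates Maps tool; the hospital entities, the impact scores and the time scale are constructed sample data, and the function names are the example's own. It walks the four-level hierarchy, ranks resources by the combined impact their loss would cause after a given number of hours, and reports shared resources (overlaps / single points of failure) and unlinked entities (white spots).

```python
"""Toy BIA dependency model: products/services -> processes -> activities -> resources.

Added illustration only: the hospital entities, impact scores and time scale below
are constructed sample data, not taken from ISO/TS 22317 or from the presentation.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample data for a hospital (hypothetical names).
PRODUCTS: Dict[str, List[str]] = {            # product/service -> processes
    "Patient admission": ["Register patient", "Assign bed"],
    "Lab results": ["Run lab tests"],
}
PROCESSES: Dict[str, List[str]] = {           # process -> activities
    "Register patient": ["Capture identity", "Verify insurance"],
    "Assign bed": ["Check bed availability"],
    "Run lab tests": ["Analyse sample"],
    "Archive records": ["Scan paper files"],  # not linked to any product: a gap
}
ACTIVITIES: Dict[str, List[str]] = {          # activity -> resources
    "Capture identity": ["Admission desk", "HIS application", "Reception staff"],
    "Verify insurance": ["HIS application", "Insurer portal"],
    "Check bed availability": ["HIS application", "Ward phones"],
    "Analyse sample": ["Lab analyser", "LIS application"],
    "Scan paper files": [],                    # no resource mapped: a gap
}
# Every resource seen in the activity map, plus one inventoried asset nobody depends on.
RESOURCES: Set[str] = {r for rs in ACTIVITIES.values() for r in rs} | {"Backup generator"}

# Impact of an activity being unavailable as a step function of elapsed hours:
# (hours, score) pairs, score 0-10, rising over time as in a BIA impact-over-time table.
IMPACT_OVER_TIME: Dict[str, List[Tuple[int, int]]] = {
    "Capture identity": [(0, 2), (4, 6), (24, 10)],
    "Verify insurance": [(0, 0), (24, 3), (72, 6)],
    "Check bed availability": [(0, 4), (8, 9)],
    "Analyse sample": [(0, 5), (2, 10)],
    "Scan paper files": [(0, 0), (168, 2)],
}


def impact_at(activity: str, hours: int) -> int:
    """Impact score of `activity` being down for `hours` (last step reached applies)."""
    score = 0
    for start, value in IMPACT_OVER_TIME.get(activity, []):
        if hours >= start:
            score = value
    return score


def activities_using(resource: str) -> List[str]:
    """Activities that list `resource` as a dependency, sorted by name."""
    return sorted(a for a, rs in ACTIVITIES.items() if resource in rs)


def resource_impact(resource: str, hours: int) -> int:
    """Combined impact after `hours` if this single resource is lost."""
    return sum(impact_at(a, hours) for a in activities_using(resource))


def rank_resources(hours: int) -> List[Tuple[str, int]]:
    """Resources ordered by the damage their loss causes after `hours` (ties by name)."""
    ranked = [(r, resource_impact(r, hours)) for r in RESOURCES]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def overlaps() -> Dict[str, List[str]]:
    """Resources shared by more than one activity: single points of failure."""
    return {r: activities_using(r) for r in sorted(RESOURCES) if len(activities_using(r)) > 1}


def gaps() -> Dict[str, List[str]]:
    """White spots in the map: entities with no link to the level above or below."""
    linked_processes = {p for ps in PRODUCTS.values() for p in ps}
    return {
        "processes_without_product": sorted(set(PROCESSES) - linked_processes),
        "activities_without_resources": sorted(a for a, rs in ACTIVITIES.items() if not rs),
        "resources_without_activity": sorted(r for r in RESOURCES if not activities_using(r)),
    }


def resources_for_product(product: str) -> List[str]:
    """Walk product -> processes -> activities -> resources and collect the leaves."""
    found: Set[str] = set()
    for process in PRODUCTS.get(product, []):
        for activity in PROCESSES.get(process, []):
            found.update(ACTIVITIES.get(activity, []))
    return sorted(found)


if __name__ == "__main__":
    print("Shared resources:", overlaps())
    print("Gaps:", gaps())
    for hours in (0, 8, 24):
        print(f"Top resource after {hours}h:", rank_resources(hours)[0])
    print("Patient admission depends on:", resources_for_product("Patient admission"))
```

The ranking changes with the time horizon, which is the point of recording impact over time rather than a single score: in this sample the shared HIS application dominates at every horizon, but the lab analyser overtakes most single-activity resources within two hours. The gap report is what a questionnaire or workshop round should then be used to resolve, since an unlinked process or an activity without resources usually means an interview was missed, not that nothing depends on it.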

BIA Critical Success Factors
Follow best practices such as
◦ BCI’s Good Practice Guidelines and/or
◦ ISO standards such as ISO 22301, ISO 22313 and ISO/TS 22317
Obtain top management commitment
Apply project management methodologies
Follow a BIA approach fit for the selected type of BIA
Use an approach compatible with the company’s structure
Deploy tools helping to obtain a “true and fair” representation of products, services, priorities, dependencies and requirements
Develop a hierarchical view on complex situations
Use electronic representation, communication and archiving