
IT-SeCX 2015-11-06 © 2015

Dr. Wolfgang H. Mahr, M.Sc., BBA, MBCI, CISA

governance & continuuuity gmbh CH-8408 Winterthur, Switzerland

www.continuuuity.ch LinkedIn, XING, Twitter, YouTube [email protected]

Page1


Why a BIA?

BIA in the BCM Lifecycle

Outcomes of the BIA

BIA supporting BCM Goals

ISO 22317 on the BIA

BIA Approaches

Challenges when doing a BIA

Sokrates Maps – what’s this?

Sokrates Maps Benefits and Applications

Sokrates Maps for the BIA

BIA Critical Success Factors


This contribution underlines the fundamental importance of one of the most important phases in the BCM lifecycle – the BIA.

Other, subsequent, phases, such as selecting one or more business continuity strategies or formulating a BC plan, exhibit a much smaller space of choices than the BIA, which is primarily an information-gathering stage charged with understanding the business.

Critically important information needs to be unearthed and, ideally, not one important aspect may be omitted or forgotten. This is the reason why ISO TC 292 (formerly 223), after developing ISO 22301 and ISO 22313, has embarked on developing a standard on the BIA: ISO 22317.

This paper focuses on a visualization and presentation method newly applied to the BIA process, in order to better understand a company’s processes, resources and their interdependencies.

Why a BIA?

BCM is a cyclic process

BCM is based on continuous improvement

BIA makes you know your processes better

BIA is the base for the subsequent development of one or more Business Continuity Strategies


Increase the efficiency of the organisation

Evaluate alternative strategic planning options

Assist in long-term strategy decision making

Assist in developing a risk analysis

BIA in the BCM lifecycle (figure)

Reference: The Business Continuity Institute

BIA in the BCM lifecycle (figure)

Reference: ISO 22301:2012

Outcomes of the BIA

Major outcomes include:

◦ Validation of the organisation’s BC programme scope

◦ Identification of requirements the organisation

◦ Determination of impacts, over time (of disruptions)

◦ Identification of relationships between
    products/services
    processes
    activities
    resources

◦ Resources needed to perform prioritised activities, such as facilities, people, assets, supplies, financial resources

◦ Dependencies and interrelationships

◦ …

BIA supporting BCM Goals

Protects company value and reputation

Safeguards the reputation and future of the company in an emergency

Increases shareholder value and demonstrates commitment by management

Assures the survival of the company in the case of a serious incident

Minimizes financial losses in case of an incident or emergency

ISO/TS 22317 on BIA

Developed by ISO TC 292 (“Security and Resilience”)

Currently a DTS (Draft Technical Specification)

Published in September 2015

Based on ISO 22301, ISO 22313 and ISO 22300

Focus on performing the BIA:

◦ Project Planning and Management

◦ Product and Service Prioritisation

◦ Process Prioritisation

◦ Activity Prioritisation

◦ Analysis and Consolidation

◦ Top Management Endorsement of BIA Results

Annexes on

◦ Terminology Mapping

◦ Information Collection Methods

BIA Approaches

Gold, Silver, Bronze

Strategic / Tactical

Iterations

Questionnaires

Workshops

Interviews

◦ Middle Management

◦ Process Owners

Challenges when doing a BIA

Commitment

Level of effort

“Right” effort

Correctness / Completeness

No excessive overlap / no white spots

Sokrates Maps – what’s this? (three figure slides)

Sokrates Maps – Benefits

Benefits

◦ Foundation of method

◦ Psychological background

◦ Common view across hierarchies and disciplines

◦ Discover new:
    ideas
    facts
    relationships
    dependencies

Communicate & visualize

Hierarchical view on complex situations

Electronic representation, communication and archiving

Sokrates Maps – Applications (three figure slides)

Board Level view of a hospital:

Get the big picture

◦ Based on details

Sokrates Maps for BIA

Visualisation of the standards (psychological foundation)

◦ ISO 22301, ISO 22317 (maturity model)

Assessment tool, BIA support tool

◦ Presentation of BIA findings (electronic representation, communication and archiving)

◦ Usage as questionnaire (maturity model, psychological foundation)
    single person or in workshops

◦ Visualisation (hierarchical, common view across disciplines)
    overlaps (discover ideas, facts, relationships, dependencies)
    gaps (discover ideas, facts, relationships, dependencies)
    redundancies (discover ideas, facts, relationships, dependencies)

◦ Enhanced BIA quality and maturity

BIA Critical Success Factors

Follow best practices such as

◦ BCI’s Good Practice Guidelines and/or

◦ ISO standards such as ISO 22301, ISO 22313 and ISO/TS 22317

Obtain top management commitment

Apply project management methodologies

Follow a BIA approach fit for the selected type of BIA

Use an approach compatible with the company’s structure

Deploy tools helping to obtain a “true and fair” representation of products, services, priorities, dependencies and requirements

Develop a hierarchical view on complex situations

Use electronic representation, communication and archiving

Thank you