Page 1: GS-7 ZAWADA-GIFFIN-AVALUTION- ISO22301 › images › conferences › sd2012 › sesmat › GS-7 ZAW… · Business Continuity Management Systems – Requirements ISO 22313 Business

ISO 22301 Has Arrived – Now What?

Brian Zawada & Robert Giffin

Avalution Consulting

© 2012 Avalution Consulting, LLC | All Rights Reserved

Enthusiasm?

Skepticism?

Unsure?

Raise your hand if:

Today’s Agenda: ISO 22301

• Value

• What is it?

• Why and how to use it

• What’s next?

Common Challenges

• Management Engagement

• Alignment to Business Strategy

• Common Vocabulary

• Risk Management Coordination

• Long-term Improvement

ISO 22301

World’s First International Business Continuity Standard!

What is a Standard?

What Standards ARE

• A collection of best practices and guidelines

• Developed collaboratively in a consensus process

• Evolutionary – revisited and revised at regular intervals

• Voluntary

What Standards ARE NOT

• Regulations

• Prescriptive

• Singularly focused on certification

• Industry Specific

What is a Standard?

• Requirements Standards: the WHAT

• Guidance Standards: the HOW

ISO 22301: Formation via TC 223

[Diagram] TC 223: Countries (45), Observers (20), Other Committee Liaisons

Technical Committee 223 Projects

• ISO Guide 73:2009: Terminology

• ISO 22301: Business Continuity Management Systems – Requirements

• ISO 22313: Business Continuity Management Systems – Guidance

• ISO 22320: Emergency Management – Requirements for Command and Control

• ISO 22397: Guideline to Set Up a Partnership Agreement for the Governance of Interoperability

• ISO 22398: Guidelines for Exercises and Testing

What is ISO 22301?

Introduction

• Section 1: Scope

• Section 2: Normative References

• Section 3: Terms and Definitions

Requirements

• Section 4: Context of the Organization

• Section 5: Leadership

• Section 6: Planning

• Section 7: Support

• Section 8: Operations

• Section 9: Performance Evaluation

• Section 10: Improvement

The Core of ISO 22301… Management Systems

Plan – Do – Check – Act

Content Caveat!

• Written for many audiences:

– All organizations in all countries

– Not designed to build business continuity professional competencies

• Minimal jargon

– Explanations used instead

Example ISO 22301 Wording:

The Business Impact Analysis shall include the following:

“...Setting prioritized timeframes for resuming activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming would become unacceptable;…”

Common Challenges (Addressed)

✓ Management Engagement

✓ Alignment to Business Strategy

✓ Common Vocabulary

✓ Risk Management Coordination

✓ Long-term Improvement

ISO 22301 and PS-Prep™

• PS-Prep™ will continue to include BS 25999 even though it will likely be withdrawn soon.

• ISO 22301 will likely be added to PS-Prep™

Why Use ISO 22301?

“Once a standard takes hold, people start to focus on the quality of what they do as opposed to how they are doing it.”

-Thomas L. Friedman, The World Is Flat – A Brief History of the 21st Century

Why Consider Standards?

• An answer for: “What are others doing?”

• A common language:

– Understand Risk

– Set Expectations

– Efficiency During Response and Recovery

BCI/LRQA-Sponsored Survey

• Main Advantage: Common Language (85%)

• Alignment – 67% in the next three years

Standards and Certification

Alignment with Standards DOES NOT mean an organization intends to (or should) pursue certification!

– Certification is a business decision

– Certification is an ongoing process (and expense).

Key Topic: Management Systems

• All recent standards use a management system based approach

• Management reviews enable continuous improvement

• Success Factors:

– Align to existing management systems

– Document procedures for repeatability

ISO 22301 Value

• Management and customers respect ISO standards

• A form of benchmarking

• Common language

• Drives engagement through continuous improvement

What’s Next?

Get a Copy of ISO 22301!

www.iso.org | www.ansi.org

Get to Know ISO 22301

• Read it and give it a chance! Understand the What, Why and How

• Standards aren’t designed to be complex just for complexity’s sake

• Introduce ISO 22301 to Management

Potential Focus Areas

• Scoping via Products and Services

• Management Engagement

• Risk Appetite

• Management Review

• Corrective Actions

Next Steps for TC 223

• Continuous improvement of new standards

• Finalize ISO 22313

• Organizational resilience

• Many other “projects”

Questions

Contact Information

Robert Giffin (CBCP, CISA), Director of Technology

Brian Zawada (MBCI, MBCP), Director of Consulting

866.533.0575 | www.avalution.com