
Page 1: How to transition to ISO 22301 . . . One year on

Rob Acker
Business Continuity Lead Assessor
LRQA Ltd

Page 2: Agenda

• Structure of ISO 22301
• Detailed review – a walk through:
  • Section 4 – understanding
  • Section 5 – leadership
  • Section 6 – planning
  • Section 7 – support
  • Section 8 – operation
  • Section 9 – performance
  • Section 10 – improvement
• Transition
• How LRQA can help

Page 3: ISO 22301 and BS 25999 Comparison

Societal security

Page 4: Greater emphasis on business need and context

[Diagram: system framework shown as two linked PDCA (Plan, Do, Check, Act) cycles]

The horizontal – effective, efficient control of recovery: Policy, Direction, Acting on results
The vertical: Commitment, Plan, Controls, Objectives, KPIs, Measure

Page 5: PDCA – BCM cycle

[Diagram: Plan, Do, Check, Act cycle]

Plan – Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity in order to deliver results that align with the organization’s overall policies and objectives.

Do – Implement and operate the business continuity policy, controls, processes and procedures.

Check – Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.

Act – Maintain and improve the BCMS by taking corrective action, based on the results of management review and reappraising the scope of the BCMS and business continuity policy and objectives.

Page 6: Structural changes

• Name change – Societal security – contributing to a resilient society
• The new format is more consistent with other ISO management system standards (e.g. ISO 9001, ISO 14001), but retains the existing BC lifecycle
• 105 ‘Shall’s’ compared with the 56 of BS 25999
• Some simplification, clarification or re-wording and some new requirements.

[Chart: PDCA comparison – count of requirements per Plan, Do, Check and Act phase, BS25999 vs ISO22301]

Page 7: New Requirements Summary

• Formalisation of external and internal issues relevant to BCMS outcomes
• Management Commitment
• Business Continuity Objectives
• Legal and regulatory requirements
• Resource Planning
• 3rd Party Management
• Measures and Effectiveness

Page 8: Enhanced requirements

• 5.2 Management commitment
• 5.3 Policy requirements
• 6.2 Business Continuity Objectives
• 7.1 Resources
• 7.2 Communications

Page 9: Section 5 – Leadership

• Top management demonstrates leadership
• Compatibility of the BCMS with company strategic direction
• Integration, achievement of outcomes
• Policy enhancements include:
  • Provide the framework for setting business continuity objectives
  • Be communicated within the organization to all persons working for or on behalf of the organization within the scope of the BCMS

This clarifies existing requirements and aligns them with other management system expectations (e.g. roles, responsibility & authority definition, resource determination and review).

Page 10: Section 6 – Planning

• Business Continuity Objectives: SMART but practical, linking the analysis of issues and opportunities to operations and results
• Actions to address risks and opportunities: this risk assessment is aimed at corporate-level risks (for which a BCMS is effective mitigation) rather than operational risks that might trigger a BCMS response.

Page 11: Section 7 – Support

• Competence & awareness
• Communication
• Documents and records

Page 12: Section 7 – Resource requirements

• Clarifies the types of resources required to be considered
• All resources under the organisation’s control to be identified together with associated competences

Page 13: 7.4 Communication

• Essentially, you now need to define what is communicated, when, and to whom
• Needs to be tested

Page 14: Section 8 – Operation

• Business Impact Analysis & Risk Assessment
• Business Continuity Strategy
• Incident response
• Business recovery and continuity

Page 15: 8.4.4 Business Continuity Plans

Each plan covers:
• Purpose and scope
• Objectives
• Activation criteria and procedures
• Roles, responsibilities and authorities
• Communication requirements and procedures
• Internal and external interdependencies and interactions
• Resources, information and records

Page 16: 8.5 Exercise and Test

• Testing is explicitly mentioned
• Consistent with Policy AND Objectives
• Reviewed against aims and objectives
• Based on scenarios
• The communication and warning procedures shall be regularly exercised.

Page 17: Section 9 – Performance evaluation

• Determine what needs to be monitored or measured – the whens, whats and hows
• Methods to use
• When it needs to be done
• When analysis needs to be done
• Action on adverse trends
• Periodic review of legal and regulatory requirements.

Page 18: 9.3 Management Review

Gone:
• Results of education & training programmes
• Level of residual risk and acceptance as input
• Feedback from interested parties
• ‘When significant changes occur’

New:
• Trends, audits and measures
• Changes required to policy and objectives
• Updates to BIA, RA and BCPs
• Security requirements rather than resilience
• Changes to contractual requirements.

Page 19: The Conversion Process

• Conducted an internal audit of our old BCMS against the new ISO standard, thereby identifying potential non-conformities
• Re-ordered our BCMS so that it followed the ISO chapter headings, making it easier for the external certifying body to audit the system.

Page 20: Changes to the BCMS…

• To reflect the enhanced top management role
• Ensured that the BCMS stated the links between business continuity and the business as a whole, with demonstrable evidence of how it is incorporated into the business processes (strategic direction and operational control)
• Review of the process in terms of upstream (supply chain) and downstream (impact on clients), to better demonstrate the accountability of 3rd party suppliers
• Independent audits of critical outsourced dependencies incorporated into the Monitoring and Measurement process.

Page 21: Changes to the BCMS (continued…)

• Improved alignment with day to day running of the business
• Review and utilisation of ISO 31000 principles in managing operational risks
• Improved iteration of risk assessment
• Developed simple but effective risk controls
• Carried out simulation exercise
• Improved proactive, preventive controls throughout operations

Page 22: Challenges

• Being able to prove to an auditor that the business continuity plan can achieve “Recovery of its activities to a predetermined level, based on management approved recovery objectives.”
• Specific plans are required for any RTOs for critical activities that are time sensitive.

Page 23: Summary

• The changes from BS 25999 to ISO 22301 are not a great leap into the unknown; rather, the transition is a process of evolving the BCMS
• The initial internal audit is crucial to critically analyse the changes required to ensure our BCMS conformed to ISO 22301.

Page 24: What to expect from LRQA . . . Transition Plans

• UKAS requirements on Certification Bodies (CBs) drive the maximum period to transition
• CBs must transition by 30 May 2014
• No new client certificates or renewals to BS 25999 in 2014
• For how long does your BS 25999 certificate remain valid?
  • 30 May 2015 at the latest, but this is governed by other rules . . .
• Client transition should be at the first surveillance or renewal after CB transition.

Page 25: What to expect from LRQA . . . Transition Plans

How long would the transition audit take?
• Up to 1 day, depending on approach

What is the approach to the transition audit?
• Can take place at a surveillance visit
• Driven by a checklist pre-completed by the organisation with supporting information
• Additional time will be required if the checklist is completed following ‘exploration’ by the assessor
• Any deficiencies will be reported as findings in the usual way. As long as these are minimal and a corrective action plan has been agreed, the assessor will recommend approval to the ISO 22301 standard.

Page 26: What to expect from LRQA . . . Transition Plans

What happens if you are part way through your initial assessment against BS 25999?
• Subject to normal assessment limitations, the limit is 31 December 2013 (BS25999 expires 1 June 2014)
• Switching standards between Stage 1 and 2 is not recommended and will require some additional time to check the new requirements have been met.

Page 27: Any questions?

Lloyd's Register Quality Assurance Limited (LRQA) is a subsidiary of Lloyd's Register Group Limited.

Come and see us on Stand 23

Thank you!

Rob Acker, Lead Assessor
Lloyd’s Register Quality Assurance Limited
Hiramford, Middlemarch Office Village
Siskin Drive, Coventry, CV3 4FJ, United Kingdom
T +44 (0)24 7688 2343
E [email protected]
W www.lrqa.co.uk