ian charters and malcolm cornish.pptshop.bsigroup.com/upload/conferences/conference... · 2012. 12....
TRANSCRIPT
I S O 2 2 3 1 3 1
AGENDA
Why guidance?
Rules followed during ISO 22313 development
ISO 22313
• Structure
• Signposting
• Examples
• Explanations
• Terminology
• Types of plan
WHY GUIDANCE?
Eliminate confusion
Clarification of terms
Alternative interpretations
Expand and clarify
Identify relationships
Illustrations
RULES FOLLOWED
Relationship with ISO 22301:2012
Not prescriptive
New structure and text for all management systems
• JTCG: Guide 83 now Annex SL
APPLICATION OF PDCA MODEL
Following table indicates which sections are applicable:

PDCA stage                  | Applicable sections of ISO 22301 / ISO 22313
Establish (Plan)            | 4, 5, 6, 7
Implement and operate (Do)  | 8
Monitor and review (Check)  | 9
Maintain and improve (Act)  | 10

[Figure: PDCA cycle applied to the BCMS. Interested parties' requirements for business continuity enter the cycle; managed business continuity is delivered back to interested parties; the cycle drives continual improvement of the business continuity management system (BCMS).]
STRUCTURE
Same high-level structure as ISO 22301
Additional lower level headings, e.g.
8.3 Business Continuity Strategy
8.3.2 Establishing resource requirements
8.3.2.1 General
8.3.2.2 People
8.3.2.3 Information and data
8.3.2.4 Buildings, work environment and associated utilities
8.3.2.5 Facilities, equipment and consumables
8.3.2.6 Information communications technology (ICT) systems
8.3.2.7 Transportation
8.3.2.8 Finance
8.3.2.9 Suppliers
SECTION 8
LISTS AND CROSS-REFERENCES
Documented information required by this International Standard includes:
• The context of the organization (4.1)
• Legal, regulatory and other … (4.2.2)
• Scope of the BCMS and any exclusions (4.3.2)
• Business continuity policy (5.3)
…
In addition, documented information covering the following information may be required to ensure the effectiveness of the BCMS:
• Customer contracts …
INTERESTED PARTIES
EXAMPLES AND SUGGESTIONS
The organization should review current and pending statutory and
regulatory requirements in their locations which may include:
a) Incident Response: including emergency management and health,
safety and welfare legislation;
b) Continuity: which may specify the scope of the programme or the
extent or speed of response;
c) Risk: requirements defining the scope or methods of a risk
management programme; and
d) Hazards: operating requirements relating to dangerous materials
stored at the location.
NOTE Organizations operating in multiple locations often have to satisfy
the requirements of different jurisdictions.
EXAMPLES AND SUGGESTIONS
Business continuity strategy options
• Protecting prioritized activities
• Stabilising, continuing, resuming and recovering activities
BUT – what if prohibitively expensive?
EXPLANATION
[Figure: Mitigating impacts through effective business continuity – gradual disruption. Axes: level of operations against time. Labels: Warning; Incident; Resumption of activities at acceptable level within acceptable timeframe; Recovery Time Objective; Time at which impacts become unacceptable.]

[Figure: level of operations against time, with and without business continuity. Labels: Controlled response; Incident; Minimum acceptable level of operations; 1. Mitigating, responding to and managing impacts; 2. Shortened disruption; With business continuity; Without business continuity.]
TERMINOLOGY
No glossary – shared definitions with ISO 22301
Prioritized activities = No longer “critical”
MTPD – Estimating how long it would take for the impacts associated
with disruption of the organization’s activities to become
unacceptable;
NOTE 4: The time it would take for impacts to become unacceptable
can be referred to as ‘maximum tolerable period of disruption’,
‘maximum tolerable period’ or ‘maximum acceptable outage’. The
minimum level of product or service that is acceptable to the
organization can be expressed as the minimum business continuity
objective (MBCO)
I S O 2 2 3 1 3 13
BUSINESS CONTINUITY, BCM AND BCMS
Business continuity
• The capability of an organization to continue delivery of products or
services at acceptable predefined levels following a disruptive
incident
Business continuity management (BCM)
• The process of achieving business continuity
• Preparing an organization to deal with disruptive incidents that might
otherwise prevent it from achieving its objectives
Business continuity management system (BCMS)
• The system that enables BCM to be controlled, evaluated and
continually improved
TYPES OF PLANS
Incident management / strategic management procedures
Communications procedures
Safety and welfare procedures
Salvage and security procedures
Procedures for resuming activities
Recovery of information communications technology (ICT) systems
CONCLUSION
Lots of useful information and signposting
• Eliminate confusion
• Clarification of terms
• Alternative interpretations
• Expand and clarify
• Identify relationships
• Illustrations
Supplements ISO 22301:2012
ISO 22313 is not:
x Substitute for ISO 22301:2012
x Guide to BCM
The Future?
• Further Guidance?
• Revision cycle