ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Contents
Certified ISO 22301 Lead Implementer--------------------- 5
Exam Preparation Guide -------------------------------------- 267
Appendix A: Case Study ------------------------------------- 281
Appendix B: Exercises List ---------------------------------- 297
Appendix C: Correction Key for Exercises --------------- 319
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 3
Certified ISO 22301
Lead Implementer
Certified ISO 22301
Lead Implementer Training
Section 1
Course objectives and structure
a. Meet and greet
b. General Information
c. Training objectives
d. Educational approach
e. Examination and certification
f. Schedule for the training
Activity: Meet and greet

General Information
Use of mobile phones and recording devices
Use of a computer and access to the Internet
Emergency exit
Timetable and breaks
Meals
Absences
Some Industry Survey Results
On business continuity

Gartner Meta: 2 out of 5 enterprises experiencing a disaster will go out of business within 5 years

Insurance disaster report: 30% of businesses never reopen, while 29% go out of business within 2 years

Veritas: Gartner estimates that 40% of all businesses which lose all their data go out of business within 5 years

Business Continuity Institute: 80% of businesses that do not have business continuity plans go out of business within 13 months of a major incident

Recovery Research Group: Top 5 consequences of a disaster, 2006
1. Decreased employee productivity (62%)
2. Data loss (43%)
3. Reduction in profits (40%)
4. Damage to customer relationship (38%)
5. Reduction in revenue (27%)
Training Objectives
Acquiring knowledge
1. Understand the operation of a Business Continuity Management System based on ISO 22301 and its principal processes
2. Understand the goal, content and correlation between ISO 22301 and other standards and regulatory frameworks
3. Master the concepts, approaches, standards, methods and techniques for the implementation and effective management of a BCMS
Training Objectives
Development of competencies
1. Interpret the ISO 22301 requirements in the specific context of an organization
2. Develop the expertise to support an organization to plan, implement, manage, monitor and maintain a BCMS as specified in ISO 22301
3. Acquire the expertise to advise an organization on business continuity management best practices
4. Strengthen the personal qualities necessary to act with due professional care when conducting a compliance project
Educational Approach
Students at the center
Examination
Competency domains
1. Fundamental principles of business continuity
2. Business continuity management best practice
3. Planning a BCMS based on ISO 22301
4. Implementing a BCMS based on ISO 22301
5. Performance evaluation, monitoring and measurement of a BCMS based on ISO 22301
6. Continual improvement of a BCMS based on ISO 22301
7. Preparing for a BCMS certification audit
Certified ISO 22301 Lead Implementer
Prerequisites for Certification
1. Pass the exam
2. Adhere to the Code of Ethics
3. 5 years professional experience
4. 2 years business continuity experience
5. 300 hours project activity
6. Professional references
Why Become a Certified Implementer?
Advantages
Qualifying oneself to manage a BCMS project
Formal and independent recognition of personal competencies
Certified professionals usually earn salaries higher than those of non-certified professionals
QUESTIONS?
Certified ISO 22301
Lead Implementer Training
Section 2
Standard and regulatory framework
a. What is ISO?
b. Fundamental ISO principles
c. Management system standards
d. Integrated management system
e. Business Continuity standards
f. ISO 22301 and ISO 27001
g. ISO 22301 advantages
What is ISO?
ISO is a network of national standardization bodies from over 160 countries
The final results of ISO works are published as international standards
Over 19 000 standards have been published since 1947
Basic Principles – ISO Standards
1. Equal representation: 1 vote per country
2. Voluntary membership: ISO does not have the authority to force adoption of its standards
3. Business orientation: ISO only develops standards for which a market demand exists
4. Consensus approach: looking for a large consensus among the different stakeholders
5. International cooperation: over 160 member countries plus liaison bodies

Eight ISO Management Principles
Management System Standards
Primary standards against which an organization can be certified
ISO 9001: Quality
ISO 14001: Environment
OHSAS 18001: Health and safety at work
ISO 20000: IT service
ISO 22000: Food safety
ISO 22301: Business continuity
ISO 27001: Information security
ISO 28000: Supply chain security
Integrated Management System
Common structure of ISO standards

Requirements                         ISO 9001:2008  ISO 14001:2004  ISO 20000:2011  ISO 22301:2012  ISO 27001:2005
Objectives of the management system  5.4.1          4.3.3           4.5.2           6.2             4.2.1
Policy of the management system      5.3            4.2             4.1.2           5.3             4.2.1
Management commitment                5.1            4.4.1           4.1             5.2             5
Documentation requirements           4.2            4.4             4.3             7.5             4.3
Internal audit                       8.2.2          4.5.5           4.5.4.2         9.2             6
Continual improvement                8.5.1          4.5.3           4.5.5           10              8
Management review                    5.6            4.6             4.5.4.3         9.3             7
ISO 22301
Specifies requirements for BCMS management
Requirements (clauses) are written using the imperative verb “shall”
Integrates the PDCA (Plan, Do, Check and Act) model
Auditable: an organization can obtain certification against this standard
ISO 22301
Contents
Section 1 Scope
Section 2 Normative references
Section 3 Terms and definitions
Section 4 Context of the organization
Section 5 Leadership
Section 6 Planning
Section 7 Support
Section 8 Operation
Section 9 Performance evaluation
Section 10 Improvement
ISO 22313
Guide (code of practice) for implementing, maintaining and improving a Business Continuity Management System (reference document)
Clauses are written using the verb “should” to provide implementation guidance
An organization cannot obtain certification against this standard
History of the ISO 22301 Standard
1988 – 2013
1988: Creation of the DRI International (originally known as the Disaster Recovery Institute) in the USA
1994: Creation of the Business Continuity Institute (BCI) in the UK
2002: BCI publishes BCM Good Practice Guidelines
2003: Publication of PAS 56
2006: Publication of BS 25999-1
2007: Publication of BS 25999-2
2012: ISO published first version of ISO 22301
2013: ISO published first version of ISO 22313
Other Business Continuity Standards
Examples
Content and Correlation Between ISO 22301 and ISO 27001
ISO 27001, A.14: Business Continuity Management, mapped to the ISO 22301 requirements:
4.4 Business continuity management system
8.2 BIA and risk assessment
8.4 Business continuity procedures
6 Planning the BCMS
8.5 Exercising and testing
Exercise 1
Myths and Realities – Business Continuity

Business Continuity
Advantages
Predictable and effective response to crises
Protection of people
Maintenance of vital activities of the organization
Better understanding of the organization
Cost reduction
Respect of the interested parties
Protection of the reputation and brand
Confidence of clients
Competitive advantage
Legal compliance
Regulatory compliance
Contract compliance
Questions?
Certified ISO 22301
Lead Implementer Training
Section 3
Business Continuity Management System (BCMS)
a. Definition of a BCMS
b. Process approach
c. Overview – Clauses 4 to 10
d. Key components of a BCMS
What is Business Continuity?
Business-driven process that establishes a fit-for-purpose strategic and tactical framework that:
1. Proactively improves an organization’s resilience against the disruption of its ability to achieve its key objectives
2. Provides a rehearsed method of restoring an organization’s ability to supply its key products and services after a disruption
3. Delivers a proven capability to manage a business disruption and protect the organization’s reputation and brand
Business Continuity Management
ISO 22301, clause 3.4
Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities
Note: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources
Key Components of a BCMS
ISO 22301, Introduction
A BCMS, like any other management system, has the following key components:
1. A policy
2. People with defined responsibilities
3. Management processes relating to: policy; planning; implementation and operation; performance assessment; management review; improvement
4. Documentation providing auditable evidence
5. Any business continuity management processes relevant to the organization
Plan-Do-Check-Act (PDCA) cycle
ISO 22301, Introduction
Input from interested parties: business continuity requirements and expectations
Plan: establish a BCMS
Do: implement the BCMS
Check: monitor and review the BCMS
Act: maintain and improve the BCMS
Output to interested parties: managed business continuity
General requirements
ISO 22301
In summary
The organization shall establish, implement, maintain and improve a BCMS in accordance with the needs and the requirements of the interested parties
1. Understanding of the organization and its context
2. Determine needs and requirements
3. Implement & manage a BCMS
Context of the organization
ISO 22301, clause 4
Understanding of the organization and its context:
The organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties
Links between the business continuity policy and the organization’s objectives and other policies
The organization’s risk appetite
Understanding the needs and expectations of interested parties:
The interested parties needs that are relevant to the BCMS
The requirements of these interested parties
Legal and regulatory requirements
Determining the scope of the BCMS:
The organization shall determine the boundaries and applicability of the BCMS to establish its scope
When determining this scope, the organization shall consider the external and internal issues and the requirements
Leadership and Management Commitment
ISO 22301, clause 5.1 and 5.2
Strategic orientation
Ensure that the BCMS is compatible with the strategic orientation of the organization
Integrate the BCMS requirements into the organization’s business processes
Make resources available
Management shall determine and provide the necessary resources for the BCMS
Communication
Management shall communicate the importance of effective Business Continuity Management and conformance to the BCMS processes
Business Continuity Policy
ISO 22301, clause 5.3
Top management shall establish a business continuity policy that:
is appropriate to the purpose of the organization
provides a framework for setting business continuity objectives
includes a commitment to satisfy applicable requirements
includes a commitment to continual improvement of the BCMS
The BCMS policy shall:
be available as documented information
be communicated within the organization
be available to interested parties, as appropriate
be reviewed for continuing suitability at defined intervals and when significant changes occur
Organizational Roles, Responsibilities and Authorities
ISO 22301, clause 5.4
Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization
Top management shall assign the responsibility and authority for:
Ensuring that the management system is established and implemented in accordance with the requirements of ISO 22301
Reporting on the performance of the BCMS to top management
Objectives and Plans to Achieve Them
ISO 22301, clause 6.2
Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization
The objectives shall:
a) Be consistent with the business continuity policy
b) Take account of the minimum level of products and services that is acceptable to the organization to achieve its objectives
c) Be measurable
d) Take into account applicable requirements
e) Be monitored and updated as appropriate
Support
ISO 22301, clause 7
Resources: The organization shall determine and provide the resources needed for the BCMS
Competence: The organization shall ensure to have competent persons to perform tasks related to the BCMS
Awareness: Persons doing work under the organization’s control shall be aware of the BC policy, their roles in the BCMS and the requirements for the organization
Communication: The organization shall establish, implement and maintain arrangements for communicating with relevant external and internal interested parties
Documentation: The organization’s BCMS shall include documented information required by ISO 22301 and records to demonstrate the effectiveness of the BCMS
Documented Information
ISO 22301, clause 7.5
Document life cycle:
1. Creation
2. Identification
3. Classification and security
4. Modification
5. Approval
6. Distribution
7. Adequate use
8. Archiving
9. Disposal
A procedure must be established to manage the document life cycle
Business Impact Analysis and Risk Assessment
ISO 22301, clause 3.8, 3.50 & 8.2
Business Impact Analysis: process of analysing business functions and the effect that a business disruption might have upon them
Risk Assessment: overall process of risk identification, risk analysis and risk evaluation
Business Continuity Strategy
ISO 22301, clause 8.3
The organization shall determine appropriate continuity
options for:
B) Stabilizing, continuing, resuming
and recovering prioritized activities
Establish and Implement Business Continuity Procedures
ISO 22301, clause 8.4.1
The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident
General: The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis
Emergency Response and Crisis Management
Exercising and Testing
ISO 22301, clause 8.5
The organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives
Performance evaluation
ISO 22301, clause 9
BCMS monitoring and review:
1. Review of exercise and test of continuity procedures, post-incident reporting
2. Regular review of the effectiveness of the BCMS taking into account the feedback and suggestions of interested parties
3. Measurement of the effectiveness of the procedures
4. Review of risk assessments and BIA
5. Conducting the internal audits
6. Management review and update of business continuity plans & procedures
Note: Each of these actions must be documented and recorded
Improvement
ISO 22301, clause 10
The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS
The organization can use the processes of the BCMS such as leadership, planning and performance evaluation, to achieve improvement
Questions?
Certified ISO 22301
Lead Implementer Training
Section 4
Fundamental principles of business continuity
a. Business continuity & disaster recovery
b. Event: from incident to emergency
c. Organization and prioritized activities
d. Process and resources
e. Probability, consequence and impact
f. Stakeholder (Interested party)
g. Resilience
Business Continuity & Disaster Recovery
Differences
Business Continuity
Ensuring the business can continue during an emergency
Targeted are:
First and foremost, the human capital of the company
Product or service delivery to the company’s customers
Critical business functions in the company
Disaster Recovery
Recover ‘technology’ as quickly as possible
Included are:
The data, hardware and software necessary to resume critical business operations
A disaster recovery plan (DRP) also includes plans for coping with the unexpected or sudden loss of key personnel
In a BCP, it’s one aspect of the plan
Involve all elements of the organization
Business Continuity Management is in relation with:
RISK MANAGEMENT
EMERGENCY MANAGEMENT
IT DISASTER RECOVERY
FACILITIES MANAGEMENT
SUPPLY CHAIN MANAGEMENT
QUALITY MANAGEMENT
ENVIRONMENTAL MANAGEMENT
HEALTH & SAFETY
CRISIS MANAGEMENT
HUMAN RESOURCES
SECURITY
COMMUNICATIONS & PR
Event: from Incident to Emergency
Definitions from ISO 22300, ISO 22301 & ISO 22399
Event (ISO 22301, 3.17): Occurrence of a particular set of circumstances
Incident (ISO 22301, 3.19): Event that might be, or could lead to, an operational interruption, disruption, loss, emergency or crisis
Disruption (ISO 22399, 3.5): Incident, whether anticipated (e.g. hurricane) or unanticipated (e.g. a blackout or earthquake) which disrupts the normal course of operations at an organization location
Crisis (ISO 22399, 3.3): Any incident(s), human-caused or natural, that require(s) urgent attention and action to protect life, property, or environment
Disaster (ISO 22300, 2.1.11): Situation where widespread human, material, economic or environmental losses have occurred which exceeded the ability of the affected organization, community or society to respond and recover using its own resources
Emergency (ISO 22399, 3.6): Sudden, urgent, usually unexpected occurrence or event requiring immediate action
Organization and Activities
ISO 22301, clause 3.1, 3.33 & 3.42
Organization (3.33): Person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives
Activity (3.1): Process or set of processes undertaken by an organization (or on its behalf) that produces or supports one or more products and services
Prioritized activities (3.42): Activities to which priority must be given following an incident in order to mitigate impacts
Process
ISO 22301, clause 3.40
Set of interrelated or interacting activities which transforms inputs into outputs
Input -> Activities -> Output

Resources
ISO 22301, clause 3.47
All assets, people, skills, information, technology (including plant and equipment), premises, and supplies and information (whether electronic or not) that an organization has to have available to use, when needed, in order to operate and meet its objective
Resource categories: people, assets, information, premises, technologies, supplies
Risk
ISO 22301
Risk (3.48): Effect of uncertainty on objectives
Risk appetite (3.49): Amount and type of risk that an organization is willing to pursue or retain
Risk assessment (3.50): Overall process of risk identification, risk analysis and risk evaluation
Risk management (3.51): Coordinated activities to direct and control an organization with regard to risk

Probability, Consequence and Impact
ISO 22399
Probability (3.28): Extent to which an event is likely to occur
Consequence (3.2): Outcome of an event
Impact (3.10): Evaluated consequence of a particular outcome
Interested party (Stakeholder)
ISO 22301, clause 3.21
Person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
Interested parties around the organization: financial institutions, suppliers, customers, interest groups, board of directors, management team, employees, unions, regulator, media, public, shareholders

Resilience
ISO 22300, clause 2.1.17
Adaptive capacity of an organization in a complex and changing environment
Questions?
Certified ISO 22301
Lead Implementer Training
Section 5
Initiating the BCMS implementation
a. BCMS implementation approach
b. BCMS implementation methodology
c. Alignment with best practices
Requirements
ISO 22301, clause 5.4
5.4 Organizational roles, responsibilities and authorities
Top management shall assign the responsibility and authority for:
a) ensuring that the management system is established and implemented in accordance with the requirements of this International Standard;
1.1. Initiating the BCMS Implementation
List of activities
Intention to implement a BCMS
1.1.1 Definition of the approach for the implementation
1.1.2 Selection of a methodological framework
1.1.3 Alignment with the best practices
1.2 Understanding the organization
1.1.1. Definition of the Approach for the BCMS Implementation
Possible approaches
1. Speed of implementation
2. Level of maturity of processes in place
3. Expectations and scope

Proposed Approach
Guidelines
1. Business approach: integrates into the context of commercial activities across the organization
2. Systems approach: overall implementation of the BCMS process, not by isolating processes
3. Systematic approach: apply best practices in project management
4. Integrated approach: integrating the BCMS or harmonize it with other requirements of the organization
5. Iterative approach: rapid implementation of the BCMS respecting the minimum requirements and switch to continual improvement thereafter
Application Guidelines
Recommendations
1. Avoid the integration of new technologies
2. Integrate the BCMS into existing processes
3. Apply the principles of continual improvement
4. Involve stakeholders in the organization
5. Get management support
6. Identify and formally appoint a BCMS project manager
1.1.2. Choose a Methodological Framework to Manage the BCMS Implementation Project
1. Plan
1.1 Initiating the BCMS
1.2 Understanding the organization
1.3 Analyze the existing system
1.4 Scope
1.5 Leadership and planning
1.6 BC policy
1.7 Organizational structure
1.8 Documented information
1.9 Competence & awareness
2. Do
2.1 Business Impact Analysis (BIA)
2.2 Risk assessment
2.3 Business continuity strategy
2.4 Protection & mitigation measures
2.5 Business continuity plan & procedures
2.6 Communication
2.7 Exercising and testing
3. Check
3.1 Monitoring, measurement, analysis and evaluation
3.2 Internal audit
3.3 Management review
4. Act
4.1 Nonconformities & corrective action
4.2 Continual improvement
Integrated Implementation Methodology for Management Systems and Standards (IMS2)
Methodology for BCMS implementation
4 phases, 21 steps, 101 activities, undefined tasks
BCMS project phases: Plan, Do, Check, Act
Approach and Methodology
Based upon the best practices
ISO 10006: Guidelines for quality management in projects
PMBOK: Project Management Body of Knowledge
ISO 22313: Business continuity management system implementation guidance
1.1.3. Alignment with the Best Practices
Use of ISO standards
Questions?
Exercise 2
Advantages, drivers, constraints of a BCMS project
Certified ISO 22301
Lead Implementer Training
Section 6
Understanding the organization
a. Understanding the organization
b. Identification and analysis of interested parties
c. Identification and analysis of requirements and expectations
d. Preliminary definition of the scope
1.2. Understanding the Organization
1. Plan
1.1 Initiating the BCMS
1.2 Understanding the organization
1.3 Analyze the existing system
1.4 Scope
1.5 Leadership and planning
1.6 BC policy
1.7 Organizational structure
1.8 Documented information
1.9 Competence & awareness
2. Do
2.1 Business Impact Analysis (BIA)
2.2 Risk assessment
2.3 Business continuity strategy
2.4 Protection & mitigation measures
2.5 Business continuity plan & procedures
2.6 Communication
2.7 Exercising and testing
3. Check
3.1 Monitoring, measurement, analysis and evaluation
3.2 Internal audit
3.3 Management review
4. Act
4.1 Nonconformities & corrective action
4.2 Continual improvement
Requirements
ISO 22301, clause 4.1
4.1 Understanding of the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose
and that affect its ability to achieve the expected outcomes of its BCMS.
These issues shall be taken into account when establishing, implementing and maintaining the
organization’s BCMS.
The organization shall identify and document the following:
a) the organization’s activities, functions, services, products, partnerships, supply chains,
relationships with interested parties, and the potential impact related to a disruptive
incident;
b) links between the business continuity policy and the organization’s objectives and other
policies, including its overall risk management strategy; and
c) the organization’s risk appetite.
In establishing the context, the organization shall:
1) articulate its objectives, including those concerned with business continuity,
2) define the external and internal factors that create the uncertainty that gives rise to risk,
3) set risk criteria taking into account the risk appetite, and
4) define the purpose of the BCMS.
1.2. Understanding the Organization
List of activities
1.1 Initiating the BCMS
1.2.1 Mission, objectives, values, strategies
1.2.2 External environment
1.2.3 Internal environment
1.2.4 Process and activities
1.2.5 Infrastructure
1.2.6 Interested parties
1.2.7 Business requirements
1.2.8 Risk appetite and risk criteria
1.2.9 Preliminary scope
1.3 Gap analysis
1.4 Scope
1.2.1. Understanding of Mission, Objectives, Values, and Strategies
Mission, values, strategies and objectives -> strategic alignment -> business continuity objectives
Corporate policies -> business continuity policy
1.2.2. Analysis of the External Environment
SWOT diagram: Strengths, Weaknesses, Opportunities, Threats
Practical Advice
ISO 22301 offers no practical approach to analyze the context of an organization.
Several methodologies exist to understand how an organization functions.
The important thing is to identify the characteristics of the internal and external environmental factors that will influence business continuity management: mission, main activities, internal organization, stakeholders, etc.
1.2.3. Analysis of the Internal Environment
Organizational structure and key players
Understanding the structure and main actors of the organization related to the scope at the following levels:
Strategy (who sets the strategic directions?)
Steering (who coordinates and manages the operations?)
Operational (who is involved in production and support activities?)
1.2.4. Identification of the Key Processes and Activities
1. Product and Service Offers: What are the goods and services produced by the organization?
2. Business Processes: What are the key processes that enable the organization to achieve its mission?
3. Key Information Assets: What are the key information assets of the organization?
Note: At this stage, there is no need to completely map the processes or to make a detailed inventory of assets; a general list is sufficient.
1.2.5. Identification of Infrastructure
ISO 22301, clause 3.20
Infrastructure: System of facilities, equipment and services needed for the operation of an organization
Categories and examples:
Sites: Office, server room, employees' residences, secure area, production site, etc.
Utilities: Electricity, gas, air conditioning, humidity control, etc.
Industrial equipment: Storage and handling equipment, conveyors, industrial robots, etc.
Services: Accounting, human resources, purchasing, logistics, etc.
Transport: Truck, car, barge, railway, public transport, etc.
Telecommunication: Phones, PBX, router, network cable, switch, bridge, etc.
Information technology: Server, laptop, network, operating system, accounting software, etc.
1.2.6. Identification and Analysis of Interested Parties
Analysis of their requirements and expectations
1. Identify the requirements and expectations
Identify all interested parties and their requirements and expectations.
The requirements and expectations may be implicit or explicit.
Example: rate of service availability of 99.5%
2. Validate the requirements and expectations
Analyze the security needs and confirm whether the organization responds to their concerns at this moment.
This can be done by sending a questionnaire, conducting interviews or facilitating focus groups.
3. Identify roles and responsibilities
Define what is expected from the different interested parties within the project: the roles, responsibilities and levels of required participation.
Establish a consensus with them during the planning stage of their involvement.
Interested Parties
Positive and negative influence
Negative interested parties: those for which the BCMS could have a negative impact.
Example: an HR department involved in the BCMS implementation will suffer a heavy burden on the documentation of employee files.
Positive interested parties: those that would benefit from the BCMS.
Example: customers of an IT service company.
Important note: Negative interested parties often put their interest first when evaluating the risk that they could experience due to the BCMS implementation.
1.2.7. Identification and Analysis of Business Requirements
Legal and Regulatory: All laws and regulations that the organization must comply with.
External Standards: International standards and codes of practice related to the industry sector that are voluntarily implemented by the organization.
Market: All contractual obligations that the organization has signed with its stakeholders.
Internal policies: All requirements inside the organization: internal policies, code of ethics, work rules, etc.
(The slide positions these four categories along two axes: mandatory versus voluntary, and internal versus external.)
Legal Compliance
The organization must comply with the applicable laws and regulations.
In most countries, the implementation of an ISO standard is a voluntary decision of the organization, not a legal condition.
Organizations operating in multiple locations often have to satisfy the requirements of different jurisdictions.
In all cases, laws take precedence over standards.
ISO 22301 can be used to comply with several laws and regulations.
Laws and Regulations
The four industry sectors most impacted
Healthcare: Requires a data backup plan, DR plan and emergency mode operation plan. Requirements for electronic records.
Government: Mostly emphasizes data security rather than BC and DR. An important need to be addressed is the requirement that government is open and running during a crisis.
Finance: Requires that banks put in place BC and DR plans to ensure continuous operation and to limit losses. Requires BCPs to be upgraded and tested to incorporate risks discovered.
Utilities: Requires a BCP to ensure that the agency mission continues during a crisis. Emergency restoration plans are required as a condition of continued services.
1.2.8. Determination of the Risk Appetite and the Risk Criteria
ISO 22301, clause 3.49 and 4.1
Risk appetite
Definition: Amount and type of risk that an organization is willing to pursue or retain
It’s the level of risk that an organisation is prepared to accept, before action is deemed necessary to reduce it.
It represents a balance between the potential benefits of innovation and the threats that change inevitably brings.
Example of risk appetite scale (chart, 0 to 80): 1. Averse, 2. Minimal, 3. Cautious, 4. Open, 5. Hungry
Risk Criteria
ISO 22301, clause 4.1 & ISO 31000, clause 5.3.5
1 Evaluation of risk
2 Impacts
3 Risk acceptance
Note: This step consists only of defining basic criteria for risk management. Detailed criteria will be defined during the risk assessment.
1.2.9. Preliminary Definition of the Scope
The preliminary BCMS scope should include:
Key characteristics of the organization
Business processes that could be in scope
List of products and services and all related activities within the proposed scope
List of geographic locations to which the BCMS would be applied
A summary of the BCMS requirements
A description of how the area(s) in the scope interact with other management systems (e.g. ISO 9001, ISO 27001, ISO 28000)
QUESTIONS?
Exercise 3
Understanding the organization