Published by rafemuhammed, 2015-12-06 01:56:35

BCMS Material

ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook

Contents

Certified ISO 22301 Lead Implementer--------------------- 5
Exam Preparation Guide -------------------------------------- 267
Appendix A: Case Study ------------------------------------- 281
Appendix B: Exercises List ---------------------------------- 297
Appendix C: Correction Key for Exercises --------------- 319

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 3


Certified ISO 22301
Lead Implementer


Certified ISO 22301
Lead Implementer Training
Section 1

Course objectives and structure

a. Meet and greet
b. General Information
c. Training objectives
d. Educational approach
e. Examination and certification
f. Schedule for the training


Activity

Meet and greet


General Information

- Use of mobile phones and recording devices
- Use of a computer and access to the Internet
- Emergency exit
- Timetable and breaks
- Meals
- Absences


Some Industry Survey Results

On business continuity

Gartner Meta
- 2 out of 5 enterprises experiencing a disaster will go out of business within 5 years
- Gartner estimates that 40% of all businesses which lose all their data go out of business within 5 years

Insurance disaster report
- 30% of businesses never reopen, while 29% go out of business within 2 years

Veritas Recovery Research Group
- Top 5 consequences of a disaster, 2006:
  1. Decreased employee productivity (62%)
  2. Data loss (43%)
  3. Reduction in profits (40%)
  4. Damage to customer relationship (38%)
  5. Reduction in revenue (27%)

Business Continuity Institute
- 80% of businesses that do not have business continuity plans go out of business within 13 months of a major incident


Training Objectives

Acquiring knowledge

1. Understand the operation of a Business Continuity Management System based on ISO 22301 and its principal processes
2. Understand the goal, content and correlation between ISO 22301 and other standards and regulatory frameworks
3. Master the concepts, approaches, standards, methods and techniques for the implementation and effective management of a BCMS


Training Objectives

Development of competencies

1. Interpret the ISO 22301 requirements in the specific context of an organization
2. Develop the expertise to support an organization to plan, implement, manage, monitor and maintain a BCMS as specified in ISO 22301
3. Acquire the expertise to advise an organization on business continuity management best practices
4. Strengthen the personal qualities necessary to act with due professional care when conducting a compliance project


Educational Approach

Students at the center


Examination

Competency domains

1. Fundamental principles of business continuity
2. Business continuity management best practice
3. Planning a BCMS based on ISO 22301
4. Implementing a BCMS based on ISO 22301
5. Performance evaluation, monitoring and measurement of a BCMS based on ISO 22301
6. Continual improvement of a BCMS based on ISO 22301
7. Preparing for a BCMS certification audit


Certified ISO 22301 Lead Implementer

Prerequisites for Certification

1. Pass the exam
2. Adhere to the Code of Ethics
3. 5 years professional experience
4. 2 years business continuity experience
5. 300 hours project activity
6. Professional references


Why Become a Certified Implementer?

Advantages
Qualifying oneself to manage a BCMS project

Formal and independent recognition of personal
competencies

Certified professionals usually earn
salaries higher than those of non-certified
professionals


QUESTIONS?


Certified ISO 22301
Lead Implementer Training
Section 2

Standard and regulatory framework

a. What is ISO?
b. Fundamental ISO principles
c. Management system standards
d. Integrated management system
e. Business Continuity standards
f. ISO 22301 and ISO 27001
g. ISO 22301 advantages


What is ISO?

- ISO is a network of national standardization bodies from over 160 countries
- The final results of ISO works are published as international standards
- Over 19 000 standards have been published since 1947


Basic Principles – ISO Standards

Basic principles of ISO standards:

1. Equal representation: 1 vote per country
2. Voluntary membership: ISO does not have the authority to force adoption of its standards
3. Business orientation: ISO only develops standards for which a market demand exists
4. Consensus approach: looking for a large consensus among the different stakeholders
5. International cooperation: over 160 member countries plus liaison bodies


Eight ISO Management Principles


Management System Standards

Primary standards against which an organization can be certified

- ISO 9001: Quality
- ISO 14001: Environment
- OHSAS 18001: Health and Safety at work
- ISO 20000: IT Service
- ISO 22000: Food Safety
- ISO 22301: Business continuity
- ISO 27001: Information Security
- ISO 28000: Supply Chain Security


Integrated Management System

Common structure of ISO standards

Requirements                          ISO 9001:2008   ISO 14001:2004   ISO 20000:2011   ISO 22301:2012   ISO 27001:2005
Objectives of the management system   5.4.1           4.3.3            4.5.2            6.2              4.2.1
Policy of the management system       5.3             4.2              4.1.2            5.3              4.2.1
Management commitment                 5.1             4.4.1            4.1              5.2              5
Documentation requirements            4.2             4.4              4.3              7.5              4.3
Internal audit                        8.2.2           4.5.5            4.5.4.2          9.2              6
Continual improvement                 8.5.1           4.5.3            4.5.5            10               8
Management review                     5.6             4.6              4.5.4.3          9.3              7


ISO 22301

- Specifies requirements for BCMS management
- Requirements (clauses) are written using the imperative verb “shall”
- Integrates the PDCA (Plan, Do, Check and Act) model
- Auditable
- Organizations can obtain certification against this standard


ISO 22301

Contents

Section 1 Scope
Section 2 Normative references
Section 3 Terms and definitions
Section 4 Context of the organization
Section 5 Leadership
Section 6 Planning
Section 7 Support
Section 8 Operation
Section 9 Performance evaluation
Section 10 Improvement


ISO 22313

- Code of practice providing guidance for implementing, maintaining and improving a Business Continuity Management System (reference document)
- Clauses are written using the verb “should” to provide implementation guidance
- Organizations cannot obtain certification against this standard


History of the ISO 22301 Standard

1988 – 2013

- 1988: Creation of the DRI International (originally known as the Disaster Recovery Institute) in the USA
- 1994: Creation of the Business Continuity Institute (BCI) in the UK
- 2002: BCI publishes BCM Good Practice Guidelines
- 2003: Publication of PAS 56
- 2006: Publication of BS 25999-1
- 2007: Publication of BS 25999-2
- 2012: ISO published first version of ISO 22301
- 2013: ISO published first version of ISO 22313


Other Business Continuity Standards

Examples


Content and Correlation Between
ISO 22301 and ISO 27001

ISO 27001, A.14: Business Continuity Management, mapped to the ISO 22301 requirements:

- 4.4 Business continuity management system
- 8.2 BIA and risk assessment
- 8.4 Business continuity procedures
- 6 Planning the BCMS
- 8.5 Exercising and testing


Exercise 1

Myths and Realities – Business Continuity


Business Continuity

Advantages

- Predictable and effective response to crises
- Protection of people
- Maintenance of vital activities of the organization
- Better understanding of the organization
- Cost reduction
- Respect of the interested parties
- Protection of the reputation and brand
- Confidence of clients
- Competitive advantage
- Legal compliance
- Regulatory compliance
- Contract compliance


Questions?


Certified ISO 22301
Lead Implementer Training
Section 3

Business Continuity Management System (BCMS)

a. Definition of a BCMS
b. Process approach
c. Overview – Clauses 4 to 10
d. Key components of a BCMS


What is Business Continuity?

Business-driven process that establishes a fit-for-purpose strategic and tactical framework that:

1. Proactively improves an organization’s resilience against the disruption of its ability to achieve its key objectives
2. Provides a rehearsed method of restoring an organization’s ability to supply its key products and services after a disruption
3. Delivers a proven capability to manage a business disruption and protect the organization’s reputation and brand


Business Continuity Management

ISO 22301, clause 3.4
Holistic management process that identifies potential
threats to an organization and the impacts to business
operations those threats, if realized, might cause, and
which provides a framework for building organizational
resilience with the capability of an effective response that
safeguards the interests of its key stakeholders, reputation,
brand and value-creating activities

Note: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources


Key Components of a BCMS

ISO 22301, Introduction

A BCMS, like any other management system, has the following key components:

1. A policy
2. People with defined responsibilities
3. Management processes relating to:
   - Policy
   - Planning
   - Implementation and operation
   - Performance assessment
   - Management review
   - Improvement
4. Documentation providing auditable evidence
5. Any business continuity management processes relevant to the organization


Plan-Do-Check-Act (PDCA) cycle

ISO 22301, Introduction

Input: Interested parties – business continuity requirements and expectations

- Plan: Establish a BCMS
- Do: Implement the BCMS
- Check: Monitor and review the BCMS
- Act: Maintain and improve the BCMS

Output: Interested parties – managed business continuity


General requirements

ISO 22301
In summary

The organization shall establish, implement, maintain and improve a BCMS in accordance with the needs and the requirements of the interested parties

1. Understanding of the organization and its context
2. Determine needs and requirements
3. Implement and manage a BCMS


Context of the organization

ISO 22301, clause 4

Understanding of the organization and its context
- The organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties
- Links between the business continuity policy and the organization’s objectives and other policies
- The organization’s risk appetite

Understanding the needs and expectations of interested parties
- The interested parties’ needs that are relevant to the BCMS
- The requirements of these interested parties
- Legal and regulatory requirements

Determining the scope of the BCMS
- The organization shall determine the boundaries and applicability of the BCMS to establish its scope
- When determining this scope, the organization shall consider the external and internal issues and the requirements


Leadership and Management Commitment

ISO 22301, clause 5.1 and 5.2

Strategic orientation
- Ensure that the BCMS is compatible with the strategic orientation of the organization
- Integrate the BCMS requirements into the organization’s business processes

Make resources available
- Management shall determine and provide the necessary resources for the BCMS

Communication
- Management shall communicate the importance of effective Business Continuity Management and conformance to the BCMS processes


Business Continuity Policy

ISO 22301, clause 5.3

- Top management shall establish a business continuity policy that:
  - is appropriate to the purpose of the organization
  - provides a framework for setting business continuity objectives
  - includes a commitment to satisfy applicable requirements
  - includes a commitment to continual improvement of the BCMS

- The BCMS policy shall:
  - be available as documented information
  - be communicated within the organization
  - be available to interested parties, as appropriate
  - be reviewed for continuing suitability at defined intervals and when significant changes occur


Organizational Roles, Responsibilities and Authorities

ISO 22301, clause 5.4

- Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization

- Top management shall assign the responsibility and authority for:
  - Ensuring that the management system is established and implemented in accordance with the requirements of ISO 22301
  - Reporting on the performance of the BCMS to top management


Objectives and Plans to Achieve Them

ISO 22301, clause 6.2

- Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization

- The objectives shall:
  a) Be consistent with the business continuity policy
  b) Take account of the minimum level of products and services that is acceptable to the organization to achieve its objectives
  c) Be measurable
  d) Take into account applicable requirements
  e) Be monitored and updated as appropriate


Support

ISO 22301, clause 7

Resources: The organization shall determine and provide the resources needed for the BCMS

Competence: The organization shall ensure that it has competent persons to perform tasks related to the BCMS

Awareness: Persons doing work under the organization’s control shall be aware of the BC policy, their roles in the BCMS and the requirements for the organization

Communication: The organization shall establish, implement and maintain arrangements for communicating with relevant external and internal interested parties

Documentation: The organization’s BCMS shall include documented information required by ISO 22301 and records to demonstrate the effectiveness of the BCMS


Documented Information

ISO 22301, clause 7.5

Document life cycle:

1. Creation
2. Identification
3. Classification and security
4. Modification
5. Approval
6. Distribution
7. Adequate use
8. Archiving
9. Disposal

A procedure must be established to manage the document life cycle


Business Impact Analysis and Risk Assessment

ISO 22301, clause 3.8, 3.50 & 8.2

Business Impact Analysis: Process of analysing business functions and the effect that a business disruption might have upon them

Risk Assessment: Overall process of risk identification, risk analysis and risk evaluation


Business Continuity Strategy

ISO 22301, clause 8.3
The organization shall determine appropriate continuity
options for:

B) Stabilizing, continuing, resuming
and recovering prioritized activities


Establish and Implement Business Continuity Procedures

ISO 22301, clause 8.4.1

The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident

General
- The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis

Emergency Response and Crisis Management


Exercising and Testing

ISO 22301, clause 8.5

The organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives


Performance evaluation

ISO 22301, clause 9

BCMS monitoring and review:

1. Review of exercise and test of continuity procedures, post-incident reporting
2. Regular review of the effectiveness of the BCMS taking into account the feedback and suggestions of interested parties
3. Measurement of the effectiveness of the procedures
4. Review of risk assessments and BIA
5. Conducting the internal audits
6. Management review and update of business continuity plans & procedures

Note: Each of these actions must be documented and recorded


Improvement

ISO 22301, clause 10

- The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS
- The organization can use the processes of the BCMS, such as leadership, planning and performance evaluation, to achieve improvement


Questions?


Certified ISO 22301
Lead Implementer Training
Section 4

Fundamental principles of business continuity

a. Business continuity & disaster recovery
b. Event: from incident to emergency
c. Organization and prioritized activities
d. Process and resources
e. Probability, consequence and impact
f. Stakeholder (Interested party)
g. Resilience


Business Continuity & Disaster Recovery

Differences

Business Continuity
Ensuring the business can continue during an emergency
Targeted are:
- First and foremost, the human capital of the company
- Product or service delivery to the company’s customers
- Critical business functions in the company

Disaster Recovery
Recover ‘technology’ as quickly as possible
Included are:
- The data, hardware and software necessary to resume critical business operations
- A disaster recovery plan (DRP) also includes plans for coping with the unexpected or sudden loss of key personnel
- In a BCP, it’s one aspect of the plan

Involve all elements of the organization

Business Continuity Management is in relation with:

- Risk management
- Emergency management
- IT disaster recovery
- Facilities management
- Supply chain management
- Quality management
- Environmental management
- Health & safety
- Crisis management
- Human resources
- Security
- Communications & PR


Event: from Incident to Emergency

Definitions from ISO 22300, ISO 22301 & ISO 22399

Event (ISO 22301, 3.17)
- Occurrence of a particular set of circumstances

Incident (ISO 22301, 3.19)
- Event that might be, or could lead to, an operational interruption, disruption, loss, emergency or crisis

Disruption (ISO 22399, 3.5)
- Incident, whether anticipated (e.g. hurricane) or unanticipated (e.g. a blackout or earthquake) which disrupts the normal course of operations at an organization location

Crisis (ISO 22399, 3.3)
- Any incident(s), human-caused or natural, that require(s) urgent attention and action to protect life, property, or environment

Disaster (ISO 22300, 2.1.11)
- Situation where widespread human, material, economic or environmental losses have occurred which exceeded the ability of the affected organization, community or society to respond and recover using its own resources

Emergency (ISO 22399, 3.6)
- Sudden, urgent, usually unexpected occurrence or event requiring immediate action


Organization and Activities

ISO 22301, clause 3.1, 3.33 & 3.42

Organization (3.33)

Person or group of people that has its own
functions with responsibilities, authorities and
relationships to achieve its objectives

Activity (3.1)

Process or set of processes undertaken by an
organization (or on its behalf) that produces or
supports one or more products and services

Prioritized activities (3.42)

Activities to which priority must be given following
an incident in order to mitigate impacts


Process

ISO 22301, clause 3.40

Set of interrelated or interacting activities which transforms inputs into outputs

Input -> Activities -> Output


Resources

ISO 22301, clause 3.47

- All assets, people, skills, information, technology (including plant and equipment), premises, and supplies and information (whether electronic or not) that an organization has to have available to use, when needed, in order to operate and meet its objective

Resource categories: People, Assets, Information, Premises, Technologies, Supplies


Risk

ISO 22301

Risk (3.48)

Effect of uncertainty on objectives

Risk appetite (3.49)

Amount and type of risk that an organization
is willing to pursue or retain

Risk assessment (3.50)

Overall process of risk identification, risk
analysis and risk evaluation

Risk management (3.51)

Coordinated activities to direct and control
an organization with regard to risk


Probability, Consequence and Impact

ISO 22399

Probability (3.28)

Extent to which an event is likely to occur

Consequence (3.2)

Outcome of an event

Impact (3.10)

Evaluated consequence of a particular
outcome


Interested party (Stakeholder)

ISO 22301, clause 3.21

Person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity

Interested parties of an organization: Financial institutions, Suppliers, Customers, Interest groups, Board of Directors, Management Team, Employees, Unions, Regulator, Media, Public, Shareholders


Resilience

ISO 22300, clause 2.1.17

Adaptive capacity of an organization in a complex and changing environment


Questions?


Certified ISO 22301
Lead Implementer Training
Section 5

Initiating the BCMS implementation

a. BCMS implementation approach
b. BCMS implementation methodology
c. Alignment with best practices


Requirements

ISO 22301, clause 5.4

5.4 Organizational roles, responsibilities and authorities

Top management shall assign the responsibility and authority for:
a) ensuring that the management system is established and implemented in accordance with the requirements of this International Standard;


1.1. Initiating the BCMS Implementation

List of activities

Intention to implement a BCMS
1.1.1. Definition of the approach for the implementation
1.1.2. Selection of a methodological framework
1.1.3. Alignment with the best practices
1.2. Understanding the organization


1.1.1. Definition of the Approach for the BCMS Implementation

Possible approaches

1. Speed of implementation
2. Level of maturity of processes in place
3. Expectations and scope


Proposed Approach

Guidelines

1. Business approach: integrates into the context of commercial activities across the organization
2. Systems approach: overall implementation of the BCMS process, not by isolating processes
3. Systematic approach: apply best practices in project management
4. Integrated approach: integrating the BCMS or harmonizing it with other requirements of the organization
5. Iterative approach: rapid implementation of the BCMS respecting the minimum requirements and switch to continual improvement thereafter


Application Guidelines

Recommendations
1. Avoid the integration of new technologies
2. Integrate the BCMS into existing processes
3. Apply the principles of continual improvement
4. Involve stakeholders in the organization
5. Get management support
6. Identify and formally appoint a BCMS project manager


1.1.2. Choose a Methodological Framework to Manage the BCMS Implementation Project

1. Plan
  1.1 Initiating the BCMS
  1.2 Understanding the organization
  1.3 Analyze the existing system
  1.4 Scope
  1.5 Leadership and planning
  1.6 BC policy
  1.7 Organizational structure
  1.8 Documented information
  1.9 Competence & awareness

2. Do
  2.1 Business Impact Analysis (BIA)
  2.2 Risk assessment
  2.3 Business continuity strategy
  2.4 Protection & mitigation measures
  2.5 Business continuity plan & procedures
  2.6 Communication
  2.7 Exercising and testing

3. Check
  3.1 Monitoring, measurement, analysis and evaluation
  3.2 Internal audit
  3.3 Management review

4. Act
  4.1 Nonconformities & corrective action
  4.2 Continual improvement


Integrated Implementation Methodology for Management Systems and Standards (IMS2)

Methodology for BCMS implementation

4 phases, 21 steps, 101 activities, undefined tasks

BCMS project phases: Plan, Do, Check, Act

Approach and Methodology

Based upon the best practices

- ISO 10006: Guidelines for quality management in projects
- PMBOK: Project Management Body of Knowledge
- ISO 22313: Business Continuity management system implementation guidance


1.1.3. Alignment with the Best Practices

Use of ISO standards


Questions?


Exercise 2

Advantages, drivers, constraints of a BCMS project


Certified ISO 22301
Lead Implementer Training
Section 6

Understanding the organization

a. Understanding the organization
b. Identification and analysis of interested parties
c. Identification and analysis of requirements and expectations
d. Preliminary definition of the scope


1.2. Understanding the Organization


Requirements

ISO 22301, clause 4.1

4.1 Understanding of the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose
and that affect its ability to achieve the expected outcomes of its BCMS.

These issues shall be taken into account when establishing, implementing and maintaining the
organization’s BCMS.

The organization shall identify and document the following:

a) the organization’s activities, functions, services, products, partnerships, supply chains,
relationships with interested parties, and the potential impact related to a disruptive
incident;

b) links between the business continuity policy and the organization’s objectives and other
policies, including its overall risk management strategy; and

c) the organization’s risk appetite.

In establishing the context, the organization shall:
1) articulate its objectives, including those concerned with business continuity,
2) define the external and internal factors that create the uncertainty that gives rise to risk,
3) set risk criteria taking into account the risk appetite, and
4) define the purpose of the BCMS.


1.2. Understanding the Organization

List of activities

1.1 Initiating the BCMS
1.2.1 Mission, objectives, values, strategies
1.2.2 External environment
1.2.3 Internal environment
1.2.4 Process and activities
1.2.5 Infrastructure
1.2.6 Interested parties
1.2.7 Business requirements
1.2.8 Risk appetite and risk criteria
1.2.9 Preliminary Scope
1.3 Gap Analysis
1.4 Scope

1.2.1. Understanding of Mission, Objectives, Values, and Strategies

(Figure: the organization's Mission, Values, Strategies and Objectives, together with its Corporate Policies, are linked through Strategic Alignment to the Business Continuity objectives and the Business Continuity Policy)


1.2.2. Analysis of the External Environment

Strengths / Weaknesses / Opportunities / Threats (SWOT)

Practical Advice

 ISO 22301 offers no practical approach to analyze the context of an organization

 Several methodologies exist to understand how an organization functions

 The important thing is to identify the characteristics of internal and external environmental factors that will influence business continuity management: mission, main activities, internal organization, stakeholders, etc.

1.2.3. Analysis of the Internal Environment

Organizational structure and key players

Understanding the structure and main actors of the organization related to the scope at the levels:

 Strategy (who sets the strategic directions?)

 Steering (who coordinates and manages the operations?)

 Operational (who is involved in production and support activities?)


1.2.4. Identification of the Key Processes and Activities

1. Product and Service Offers: What are the goods and services produced by the organization?

2. Business Processes: What are the key processes that enable the organization to achieve its mission?

3. Key Information Assets: What are the key information assets of the organization?

Note: At this stage there is no need to completely map the processes or to make a detailed inventory of assets; only a general list needs to be established.

1.2.5. Identification of Infrastructure

ISO 22301, clause 3.20
Infrastructure: System of facilities, equipment and services needed for the operation of an organization

Category (example)        Examples

Sites                     Office, server room, employees' residences, secure area, production site, etc.

Utilities                 Electricity, gas, air conditioning, humidity control, etc.

Industrial equipment      Storage and handling equipment, conveyors, industrial robots, etc.

Service                   Accounting, human resources, purchasing, logistics, etc.

Transport                 Truck, car, barge, railway, public transport, etc.

Telecommunication         Phones, PBX, router, network cable, switch, bridge, etc.

Information technology    Server, laptop, network, operating system, accounting software, etc.


1.2.6. Identification and Analysis of Interested Parties

Analysis of their requirements and expectations

1. Identify the requirements and expectations
 Identify all interested parties and their requirements and expectations
 The requirements and expectations may be implicit or explicit
 Example: rate of service availability of 99.5%

2. Validate the requirements and expectations
 Analyze the security needs and confirm whether the organization responds to their concerns at this moment
 Can be made by sending a questionnaire, conducting interviews or facilitating focus groups

3. Identify roles and responsibilities
 Define what is expected from the different interested parties within the project: the roles, responsibilities and levels of required participation
 Establish a consensus with them during the planning stage of their involvement

Interested Parties

Positive and negative influence

Negative interested parties
 For these the BCMS could have a negative impact
 Example: an HR department involved in the BCMS implementation will suffer a heavy burden on the documentation of employee files

Positive interested parties
 Those that would benefit from the BCMS
 Example: customers of an IT service company

Important note: Negative interested parties often put their interest first when evaluating the risk that they could experience due to the BCMS implementation


1.2.7. Identification and Analysis of Business Requirements

(Figure: the four sources of requirements are arranged along two axes, External / Internal and Mandatory / Voluntary)

Legal and Regulatory: All laws and regulations that the organization must comply with

Standards: International standards and codes of practice related to the industry sector that are voluntarily implemented by the organization

Market: All contractual obligations that the organization has signed with its stakeholders

Internal policies: All requirements inside the organization: internal policies, code of ethics, work rules, etc.

Legal Compliance

 The organization must comply with the applicable laws and regulations

 In most countries, the implementation of an ISO standard is a voluntary decision of the organization, not a legal condition

 Organizations operating in multiple locations often have to satisfy the requirements of different jurisdictions

 In all cases, laws take precedence over standards

ISO 22301 can be used to comply with several laws and regulations


Laws and Regulations

The four industry sectors most impacted

Healthcare
 Requires data backup plan, DR plan and emergency mode operation plan
 Requirements for electronic records

Finance
 Requires that banks put in place BC and DR plans to ensure continuous operation and to limit losses
 Requires BCPs to be upgraded and tested to incorporate risks discovered

Government
 Mostly emphasizes data security rather than BC and DR
 An important need to be addressed is the requirement that government is open and running during a crisis

Utilities
 Requires a BCP to ensure that agency mission continues during a crisis
 Emergency restoration plans required as condition of continued services

1.2.8. Determination of the Risk Appetite and the Risk Criteria

ISO 22301, clause 3.49 and 4.1

Risk appetite

 Definition: Amount and type of risk that an organization is willing to pursue or retain

 It is the level of risk that an organization is prepared to accept before action is deemed necessary to reduce it

 It represents a balance between the potential benefits of innovation and the threats that change inevitably brings

(Figure: example of risk appetite scale, from 0 to 80, with five levels: 1. Averse, 2. Minimal, 3. Cautious, 4. Open, 5. Hungry)


Risk Criteria

ISO 22301, clause 4.1 & ISO 31000, clause 5.3.5

1. Evaluation of risk
2. Impacts
3. Risk acceptance

Note: This step consists only of defining basic criteria for risk management. Detailed criteria will be defined during the risk assessment.

1.2.9. Preliminary Definition of the Scope

The preliminary BCMS scope should include:

 Key characteristics of the organization
 Business processes that could be in scope
 List of products and services and all related activities within the proposed scope
 List of geographic locations to which the BCMS would be applied
 A summary of the BCMS requirements
 A description of how the area(s) in the scope interact with other management systems (e.g. ISO 9001, ISO 27001, ISO 28000)


QUESTIONS?


Exercise 3

Understanding the organization
