ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
1.9. Competence and Awareness
List of activities: 1.7 Organizational structure → 1.8 Documented information → 1.9.1 Defining a competence development programme → 1.9.2 Assessment of the required competences → 1.9.3 Defining a training programme → 1.9.4 Defining an awareness programme → 1.9.5 Evaluation & continuous improvement → 2.1 BIA
1.9.1. Defining a Competence Development Programme
ISO 22301 & ISO 22313, clause 7.2
The organization should develop a competence development programme that includes:
Assessment of competences for the role(s) to be undertaken
Creation of a personal development programme that identifies training, coaching, etc.
Provision of training and mentoring, including selection of suitable methods and materials
Knowledge sharing
Job sharing
Hiring or contracting competent persons
Evaluation and continuous improvement of the programme
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 103
1.9.2. Assessment of the required Competences
Example: competence matrix
Rows: Functions A to E. Columns: competence areas (Policies, Crisis, BIA, Audit, Legal). Each cell records the level required for the function: Expertise, Knowledge or Awareness-level.
1.9.3. Defining a Training Programme
Types of programme and their objectives
Initiation session: get information on specific topics
Continuous education: maintaining skills and acquiring specific skills
Basic education (college & university): acquire general skills
Principal Training Methods
ISO 10015, clause 4.3
Training methods: workshop; course (on-site or off-site); apprenticeships; distance learning; on-the-job coaching; self-training
When a training solution is selected to close the competence gaps, training needs should be specified and documented.
Potential training methods to meet the training needs should be listed. The appropriate form of training will depend on the listed resources, constraints and objectives.
1.9.4. Defining an Awareness Program
Principal topics
Persons doing work under the organization’s control shall be aware of:
The business continuity policy
Their expected contribution to the BCMS
The benefits of business continuity
Their role during incidents
Note: An organization's Business Continuity Management awareness plan is an ongoing process
1.9.5. Evaluation & Continual Improvement of the Competency Development Programme
The purpose of the evaluation is to confirm that both organizational and individual competence objectives have been met, i.e. that the competency development programme has been effective
Certified ISO 22301 Lead Implementer Training
Section 14
Business Impact Analysis (BIA)
a. Purpose of a BIA
b. Planning the BIA
c. Collecting the data
d. Analysis of the data
e. Validation of the data
f. Presentation of BIA Report
2.1. Business Impact Analysis
Overview of the BCMS implementation steps (PDCA figure):
1. Plan: 1.1 Initiating the BCMS; 1.2 Understanding the organization; 1.3 Analyze the existing system; 1.4 Scope; 1.5 Leadership and planning; 1.6 BC policy; 1.7 Organizational structure; 1.8 Documented information; 1.9 Competence & awareness
2. Do: 2.1 Business Impact Analysis (BIA); 2.2 Risk assessment; 2.3 Business continuity strategy; 2.4 Protection & mitigation measures; 2.5 Business continuity plan & procedures; 2.6 Communication; 2.7 Exercising and testing
3. Check: 3.1 Monitoring, measurement, analysis and evaluation; 3.2 Internal audit; 3.3 Management review
4. Act: 4.1 Nonconformities & corrective action; 4.2 Continual improvement
Requirements
ISO 22301, clause 8.2.2
Business impact analysis
The organization shall establish, implement, and maintain a formal and
documented evaluation process for determining continuity and recovery
priorities, objectives and targets. This process shall include assessing the
impacts of disrupting activities that support the organization’s products and
services.
The business impact analysis shall include the following:
a) identifying activities that support the provision of products and services;
b) assessing the impacts over time of not performing these activities;
c) setting prioritized timeframes for resuming these activities at a specified
minimum acceptable level, taking into consideration the time within which
the impacts of not resuming them would become unacceptable; and
d) identifying dependencies and supporting resources for these activities,
including suppliers, outsource partners and other relevant interested
parties.
Prioritized Activities and Resources
Purpose of a BIA
Obtain an understanding of the organization's key products and services and the activities that deliver them
Determine priorities and timeframes for resuming activities
Identify the key resources likely to be required for continuity and recovery
Identify dependencies (both internal and external)
2.1. Business Impact Analysis
List of activities: 1.9 Competence & training → 2.1.1 Planning the BIA → 2.1.2 Collecting the data → 2.1.3 Analysis of the data → 2.1.4 Validation of the data → 2.1.5 Presentation of BIA report → 2.2 Risk assessment
2.1.1. Planning the BIA
Activities
1 Determination of the approach and method to data collection
2 Identification of the activities that support key products and services
3 Selection of the impacts to be analyzed
4 Preparation of the BIA tools
I. Determination of the Approach and Method to Data Collection
Determination of the approach
The approach can be quantitative (with calculation of financial impacts) and/or qualitative (assessment of non-financial impacts such as reputation impacts, customer service impacts, etc.)
Determination of the method
The BIA data collection can be done with a combination of methods such as workshops, interviews and questionnaires
Identification of the participants
Creation of a BIA team and identification of the respondents for the interviews (from business functions and support functions)
II. Identifying the Activities that Support Key Products and Services
Activities to be considered
Supporting the organization's mission and that are vital to its achievement
Related to legal and/or contractual obligations
Main Business Activities
Example based upon the value chain of Porter (figure)
Support activities: Management of infrastructure; Human Resources management; Research & Development; Finance & accounting
Primary activities: Marketing; Design; Production (Supply, Transformation, Packaging, Manufacturing, Quality control); Distribution (Export); Sales; Customer service (After sales services)
III. Selection of the Impacts to be Analyzed
LOST REVENUE: Direct loss; Compensatory payments; Lost future revenues; Investment loss
PENALTIES: Contractual; Regulatory; Legal
DAMAGED REPUTATION: Customers; Suppliers; Partners; Banks; Financial markets; Credit ratings
EXTRA EXPENSE: Cost to recover; Overtime expense; Increased fraud risk; Increased error rate; Travel expenses; Temporary employees
DELAYED COLLECTIONS: Billing losses; Missed discounts
ENVIRONMENTAL IMPACTS: Ground contamination; Air contamination; Water contamination; Devastation of flora and fauna
PRODUCTIVITY LOSS: Number of employees impacted; Number of hours lost; % capacity lost
SAFETY IMPACTS: Loss of life or injury; Respiratory irritation; Illness
IV. Preparation of the BIA Tools
Main tools
“Worst case scenario”
Questionnaire
Guide for respondents to questionnaires
Guide for workshop facilitators and interviewers
Agenda and presentation for workshop
Kick-off presentation
BIA software
Worst Case Scenario
Example
A company offers an online service to help taxpayers complete their income tax report for the government. For them, the two weeks before the deadline to send the tax report are a critical period. (Figure: a one-month calendar with the two weeks before the deadline highlighted.)
The worst case scenario would be the loss of the online application 2 weeks before the deadline, preventing taxpayers from reporting their taxes on time
2.1.2. Collecting the Data
During the business impact analysis, it is advisable to collect data through questionnaires, interviews, or workshops
Additional data can be gathered using documents and research, but this data should be gathered only to support or supplement data gathered through direct contact with business subject matter experts
During the data collection phase, the following information should be gathered:
Evaluation of the impacts
Identification of the interdependencies
Identification of the business continuity objectives such as RTO, RPO and MBCO
Prioritized activities documentation
I. Evaluation of the Impacts
Example
Impact thresholds
| Impact | 1 Limited | 2 Important | 3 Serious | 4 Critical |
| Financial risk | $ 250 000 | $ 2 500 000 | $ 25 000 000 | $ 250 000 000 |
| Functionality impact | No more backlog after 1 week | No more backlog after 2 weeks | No more backlog after 1 month | No more backlog after 3 months |
| Impact on public image | Limited divulging of incidents; engagement of responsibility questioned | Significant change of public image; customer complaints | Important change of public image; cancellation of current contracts | Permanent change of public image; dismissal of CEO and/or members of management |
| Economic, human and social impact | Limited financial loss | Significant financial loss | Financial debts | Bankruptcy |
II. Identification of Key Resources and Dependencies Linked to Critical Processes
Example with a production process (figure): Reception and material selection → Stock holding 1 → Production → Stock holding 2 → Shipping → Customer's home
III. Identification of the Business Continuity Objectives
RPO & RTO
Recovery Point Objective (RPO): point to which information used by an activity must be restored to enable the activity to operate on resumption
Recovery Time Objective (RTO): period of time following an incident within which: product or service must be resumed; or activity must be resumed; or resources must be recovered
RPO and RTO
Example (figure: timeline with the disaster at time 0:00)
Recovery Point Objective (maximum acceptable data loss), measured backwards from the disaster: backup on tapes (7 days); network backup (24 h); mirror (1 minute)
Recovery Time Objective (maximum acceptable down time), measured forwards from the disaster: critical system (1 h); very important (12 h); important (72 h)
Identification of the Business Continuity Objectives
MBCO
Minimum Business Continuity Objective (MBCO): minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption
Figure: level of service over time, with the normal level of service at 100%, the minimum business continuity objective (MBCO) at 40%, and 0% at the bottom of the scale
IV. Prioritized Activities Documentation
Summary based on best practices
1 Business Function Description
2 Critical activities
3 Dependencies
4 Workflow Impact
5 Impact of Not Processing
2.1.3. Analysis of the Data
Transcribe into interview minutes or synthesis documents
Verify that all applicable questions have been completed
Verify that the business continuity objectives are justified by operational and/or financial impacts
Identify elements that need to be clarified
Identify inconsistencies
2.1.4. Data Validation
Data validation
Validate with:
o Business function manager
o Departmental manager
Any changes to the data collected must be documented and approved
At the end of this phase, ensure that all the information collected is complete, precise and agreed by the people involved
2.1.5. Presentation of BIA Report
BIA report
There is no standardized format for a BIA report and, as with many other processes, this document will likely follow the organization's standard format
At minimum, the BIA report should include:
o The list of activities that support key products and services
o The impact assessments
o The RTO and recovery priorities
o Significant dependencies and supporting resources
Summary of Recovery Objectives
Figure: level of service over time after a disaster (normal level of service 100%, minimum business continuity objective (MBCO) 40%, 0%; time axis in hours, day, week, month)
Last backup → Disaster: Recovery Point Objective (RPO)
Disaster → reach point of the minimum service to recover: Recovery Time Objective (RTO)
Disaster → return to normal: Maximum acceptable outage (MAO)
Plans in place before the disaster: protection and mitigation measures plan; training and awareness plan
Plans activated after the disaster: incident response plan; recovery plan; restoration plan
Business Impact Analysis
Summary with an Example
Business process: Prepare invoice (figure: stakeholder input → Process Invoice, with its interdependencies)
| Potential impacts | Max tolerable downtime |
| Operations – more than 1,000 staff affected | 72 hours |
| Reputation – media outlets announce concerns | 30 hours |
| Reputation – congressional insight | 36 hours |
| Customer service – over 500 customer complaints | 36 hours |
| System components | Recovery time objective |
| Application server | 36 hours |
| Web server | 24 hours |
| Database server | 12 hours |
| Desktop computers | 30 hours |
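The analysis step (2.1.3) asks for the recovery objectives to be checked against the impacts and for inconsistencies to be identified. The check below is an added example, not the handbook's own code; it assumes, as standard BCM practice, that a supporting component's RTO may not exceed the shortest maximum tolerable downtime (MTD) of the process it supports. All process, impact and component records are constructed sample data.

```python
"""Consistency check on collected BIA data (added example, not from the handbook).

Assumption: a component that supports a business process must carry a recovery
time objective (RTO) no longer than the shortest maximum tolerable downtime (MTD)
recorded for that process's impacts; otherwise the objective is not justified by
the impacts and the record goes back to the business function manager for
validation (2.1.3 and 2.1.4). All records below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Impact:
    description: str
    mtd_hours: int  # maximum tolerable downtime before this impact is unacceptable


@dataclass
class Component:
    name: str
    rto_hours: int  # recovery time objective assigned to the supporting component


@dataclass
class ProcessBIA:
    process: str
    impacts: list[Impact] = field(default_factory=list)
    components: list[Component] = field(default_factory=list)

    def tolerable_downtime(self) -> int:
        """The process may only be down as long as its most time-sensitive impact allows."""
        if not self.impacts:
            raise ValueError(f"{self.process}: no impacts recorded")
        return min(i.mtd_hours for i in self.impacts)

    def inconsistencies(self) -> list[str]:
        """One message per finding; an empty list means the record is consistent."""
        findings: list[str] = []
        if not self.impacts:
            findings.append(f"{self.process}: no impacts recorded")
        if not self.components:
            findings.append(f"{self.process}: no supporting components identified")
        if findings:  # incomplete questionnaire, nothing further to compare
            return findings
        limit = self.tolerable_downtime()
        for c in self.components:
            if c.rto_hours > limit:
                findings.append(
                    f"{self.process}: RTO of {c.name} ({c.rto_hours} h) "
                    f"exceeds the process MTD of {limit} h"
                )
        return findings


def validate_bia(records: list[ProcessBIA]) -> dict[str, list[str]]:
    """Run the check over every process and map each process to its findings."""
    return {r.process: r.inconsistencies() for r in records}


# Constructed sample data (not figures from the handbook).
SAMPLE_BIA = [
    ProcessBIA(
        "Order entry",
        impacts=[Impact("Operations: order backlog", 48), Impact("Reputation: customer complaints", 24)],
        components=[Component("Order application server", 36), Component("Web front end", 12)],
    ),
    ProcessBIA(
        "Payroll run",
        impacts=[Impact("Legal: late salary payment", 48)],
        components=[Component("HR system", 24)],
    ),
    ProcessBIA("Expense claims", components=[Component("Expense tool", 72)]),
]

if __name__ == "__main__":
    for process, findings in validate_bia(SAMPLE_BIA).items():
        print(process, "->", findings or "consistent")
```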
Exercise 7: Business Impact Analysis (BIA)
Certified ISO 22301 Lead Implementer Training
Section 15
Risk assessment
a. Risk identification
b. Risk analysis
c. Risk evaluation
2.2. Risk Assessment
Overview of the BCMS implementation steps (PDCA figure as in 2.1: 1. Plan 1.1–1.9, 2. Do 2.1–2.7, 3. Check 3.1–3.3, 4. Act 4.1–4.2); this section covers step 2.2 Risk assessment.
Requirements
ISO 22301, clause 8.2.3
Risk assessment
The organization shall establish, implement, and maintain a formal documented risk
assessment process that systematically identifies, analyses, and evaluates the risk of
disruptive incidents to the organization.
NOTE: This process could be made in accordance with ISO 31000:2009.
The organization shall:
a) identify risks of disruption to the organization’s prioritized activities and the
processes, systems, information, people, assets, outsource partners and other
resources that support them;
b) systematically analyze risk;
c) evaluate which disruption related risks require treatment; and
d) identify treatments commensurate with business continuity objectives and in
accordance with the organization’s risk appetite.
NOTE: The organization must be aware that certain financial or governmental obligations
require the communication of these risks at varying levels of detail. In addition, certain
societal needs can also warrant sharing of this information at an appropriate level of
detail.
Risk Management Process (ISO 31000)
Principles (clause 3): a) Creates value; b) Integral part of organizational processes; c) Part of decision making; d) Explicitly addresses uncertainty; e) Systematic, structured and timely; f) Based on the best available information; g) Tailored; h) Takes human and cultural factors into account; i) Transparent and inclusive; j) Dynamic, iterative and responsive to change; k) Facilitates continual improvement and enhancement of the organization
Framework (clause 4): Mandate and commitment (4.2) → Design of framework for managing risk (4.3) → Implementing risk management (4.4) → Monitoring and review of the framework (4.5) → Continual improvement of the framework (4.6)
Process (clause 5): Communication and consultation (5.2); Establishing the context (5.3); Risk assessment: Risk identification (5.4.2), Risk analysis (5.4.3), Risk evaluation (5.4.4); Risk treatment (5.5); Monitoring and review (5.6)
Tools and Methods for Risk Assessment
Presented in ISO 31010
Brainstorming; Structured or semi-structured interviews; Delphi; Check-lists; Primary hazard analysis; Hazard and operability studies (HAZOP); Hazard Analysis and Critical Control Points (HACCP); Environmental risk assessment; Structured « What if? » (SWIFT); Scenario analysis; Business impact analysis
Root cause analysis; Failure mode effect analysis; Fault tree analysis; Event tree analysis; Cause and consequence analysis; Cause-and-effect analysis; Layer protection analysis (LOPA); Decision tree; Human reliability analysis; Bow tie analysis
Reliability centered maintenance; Sneak circuit analysis; Markov analysis; Monte Carlo simulation; Bayesian statistics and Bayes nets; FN curves; Risk indices; Consequence/probability matrix; Cost/benefit analysis; Multi-criteria decision analysis (MCDA)
2.2. Risk Assessment
List of activities: 2.1 BIA → 2.2.1 Risk identification → 2.2.2 Risk analysis → 2.2.3 Risk evaluation → 2.3 BC strategy
2.2.1. Risk Identification
ISO 31000, clause 5.4.2
The organization should:
Identify sources of risk, areas of impacts, events and their causes
Include risks (internal and external) and examine their causes and consequences
Apply risk identification tools and techniques that are suited to its objectives and capabilities, and to the risks faced
Risk Identification Approach and Methods
ISO 31010, clause 5.2
Risk identification methods can include:
Evidence based methods, examples of which are check-lists and reviews of historical data
Systematic team approaches where a team of experts follows a systematic process to identify risks by means of a structured set of prompts or questions
Inductive reasoning techniques such as HAZOP
Various supporting techniques can be used to improve accuracy and completeness in risk identification, including brainstorming and the Delphi methodology
Note: HAZOP = HAZard and OPerability studies
Risk Identification
Main elements included in Risk Assessment Methods
1. Determination of the risk acceptance criteria and identification of acceptable risk levels
2. Identification of assets
3. Identification of threats to which assets are confronted
4. Identification of vulnerabilities that could be exploited by threats
5. Identification of impacts
6. Analysis and evaluation of the impact
7. Analysis and evaluation of the likelihood
8. Evaluation of risk levels
9. Determination of acceptable risk thresholds on the basis of established risks
10. Identification and evaluation of risk treatment choices
11. Selection of measures and controls for treating risks
2.2.2. Risk Analysis
ISO 31000, clause 5.4.3
Risk analysis is defined as the analysis of an environment for risks
Each risk is evaluated according to:
the losses it may cause
the probability of occurrence
the cost of countermeasures to mitigate the risk and the likely loss if those countermeasures were implemented
Risk Analysis Approach and Methods
ISO 31010, clause 5.3.1
Qualitative analysis:
Defines consequence, probability and level of risk by significance levels such as "high", "medium" and "low", may combine consequence and probability, and evaluates the resultant level of risk against qualitative criteria
Quantitative analysis:
Estimates practical values for consequences and their probabilities, and produces values of the level of risk in specific units defined when developing the context. Full quantitative analysis may not always be possible or desirable due to insufficient information
Analysis of Risk Scenarios
Usual main categories
1 Scenarios involving buildings
2 Scenarios involving utilities
3 Scenarios involving communication systems
4 Scenarios involving computer systems
5 Scenarios involving consumables
6 Scenarios involving people
7 Scenarios involving information or data
Analysis of Risk Scenarios
Example
Scenario 1: Unavailability of building
Possible causes / threats: Fire; Flood; Bomb alert; Strike; Demonstration; Gas leak; Hurricane; Earthquake
Consequences: Production stopped; Inability to ensure the logistics for delivery; Inability to bill delivered goods
Impact: 3; Probability: 2; Risk level: 6
Comments: In the last 10 years, the organization has lost 9 days because of the unavailability of the building (a strike of 7 days, 1 day for a hurricane alert, 1 for a gas leak)
Risk Determination Calculation
Example of a calculation table
Rows: asset value (0 to 4). Columns: likelihood of occurrence of the threat (Low / Medium / High), each split by vulnerability level (L / M / H).
| Asset value | Threat Low: L M H | Threat Medium: L M H | Threat High: L M H |
| 0 | 0 1 2 | 1 2 3 | 2 3 4 |
| 1 | 1 2 3 | 2 3 4 | 3 4 5 |
| 2 | 2 3 4 | 3 4 5 | 4 5 6 |
| 3 | 3 4 5 | 4 5 6 | 5 6 7 |
| 4 | 4 5 6 | 5 6 7 | 6 7 8 |
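The calculation table above is additive: each cell is the asset value plus an ordinal index for the threat likelihood and for the vulnerability level. The code below is an added example, not the handbook's own; it rebuilds the table from that rule and then applies the comparison step of risk evaluation (2.2.3), ranking a register against an acceptance threshold. The register entries and the threshold are constructed sample data.

```python
"""Risk determination and evaluation worked example (added, not the handbook's code).

Assumed scheme, read off the calculation table: risk level = asset value (0-4)
+ index of the threat likelihood (L=0, M=1, H=2)
+ index of the vulnerability level (L=0, M=1, H=2), which gives the 0-8 scale.
The register below and the acceptance threshold are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ordinal index for the Low / Medium / High ratings used in the table.
LEVEL_INDEX = {"L": 0, "M": 1, "H": 2}


def risk_level(asset_value: int, threat_likelihood: str, vulnerability: str) -> int:
    """Return the risk level (0-8) for one asset / threat / vulnerability combination."""
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be in the range 0..4")
    return asset_value + LEVEL_INDEX[threat_likelihood] + LEVEL_INDEX[vulnerability]


def calculation_table() -> list[list[int]]:
    """Rebuild the grid of the slide: one row per asset value 0..4 and nine
    columns ordered (threat L, M, H) x (vulnerability L, M, H)."""
    return [
        [risk_level(asset_value, threat, vuln) for threat in "LMH" for vuln in "LMH"]
        for asset_value in range(5)
    ]


@dataclass(frozen=True)
class RiskRecord:
    """One line of a risk register (constructed sample values below)."""
    asset: str
    threat: str
    asset_value: int
    threat_likelihood: str
    vulnerability: str


# Constructed sample register, not data from the handbook.
SAMPLE_REGISTER = [
    RiskRecord("Invoicing application server", "Fire in server room", 4, "L", "M"),
    RiskRecord("Customer database", "Ransomware", 4, "M", "H"),
    RiskRecord("Office printers", "Power outage", 1, "H", "L"),
    RiskRecord("Backup tapes", "Theft", 3, "L", "L"),
]


def evaluate(register: list[RiskRecord], acceptance_threshold: int) -> list[tuple[str, str, int, bool]]:
    """Score every record, rank by descending risk level (stable for ties) and
    flag the ones above the organization's acceptance threshold: this is the
    comparison against the risk acceptance criteria described in 2.2.3."""
    scored = [(r, risk_level(r.asset_value, r.threat_likelihood, r.vulnerability)) for r in register]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(r.asset, r.threat, level, level > acceptance_threshold) for r, level in scored]


if __name__ == "__main__":
    for row in calculation_table():
        print(" ".join(str(v) for v in row))
    for asset, threat, level, needs_treatment in evaluate(SAMPLE_REGISTER, acceptance_threshold=4):
        print(level, "TREAT" if needs_treatment else "accept", asset, "/", threat)
```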
2.2.3. Risk Evaluation
ISO 31000, clause 5.4.4
Risk evaluation is the comparison of the estimated risk level with the evaluation criteria and the risk acceptance criteria, and the prioritization of the risks
Risk evaluation is necessary before making a decision on possible options for risk treatment, including:
Whether a corrective action will be taken to reduce the level of calculated risk
Which risks will be given priority
Decisions resulting from Risk Evaluation
ISO 31010, clause 5.4
Decisions may include:
Whether a risk needs treatment
Priorities for treatment
Whether an activity should be undertaken
Which of a number of paths should be followed
Note: The decision on the actions to take after the risk evaluation will be influenced by the level of risk appetite of the organization
Example of a Risk Evaluation Matrix
Columns: Threat (asset) | Consequence value | Likelihood of threat occurrence | Level of risk | Threat priority ranking
Rows: Scenario A, Scenario B, Scenario C, Scenario D, Scenario E, Scenario F (the numeric cells of the table are not legible in this copy)
Evaluation of Risk
Selection of protection and mitigation measures
The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing risks, and for implementing protection and mitigation measures to protect against these risks
Measures can be selected from several standards or new controls can be designed to meet the specific needs of the organization
Certified ISO 22301 Lead Implementer Training
Section 16
Business continuity strategy
a. Analysis of the BC strategy options
b. Selection of the strategy for protecting prioritized activities
c. Selection of the strategy for stabilizing, continuing, resuming and recovering prioritized activities
d. Selection of the strategy for mitigating, responding to and managing impacts
e. Evaluation of the business continuity capabilities of the suppliers
2.3. Business Continuity Strategy
Overview of the BCMS implementation steps (PDCA figure as in 2.1: 1. Plan 1.1–1.9, 2. Do 2.1–2.7, 3. Check 3.1–3.3, 4. Act 4.1–4.2); this section covers step 2.3 Business continuity strategy.
Requirements
ISO 22301, clause 8.3.1
8.3 Business continuity strategy
8.3.1 Determination and selection
Determination and selection of strategy shall be based on the outputs
from the business impact analysis and risk assessment.
The organization shall determine an appropriate business continuity
strategy for:
a) protecting prioritized activities;
b) stabilizing, continuing, resuming and recovering prioritized activities
and their dependencies and supporting resources; and
c) mitigating, responding to and managing impacts.
The determination of strategy shall include approving prioritized time
frames for the resumption of activities.
The organization shall conduct evaluations of the business continuity
capabilities of suppliers.
Business Continuity Strategy
The objective of strategy selection is to assist in defining the action items needed to protect the organization and to select the most appropriate recovery solutions for critical business functions and supporting resources
The strategy needs to address the findings from the BIA and the risk assessment
The business continuity strategy forms the basis for the Business Continuity Plans
2.3. Business Continuity Strategy
List of activities: 2.1 BIA → 2.2 Risk analysis → 2.3.1 Strategy analysis & selection → 2.3.2 Strategy for protecting prioritized activities → 2.3.3 Strategy for stabilizing, continuing, resuming and recovering → 2.3.4 Strategy for mitigating, responding to and managing impacts → 2.3.5 Evaluation of the capabilities of suppliers → 2.4 Protection & mitigation measures
2.3.1 Analysis of the BC Strategy Options
The organization should determine appropriate strategy options for:
Protecting prioritized activities
Stabilizing, continuing, resuming and recovering prioritized activities
Mitigating, responding to and managing impacts
2.3.2 Selection of the Strategy for Protecting Prioritized Activities
The protection of prioritized activities may be targeted at:
1. Reducing the risk to the activity
2. Transferring the activity to a third party (though the responsibility remains with the organization)
3. Ceasing or changing the activity if viable alternatives are available
2.3.3 Selection of the Strategy for Stabilizing, Continuing, Resuming and Recovering Prioritized Activities
The organization should determine appropriate strategy
options for:
1 Activity relocation
2 Resource relocation or reallocation
3 Alternate processes and spare capacity
4 Resource and skills replacement
5 Temporary workaround
2.3.4 Selection of the Strategy for Mitigating, Responding to and Managing Impacts
The organization should determine appropriate strategy options for:
Purchase of insurance, which may provide some financial recompense for some losses, but will not meet all costs
Contracting the stand-by services of companies that specialize in the cleaning or repair of assets following their damage
Reputation management: developing an effective warning and communication capability and establishing effective communications procedures
Example of BC Strategy Options
Available BC strategies and the RTO they satisfy
Figure: cost of strategy (vertical axis) against time of recovery (horizontal axis). From the most expensive and fastest to the cheapest and slowest: IX. Hot site; VIII. Relocation in other group facilities; VII. Remote working; VI. Warm site; V. Reciprocal agreement; IV. Mobile site; III. Cold site; II. Rebuild and restoration; I. No strategy
I. No Strategy
Characteristics:
No strategy defined
No documentation for business recovery and continuity
Data are not sent off-site, and there is no alternate site identified
Strategy used by organizations with high risk appetite or for a site with low criticality; also, can be seen where a product has a limited life span
Advantages: The least expensive strategy to implement
Disadvantages: The most expensive strategy after a disaster…
II. Rebuild and Restoration
Characteristics:
Strategy focuses mainly on insurance
Documentation of the material assets and facilities
Data are not sent off-site, and there is no alternate site identified
Strategy used by organizations with moderate risk appetite or for a site with low criticality
Advantages:
Low cost strategy and easy to implement
Protection against the financial loss for physical assets
Disadvantages:
Strategy usually does not take into consideration the business processes and immaterial assets
Strategy does not include a plan to ensure continuity of operation during a disaster
III. Cold Site
Characteristics:
- Facility with electrical power and Heating, Ventilation and Air Conditioning (HVAC)
- Ready for equipment but no computer hardware on site
- Communications links may or may not be ready
- Strategy used by organizations with a moderate risk appetite or for a site with low criticality
Advantages:
- Low cost
- Fast to implement
- Easy to maintain
Disadvantages:
- False sense of security
- Length of time for recovery can be long, depending on the complexity of the technology and equipment used by the organization
- Service provider may oversell processing capabilities
14
IV. Mobile Site
Characteristics:
- Trailer that can be quickly transported to an alternate site
- Can be preconfigured with servers, desktop computers, communications equipment, microwave and satellite data links
- Useful alternative when there are no recovery facilities in the geographic area
Advantages:
- Low cost
- Fast to implement
- Easy to maintain
- Flexibility
Disadvantages:
- Capacity of the equipment can be insufficient for the need
15
V. Reciprocal Agreement
Characteristics:
- Arrangement with another company with similar hardware or software configurations
- Agreement by both parties; assumes sufficient capacity in time of need (a big assumption)
- Should only be considered if there are no other options, or with a perfect partner with a compatible technology environment
Advantages:
- Low or no cost
- If processing requirements are similar it may be workable
Disadvantages:
- Highly unlikely the capacity will exist
- Severely limits responsiveness and support
16
VI. Warm Site
Characteristics:
- Facility with electrical power, Heating, Ventilation and Air Conditioning (HVAC) and communication links
- Workstations and printers are available but software may not be installed
- Strategy used by organizations with a moderate or low risk appetite or for a site with low or medium criticality
Advantages:
- Cost: much less than a hot site
- Location: since less control is required, sites can be more flexible
Disadvantages:
- Service provider may oversell processing capabilities
17
VII. Remote Working
Characteristics:
- Includes the concept of “working from home” and working from other non-corporate locations, e.g. hotels
- Strategy used by small organizations or for some business units
Advantages:
- Low cost and easy to implement for a small organization
- Flexible solution
Disadvantages:
- Due to security and confidentiality issues this option is not always suitable
- Difficult to coordinate for large organizations
18
VIII. Relocation in Other Group Facilities
Characteristics:
- In case of a disruptive incident affecting an organizational division, the relocation is done in another facility of the same organization
- Strategy used by large organizations with several facilities
Advantages:
- Cost can be low to medium
- Easy to implement
- In most cases, compatibility of the technology
- Quick response to activate
Disadvantages:
- No assurance that the capacity will exist when needed
- Resource contention during a disaster
19
IX. Hot Site
Characteristics:
- Applications are installed on the servers and workstations
- Workstations and servers are kept up to date
- Strategy used by organizations with a very low risk appetite or for a site with high criticality
Advantages:
- 24/7 availability, exclusivity of use
- Immediately available
- Supports short and long term outages
Disadvantages:
- Expensive
- Requires constant maintenance of hardware, software, data and applications
- Security of the hot site: primary site security must be duplicated
20
2.3.5 Evaluation of the Business Continuity Capabilities of Suppliers
The organization should assess the relevant risks and then take adequate steps to ensure that critical equipment and services provided by suppliers can be maintained in case of a disruptive incident affecting those suppliers.
For critical activities that are outsourced or dependent on a supplier, a regular evaluation of the supplier's BC capabilities should be carried out, for example by:
- Asking the suppliers to be ISO 22301 certified
- Auditing the suppliers
- Obtaining audited evidence of the viability of key suppliers’ continuity plans
21
Signature of an Agreement
When the strategy depends on an alternative site, the agreement should cover:
1. Contract/agreement duration
2. Cost/fee structure (daily usage), annual cost/fee increases
3. Site/facility priority access and/or use, site availability and guarantee
4. Contract/agreement change, modification or termination process and conditions
5. Information system requirements (including data and telecommunication requirements) for hardware, software, and any special system needs (hardware and software)
6. Security requirements, including special security needs
7. Staff, facilities service, supplies and support provided/not provided
8. Testing, including scheduling, availability, test time duration
9. Records management (onsite and offsite), including electronic media and hardcopy
10. Service-level management (performance measures and management of quality of information system services provided), process to negotiate extension of service
11. Work space requirements (e.g., chairs, desks, telephones, personal computers)
12. Other contractual issues, as applicable
22
Questions?
23
Exercise 8
Selection of a business continuity strategy
24
Certified ISO 22301
Lead Implementer Training
Section 17
Protection and mitigation measures
a. Protection & mitigation measure
b. Preventive measure
c. Detective measure
d. Corrective measure
25
2.4. Protection & Mitigation Measures
1. Plan: 1.1 Initiating the BCMS; 1.2 Understanding the organization; 1.3 Analyze the existing system; 1.4 Scope; 1.5 Leadership and planning; 1.6 BC policy; 1.7 Organizational structure; 1.8 Documented information; 1.9 Competence & awareness
2. Do: 2.1 Business Impact Analysis (BIA); 2.2 Risk assessment; 2.3 Business continuity strategy; 2.4 Protection & mitigation measures; 2.5 Business continuity plan & procedures; 2.6 Communication; 2.7 Exercising and testing
3. Check: 3.1 Monitoring, measurement, analysis and evaluation; 3.2 Internal audit; 3.3 Management review
4. Act: 4.1 Nonconformities & corrective action; 4.2 Continual improvement
26
Requirements
ISO 22301, clause 8.3.3
Protection and mitigation
For identified risks requiring treatment, the organization shall consider proactive
measures that:
a) reduce the likelihood of disruption;
b) shorten the period of disruption; and
c) limit the impact of disruption on the organization’s key products and
services.
The organization shall choose and implement appropriate risk treatments in
accordance with its level of risk acceptance.
27
2.4. Protection & Mitigation Measures
List of Activities
2.1 BIA; 2.2 Risk assessment; 2.3 Business continuity strategy; 2.4.1 Preventive measures; 2.4.2 Detective measures; 2.4.3 Corrective measures; 2.5 Business continuity plan; 2.6 Communication
28
Implementation of Protection & Mitigation Measures
Figure: preventive measures, detective measures and corrective measures placed on a timeline around the disaster.
29
Risk Scenarios and Selection of Protection and Mitigation Measures
Example
Scenario: Failure of the utilities
- Likelihood: Possible (3); Impact: Serious (3); Evaluation: High
- Protection & mitigation measures: Redundancy in air conditioning equipment; Protection of technical rooms; Fast intervention contract; Redundancy in the competences of staff; Documentation of the maintenance tasks
Scenario: Unauthorized access to the site
- Likelihood: Regular (4); Impact: Important (2); Evaluation: High
- Protection & mitigation measures: Enforce the respect of the physical security policy; Enforce the respect of the physical access policy for the rooms and resources
Scenario: External intentional vandalism
- Likelihood: Possible (3); Impact: Serious (3); Evaluation: High
- Protection & mitigation measures: Redundancy of system; Regular testing of emergency equipment
Scenario: Electrical failure
- Likelihood: Rare (2); Impact: Important (2); Evaluation: Significant
- Protection & mitigation measures: Adapted and full backup; Physical protection of the building; Regular testing of electricity generators; Connection to two electrical transformer stations; UPS and secure stop of the machinery; Use of equipment with double power supply; Fast intervention contracts
30
2.4.1. Implementation of Preventive Measures
Reduce the likelihood and the possible impact
Areas: Risk management; Physical & logical protection; Change & configuration management; Equipment maintenance
Preventive measures:
- Work proactively
- Make sure your preparation is appropriate
- Discourage the appearance of problems
- Must be based on continual improvement
31
2.4.2. Implementation of Detective Measures
Reduce the impact
Areas: Alerting; Incident management; Monitoring
Detective measures:
- Detect and identify anomalies
- Give quick indication
- Are non-discriminating
- Must be followed by an escalation procedure
32
2.4.3. Implementation of Corrective Measures
Mitigate the consequences
Areas: BC and DR plans; Communication; Backup; Nonconformity follow-up
Corrective measures:
- Work short term or long term
- Must follow change management
- Human involvement most likely required
- Must be incorporated into continual improvement
33
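The risk-scenario example table earlier in this section lists measures per scenario without saying which of the three types (preventive, detective, corrective) each one is. The script below, an added example that is not part of the ITpreneurs handbook or of ISO 22301, puts the four scenarios from that table into a small register, computes the evaluation from likelihood and impact, and flags scenarios that lack at least one measure of each type. The 4-point scales, the thresholds (chosen so the four scenarios land on the evaluation the table gives them) and the preventive/detective/corrective tag on each measure are the example's own assumptions, not the handbook's.

```python
"""Risk scenario evaluation and measure-coverage check for a protection & mitigation register.

Added example; not tooling from the handbook or from ISO 22301. Scales, thresholds and
the per-measure type tags are assumptions made for the example. The four scenarios are
the ones from the handbook's example table, entered by hand.
"""
from dataclasses import dataclass, field

# Assumed 4-point scales; the numbers are the bracketed values shown in the table.
LIKELIHOOD = {"Rare": 2, "Possible": 3, "Regular": 4}
IMPACT = {"Important": 2, "Serious": 3}

MEASURE_TYPES = ("preventive", "detective", "corrective")


def evaluate(likelihood: str, impact: str) -> str:
    """Evaluation level from likelihood x impact (assumed thresholds)."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 8:
        return "High"
    if score >= 4:
        return "Significant"
    return "Low"


@dataclass
class Measure:
    text: str
    kind: str  # one of MEASURE_TYPES; the tag is the example's own classification


@dataclass
class Scenario:
    name: str
    likelihood: str
    impact: str
    measures: list = field(default_factory=list)


def coverage_gaps(scenario: Scenario) -> list:
    """Measure types with no entry for this scenario (a treated risk should have all three)."""
    present = {m.kind for m in scenario.measures}
    return [t for t in MEASURE_TYPES if t not in present]


# Constructed register: scenarios and measures from the handbook's example table.
REGISTER = [
    Scenario("Failure of the utilities", "Possible", "Serious", [
        Measure("Redundancy in air conditioning equipment", "preventive"),
        Measure("Protection of technical rooms", "preventive"),
        Measure("Fast intervention contract", "corrective"),
        Measure("Redundancy in the competences of staff", "corrective"),
        Measure("Documentation of the maintenance tasks", "preventive"),
    ]),
    Scenario("Unauthorized access to the site", "Regular", "Important", [
        Measure("Enforce the respect of the physical security policy", "preventive"),
        Measure("Enforce the respect of the physical access policy for rooms and resources", "preventive"),
    ]),
    Scenario("External intentional vandalism", "Possible", "Serious", [
        Measure("Redundancy of system", "corrective"),
        Measure("Regular testing of emergency equipment", "detective"),
    ]),
    Scenario("Electrical failure", "Rare", "Important", [
        Measure("Adapted and full backup", "corrective"),
        Measure("Physical protection of the building", "preventive"),
        Measure("Regular testing of electricity generators", "detective"),
        Measure("Connection to two electrical transformer stations", "preventive"),
        Measure("UPS and secure stop of the machinery", "corrective"),
        Measure("Use of equipment with double power supply", "preventive"),
        Measure("Fast intervention contracts", "corrective"),
    ]),
]


def review_register(register=REGISTER) -> dict:
    """Map scenario name -> (evaluation level, list of missing measure types)."""
    return {s.name: (evaluate(s.likelihood, s.impact), coverage_gaps(s)) for s in register}


if __name__ == "__main__":
    for name, (level, gaps) in review_register().items():
        status = "complete" if not gaps else "missing: " + ", ".join(gaps)
        print(f"{name:34s} {level:12s} {status}")
```

With the tags as assigned, only the electrical failure scenario carries all three measure types; the other three have no detective or no corrective entry, which is the kind of gap the escalation requirement in 2.4.2 and the change-management requirement in 2.4.3 are meant to close before the register is approved.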
Questions?
34
Exercise 9
Mitigation measures
35
Certified ISO 22301
Lead Implementer Training
Section 18
Business continuity plans and procedures
a. Business continuity plan development
b. Plan format and structure
c. Business continuity plan content
d. Types of business continuity plans
e. Activation of the different plans
36
2.5. Business Continuity Plans and Procedures
1. Plan: 1.1 Initiating the BCMS; 1.2 Understanding the organization; 1.3 Analyze the existing system; 1.4 Scope; 1.5 Leadership and planning; 1.6 BC policy; 1.7 Organizational structure; 1.8 Documented information; 1.9 Competence & awareness
2. Do: 2.1 Business Impact Analysis (BIA); 2.2 Risk assessment; 2.3 Business continuity strategy; 2.4 Protection & mitigation measures; 2.5 Business continuity plan & procedures; 2.6 Communication; 2.7 Exercising and testing
3. Check: 3.1 Monitoring, measurement, analysis and evaluation; 3.2 Internal audit; 3.3 Management review
4. Act: 4.1 Nonconformities & corrective action; 4.2 Continual improvement
37
Requirements
ISO 22301, clause 8.4.1
Establish and implement business continuity procedures
The organization shall establish, implement, and maintain business
continuity procedures to manage a disruptive event and continue its
activities based on recovery objectives identified in the business
impact analysis.
The organization shall document procedures (including necessary
arrangements) to ensure continuity of activities and management of
a disruptive incident.
38
Requirements
ISO 22301, clause 8.4.4
Business continuity plans
The organization shall establish documented procedures for responding to a
disruptive incident and how it will continue or recover its activities within a
predetermined timeframe. Such procedures shall address the requirements of
those who will use them.
Each plan shall define:
− purpose and scope;
− objectives;
− activation criteria and procedures;
− implementation procedures;
− roles, responsibilities, and authorities;
− communication requirements and procedures;
− internal and external interdependencies and interactions;
− resource requirements; and
− information flow and documentation processes.
39
Business Continuity Plan (BCP)
Goals
- Time required to execute the plan must be within or equal to the RTO
- Address the business disruption, interruption or loss from the initial response to the point at which normal business operations are resumed
- It is based upon the agreed Business Continuity Strategies and provides procedures and processes for both the business continuity and resource recovery teams
- In particular, the plan allocates roles and their accountability, responsibility and authority
- The plan must also detail the interfaces and the principles for dealing with a number of key issues, e.g. internal/external communications, key suppliers, external bodies, emergency services and the media
40
2.5. Business Continuity Plans and Procedures
List of activities
2.2 Risk analysis; 2.3 Business continuity strategy; 2.4 Protection & mitigation measures; 2.5.1 Plan development process; 2.5.2 Plan format & structure; 2.5.3 Draft the BC plan(s); 2.5.4 Draft the BC procedures; 2.6 Communication; 2.7 Exercising & testing
41
2.5.1. Business Continuity Plan Development Process
1. Appoint a responsible
2. Strategy & approach
3. Structure, format, components
4. Gather information
5. Draft
6. Review
7. Publish
8. Use
9. Review
42