ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
2.5.2. Define a Plan Format
and Structure
Recommendations
The structure of the BCP should be customized to meet the
specific needs of the organization
While following a BCP structure is not mandated, it is
recommended that a standard BCP format be adopted to
enable consistent application across an organization
Good practices identifie that a BCP should be modular in
design with different consecutively numbered/named sections
The different sections of the BCP provide an opportunity to
form separate documents (named: modules, sections or
“subplans”) that can be supplied to individuals and/or teams
on a need to know basis
43
2.5.3. Drafting the BC Plan(s)
Minimum content required by ISO 22301
1 Purpose and scope
2 Objectives
3 Activation criteria and procedures
4 Implementation procedures
5 Roles, responsibilities, and authorities
6 Communication requirements and procedures
7 Internal and external interdependencies and interactions
8 Resource requirements
9 Information flow and documentation processes
44
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 153
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Content to exclude from the BC Plan
The following details are not essential to the invocation and
operation of the business continuity plan and should be
excluded and kept in separate documents:
Risk Assessment
Business Impact Analysis
Exercise, Rehearsal or Testing Reports
Maintenance Process
Audit Report
Other non-essential information and records
45
Business Continuity
Plan Content (part 1)
Example Description
Section Introduction, purpose (aim) of the plan, scope, objectives, assumptions, plan
ownership, event/decision log
1. Plan Overview
Site Business Continuity Management Coordinator, Business Unit Manager, Business
2. Accountability, Unit BCM Team
responsibilities
and authority Notification process and/or flowchart, invocation process and/or flowchart, escalation
3. Notification, process and/or flowchart, call out lists (call trees) (including a reverse cascade)
invocation and process and/or flowchart
escalation BCM team membership, location and contact details of BCM command center(s),
map of BCM command center location (s), command center locations
4. BCM Team
Internal personnel, external contacts including subject experts
5. Contacts
Mandatory tasks, discretionary tasks, task completion tracking process
6. Task Checklist
and aide Personnel, injuries and fatalities, staff welfare and counseling, media and public
memoires relations, health and safety, emergency services liaison, finance, legal advice,
suppliers (intra-organization and outsourced providers), insurance, invocation of
7. Supporting specialist services, communications
information
46
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 154
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Business Continuity
Plan Content (part 2)
Section Description
8. Critical Business Activities Schedule of Critical Business Activities or support
activities, Critical Business Activities or support activities
9. Recovery site location (Intra- (RTO and RPO objectives) recovery
organization or outsourced action plan, BCM resource recovery profile, BCM recovery
supplier) profile
Invocation process and/or flowchart, recovery site (work
10. Recovery resource profile area) floor plan layout, map of recovery site location,
relocation of staff (including transport and
11. Form templates accommodation), security, mail.
Appendices Standard Workstations i.e. desk, chair, telephone and PC,
Computer equipment, software applications, technology
connectivity, telecommunications, backed-up data,
vital/unique documents/records, office equipment,
specialist equipment, office supplies, recovery site
requirements e.g. disabled person access.
Meetings agenda, internal briefing, decision and action
log, task list status report, telephone message, action or
task worksheet.
Contracts and Service Level Agreements, return home
47
Types of Plans
Plan Purpose
Business continuity Documented procedures that guide organizations to respond, recover, resume,
plan and restore to a pre-defined level of operation following disruption
Documented procedures that guide organizations to respond to an incident that
Incident response plan may be used to support and enhance mitigation of, response to, and recovery
from disruptions, disasters, or emergencies
Emergency response
plan Coordinated procedures for minimizing loss of life or injury and protecting
Crisis management property damage in response to a physical threat
plan
Coordinated procedures to manage complex situations that represent a threat
Recovery plan to the strategic objectives, reputation or existence of an organization
Restoration plan Coordinated procedures to recover and maintain critical business operations,
possibly at an alternate location, in the event of emergencies, system failures,
Communication plan or disasters in time to restore normal operations at the primary site
Coordinated procedures to recover and restore business operations following a
Training and awareness disaster to return to normal activities. This may include clean up or rebuilding
plan facilities, networks or operational capability
Testing and exercising
plan Provides procedures for disseminating status reports
to personnel and the public
To ensure competency and awareness of personnel
To ensure the effectiveness of the business continuity plans and procedures
48
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 155
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
2.5.4. Drafting the BC 49
Related Procedures 50
ISO 22301, clause 3.39
Procedure
Definition: Specified way to carry
out an activity or a process
The structure and format of the
documented procedures (hard
copy or electronic media) should
be defined by the organization in
the following ways: text, flow
charts, tables, a combination of the
above, or any other suitable
method in accordance with the
needs of the organization
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 156
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Description of Activities in a Procedure
The 6 W’s
1. Who
2. What
3. How
4. When
5. Where
6. Why
Example:
The network administrator (Who) makes sure that backups
are completed (What) by reviewing backup logs (how) each
morning (When). Following the review, he completes and
signs a checklist (Where) that is retained for future reference
(Why)
51
Questions?
52
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 157
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Certified ISO 22301
Lead Implementer Training
Section 19
Incident response plan
a. Monitoring of events
b. Detection of incidents
c. Assessment and evaluation of incidents
d. Activation of an incident response
e. Structured incident response communication
f. Escalation of incidents
g. Documentation about an incident
53
Requirements
ISO 22301, clause 8.4.2
Incident response structure
The organization shall establish, document, and implement procedures and a management
structure to respond to a disruptive incident using personnel with the necessary responsibility,
authority and competence to manage an incident.
The response structure shall:
a) identify impact thresholds that justify initiation of formal response;
b) assess the nature and extent of a disruptive incident and its potential impact;
c) activate an appropriate business continuity response;
d) have processes, and procedures for the activation, operation, coordination, and
communication of the response;
e) have resources available to support the processes and procedures to manage a
disruptive incident in order to minimize impact; and
f) communicate with interested parties and authorities, as well as the media.
The organization shall decide, using life safety as the first priority and in consultation with
relevant interested parties, whether to communicate externally about its significant risks and
impacts and document its decision. If the decision is to communicate then the organization
shall establish and implement procedures for this external communication, alerts and warnings
including the media as appropriate.
54
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 158
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Requirements
ISO 22301, clause 8.4.3
Warning and communication
The organization shall establish, implement and maintain procedures for:
a) detecting an incident,
b) regular monitoring of an incident,
c) internal communication within the organization and receiving, documenting and
responding to communication from interested parties,
d) receiving, documenting and responding to any national or regional risk advisory
system or equivalent,
e) assuring availability of the means of communication during a disruptive incident,
f) facilitating structured communication with emergency responders,
g) recording of vital information about the incident, actions taken and decisions made,
and the following shall also be considered and implemented where applicable:
The following shall also be considered and implemented where applicable:
− alerting interested parties potentially impacted by an actual or impending disruptive
incident;
− assuring the interoperability of multiple responding organizations and personnel;
− operation of a communications facility.
The communication and warning procedures shall be regularly exercised.
55
Incident Response Plan
Objectives and common content
The incident response plan should integrate processes and
procedures to:
I. Monitor events that can result in incidents
II. Detect an incident
III. Assess and evaluate an incident
IV. Declare an incident response
V. Facilitate a structured communication
VI. Escalate an incident
VII. Document and record vital information about the
incident
VIII.Review an incident
56
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 159
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
What is an Incident?
ISO 22301, clause 3.19
Definition: Situation that might be, or could lead to, a
disruption, loss, emergency or crisis
Important to not confuse with the use of the term
« Incident » in information security and information
technology field
An unplanned interruption to a service (ITIL)
Single or a series of unwanted or unexpected information
security events that have a significant probability of
compromising business operations and threatening
information security (ISO 27000)
57
I. Monitoring of Events
The organization needs to monitor events that could lead
to an incident
Monitoring should be in line with scenarios documented
in the risk assessment and BIA
Monitoring can be done by:
The use of detection tools and the analysis of trends
Sharing and exchanging with experts
Received early warnings and advisories from
authorities, emergency services, suppliers,
customers, media, etc.
58
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 160
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Events reporting
An outage or disruption may occur with or without prior
notice
Events predicted should be communicated to relevant
stakeholders
Examples:
An advance notice that a hurricane is predicted to affect an area
by the National Weather Service
Notices and warning about a possible new avian flu sent by the
World Health Organization
An alert from the CERT (Computer Emergency Response Team)
that a computer virus is expected on a certain date
59
II. Detection of Incidents
The organization needs to implement measures to detect
incidents and collect information associated with them
The detection measures should be in line with scenarios
documented in the risk assessment and BIA
Alerts on IT system Alarm system Bomb and metal
detector
60
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 161
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
III. Assessment and Evaluation
of the Incident
Example of a process
User/Source Operations Support Crisis management
Group Incident Response team team
Event Detection
Reporting Reporting
Information Collection Assessment
Decision
First Assesment
No Yes Second Assesment
Relevant?
False positive No Relevant?
Yes
Time No Response
Forensic Analysis Immediate Incident No Crisis?
Communications Response under
control??
Yes Yes
Later Responses ‘’Crisis’’
Activities
Review
Continuous improvement
61
IV. Invocation of an Incident Response
Criteria and procedures
The BC plan should be activated if one or more of the activation
criteria are met
If an activation criterion is met, the designated authority should
activate the plan
Activation criteria for system outages or disruptions are unique for
each organization and should be defined
Criteria may be based on:
Extent of any damage to the system (e.g., physical, operational, or
cost)
Criticality of the system to the organization’s mission (e.g. critical
infrastructure protection asset)
Expected duration of the outage lasting longer than the RTO
62
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 162
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
V. Incident Response Communication
Incident response communication
To contact the emergency
responders
To alert interested parties
potentially impacted by an actual
or impending disruptive incident
To assure the interoperability of
multiple responding
organizations and personnel
63
Notification Methods
Notifications can be accomplished through a variety of
methods, either automated or manual and include:
Telephone
Email
Cell phone
Visit in person at home, etc.
Automated notification systems follow established protocols
and criteria and can include rapid authentication and
acceptance, and secure messaging
Automated notification systems require up-front investment
and learning curve, but may be an effective way for some
organizations to ensure prompt and accurate delivery
64
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 163
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
VI. Escalation of an Incident
Example of an incident escalation scale
Incident
Mode
Standard Crisis
Mode Mode
Disaster
Mode
65
VII. Documentation of an Incident
All relevant information related to the incident should be
recorded, including:
1. Description of the event
2. Category and priority
3. Date/time of the recording, escalation, decision
4. Assets and processes affected
5. Groups or individuals affected by the incident
6. Activities undertaken to resolve the incident and
their results
7. Decisions made
66
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 164
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
VIII. Post-incident Review
In the event of an incident that disrupts the organization’s prioritized
activities or requires an incident response, a post-incident review
should be undertaken. This may include:
1. Identifying the nature and cause of the incident
2. Assessing the adequacy of management’s response
3. Assessing the organization’s effectiveness in meeting its
recovery time objectives
4. Assessing the adequacy of the business continuity
arrangements in preparing employees for the incident
5. Identifying improvements to be made
6. Comparing actual impacts with those considered during the
business impact analysis
7. Obtaining feedback from interested parties and those who have
participated in the response
67
Questions?
68
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 165
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Certified ISO 22301
Lead Implementer Training
Section 20
Emergency response plan
a. What Is an emergency?
b. Objectives of an emergency response plan
c. Roles and responsibilities
d. Evacuation procedure
e. Emergency reporting procedure
f. Controls to limit impacts during an emergency
g. Preventive and detective controls
h. Awareness, drill and training
69
Requirements
ISO 22301, clause 8.4.4
Business continuity plans
The response procedures shall collectively contain:
c) details to manage the immediate consequences of a
business disruption giving due regard to:
1) the welfare of individuals,
2) strategic and operational options for responding to the
disruption, and
3) prevention of further loss or unavailability of prioritized
activities;
70
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 166
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
What Is an Emergency?
ISO 22399, clause 3.6
Definition: sudden, urgent, usually unexpected
occurrence or event requiring immediate action
Obviously, numerous events can be "emergencies,"
including:
Fire
Hazardous materials incident
Flood or flash flood
Hurricane
Tornado
Winter storm
Earthquake
Communications failure
Radiological accident
Civil disturbance
Loss of key supplier or customer
Explosion, etc.
71
Objectives of an Emergency
Response Plan
1st PRIORITY: PROTECT LIFE
Protecting the health and safety of everyone in the facility is
the first priority during an emergency
The other priorities can be:
Protect the environment
Limit the financial lost
Protecting the health and safety of animals
Protect records,
Restoring operations, etc.
72
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 167
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Emergency Response Plan
Common elements to be included
I. Roles and responsibilities
II. Evacuation procedure
III. Emergency reporting procedure
IV. Immediate measures to limit impacts during an
emergency situation
V. Facility and systems shutdown procedure
VI. Preventive and detective measures
VII. Awareness, drill and training
73
I. Roles and responsibilities
Emergency Response Coordinator
Usually, the emergency response coordinator is the
facility manager
He is in command and control all aspects of the
emergency:
Drafting the emergency response procedures
Implement physical preventive controls
Order the evacuation or shutdown of the facility
Organize drills and exercises of evacuation
74
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 168
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
II. Evacuation Procedure
Best practices
1. Determine the conditions under which an evacuation would be necessary
2. Identify personnel with the authority to order an evacuation. Designate
"evacuation wardens" to assist others in an evacuation and to account for
personnel
3. Establish specific evacuation procedures. Establish a system for
accounting for personnel. Consider employees' transportation needs for
community-wide evacuations
4. Establish procedures for assisting persons with disabilities and those who
do not speak the local language
5. Draft post evacuation procedures
6. Designate personnel to continue or shut down
critical operations while an evacuation is underway. They must
be capable of recognizing when to abandon the operation and
evacuate themselves
7. Coordinate plans with the local emergency management office
75
Evacuation Routes and Exits
Essential elements with evacuation procedure
1. Designate primary and secondary evacuation routes and
exits. Have them clearly marked and well lit. Post signs
2. Install emergency lighting in case a power outage occurs
during an evacuation
3. Ensure that evacuation routes and emergency exits are:
Wide enough to accommodate the number of evacuating personnel
Clear and unobstructed at all times
Unlikely to expose evacuating personnel to additional hazards
76
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 169
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
III. Emergency Reporting Procedure
Emergency Call Lists
Lists (wallet size if possible) of all persons on and off site
who would be involved in responding to an emergency,
their responsibilities and their 24-hour telephone
numbers
Determine state and local requirements for reporting
emergencies, and incorporate them into your procedures
Police
Fire department
Gas company
Telecommunication providers, etc.
77
IV. Immediate Measures
to Limit Impacts
Elements to take in consideration during an emergency
If possible, the discoverer should attempt to secure the scene and
control access, but no one should be placed in physical danger to
perform these functions
Basic security measures include:
Closing doors or windows
Establishing temporary barriers with furniture after people have safely
evacuated
Dropping containment materials (absorbent pads, etc.) in the path of
leaking materials
Closing file cabinets or desk drawers
Only trained personnel should be allowed to perform advanced
security measures
Access to the facility should be limited to persons directly involved in
the response
78
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 170
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
V. Facility and Systems Shutdown
Establish shutdown procedures
Facility shutdown is generally a last resort but always a possibility.
Improper or disorganized shutdown can result in confusion, injury
and property damage
Some facilities require only simple actions such as turning off
equipment, locking doors and activating alarms. Others require
complex shutdown procedures
Work with department heads to establish shutdown procedures.
Include information about when and how to shut off utilities. Identify:
The conditions that could necessitate a shutdown
Who can order a shutdown
Who will carry out shutdown procedures
How a partial shutdown would affect other facility operations
The length of time required for shutdown and restarting
79
VI. Preventive and Detective Controls
Examples of measures that can be implemented before an
emergency
Fire protection systems
Lightning protection systems
Water-level monitoring systems
Overflow detection devices
Automatic shutoffs
Emergency power generation systems
80
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 171
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
VII. Awareness, Drill and Training
1. Orientation and Education Sessions: These are regularly scheduled discussion sessions
to provide information, answer questions and identify needs and concerns
2. Tabletop Exercise: Members of the emergency management group meet in a conference
room setting to discuss their responsibilities and how they would react to emergency scenarios.
This is a cost-effective and efficient way to identify areas of overlap and confusion before
conducting more demanding training activities
3. Walk-through Drill: The emergency management group and response teams actually perform
their emergency response functions. This activity generally involves more people and is more
thorough than a tabletop exercise
4. Functional Drills: These drills test specific functions such as medical response, emergency
notifications, warning and communications procedures and equipment, though not necessarily at
the same time. Personnel are asked to evaluate the systems and identify problem areas
5. Evacuation Drill: Personnel walk the evacuation route to a designated area where procedures
for accounting for all personnel are tested. Participants are asked to make notes as they go along
of what might become a hazard during an emergency, e.g., stairways cluttered with debris, smoke
in the hallways. Plans are modified accordingly
6. Full-scale Exercise: A real-life emergency situation is simulated as closely as possible. This
exercise involves company emergency response personnel, employees, management and
community response organizations
81
Questions?
82
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 172
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Exercise 10
Preparation of evidence for an audit of the emergency
response plan
83
Certified ISO 22301
Lead Implementer Training
Section 21
Crisis management plan
a. What is a crisis?
b. Crisis Management Plan Development
c. Crisis Management Plan Content
84
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 173
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Requirements
No formal requirements from ISO 22301 (All topics
included in a crisis plan can be included in the other
plans)
The crisis plan usually incorporates the incident
response plan, the emergency response plan and the
communication plan in a single plan
Important: The developed plan and procedures should allow
to response at the same time in a coherent,
integrated and complementary way
85
What is a Crisis?
ISO 22300, clause 2.1.12
Situation with high level of uncertainty that disrupts the core
activities and/or credibility of an organization and requires
urgent action
86
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 174
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Crisis Characteristics
Crises do not always involve business interruption or
direct threats to life, property, assets
However, they almost always challenge an
organization’s reputation and brand, even if it is only
through the need to demonstrate resilience and effective
leadership
Crises can become highly politicized and subject to
intense public and media scrutiny
87
Crisis Management Plan
Objectives and common elements included
The crisis management plan should integrate processes
and procedures to:
I. Roles, accountability, responsibility and authority
II. Emergency Procedures
III. Notification, invocation and escalation
IV. Crisis Committee and crisis management teams
V. Crisis communication plan
88
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 175
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Crisis Management
A Top management responsability
The roles of strategic management are amplified during a
crisis
They are likely to include direct intervention and decisive
strategic leadership along lines that cannot be preconceived
They may even include strategic repositioning of the
organization as a whole, and for that reason crisis
management is the domain of top management
Essentially, top managers, endorse and support BCM, but
they tend to implement, lead
and direct crisis management
89
Crisis Management deals
with Complexity
A lot of disruptive incidents (tornado, earthquake, etc.) are
predictable and pre-prepared responses can be developed
Crisis, on the other hand, are often produced by risks that had
not been identified, or at least not identified with the scale and
intensity they presented
Crisis may also be the product of an unforeseen combination
of interdependent risks. They develop in unpredictable ways,
and the response usually requires genuinely creative, as
opposed to pre-prepared, solutions
Crisis management needs to be able to deal with issues that
may not be manageable within BCM procedures, how well
developed these may be
90
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 176
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Crisis Management deals with Dilemmas
Crises are associated with highly complex problems, the full
implications and nature of which may be unclear at the time.
Each possible solution may have severe consequences in
one form or another
Managers may have to choose the “least bad” solution and
may have to resolve (or at least recognize and accept)
fundamental strategic dilemmas. These might mean that
every choice comes with a penalty of some sort and that there
is no ideal solution
91
Communication
A key factor of success
Even if the organization is perceived to be at fault or
blameworthy, the demonstration of virtue, integrity and
compassion can offset, to some extent, the damage to its
reputation and standing
A well-managed crisis can demonstrate the positive
qualities of an organization and enhance its general
reputation
92
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 177
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Questions?
93
Exercise 11
Pandemic plan
94
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 178
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Certified ISO 22301
Lead Implementer Training
Section 22
IT recovery plan
a. Objectives of the IT recovery plan
b. Activation of the recovery site
c. Transfer to the recovery site and logistics
d. Equipment supply
e. Financial and administrative procedures
f. Telecommunication recovery
g. Data recovery and backup procedures
h. Recovery of services and systems by priority
i. Recovery procedure for each system
95
Requirements
ISO 22301, clause 8.4.4
Business continuity plans
The organization shall establish documented procedures for
responding to a disruptive incident and how it will
continue or recover its activities within a predetermined
timeframe. Such procedures shall address the requirements
of those who will use them.
96
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 179
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
IT Recovery Plan
Objectives and common elements included
The IT recovery plan should integrate processes and
procedures to:
I. Activation of the recovery site
II. Transfer to the recovery site and logistics
III. Equipment supply
IV. Financial and administrative procedures
V. Telecommunication recovery
VI. Data recovery and backup procedures
VII. Recovery of services and systems by priority
VIII.Recovery procedure for each system
97
I. Activation of the Recovery Site
The recovery team should arrive first at the alternative
site to do a quick assessment in order to prepare the
transfer of employees
With the use of a checklist, they should verify and
confirm the status of the resources in place:
HVAC
Security
IT equipment and networks
Telecommunications
Backup
Office space
98
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 180
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
II. Transfer to the Recovery Site and
Logistics
Logistics
Transport of personnel and materials
Personnel support and welfare
List of the suppliers and contract
Remote worker environment
99
III. Equipment Supply
Three basic strategies exist to ensure a quick equipment
replacement
Equipment
Supply
Vendor Equipment Existing
Agreements Inventory Compatible
Equipment
100
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 181
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
IV. Accounting and Administration
The organization should develop financial and administrative
procedures to support the business needs before, during, and
after an incident
Procedures should be established to ensure that financial
decisions can be expedited and should be in accordance with
established authority levels and accounting principles
The procedures should include, but not be limited to, the
following:
Finance authority, including its reporting relationships to the
programme coordinator(s)
Emergency funds access
Programme procurement procedures
Payroll
Accounting systems to track and document costs
101
V. Telecommunications Recovery
Methods Description
Redundancy Involves providing extra capacity with a plan to use
the surplus capacity should the normal primary
Alternative routing transmission capability not be available
Diverse routing Routing information via an alternate medium
Long haul network such as copper cable or fiber optics
diversity
Emergency Routing traffic through split cable facilities
Communications or duplicate cable facilities
Systems
Many recovery facilities vendors have provided
diverse long-distance network availability
In order to communicate amongst team members, an
emergency communication system and alternatives
should be selected
102
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 182
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
VI. Data Recovery and Backup
Procedures
The key components to restore availability of information
The backup procedure is the key component to restore availability of information
Organization should ensure that the integrity and confidentiality of organization
data are maintained whilst being transferred (either electronically or physically)
to and from recovery sites, subject to contractual obligations with organizations
To ensure the data recovery, a backup policy, strategy and procedures need to
address the priorities identified in the BIA findings. Amongst items a backup
policy and procedures should address are:
What data to backup
How is it labeled
How long is it retained
How backups are tested
How frequently backups are conducted
Where will media be stored
How quickly can media be retrieved
Who is authorized to retrieve the media
How is it restored
103
Backup 2. Replication
Main solutions With disk replication or recovery images,
recovery is optimized. Data is written to
1. Storage Area Network (SAN) two disks and provides high availability
With storage virtualization, multiple 4. Electronic vaulting
storage devices are combined into a
single, logical, virtual storage system With electronic vaulting, data is backed up
to remote drives located off-site over high
3. Distributed processing quality communication links
Servers, located in the same or multiple 6. Media archives
locations, are configured with load
balancing and clustering to process Another approach is to record files to
requests and exchange data backup media and transport it to an off-
site location
5. Remote journaling
Remote journals, transactions or journal
files are periodically transmitted to the
remote drives located off-site
104
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 183
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Backup Strategy Alignment
With RPO and RTO
Priority Description
Low priority - any outage with little Backup: Tape backup
impact, damage, or disruption to the Strategy: Relocate or Cold site
organization
Backup: Optical backup
Important or moderate priority - any WAN/VLAN replication
system that, if disrupted, would cause
a moderate problem to the Strategy: Cold or Warm site
organization and possibly other
networks or systems Backup: Mirrored systems and
disc replication
Mission-critical or high priority - the
damage or disruption to these Strategy: Hot site
systems would cause the most
impact on the organization, mission,
and other networks and systems
105
Backup Near-Site
Location and storage
On-Site
Backup Off-Site
May be stored in several
locations, each serving a
different purpuse
When transported, media
should be secured
106
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 184
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
VII. Recovery of Services and Systems
by Priority
Based on the prioritization of operations predetermined in
impact analysis, an organization should prioritize the services
and systems to restore by priority, comprehensively
considering the extent of damage on equipment, actual
availability of personnel and prospective progress of recovery
107
VIII. Recovery Procedure for Each
System
In the recovery plan, a recovery procedure should be
available to restore each system in scope of the BCMS
with:
A list of the sequence of operations to restore
System requirements to restore
Time estimated for each operation
Recovery procedures are outlined per team and should
be executed in the sequence presented to maintain an
efficient recovery effort
108
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 185
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Questions?
109
Certified ISO 22301
Lead Implementer Training
Section 23
Restoration plan
a. Objectives of the restoration plan
b. Securing the sites
c. Damage assessment and insurance
d. Restoration plan and allocation of resources
e. Clean-up the site and restore the infrastructure
f. IT systems and data recovery
g. Tests and validation
h. Relocation to the primary site
i. Personnel reward and recognition
110
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 186
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Requirements
ISO 22301, clause 8.4.5
No formal requirements from ISO 22301 to establish a
restoration plan
111
Restoration Plan
Objectives and common elements included
The restoration plan should integrate processes and
procedures to:
I. Securing the sites
II. Damage assessment and insurance
III. Restoration plan and allocation of resources
IV. Clean-up the site and restore the infrastructure
V. IT systems and data recovery
VI. Tests and validation
VII. Relocation to the primary site
VIII.Personnel reward and recognition
112
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 187
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
I. Securing the Sites
First step
During a disaster, the primary site can be vulnerable to fraud,
looting, vandalism, etc.
The restoration site needs to be secured to prevent
unauthorized physical access
Planning should consider assigning or contracting security
guards
113
II. Damage Assessment and Insurance
Damage assessment Contact with the insurance
114
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 188
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
III. Restoration Plan and Allocation
of Resources
After reviewing information on the extent of the damage
and its operational impact collected by emergency
response and continuity teams, top management should
select measures to be taken and specify restoration
milestones, time and level of resource allocation
115
IV. Clean-up the Site and Restore
the Infrastructure
Clean-up the site Rebuilt the facility and
restore the infrastructure
116
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 189
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
V. IT Systems and Data Recovery
Restoration of the Data restoration
IT Infrastructure
117
VI. Tests and Validation
Data Testing and Validation
Data testing and validation is the process of testing and
validating data to ensure that data files or databases have been
recovered completely at the permanent location
Functionality Testing and Validation
Functionality testing and validation is the process of verifying
that functionality has been tested, and the system is ready to
return to normal operations. Provide system functionality testing
and/or validation procedures to ensure that the system is
operating
118
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 190
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
VII. Relocation to the Primary Site
Restore the normal operations
End of the incident or crisis declaration
Close of the recovery site
Feedback and post-recovery reporting
119
VIII. Personnel Reward and Recognition
When an incident is over, it is important for staff involved in
the incident response to receive some degree of reward or
recognition
All staff affected by the incident need to know that changes
will occur as a result of the incident; that learning has taken
place to ensure that the incident is not repeated
Those who have worked over and above their hours of work
and have taken on additional tasks should be thanked in
some way for their efforts
This can be done informally or formally. It is usually very
positive to involve managers and directors in a formal process
of appreciation
120
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 191
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Questions?
121
Certified ISO 22301
Lead Implementer Training
Section 24
Communication plan
a. Principles of an efficient communication strategy
b. BC Communication Process
c. Establishing communication objectives
d. Identifying interested parties
e. Planning communication activities
f. Planning crisis communication
g. Performing a communication activity
h. Evaluating communication
122
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 192
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
2.6. Communication Plan
1. Plan 2. Do 3. Check 4. Act
1.1 Initiating the 2.1 Business Impact 3.1 Monitoring, 4.1 Nonconformities
BCMS Analysis (BIA) measurement, & corrective action
analysis and
1.2 Understanding 2.2 Risk evaluation 4.2 Continual
the organization assessment improvement
3.2 Internal audit
1.3 Analyze the 2.3 Business 3.3 Management 123
existing system continuity
strategy review
1.4 Scope
1.5 Leadership and 2.4 Protection
& mitigation
planning measures
1.6 BC policy
1.7 Organizational 2.5 Business
continuity plan
structure & procedures
1.8 Documented
2.6 Communication
information 2.7 Exercising and
1.9 Competence &
testing
awareness
Requirements
ISO 22301, clause 7.4 & 8.4.3
7.4 Communication
The organization shall determine the need for internal and external communications relevant to
the BCMS including:
a) what to communicate;
b) when to communicate; and
c) to whom it will communicate.
The organization shall establish, implement, and maintain procedure(s) for:
− internal communication amongst interested parties and employees within the organization,
− external communication with customers, partner entities, local community, and other
interested parties, including the media,
− receiving, documenting, and responding to communication from interested parties,
− adapting and integrating a national or regional threat advisory system, or equivalent, into
planning and operational use, if appropriate,
− ensuring availability of the means of communication during a disruptive incident,
− facilitating structured communication with appropriate authorities and ensuring the
interoperability of multiple responding organizations and personnel, where appropriate, and
− operating and testing of communications capabilities intended for use during disruption of
normal communications.
124
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 193
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
2.6. Communication Plan
List of activities
2.5 Business 2.6.1 Establishing 2.6.2 Identifying 2.6.3 Planning
Continuity Plan communication interested parties communication
& Procedures objectives
2.7 Training activities
and awareness
2.6.4 Performing a 2.6.5 Evaluating
communication communication
activity
125
Principles of an Efficient Communication
Strategy
1 Transparency
Make the processes, procedures, methods, data sources and assumptions used in communication
available to all interested parties, taking account of the confidentiality of information as required
2 Appropriateness
Make information provided in communication relevant to interested parties, using formats, language
and media that meet their interests and needs, enabling them to participate fully
Credibility
3 Conduct communication in an honest and fair manner, and provide information that is truthful, accurate
and substantive. Develop information and data using recognized and reproducible methods and
indicators
4 Responsiveness
Respond to the queries and concerns of interested parties in a full and timely manner. Make interested
parties aware of how their queries and concerns have been addressed
5 Clarity
Ensure that communication approaches and language are understandable to interested parties to
minimize ambiguity
126
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 194
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
BC Communication Process
ORGANIZATION
Other corporate principles, Business continuity
policies and strategies policy
Interested Business continuity communication policy
parties
Business continuity communication strategy Principles of communication
Estabish Identification of Considering
objectives interested parties resource issues
Business continuity communication activities
Target Planning Selecting Executing Evaluating
groups approaches & tools
• Situation analysis • Collecting and Conducting
• Setting targets • Define evaluating data Management review &
• Identifying target responsabilities
• Conducting planning revisions
groups • Tracking input from communication
• Defining geographic interested parties activities
scope • Planning for crisis • Recording &
• Identifying and emergencies responding to
feedback
information
127
2.6.1. Establishing Communication
Objectives
Examples
Improving the organization’s credibility and reputation
Establishing ongoing dialogue on business continuity
matters with interested parties
Complying with applicable legal requirements and with
other requirements to which the organization subscribes
Influencing public policy on business continuity issues
Providing information and encouraging understanding by
interested parties about the business continuity activities
Meeting the business continuity information expectations
of interested parties
128
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 195
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
2.6.2. Identifying Interested Parties
To adapt the communication plan
Media Suppliers
Employees Investors
Communities Clients
129
2.6.3. Planning Communication
Activities
Key for success
An organization should decide what it intends to achieve
with an business continuity communication activity
Targets should be established that are consistent with
the business continuity communication objectives and
that are specific, measurable, achievable, realistic and
time-related
This will allow the organization to evaluate the business
continuity communication activity and determine whether
or not the target has been met
The organization should anticipate business continuity
issues of concern to interested parties
130
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 196
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Planning Crisis Communication
Although business continuity communication is important
at all times, it is particularly critical during business
continuity crises and emergencies
The organization should identify any potential crises and
emergencies and plan the appropriate business
continuity communication
The planning should address relevant information for
response to both potential situations and
actual crises and emergency situations
131
2.6.4. Performing a Communication
Activity
Communication approaches and tools
Website Newspaper articles Guided tours
of the organization
Reports Press releases Workshops
and Conferences
Brochures & Advertisement Media interviews
newsletters
Posters Public meetings Presentation to groups
Emails Focus group & surveys Social medias
132
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 197
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Example of a Communication Activities
Invitation of visitors and media during an exercise
Visitors may take a more or less formal “observer” role
Media are occasionally invited to report exercises (but
their presence can be also risky…)
133
2.6.5. Evaluating Communication
An organization should allow adequate time for the
business continuity communication to be effective
The time needed depends on the nature of the
communication, the number of interested parties and
their concerns, and the type of media used
The organization should review and assess the
effectiveness of its business continuity
communication
134
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 198
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Communication and Reporting
Example of a form
Project Name <Name> Project Number 01.01.2015
Responsible Date
Communication Stakeholder Name 1 Stakeholder Name 2 Stakeholder Name 3
Approach to
communication*
Main Interest and Subjects
Current Status
(Supporter/ Neutral /Opponent)
Desired Support
(High/ Medium/ Low)
Anticipated project role
(if existing)
Anticipated Actions
Required Notices
Actions and further
communication channels
135
Questions?
136
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 199
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Exercise 12
Crisis Communication
137
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 200
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 201
ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Certified ISO 22301
Lead Implementer Training
Section 25
Exercising and testing
a. Definition
b. Definition of the exercise and test strategy
c. Creation of an exercise & test plan
d. Creation of exercise & test scenarios
e. Schedule of exercises and tests
f. Determining exercise/test objectives
g. Conducting an exercise & test activity
h. Evaluation of an exercise & test activity
i. Exercise/Test report
2
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 202
The words you are searching are inside this book. To get more targeted content, please make full-text search by clicking here.
BCMS Material
Discover the best professional documents and content resources in AnyFlip Document Base.
Search