ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
2.7. Exercising and Testing
1. Plan
 1.1 Initiating the BCMS
 1.2 Understanding the organization
 1.3 Analyze the existing system
 1.4 Scope
 1.5 Leadership and planning
 1.6 BC policy
 1.7 Organizational structure
 1.8 Documented information
 1.9 Competence & awareness
2. Do
 2.1 Business Impact Analysis (BIA)
 2.2 Risk assessment
 2.3 Business continuity strategy
 2.4 Protection & mitigation measures
 2.5 Business continuity plan & procedures
 2.6 Communication
 2.7 Exercising and testing
3. Check
 3.1 Monitoring, measurement, analysis and evaluation
 3.2 Internal audit
 3.3 Management review
4. Act
 4.1 Nonconformities & corrective action
 4.2 Continual improvement
Requirements
ISO 22301, clause 8.5
Exercising and testing
The organization shall exercise and test its business continuity procedures to
ensure that they are consistent with its business continuity objectives.
The organization shall conduct exercises and tests that:
a) are consistent with the scope and objectives of the BCMS,
b) are based on appropriate scenarios that are well planned with clearly
defined aims and objectives,
c) taken together over time validate the whole of its business continuity
arrangements, involving relevant interested parties,
d) minimize the risk of disruption of operations,
e) produce formalized post-exercise reports that contain outcomes,
recommendations and actions to implement improvements,
f) are reviewed within the context of promoting continual improvement, and
g) are conducted at planned intervals and when there are significant changes
within the organization or to the environment in which it operates.
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 203
Exercising and Testing
ISO 22301, clause 3.18
Exercise: process to train for, assess, practice, and improve performance in an organization.
Test: unique and particular type of exercise, which incorporates an expectation of a pass or fail element within the goal or objectives of the exercise being planned.
Note: Exercises can be used for: validating policies, plans, procedures, training, equipment,
and inter-organizational agreements; clarifying and training personnel in roles and
responsibilities; improving inter-organizational coordination and communications; identifying
gaps in resources; improving individual performance; and identifying opportunities for
improvement
Why Evaluate Business Continuity Plans?
Objectives of exercises and tests
Training personnel in the use of BC plans
Gaining buy-in across business areas
Proving the adequacy, completeness and accuracy of the
current recovery plans
Component testing of technical elements
Improving business recovery procedures
Ensuring all aspects of the business are covered
2.7. Exercising and Testing
List of activities
2.6 Communication
2.7.1 Definition of the strategy
2.7.2 Exercise & test plan
2.7.3 Creation of scenarios
2.7.4 Schedule of exercises & tests
2.7.5 Determining exercise/test objectives
2.7.6 Conducting an exercise/test activity
2.7.7 Evaluation of an exercise/test activity
2.7.8 Exercise/Test report
3.1 Monitoring, measurement, analysis and evaluation
3.2 Internal audit
3.3 Management review
2.7.1. Definition of the Exercise and Test Strategy
Exercise and test types, ordered by increasing confidence and resilience:
Desktop process review (Familiarization): checklist & walk through of the invocation and recovery process
Recovery simulation (Component): individual process or infrastructure component test / exercise
Operational (Integrated): integrated end-to-end service recovery exercise
Service in operations (Site): end-to-end services tests / switching between primary and secondary site
2.7.2. Creation of an
Exercise & Test Plan
The exercise and test plan should be documented to
provide the basis for an audit trail, including:
1. Roles and responsibilities
2. Frequency of exercises and tests
3. Scope of the plan, including locations, business
areas, etc.
4. The overall risks to be managed
5. Resources required to be effective
6. The competence of the people delivering the exercise
activity
7. Reporting on activities
8. Sign-off by top management
2.7.3. Creation of Exercise and Test Scenarios
Exercise Type | What is it? | Benefit | Disadvantages
Checklist | Distribute plans for review | Ensures plan addresses all activities | Does not address effectiveness
Structured Walkthrough | Thorough look at each step of the BCP | Ensures planned activities are accurately described in the BCP | Low value in proving response capabilities
Simulation | Scenario to enact recovery procedures | Practice session | When subsets are very different
Parallel | Full test, but primary processing does not stop | Ensures high level of reliability without interrupting normal operations | Expensive as all personnel are involved
Full Interruption | Disaster is replicated to the point of ceasing normal operations | Most reliable test of BCP | Risky
Type of Test Scenarios for IT System
Objective: validates that the equipment and systems conform to specifications and operate in the required environments, and that procedures and processes are viable.
Test types: Static Test, Dynamic Test, Functional Test
2.7.4. Schedule of Exercises and Tests
Example schedule matrix: rows list the department / process / system (Human resources, Finance, Procurement, Sales, CRM, Email system); columns list the test type (Checklist, Walk Through, Simulation, Parallel exercise, Full interruption), grouped as Static, Dynamic and Functional tests.
2.7.5. Determining Exercise/Test
Objectives
Recommendations
To ensure that an exercise does not cause incidents or
undermine the service capability, an exercise should be
carefully planned to minimize the risk of an incident
occurring as a direct result of the exercise
Exercises should be realistic, carefully planned and
agreed with stakeholders, so that there is minimum risk
of disruption to business processes
The scale and complexity of exercises should be
appropriate to the organization's recovery objectives
2.7.6. Conducting an
Exercise/Test Activity
The exercise should be conducted at an appropriate time
that best meets the objectives of the event, and:
Causes the minimum level of disruption to the
organization and its stakeholders
When the appropriate numbers of participants
required to support the exercise are available
When any physical locations, assets, equipment or
facilities are available for use in
the exercise
Stopping or Suspending the Exercise
Stopping or Suspending
Exercises may be stopped, or
suspended, ahead of the scheduled time
for a number of reasons, including when
a real incident arises
This decision to stop or suspend the
exercise should be taken by the exercise
coordinator, who should be in possession
of the current status of all the activities in
the exercise and able to decide the
safest time to halt activities
Some organizations use code words to
achieve this
Exercise/Test Documentation
Standard list
1. Test scenarios
2. Reasons for the test
3. Objectives of the test
4. Type of tests
5. Testing schedule
6. Duration of the test
7. Specific test steps
8. Who will be the participants
9. The task assignments of the test
10. Resources and services required
11. Measurement for success/failure of tests
2.7.7. Evaluation of an Exercise/Test Activity
Post exercise reporting should cover:
Time: actual execution time of predetermined tasks vs. planned
Sum: sum of the work performed vs. planned
Number: quantity of transactions and recordings performed with success vs. planned
Precision: precision of the data input at the standby facility compared to normal precision vs. planned
Lessons Learned: identification of mistakes and omissions
Recommendations: what needs to be implemented to improve the BCP
2.7.8. Exercise/Test Report
Example report template, with the columns Example | Reasons / Root Causes | Cognitions (Lessons Learned), and one row for each of:
Difficulties / problems during the exercise/test
What went well during the test?
What went not well during the test?
Questions?
Certified ISO 22301
Lead Implementer Training
Section 26
Monitoring, measurement, analysis and evaluation
a. Monitoring, measurement, analysis and evaluation process
b. Determination of measurement objectives
c. Object of monitoring and measurement
d. Determination of the frequency and method
e. Reporting the results
f. BCMS Dashboard
3.1. Monitoring, Measurement, Analysis
and Evaluation of the BCMS
Requirements
ISO 22301, clause 9.1
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
The organization shall determine:
a) what needs to be measured and monitored;
b) the methods for monitoring, measurement, analysis and evaluation, as
applicable, to ensure valid results;
c) when the monitoring and measuring shall be performed;
d) when the analysis and evaluation of monitoring and measurement results
shall be performed.
The organization shall retain appropriate documented information as evidence
of the results.
The organization shall evaluate the BCMS performance and the effectiveness
of the BCMS.
Additionally, the organization shall:
− take action when necessary to address adverse trends or results before a
non-conformity occurs
− retain relevant documented information as evidence of the results
Definitions
From ISO 22301
Monitoring (3.29)
Determining the status of a system, a
process or an activity
Measurement (3.27)
Process to determine a value
Performance evaluation (3.36)
Process of determining measurable
results
Monitoring, Measurement, Analysis
and Evaluation Process
The main goal is the improvement of the BCMS
Objectives (A, B, C) -> Object of measurement: attributes (A, B, C) -> Dashboard: performance indicators (A, B, C) -> Review and improvement
3.1. Monitoring, Measurement, Analysis
and Evaluation of the BCMS
List of Activities
2. Implement the BCMS (Do)
3.1.1. Measurement objectives
3.1.2. Objects of Monitoring and Measurement
3.1.3. Creation of indicators
3.1.4. Creation of dashboards
3.2. Internal audit
3.3. Management review
3.1.1. Determination of measurement
objectives
Measurement Objectives
The standard does not indicate what
needs to be monitored or measured
It is up to the organization to
determine what it needs to be
monitored and measured
It is best practice to focus monitoring
and measurement on the activities
that are linked to the critical
processes that enable the
organization to achieve its continuity
objectives and targets
Too many measures can distort an
organization’s focus and blur what is
truly important
3.1.2. Object of Monitoring and
Measurement
What minimally needs to be monitored and measured?
1. The extent to which the organization's business continuity policy, objectives and targets are met
2. The processes, procedures and functions that protect its prioritized activities
3. Historical evidence of deficient BCMS performance, e.g. non-conformity, near misses, false alarms, failures, incidents
4. Compliance with applicable legal and regulatory requirements, industry best practices, and conformance with its own business continuity management policy and objectives
5. Data and results of monitoring and measurement sufficient to facilitate subsequent corrective and preventive action analysis
Performance Indicators
Examples
Training: % of staff who have received BC training and qualifications; Nb of hours of training by employees
Exercises: % of plans tested; Nb of exercises done in the last year
Incidents: % of false alarms with event detection; Average cost of an incident
Non-conformities: % of nonconformity not closed in the delay fixed; Nb of days in average to close a nonconformity
3.1.3. Determination of the Frequency and
Method of Monitoring and Measurement
How and when to monitor and measure?
Practices
The standard does not indicate how, nor how often, monitoring or measuring must be performed or evaluated
It is up to the organization to determine how to monitor, measure and how often
It is best practice to use dashboards to record and report on monitoring and measurement activities with performance indicators
Dashboards should indicate actual performance vs. pre-determined performance targets
3.1.4. Reporting the results
Example of Dashboard
Execution – Operational
Presents to the operational continuity actors the reality
of the controls implemented
Management – Tactical
Measures the progress towards the achievement of the tactical objectives
Top Management – Strategic
Brings back the progress of the continuity strategy implementation
I. Operational Dashboard
Example: presentation of data in bar form, with percentage on the Y axis, points (dates) on the X axis, and a legend.
II. Tactical Dashboard
Example: evaluation of the procedures
Columns: Nr. | Procedure evaluated | Notes on the weaknesses and strengths | Level of compliance (1 to 9) | Comply
Rows:
1 Document control procedure
2 Control of records procedure
3 Competence, awareness and training procedure
4 Internal audits procedure
5 Corrective action procedure
6 Preventive action procedure
7 Management review procedure
8 Monitoring and measuring procedure
9 Resource management procedure
10 Purchasing procedure
Overall Assessment
III. Strategic Dashboard
Example: four indicators (Indicator 1 to Indicator 4) charted by month (January to April) and by year (2004 to 2010), with series labelled Description A to Description E.
Questions?
Exercise 13
Monitoring, measurement, analysis and evaluation
Certified ISO 22301
Lead Implementer Training
Section 27
Internal Audit
a. Differences between Internal and External Audits
b. Role of Internal Audit Function
c. Independence, objectivity and impartiality
d. Planning audit activities
e. Managing and allocating resources
f. Create an audit procedure
g. Perform audit activities
h. Non-conformity follow-up activities
3.2. Internal Audit
Requirements
ISO 22301, clause 9.2
9.2 Internal audit
The organization shall conduct internal audits at planned intervals to provide information to
assist in the determination of whether the BCMS:
a) conforms to:
1) the organization’s own requirements for its BCMS,
2) the requirements of this International Standard;
b) is effectively implemented and maintained.
The organization shall:
− plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits,
− define the audit criteria and scope for each audit,
− select auditors and conduct audits to ensure objectivity and the impartiality of the audit
process,
− ensure that the results of the audits are reported to relevant management, and
− retain documented information as evidence of the implementation of the audit programme
and the audit results.
What is an Audit?
ISO 19011, clause 3.1
Systematic, independent and documented process for obtaining audit evidence and evaluating it to determine the extent to which the audit criteria are met
In brief:
Auditing means asking the auditee
what he does, and checking to see if he does it
Types of Audits
First Party Audit (Internal): our organization audits its own systems
Second Party Audit: our customer audits our organization
External Second Party Audit: our organization audits our supplier
Third Party Audit: our organization is audited by an independent organization
Differences between Internal
and External Audits
Main characteristics
Internal Audit
1. Independent of the activities audited (not of the audited organization)
2. Considers the effectiveness and efficiency of the management system
3. Advisory role within the organization for continual improvement
4. May be conducted ongoing
External Audit
1. Totally independent of the audited organization and its activities
2. Only considers the effectiveness of the management system
3. No advisory role within the organization (only general recommendations)
4. Audit activity always planned in a timely manner
Main Services and Activities of the Internal Audit
Main objectives
1. Evaluation of the objectives of the management system
2. Evaluation of the governance of the management system
3. Evaluation of the ongoing risk management
4. Evaluation of the effectiveness and efficiency of processes and measures
5. Evaluation of the effectiveness and efficiency of the lifecycle management of the management system
6. Evaluation of the measurement and the review of the management system
7. Evaluation of the continual improvement
8. Coordination between internal and external audit
ISO 19011
Audit guide for management systems
Definitions covering the concepts
of auditing management systems
Description of the characteristics
and basic principles of auditing
and the auditor profession
Description of all the key elements
of the audit process
Description of key aspects of an
audit programme
Guidelines on the qualifications of
auditors
3.2. Internal Audit
List of activities
3.1 Monitoring, measurement, analysis and evaluation
3.2.1 Create the internal audit programme
3.2.2 Designate a Responsible person
3.2.3 Establish Independence, objectivity and impartiality
3.2.4 Plan audit activities
3.2.5 Allocate and manage resources
3.2.6 Create audit procedures
3.2.7 Perform audit activities
3.2.8 Non-conformity Follow-up
3.3 Management review
3.2.1. Create the Internal Audit
Programme
ISO 19011, Clause 5
Plan: Establishing the audit programme (5.2)
- Objectives & extent
- Roles & responsibilities
- Competence
- Audit programme risk
- Procedures
- Resources
Do: Implementing the audit programme (5.3)
- Defining individual audit objective, scope and criteria
- Determining the audit method(s)
- Selecting the audit team
- Assigning responsibilities to auditors
- Managing & maintaining audit programme records
Check: Audit programme monitoring (5.4)
- Review and approve audit reports
- Determine the necessity of any follow-up audit
- Evaluate the performance of the audit team members, feedback from all stakeholders
Act: Reviewing and improving audit programme (5.5)
Supporting clauses: Competencies and evaluation of auditors (Clause 7); Audit activities (Clause 6)
3.2.2. Designate a Responsible Person
Roles and responsibilities
1. Develop an internal audit programme (roles and responsibilities,
procedures, work papers, auditor training…)
2. Plan audit activities
3. Manage resources
4. Develop performance criteria and ensure that the audit meets these
criteria
5. Write audit reports
6. Ensure that best practices are being followed and audit procedures
followed during the conduct of the audit.
7. Implement a continual auditor evaluation programme
8. Follow-up on non-conformities and recommendations
from previous audits
Generic Knowledge and Competencies
ISO 19011, clause 7.2.3.2
Audit principles: prepare, conduct and close an audit, written and oral communication of audit conclusions
Management system: operation of a management system and interaction between management systems
Risk: evaluation and management of audit risks and those related to the operation of a management system
Organizational process: main processes present in all organizations (HR, Finance, Production, etc.)
Legal aspects: main laws and regulations, contract clauses
3.2.3. Establishing the Independence,
Objectivity and Impartiality
Audit charter
Structure of the audit charter:
Formal definition of the purpose and activities of the internal audit
Formal definition of the scope and extent of internal audit
Definition of responsibilities and services to be provided by the internal audit
Formal definition of the access authorization of Internal Auditors
Establishing the independence of the internal audit
Access and Independence
Principles
1. Access to resources and collaboration
- Internal auditors should have unrestricted access to executives, employees, offices, information, explanations and documentation necessary for the proper conduct of the audit
- This need for access must be documented (usually in the audit charter)
2. Independence
- Internal auditors must be independent of the processes being audited, and this is generally ensured if the auditor reports to the audit board of the organization rather than directly to the higher management
- This need for independence should be reflected in the organization chart
3.2.4. Planning the Activities
Short and long term planning
A high-level planning of audit
activities over three years
This planning must take into
account that the overall
management system should be
audited every three years
A more detailed annual planning
This planning must take into
account that there is no
requirement for the auditor to
audit all processes and controls of
the management system during
that year
3.2.5. Allocate and Manage Resources
of the Audit Programme
ISO 19011, clause 5.3.6
Financial resources
Human resources
Tools
Audit policies and procedures
Logistics
3.2.6. Create Audit Procedures
ISO 19011, clause 5.3.5
Audit procedures should include information on how to:
1. Plan and schedule audits considering audit risks
2. Manage information security and confidentiality and manage the audit risks
3. Assure the competence of auditors and audit team leaders
4. Select appropriate audit teams and assign their roles and responsibilities
5. Conduct audits, including the use of appropriate sampling methods
6. Conduct audit follow-up, if applicable
7. Report the outcome of the audit programme to the audit client
8. Maintain audit programme records
9. Monitor the operation, risks and effectiveness of the audit programme
For small organizations, the above activities can be covered by a single procedure
3.2.7. Perform Audit Activities
Source of information
Use of appropriate
audit procedures including
sampling
Audit evidence
Evaluation against audit
criteria
Audit findings
Review
Audit conclusion
Non-conformity
Definition
According to the definition of the ISO 9000: 2005
standard, a non-conformity is the “non-fulfillment
of a requirement”
There are two types of non-conformities
Minor non-conformity
Major non-conformity
3.2.8. Follow-up of Non-conformities
Guidelines
An internal auditor should follow up action plans submitted in
response to non-conformities (resulting from internal and
external audits)
The person in charge of the BCMS must inform the internal
auditor of the progress of corrective actions
The role of the internal auditor is limited to validating the action
plans and corrective actions
Corrective actions do not all have to be implemented
immediately
Based on his experience and knowledge, the internal auditor should
exercise good judgment and assess whether action plans are
appropriate and can address the intrinsic causes of non-conformities
Questions?
Certified ISO 22301
Lead Implementer Training
Section 28
Management Review
a. Management review preparation
b. Conducting a management review
c. Closing the management review
d. Management review follow-up activities
3.3. Management Review
Requirements
ISO 22301, clause 9.3
9.3 Management review
Top management shall review the organization's BCMS, at planned intervals, to
ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the business
continuity management system;
c) information on the business continuity performance, including trends in:
1) non-conformities and corrective actions;
2) monitoring and measurement evaluation results;
3) audit results; and
d) opportunities for continual improvement.
Management Review
Definition
A periodic review of the Management System performed by
top management to analyze its continuing suitability,
adequacy and effectiveness
Term Concept
Suitability Results are achieved in the best possible way
Adequacy Outputs fulfill established criteria
Effectiveness The system fulfills the organization’s needs
3.3. Management Review
List of activities
1-2 Implementation of the BCMS
3.1 Monitoring, measurement, analysis and evaluation
3.2 Internal audit
3.3.1 Prepare Management Review
3.3.2 Perform Management Review
3.3.3 Close Management Review
3.3.4 Follow-up of Management Review
4. Continual Improvement
3.3.1. Prepare the Management Review
Management reviews must be conducted
at planned intervals (at least once a year)
Management reviews can be included in a management
meeting and be a topic on the agenda
It is good practice to send all documentation related
to the management committee (audit report, results
of reviews, action plans…) before the review
3.3.2. Perform a Management Review
Subjects to be on the agenda
The input to a management review should include information on:
1. Results of BCMS audits and reviews
2. Techniques, products or procedures, which could be used in the
organization to improve the BCMS' performance and effectiveness
3. Status of preventive and corrective actions
4. Results of exercising and testing
5. Vulnerabilities or threats not adequately addressed in a previous risk
assessment
6. Results from effectiveness measurements
7. Follow-up actions from previous management reviews
8. Any changes that could affect the BCMS, whether internal or external
9. Adequacy of policy
10. Recommendations for improvement
11. Lessons arising from incidents
12. Emerging good practice and guidance
3.3.3. Review Output
Decisions and resolutions
The output from the management review shall include any decisions and
actions related to the following:
1. Variations to the scope of the BCMS;
2. Improvement of the effectiveness of the BCMS;
3. Update of the risk assessment, impact analysis and incident preparedness and
response procedures;
4. Modification of procedures and controls that affect risks, including changes to:
  - Business and operational requirements
  - Risk reduction and security requirements
  - Operational conditions and processes affecting the existing operational requirements
  - Regulatory or legal requirements
  - Contractual obligations
  - Levels of risk and/or criteria for accepting risks
  - Resource needs
  - Funding and budget requirements
  - Improvement of how the effectiveness of controls is measured
3.3.4. Follow-Up on the Management Review
Management reviews must be documented.
The organization should distribute the report on the management review to all those who took part in it.
The BCMS coordinator and the internal audit team are responsible for ensuring that the follow-up action plans are approved by management.
Certified ISO 22301
Lead Implementer Training
Section 29
Treatment of problems and non-conformities
a. Root-cause analysis process
b. Root-cause analysis tool
c. Corrective action procedure
d. Preventive action procedure
4.1. Treatment of Problems and Non-conformities
[PDCA overview figure: 1. Plan (1.1 Initiating the BCMS, 1.2 Understanding the organization, 1.3 Analyze the existing system, 1.4 Scope, 1.5 Leadership and planning, 1.6 BC policy, 1.7 Organizational structure, 1.8 Documented information, 1.9 Competence and awareness); 2. Do (2.1 Business Impact Analysis, 2.2 Risk assessment, 2.3 Business continuity strategy, 2.4 Protection and mitigation measures, 2.5 Business continuity plan and procedures, 2.6 Communication, 2.7 Exercising and testing); 3. Check (3.1 Monitoring, measurement, analysis and evaluation, 3.2 Internal audit, 3.3 Management review); 4. Act (4.1 Nonconformities and corrective action, 4.2 Continual improvement). This section covers 4.1.]
Requirements
ISO 22301, clause 10.1
10 Improvement
10.1 Non-conformity and corrective action
The organization shall:
a) identify non-conformity(ies);
b) react to the non-conformity, and as applicable
1) take action to control, contain and correct it,
2) deal with the consequences.
c) evaluate the need for action to eliminate the causes of the nonconformity,
in order that it does not recur or occur elsewhere
d) implement any action needed,
e) review the effectiveness of any corrective action taken,
f) make changes to the business continuity management system, if
necessary. Corrective actions shall be appropriate to the effects of the
nonconformities encountered.
Definitions
ISO 9000
Continual improvement: Recurring activity to increase the ability to fulfil requirements (ISO 9000, 3.2.13)
Correction: Action to eliminate a detected non-conformity (ISO 9000, 3.6.6)
Corrective action: Action to eliminate the cause of a detected non-conformity or other undesirable situation (ISO 9000, 3.6.5)
Preventive action: Action to eliminate the cause of a potential non-conformity or other undesirable potential situation (ISO 9000, 3.6.4)
4.1. Treatment of Problems and Non-conformities
List of activities
2. Implementation of the BCMS
3.1. BCMS measurement
3.2. Internal audit
4.1.1 Process to resolve problems and non-conformities
4.1.2. Corrective action procedure
4.1.3. Preventive action procedure
4.1.4. Action plans
4.2. Continual improvement
4.1.1. Define a Process to Resolve Problems and Non-conformities
Example: the Eight Disciplines (8D) problem-solving method
Planning phase:
D0 Identify the problem
D1 Establish the team (use a team approach)
D2 Describe the problem
D3 Develop an interim containment plan
D4 Define and verify the root cause(s): select likely causes and develop possible solution(s); if a selected cause turns out not to be a root cause, return to selecting likely causes
D5 Choose and verify permanent corrective actions (PCAs)
D6 Implement and validate the PCAs
D7 Prevent recurrence
D8 Congratulate your team
Root-cause Analysis Tool
Cause-and-effect (fishbone) diagram
[Diagram. Effect: "Website is frequently down". Causes grouped by category:]
Assessments: IT staff does not measure the performance of the website provider
Resources: inadequate external provider; obsolete equipment
Staff: change procedures for website updates are not adequately followed; IT staff not appropriately trained to manage the website adequately
Procedures: no procedure to manage the website; no process established to deal with the website being down
Management: no website management training for employees; no awareness training provided; insufficient resources to manage the website
[Priority causes are highlighted in the diagram.]
Asking the Right Questions
Needed for the analysis of any problem
Current situation | Questioning | Solution option(s) | Kept solution tracking
What has been done? | Why is this necessary? | What else could we do? | What will be done?
How is it done? | Why is it done this way? | How could it be done differently? | How will this be done?
Who did it? | Why this person? | Who else could do it? | Who will do it?
Where is it done? | Why is it done at this place? | Where else could we do it? | Where will it be done?
When is it done? | Why is it done at that moment? | Could we do it at another time? | When will it be done?
4.1.2. Corrective Action Procedure
[Diagram: steps of the procedure, from bottom to top]
1. Identification and documentation of the non-conformity
2. Situation analysis: identification of the non-conformity, analysis of root causes, evaluation of options, selection of solutions
3. Corrective action: implementation of solutions and records of actions taken
4. Continual improvement: review and follow-up of actions taken
4.1.3. Preventive Action Procedure
The organization shall determine the actions needed to eliminate the causes of potential non-conformities, in accordance with the conditions of the BCMS.
[Figure: preventive actions compared with corrective actions in terms of effectiveness and cost]
4.1.4. Drafting Action Plans
Can be written in a summarized fashion
Must make it possible to correct the non-conformity
Should be based on both a preventive and a corrective approach
Must include an execution period
Must produce verifiable results
Submission of Action Plans
Following an Audit
An action plan must be submitted for each non-conformity, not a single global action plan for all non-conformities.
Action plans must be approved by management.
The auditor will analyze the cause and evaluate whether the specific correction and corrective actions taken, or planned to be taken, will eliminate the detected non-conformities within a defined time.
Action Plans
Example
1. Store archived data and emails on a more reliable file server (2nd quarter 2008)
2. A new version of the BC policy must be published to include a framework for setting objectives (within 2 months)
3. The names of the persons to be contacted in case of disaster must be explicitly mentioned in the business continuity plan (immediately), and the procedures to contact these persons must be documented and communicated (theme included in the 2009 awareness plan)
Exercise 14
Corrective action plans
Certified ISO 22301
Lead Implementer Training
Section 30
Continual improvement
a. Continuous monitoring process of change factors
b. Maintenance and improvement of the BCMS
c. Continual update of the documentation and records
d. Document the improvements
4.2. Continual Improvement
[PDCA overview figure: 1. Plan (1.1 Initiating the BCMS, 1.2 Understanding the organization, 1.3 Analyze the existing system, 1.4 Scope, 1.5 Leadership and planning, 1.6 BC policy, 1.7 Organizational structure, 1.8 Documented information, 1.9 Competence and awareness); 2. Do (2.1 Business Impact Analysis, 2.2 Risk assessment, 2.3 Business continuity strategy, 2.4 Protection and mitigation measures, 2.5 Business continuity plan and procedures, 2.6 Communication, 2.7 Exercising and testing); 3. Check (3.1 Monitoring, measurement, analysis and evaluation, 3.2 Internal audit, 3.3 Management review); 4. Act (4.1 Nonconformities and corrective action, 4.2 Continual improvement). This section covers 4.2.]
Requirements
ISO 22301, clause 10.2
10 Improvement
10.2 Continual improvement
The organization shall continually improve the suitability, adequacy or
effectiveness of the BCMS.
NOTE The organization can use the processes of the BCMS such as
leadership, planning and performance evaluation, to achieve improvement.
Continual Improvement
Continual improvement is a process of increasing
the effectiveness and efficiency of the organization
to fulfill its policy and objectives
In small but certain steps
4.2. Continual Improvement
List of Activities
2. Implementation of the BCMS (Do)
3. Check
4.1. Treatment of problems and non-conformities
4.2.1 Monitoring of change factors
4.2.2. Maintenance and improvement
4.2.3. Update of the documentation
4.2.4. Document the improvements
Certification audit
4.2.1. Continuous Monitoring Process of Change Factors
BCMS change factors to monitor:
Changes from the BCMS: business continuity policy; new risk scenarios; changes of procedures; results of tests and exercises; results of audits
Organizational changes: mission; business objectives; budget and resources; new products and services; changes in personnel
Changes in technologies: hardware; software; IT procedures; IT processes
External changes: laws and regulations; clients' and suppliers' concerns and requirements; vendors' SLAs; changes in the environment (e.g. competitors)
4.2.2. Maintenance and Improvement of the BCMS
[Figure: cycle of implementation, maintenance and improvement]
The BCMS needs to be maintained and updated periodically.
Any agreed improvements to the process, or actions necessary to improve conformity to the process, should be notified to the appropriate managers before the changes are implemented, to provide assurance that no risk or risk element is overlooked or underestimated.
4.2.3. Continual Update of the Documentation and Records
BCMS documentation subject to continual change: BCMS policy; BIA; risk analysis; strategy; business continuity and resumption plans; awareness programs; education programs; exercise planning and results; agreed service levels
Factors of change: organizational evolution; new rules; changes in business scope; incidents; faulty operation; failures; risk management reports; test results; internal audits; external audits
Review and adapt the documentation as these factors change.
4.2.4. Document the Improvements
Improvements are usually documented through the change management procedure.
Certified ISO 22301
Lead Implementer Training
Section 31
Preparing for the certification audit
a. Selecting the certification body
b. Preparing for the certification audit
c. Stage 1 audit
d. Stage 2 audit
e. Follow-up audit
f. Certification decision
g. Surveillance audit
Requirements
ISO 22301, clause 4.4
Business continuity management system
The organization shall establish, implement, maintain and continually
improve a BCMS, including the processes needed and their
interactions, in accordance with the requirements of this International
Standard.
Certification Body
ISO/IEC 17021
Certification body: third party that performs the assessment of conformity of management systems.
Certification: procedure by which a third party gives written assurance that a product, process or service conforms to specified requirements.
List of Activities
Certification process
Before the audit: BCMS implementation; internal audit and management review; 1. Selecting a certification body
Initial audit: 2. Audit preparation; 3. Stage 1 audit; 4. Stage 2 audit (on-site audit)
Audit follow-up: 5. Follow-up audit (if necessary); 6. Certification decision; continual improvement and surveillance audit
Before the Audit
Before being audited, a BCMS must have been in operation for a certain time.
Normally, a minimum of three months of operation is required.
At a minimum, at least one internal audit and one management review must have been conducted.
1. Selecting a Certification Body
Main criteria
1. Reputation and credibility
2. Geographical presence
3. References in your sector
4. Possibility of a combined audit
5. Skills and experience of the audit team
6. Price
Rejection of an Auditor
It is possible to request the replacement of audit team members for valid reasons.
The audit team could withdraw if it deems that the reasons cited are not valid.
Examples of valid reasons:
- The auditor is in a conflict of interest situation (real or potential)
- The auditor has previously displayed unprofessional conduct
- The auditor does not hold the security clearance required by the auditee
2. Preparing for the Certification Audit
Recommendations
Preparing for the audit: 1. Self-evaluation; 2. Preparing personnel; 3. Practice audit
3. Stage 1 Audit
1. Site visit: assessment of the client's location and site-specific conditions; meeting/contacting the auditee's personnel; observation of the technologies used; general observation of BCMS operations
2. Interviews with key actors: validation of the scope as well as applicable legal, regulatory and contractual constraints; validation that internal audits and management reviews have been performed; preparation of the stage 2 audit
3. Document review: general understanding of the workings of the management system; evaluation of the design of the management system as well as related processes and controls; validation that internal audits and management reviews have been performed
Note: The document review is the principal activity of a stage 1 audit.
4. Stage 2 Audit
On-site audit
OBJECTIVES OF THE STAGE 2 AUDIT
Ensure that the BCMS:
- Fulfills all requirements of ISO 22301
- Is effectively implemented
- Enables the organization to achieve its business continuity objectives
Certification Recommendation
When concluding the audit, the auditor must issue one of the following four recommendations related to certification:
1. Recommendation for certification
2. Recommendation for certification on condition of the filing of corrective action plans, without a prior visit
3. Recommendation for certification on condition of the filing of corrective action plans, with a prior visit
4. Unfavorable recommendation