ISO 22301 Business Continuity Management | Lead Implementer | Participant Handbook
Certified ISO 22301
Lead Implementer Training
Section 7
Analysis of the existing management system
a. Information gathering
b. Conducting an Interview
c. Gap analysis
1.3. Analysis of the Existing Management System
1. Plan
   1.1 Initiating the BCMS
   1.2 Understanding the organization
   1.3 Analyze the existing system
   1.4 Scope
   1.5 Leadership and planning
   1.6 BC policy
   1.7 Organizational structure
   1.8 Documented information
   1.9 Competence & awareness
2. Do
   2.1 Business Impact Analysis (BIA)
   2.2 Risk assessment
   2.3 Business continuity strategy
   2.4 Protection & mitigation measures
   2.5 Business continuity plan & procedures
   2.6 Communication
   2.7 Exercising and testing
3. Check
   3.1 Monitoring, measurement, analysis and evaluation
   3.2 Internal audit
   3.3 Management review
4. Act
   4.1 Nonconformities & corrective action
   4.2 Continual improvement
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 53
List of Activities
Analysis of the existing management system
1.2 Understanding the organization
1.3.1 Information gathering
1.3.2 Gap analysis
1.3.3 Targets and gap analysis report
1.4 Leadership and planning
1.3.1. Information Gathering
Techniques
Questionnaire surveys: sending questionnaires to a sample of people who represent the stakeholders.
Interviews: interviews with key persons at different hierarchical levels within the organization.
Documentation review: reading and analysis of relevant documentation: internal policies, procedures, previous audit reports, legal opinions, contracts, etc.
Individual and Group Interview
Individual interviews usually provide more accurate and detailed information and allow a more correct assessment.
Group interviews are effective for rapidly understanding the operations of a process from a global view.
Conducting an Interview
1. Use open-ended questions and avoid close-ended or guided questions
2. Ensure you cover all the subjects while controlling the time
3. Take notes during the interview
4. Ask questions to clarify a response or situation
1.3.2. Gap Analysis
Gap Analysis: technique to determine the steps to move from the current state to a desired future state.
1. Comparison of the current performance of the business continuity management system with the ISO 22301 requirements
2. Identifying the improvement needs
3. Basis for drafting the BCMS project plan
Determine the Current State
Gap analysis and level of maturity
Typical questions:
1. Is the process present in the organization? Is it standardized?
2. Is the process followed by the relevant users?
3. Is the process documented? How?
4. Is there a person appointed as responsible for the effectiveness of the process? Are the roles and responsibilities determined?
5. Has it been communicated to all concerned people? By whom? Is there training available?
6. Is the process controlled? How? Is it measured?
7. Is the process automated? Are tools used?
8. Is there a process for updating the process?
9. Is the performance of the process compared with industry practices?
1.3.3. Establishing Targets and Publication of a Gap Analysis Report
Maturity scale: 0 Non-existent, 1 Initial, 2 Managed, 3 Defined, 4 Quantitatively Managed, 5 Optimized. The present situation and the target are positioned on this scale.
Establishing Targets
Gap analysis and the level of maturity
You can set targets for processes based on target maturity levels:
0. Non-existent: total absence of identifiable processes
1. Initial: processes implemented case by case without any method
2. Managed: non-standard processes in place
3. Defined: processes are documented and communicated
4. Quantitatively Managed: processes monitored and measured
5. Optimized: processes optimized
Certified ISO 22301
Lead Implementer Training
Section 8
Scope of the BCMS
a. Organizational boundaries
b. Business lines boundaries
c. Physical boundaries
d. Scope
1.4. Scope of the BCMS
Requirements
ISO 22301, clause 4.3.2
Scope of the BCMS
The organization shall:
a) establish the parts of the organization to be included in the BCMS,
b) establish BCMS requirements, considering the organization’s mission, goals, internal and
external obligations (including those related to interested parties), and legal and
regulatory responsibilities,
c) identify products and services and all related activities within the scope of the BCMS,
d) take into account interested parties’ needs and interests, such as customers, investors,
shareholders, the supply chain, public and/or community input and needs, expectations
and interests (as appropriate), and
e) define the scope of the BCMS in terms of and appropriate to the size, nature and
complexity of the organization.
When defining the scope, the organization shall document and explain exclusions; any such
exclusions shall not affect the organization’s ability and responsibility to provide continuity of
business and operations that meet the BCMS requirements, as determined by business impact
analysis or risk assessment and applicable legal or regulatory requirements.
Scope
Importance
A clear definition of the scope, focusing on key activities of the organization, is an important success factor for the BCMS implementation. This will make it easier to:
1. Get the support of management
2. Mobilize stakeholders for the project
3. Justify added value to the interested parties
Important note: the extent of the scope is the first factor influencing the amount of effort required for the project.
1.4. Scope of the BCMS
List of activities
1.2 Understanding the organization
1.3 Analyze the existing system
1.4.1 Organizational boundaries
1.4.2 Business lines boundaries
1.4.3 Physical boundaries
1.4.4 Scope
1.5 Leadership & planning
1.6 BC Policy
Boundary of the BCMS
Three dimensions to consider: organizational, business lines and physical boundaries.
1.4.1 Defining the Organizational Boundaries of the Scope
Possible organizational boundaries:
1. A key process
2. A department
3. The organization as a whole
4. The organization and its stakeholders
Note: Where part of an organization is excluded from the scope of its BCMS, the organization should document and explain the exclusion.
1.4.2. Defining the Business Lines Boundaries of the Scope
The organization needs to identify the products and services in scope.
Examples:
A hospital could include only the emergency services in the scope
A post office could include all services in scope with the exclusion of parcel delivery
A manufacturer could maintain only the production of one product
Etc.
1.4.3. Define Physical Boundaries of the Scope
All physical locations, both internal and external, included in the BCMS should be taken into account.
The sites include all locations within the scope or within part of the scope and the physical means required for them to work.
In the case of outsourced physical sites, the interfaces with the BCMS and the applicable service agreements have to be considered.
1.4.4. Defining the BCMS Scope
The scope definition document should include:
1. Key characteristics of the organization
2. Business processes covered by the BCMS
3. List of products and services and all related activities within the scope of the BCMS
4. List of main resources (information systems, facilities, etc.)
5. List of geographic locations
6. Details and reasons for exclusions
Scope Statement
Example
The scope statement is public and generally available on the website of the certification body that has issued the certificate.
This summary statement will be written on the certificate. It should be:
1. As simple as possible
2. Understandable by someone external to the organization
3. Precise enough to express what is covered by the certification
Example: This business continuity management system applies to the global delivery centre providing outsourcing and customer contact services of ABC inc.
Change in Scope
Any change in scope must be evaluated, approved and documented.
Extension of the Scope
ISO 17021, clause 9.5.1
Several audited firms prefer to define a scope for a reduced initial certification and complete an application for extension in the following years.
The extension audit can be performed during a surveillance audit.
If the extension certification is not granted, the organization does not lose its current certificate.
Exercise 4
Scope definition
Certified ISO 22301
Lead Implementer Training
Section 9
Leadership and planning
a. BCMS business case
b. Project team
c. BCMS objectives
d. Project plan
e. Communication plan for the BCMS project
f. Management approval
1.5. Leadership and Planning
Requirements
ISO 22301, clause 5.1, 5.2, 7.1 & 8.3.2
5.1 Leadership and commitment
Persons in top management and other relevant management roles throughout the organization shall
demonstrate leadership with respect to the BCMS.
5.2 Management commitment
Top management shall demonstrate leadership and commitment with respect to the BCMS by:
− ensuring that policies and objectives are established for the business continuity management
system and are compatible with the strategic direction of the organization,
− ensuring the integration of the business continuity management system requirements into the
organization’s business processes,
− ensuring that the resources needed for the business continuity management system are
available,
− communicating the importance of effective business continuity management and conforming to
the BCMS requirements,
− ensuring that the BCMS achieves its intended outcome(s),
− directing and supporting persons to contribute to the effectiveness of the BCMS,
− promoting continual improvement, and
− supporting other relevant management roles to demonstrate their leadership and commitment as
it applies to their areas of responsibility
7.1 Resources
The organization shall determine and provide the resources needed for the BCMS.
1.5. Leadership and Planning
List of activities
1.4 BCMS scope
1.5.1 Business case
1.5.2 BCMS project team
1.5.3 Determination of the objectives
1.5.4 Resource requirements
1.5.5 BCMS project plan
1.5.6 Communication plan
1.5.7 Management approval
1.6 BC policy
1.5.1. Creating and Presenting a Business Case
A business case is:
1. A decision support tool for the management
2. A document used to promote the BCMS project
3. An initial structuring of the project
Content of the Business Case
PMBOK
1. Environment
2. Purpose & objectives
3. Project summary
4. Expected benefits
5. Preliminary scope
6. Critical success factors
7. Preliminary project plan
8. Deadlines and Milestones
9. Roles and Responsibilities
10. Necessary resources
11. Budget
12. Constraints
Note: The content about project management in this section is based on PMBOK, but other frameworks such as PRINCE2 are equivalent.
1.5.2. Establishing the BCMS Project Team
Project organization chart:
BCMS Project Champion
BCMS Manager
Project Manager
Project Management Team
Project Team
Interested Parties
BCMS Project Manager
Required competences
The BCMS project manager should have knowledge and skills in the following areas:
1. Knowledge and skills in project management
2. Knowledge of the organization and its environment
3. Knowledge of business continuity management
4. Interpersonal skills (effective communication, negotiation, problem solving, leadership skills, etc.)
Steering Committee
During the BCMS project
Objective: Ensure the planning and monitoring of the BCMS
Missions:
1. Plan the BCMS implementation
2. Define the BCMS project in line with the objectives set by the Management
3. Define the roles and responsibilities for the BCMS project
4. Define the roles and responsibilities related to operations and maintenance of the BCMS (after implementation)
5. Select the method of risk analysis and the BIA
6. Manage resources
7. Perform project reviews of the implementation of the BCMS
Members: BCMS Project Manager, responsible persons for key services involved in the following application domains (IT, audit, legal, finance, HR, physical security, etc.)
Meeting frequency: Monthly
1.5.3. Determination of the BCMS Objectives
ISO 22301, clause 3.32 & 6.2
Determine the objectives
Improved business resilience: Can the BCMS improve the resilience of the organization in case of a disruptive incident?
Effective business continuity management: Can the BCMS improve the effectiveness of Business Continuity management?
Business advantage: Does the implementation of a BCMS provide competitive advantages?
Determine the Objectives
Examples
Objectives related to the BCMS implementation can be:
1. Ensure compliance with legal, regulatory and contractual obligations of the organization
2. Demonstrate due diligence & due care of the Management
3. Inspire confidence of stakeholders of the organization
4. Protect availability of the critical activities of the organization
5. Assure effective management of Business Continuity according to best practices
6. Improve the response time to incidents and disasters
7. Ensure compliance of Business Continuity for a project, delivering a service or product, etc.
1.5.4. Determination of Resource Requirements for the BCMS Project
ISO 22301, clause 8.3.2
Resources are the means we use to achieve the project objectives.
The primary resource is obviously people with applicable skills and competencies.
The other main grouping of resources we need includes capital, facilities, equipment, material and information.
There is usually a gap between the investment reach of a project and the project demands…
1.5.5. Drafting the BCMS Project Plan
PMBOK
An iterative approach: the project plan is refined iteratively together with its resources, costs, project content, delays and risks.
Content of the BCMS Project Plan
PMBOK
A project plan typically includes the following:
1. Project Charter
2. Description of the approach or project management strategy
3. Formulation of project content, with project deliverables and objectives
4. Work Breakdown Structure of the project ("WBS" structure)
5. Estimated cost, projected start date, and assignment of responsibilities
6. References; cost and time performance measurement
7. Major milestones with their provisional date
8. Key or needed personnel
9. Key risks, with the constraints and assumptions, and the proposed answers
10. Current problems and pending decisions
Review and Submission of the BCMS Project Plan
PMBOK
1. Review of project objectives and success factors
2. Review of the proposed method
3. Highlighting of risks and uncertainties inherent in the project
4. Estimate of the needed internal resources
5. Definition of the sequence of phases and the planned execution
6. Review of deliverables to provide
7. Review of roles
8. Review of project documents
9. Definition of the frequency and content of progress meetings
1.5.6. Communication Plan for the BCMS Project
ISO 22301, clause 7.4
When setting up the BCMS, the organization needs to have effective communication and consultation procedures for the exchange of information with interested parties.
The organization should provide effective communication as part of its awareness programme.
1.5.7. Management Approval of the BCMS Project
ISO 22301, clause 5.2
Key Benefits of Management Commitment
• Increased knowledge of laws
• Optimal allocation of resources
• Identification of critical assets
• Business continuity processes and plan checked and measured
Role of the Top Management
During the BCMS project
Objective: Align the BCMS with the objectives and business strategy
Missions:
1. Ensure that the BCMS is compatible with the strategic direction of the organization
2. Ensure compliance with applicable laws, regulations and contractual requirements
3. Validate the roles and responsibilities of key stakeholders in the project
4. Approve the business continuity policy, the BIA and the risk assessment result
5. Communicate the importance of effective business continuity management and conforming to the BCMS requirements
6. Provide adequate resources for the implementation of the BCMS
7. Ensure that internal audits are conducted
8. Conduct management review of the BCMS
9. Support improvement of the BCMS
Members: Top Management (CEO, CIO, CFO…)
Meeting frequency: Some meetings at the milestones of the project: kick-off meeting, risk analysis and BIA report, Management review, etc.
Exercise 5
Roles and responsibilities of the stakeholders
Certified ISO 22301
Lead Implementer Training
Section 10
Business continuity policy
a. Creating policy models
b. Policy drafting process
c. Management approval
d. Publication
e. Training, communication and awareness
f. Control, evaluation and review
1.6. Business Continuity Policy
Requirements
ISO 22301, clause 5.3
Policy
Top management shall establish a business continuity policy that:
a) is appropriate to the purpose of the organization,
b) provides a framework for setting business continuity objectives,
c) includes a commitment to satisfy applicable requirements,
d) includes a commitment to continual improvement of the BCMS.
The BCMS policy shall:
− be available as documented information,
− be communicated within the organization,
− be available to interested parties, as appropriate,
− be reviewed for continuing suitability at defined intervals and when
significant changes occur
The organization shall retain documented information on the business
continuity policy.
Business Continuity Policy Definition
ISO 22399, clause 3.19
Overall intentions and direction of an organization,
related to its incident preparedness and operational
continuity, as formally expressed by top management
1.6. Business Continuity Policy
List of activities
1.5 Leadership & planning
1.6.1 Policy drafting process
1.6.2 Policy drafting
1.6.3 Management approval
1.6.4 Publication
1.6.5 Training, communication and awareness
1.6.6 Control, evaluation and review
1.7 Organizational structure
1.6.1. Defining the Policy Drafting Process
General Process
1. Define a person responsible
2. Define the policy components and the format
3. Drafting of the sections
4. Validation of the contents
5. Endorsement by the stakeholders
It is important to ensure the support and understanding of a policy before its publication.
1.6.2. Drafting the Business Continuity Policy
Topics usually included in the policy
1. A framework that allows objectives to be defined and establishes a direction and policy guidelines for the management of Business Continuity
2. A consideration of legal and regulatory obligations imposed on the organization as well as other commitments
3. Aligning the business continuity management with the strategic objectives of the organization
4. Attribution of roles and responsibilities
5. Formal approval of the above by management
1.6.3. Management Approval
The BCMS policy must:
1. Demonstrate the commitment of management
2. Be approved by the management
The policy must be signed by an individual (often the CEO), but the approval process may belong to a committee:
Board of Directors
Management Board
1.6.4. Publication of the Business Continuity Policy
Main modes of communication: intranet, meetings, distribution of paper copies, new employee orientation session.
1.6.5. Training, Communication and Awareness
Communication Plan: target audience; diffusion (meetings, intranet, extranet, documents…)
Recurring process: communication, awareness, training
Objective achieved? If no, repeat the recurring process; if yes, proceed to control, evaluation and revision.
1.6.6. Control, Evaluation and Review
Control: ensure conformity
Evaluation: measure the degree of conformity
Review: maintain
Certified ISO 22301
Lead Implementer Training
Section 11
Organizational structure
a. Governance structure
b. Organizational Structure for managing business continuity
c. Nomination of a Business continuity coordinator
d. Roles & responsibilities of the stakeholders
e. Roles & responsibilities of the key committees
f. Business continuity teams
g. Decision and control process
1.7. Organizational Structure
Requirements
ISO 22301, clause 5.4
Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities
for relevant roles are assigned and communicated within the
organization.
Top management shall assign the responsibility and authority for:
a) ensuring that the management system is established and
implemented in accordance with the requirements of this
International Standard; and
b) reporting on the performance of the BCMS to top management.
Organizational Structure
Principles
To be effective, a business continuity programme should be an integrated management process driven from the top of the organization, endorsed and promoted by the principal managers and executives.
It should be managed at both the operational and organizational levels.
A number of professionals and staff from other management disciplines and departments may be required to support and manage the programme.
The quantity of resources required will be dependent upon the size and diversity of the organization.
1.7. Organizational Structure
List of activities
1.6 Business continuity policy
1.7.1 Governance & organizational structure
1.7.2 Business continuity coordinator
1.7.3 Roles & responsibilities of the stakeholders
1.7.4 Roles & responsibilities of key committees
1.7.5 Business continuity teams
1.7.6 Decision & control process
1.8 Documented information
1.7.1. Definition of the Governance & Organizational Structure for Managing Business Continuity
Governance structure (organization chart):
Board of Directors
Crisis Committee
CEO
Business Continuity Committee
Departments: Operations, Human Resources, Internal Audit, Administrative Services, Information Technology (IT), Sales & Marketing, Business Continuity
Involved Parties
Main actors: Top management
Horizontal interventions: Crisis Committee, Business Continuity Manager, Business Continuity Committee, Business Continuity Plan
External parties: Media, External Organisms, Public Security, Government Authorities, CERT
Vertical interventions:
Business Unit 1: Site Manager; Site BC Management Coordinator; Business Continuity Plan, local procedures adapted for the unit
Business Unit 2: Site Manager; Site BC Management Coordinator; Business Continuity Plan, local procedures adapted for the unit
IT Management: Chief Information Officer; IT Recovery Coordinator; IT Recovery & Restoration Plans, IT Procedures
Facility Management: Facility Manager; Emergency Response Coordinator; Emergency Response Plan, Emergency Procedures
The business units cover the business processes; IT Management and Facility Management cover the support processes.
1.7.2. Nomination of a Business Continuity Coordinator
Role and responsibilities
The Business Continuity Coordinator has overall responsibility for the design, development, coordination, implementation, administration, training, awareness programs, and maintenance of the Business Continuity Plan and the BCMS.
The BCC should be a management-level function.
He is responsible for the co-operation and collaboration on Business Continuity of managers, users, system administrators, auditors, security personnel, and specialist skills in areas such as insurance, legal issues, human resources, IT or risk management.
1.7.3. Definition of the Roles and Responsibilities of the Stakeholders
Role: Main Responsibilities
Legal Counsel: Identify compliance requirements (legal, regulatory and contractual) and analysis
Head of IT: Implement and manage solutions and technical measures and ensure the daily operations
Head of Information Security: Coordinate activities related to information security management
Head of Human Resources: Implement and manage the training and awareness plan, responsible for the recruitment
Head of Real Estate: Implement and manage the physical security controls (access control to buildings, protection against fire, electrical maintenance, etc.)
Head of service center / "Help Desk": Implement and manage services to users, and the related processes (access control, incident management, etc.)
Public Relations Officer: Validation of the impact on the reputation of the organization, communications with external stakeholders
Internal Auditor: Validation of BCMS compliance
Responsible for document management: Ensure, at all stages of the document life cycle, that documents have the qualities necessary for good management of knowledge and information heritage, and preservation of evidence
1.7.4. Definition of the Roles and Responsibilities of the Key Committees
1. Executive Committee & Crisis Committee
2. Business Continuity Committee
3. Operational Committees & Local BC Committee
1.7.5. Creation of the Needed Business
Continuity Teams
Example of a team structure:
Crisis Management Team Leader (Senior Executive)
  reporting to the leader: Risk Assessment Coordinator; Business Continuity Manager; Business Unit Representatives; IT/HR/Legal/Finance
  operational teams: Emergency Response Team; Damage Assessment Team; Public Relations Team; Recovery Team; Restoration Team; Telecommunication Team; Resource Procurement and Logistics Team
Important note: the creation of teams and committees is not a requirement of the standard; implement them only where needed.
1.7.6. Define a Decision and Control
Process
Model of a command and control structure:
Level 1: Strategic
Level 2: Tactical
Level 3: Operational
Questions?
Certified ISO 22301
Lead Implementer Training
Section 12
Documented information
a. Documented information requirements
b. Value of documentation
c. Creation of templates
d. Documentation management
e. Implementing a document management system
f. Drafting the BCMS documented information
g. Control of records
1.8. Documented Information
1. Plan: 1.1 Initiating the BCMS; 1.2 Understanding the organization; 1.3 Analyze the existing system; 1.4 Scope; 1.5 Leadership and planning; 1.6 BC policy; 1.7 Organizational structure; 1.8 Documented information; 1.9 Competence & awareness
2. Do: 2.1 Business Impact Analysis (BIA); 2.2 Risk assessment; 2.3 Business continuity strategy; 2.4 Protection & mitigation measures; 2.5 Business continuity plan & procedures; 2.6 Communication; 2.7 Exercising and testing
3. Check: 3.1 Monitoring, measurement, analysis and evaluation; 3.2 Internal audit; 3.3 Management review
4. Act: 4.1 Nonconformities & corrective action; 4.2 Continual improvement
Requirements
ISO 22301, clause 7.5
7.5 Documented information
7.5.1 General
The organization’s BCMS shall include:
− documented information required by this International Standard;
− documented information determined by the organization as being required
for the effectiveness of the BCMS.
7.5.2 Creating and updating
When creating and updating documented information, the organization shall
ensure appropriate:
a) identification and description (e.g. a title, date, author or reference
number),
b) format (e.g. language, software version, graphics) and media (e.g. paper,
electronic), and review and approval for suitability and adequacy.
Requirements
ISO 22301, clause 7.5
7.5.3 Control of documented Information
Documented information required by the BCMS and by this International Standard shall be
controlled to ensure:
a) it is available and suitable for use, where and when it is needed,
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of
integrity).
For the control of documented information, the organization shall address the following
activities, as applicable
− distribution, access, retrieval and use,
− storage and preservation, including preservation of legibility,
− control of changes (e.g. version control),
− retention and disposition
− retrieval and use,
− preservation of legibility (i.e. clear enough to read), and
− prevention of the unintended use of obsolete information.
Documented information of external origin determined by the organization to be necessary for
the planning and operation of the BCMS shall be identified, as appropriate, and controlled.
When establishing control of documented information, the organization shall ensure that there
is adequate protection for the documented information (e.g. protection against compromise,
unauthorized modification or deletion).
Documented Information Requirements
Summary: content, format, document life cycle
Management System Documentation
Types of documented information
Level 1: Governance framework descriptions. Policies, scope, management review, and other strategic documents
Level 2: Describes processes, controls and procedures. Description of the process, activities, controls and procedures (who, what, when, how, where and why)
Level 3: Worksheets, forms, checklists, etc. Describes in detail how the tasks and activities are conducted
Level 4: Records. Provide objective evidence of compliance with the standard's requirements
Value of Documentation
Important notes
In many organizations, the volume of documentation
created is disproportionate to its use
The preparation of documents should not
be a target in itself. It must be a value-
added activity supporting the BCMS
Documentation that is too heavy is
difficult to manage and often not understood by
users, and is therefore not used
Each organization determines the extent of
the necessary documentation and the media to
use
1.8. Documented Information
List of activities
1.7 Organizational structure > 1.8.1 Creation of templates > 1.8.2 Control of documents > 1.8.3 Document management system > 1.8.4 Draft the BCMS documentation > 1.8.5 Control of records > 1.9 Competence & awareness
1.8.1. Creation of Templates
Types of documents and their objectives
Policy: Overall intentions and direction of an organization as formally expressed by top management
Procedure: Specific instructions that clearly explain the steps determining how the policy, guidelines and supporting standards will actually be implemented in an operational environment
Guidelines: General statement supporting the policy objectives by providing guidance on good practice to be followed
Business Continuity Plan: Comprehensive, prepared set of measures (including checklists and work aids) designed to facilitate continuous business activity or the orderly and rapid recovery of business-critical processes in the event of a crisis
Charter: Description of the agreements in place between the organization and a group of actors such as users, employees, suppliers or service providers
Schematic process: Schema illustrating the working of a process
Narrative process: Detailed explanation of the functioning of a process as a narrative description
Form: Paper or electronic form designed to provide or record information about an operation (request for change, request for authorization, incident reporting, etc.)
Guide: Practical document giving detailed instructions on use and/or installation, maintenance and operation
Datasheet: Document that summarizes the technical information (specifications) needed to install, use, maintain, etc. equipment, software, etc.
1.8.2. Documentation Management
Developing a documentation management process and
drafting a procedure covering the document life cycle:
a) Creation
b) Identification
c) Classification, indexing and security
d) Modification
e) Approval
f) Distribution
g) Adequate use
h) Preservation and archiving
i) Disposal
1.8.3. Implementation of a Document
Management System
Facilitate the archiving, access, consultation and
dissemination of documents and their information
Take care of the entire life cycle of documents
Ensure traceability
Secure access to documents
Optimize search and updating
1.8.4. Drafting the BCMS Required
Documented Information
As a minimum, the BCMS should contain the following documentation:
1. The context of the organization (4.1)
2. Legal, regulatory and other requirements and evidence of compliance
(4.2.2)
3. Scope of the BCMS and any exclusions (4.3.2)
4. Business continuity policy (5.3)
5. Business continuity objectives (6.2)
6. Competence (7.2)
7. Business impact analysis and risk assessment process (8.2)
8. Business continuity strategy (8.3) including strategy options considered
9. Continuity, incident management and recovery procedures (8.4)
10. Post-exercise reports (8.5)
11. BCMS monitoring (9.1)
12. Internal audits (9.2)
13. Management reviews (9.3)
14. Nonconformity and corrective action (10.1)
Documented Information that may be
Required
In addition, documented information covering the following information
may be required to ensure the effectiveness of the BCMS:
1. Customer contracts and service levels
2. Results of business impact analyses
3. Results of risk assessments
4. Determination and selection of business continuity strategies
5. Incident response overview
6. Awareness programme
7. BCMS and incident communications with staff and interested parties
8. Training programmes for the organization and individuals;
9. Exercise schedule
10. Contracts and service level agreements with suppliers
11. Contractor and supplier notification and response procedures
12. Evidence of inspection, maintenance and calibration
13. Post-incident reports of incidents and near-hits
14. BCMS review meeting minutes
Creation of a Master List of Documents
Good practice
Create a single list of all documentation related to the
BCMS with basic information such as:
The unique identifier
Title
The document type
The names, functions and services of the authors
(and/or the owners)
The name of the approver and the date of approval
Date of Issue
The version and revision date
Page numbering
Classification level
1.8.5. Control of Records
Controls to ensure the identification, storage, protection,
availability, retention period and disposal of records must be
documented and implemented
Records must be protected and remain legible, readily
identifiable and accessible
Examples of records:
Minutes of meetings
Training certificates
Letters sent to stakeholders
Audit reports
Test result reports
Master List of Records
Example (columns: Identification; Stored; Responsibility; Conservation duration; Classification)
Training logs; HR Department; HR Director; 3 years; Internal Use
Incident report sheet; Service Center; Service Center Director; 2 years; Confidential
BC exercises and tests records; Risk Management Department; BC Manager; 5 years; Very Confidential
Management review; Secretary of the Executive Committee; Executive Committee; 7 years; Very Confidential
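The master lists of documents and of records above are usually kept as spreadsheets, but the clause 7.5.3 control activities they support (unique identification, version control, protection against unauthorized modification, prevention of the unintended use of obsolete versions, retention and disposition) can be enforced mechanically. The Python register below is an added example written for this handbook page; it is not part of the handbook or of the standard, and every identifier, owner, date and document content in it is constructed for illustration. It hashes each approved version so a controlled copy can be checked for tampering, marks superseded versions obsolete so they are never served as current, and computes which records have reached the end of their conservation period.

```python
"""Minimal BCMS document/record register (added example, constructed data).

Illustrates the ISO 22301 clause 7.5.3 control activities: identification,
version control, integrity protection, prevention of unintended use of
obsolete versions, and retention/disposition of records.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date


def _add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Document:
    doc_id: str                 # unique identifier, e.g. "BCMS-POL-001" (constructed)
    title: str
    doc_type: str               # policy, procedure, form, record, ...
    owner: str
    approver: str
    version: int
    classification: str         # e.g. "Internal Use", "Confidential"
    content: bytes
    approved_on: date
    retention_years: int | None = None   # only records carry a conservation duration
    obsolete: bool = False
    sha256: str = field(init=False)

    def __post_init__(self) -> None:
        # Integrity baseline taken at approval; a later mismatch means the
        # controlled copy was modified outside the change-control process.
        self.sha256 = hashlib.sha256(self.content).hexdigest()


class Register:
    """Master list: exactly one entry per (identifier, version) pair."""

    def __init__(self) -> None:
        self._entries: dict[tuple[str, int], Document] = {}

    def add(self, doc: Document) -> None:
        key = (doc.doc_id, doc.version)
        if key in self._entries:
            raise ValueError(f"duplicate entry {doc.doc_id} v{doc.version}")
        # A new version supersedes all earlier versions of the same identifier,
        # so current() can never hand out an obsolete copy.
        for (other_id, other_ver), other in self._entries.items():
            if other_id == doc.doc_id and other_ver < doc.version:
                other.obsolete = True
        self._entries[key] = doc

    def get(self, doc_id: str, version: int) -> Document:
        return self._entries[(doc_id, version)]

    def current(self, doc_id: str) -> Document:
        live = [d for (i, _), d in self._entries.items() if i == doc_id and not d.obsolete]
        if not live:
            raise KeyError(f"no current version of {doc_id}")
        return max(live, key=lambda d: d.version)

    def verify(self, doc_id: str, version: int, content_on_disk: bytes) -> bool:
        """True when the stored copy still matches the hash taken at approval."""
        return hashlib.sha256(content_on_disk).hexdigest() == self.get(doc_id, version).sha256

    def due_for_disposition(self, today: date) -> list[str]:
        """Identifiers of records whose conservation duration has expired."""
        due = [d.doc_id for d in self._entries.values()
               if d.retention_years is not None
               and _add_years(d.approved_on, d.retention_years) <= today]
        return sorted(due)


def build_example_register() -> Register:
    """Constructed sample entries mirroring the master-list examples above."""
    reg = Register()
    reg.add(Document("BCMS-POL-001", "Business continuity policy", "policy", "BC Manager",
                     "CEO", 1, "Internal Use", b"policy text v1", date(2012, 3, 1)))
    reg.add(Document("BCMS-POL-001", "Business continuity policy", "policy", "BC Manager",
                     "CEO", 2, "Internal Use", b"policy text v2", date(2013, 3, 1)))
    reg.add(Document("REC-TRN-2011", "Training logs 2011", "record", "HR Director",
                     "HR Director", 1, "Internal Use", b"training log entries",
                     date(2011, 12, 31), retention_years=3))
    reg.add(Document("REC-MR-2012", "Management review minutes 2012", "record",
                     "Executive Committee", "Executive Committee", 1, "Very Confidential",
                     b"minutes", date(2012, 6, 15), retention_years=7))
    return reg


if __name__ == "__main__":
    reg = build_example_register()
    print("current policy version:", reg.current("BCMS-POL-001").version)
    print("v2 intact:", reg.verify("BCMS-POL-001", 2, b"policy text v2"))
    print("v2 tampered:", reg.verify("BCMS-POL-001", 2, b"edited outside change control"))
    print("records due on 2015-01-01:", reg.due_for_disposition(date(2015, 1, 1)))
```

The hash only detects modification; in practice it must itself be stored where the people who can edit the controlled copy cannot also rewrite the register entry (for example in a read-only audit log), otherwise an attacker or careless editor simply updates both. The retention check counts from the approval date, which is one common convention; some record types count from the end of the year or from the closure of the related incident, so the anchor date should be a field of the retention rule rather than hard-coded.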
Documentation Management
Most Common Issues
Issue: Potential cause
Difficulty finding or managing a document: Too large a mass of documents, misclassified and not indexed
Inability to quickly extract useful information from a document: Voluminous document, too literary, often with multiple annexes
Tedious updates: Document management processes not established or poorly used
Documents differ from the actual business processes: Employees involved in operations have not been involved in drafting the documents
Ambiguous or incomprehensible texts or graphics: No validation with users, lack of training and awareness, incompetent editor
Proliferation of document versions: No document management system in place
Questions?
Exercise 6
Master list of documents
Certified ISO 22301
Lead Implementer Training
Section 13
Competence and awareness
a. Difference between training, awareness and communication
b. Defining a competence development programme
c. Assessment of the required competences
d. Defining a training programme
e. Defining an awareness programme
f. Evaluation & continual improvement of the competency development programme
1.9. Competence and Awareness
1. Plan: 1.1 Initiating the BCMS; 1.2 Understanding the organization; 1.3 Analyze the existing system; 1.4 Scope; 1.5 Leadership and planning; 1.6 BC policy; 1.7 Organizational structure; 1.8 Documented information; 1.9 Competence & awareness
2. Do: 2.1 Business Impact Analysis (BIA); 2.2 Risk assessment; 2.3 Business continuity strategy; 2.4 Protection & mitigation measures; 2.5 Business continuity plan & procedures; 2.6 Communication; 2.7 Exercising and testing
3. Check: 3.1 Monitoring, measurement, analysis and evaluation; 3.2 Internal audit; 3.3 Management review
4. Act: 4.1 Nonconformities & corrective action; 4.2 Continual improvement
Requirements
ISO 22301, clause 7.2 & 7.3
7.2 Competence
The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects
its performance,
b) ensure that these persons are competent on the basis of appropriate education, training,
and experience,
c) where applicable, take actions to acquire the necessary competence, and evaluate the
effectiveness of the actions taken, and
d) retain appropriate documented information as evidence of competence.
NOTE Applicable actions can include, for example: the provision of training to, the mentoring
of, or the re-assignment of current employees; or the hiring or contracting of competent
persons.
7.3 Awareness
Persons doing work under the organization’s control shall be aware of:
a) the business continuity policy;
b) their contribution to the effectiveness of the BCMS, including the benefits of improved
business continuity management performance;
c) the implications of not conforming with the BCMS requirements;
d) their own role during disruptive incidents.
Competence and Training
ISO 9000, clause 3.1.6 & ISO 10015, clause 3.2
Competence: demonstrated ability to apply knowledge and skills
Training: process to provide and develop knowledge, skills and behaviour to meet requirements
Training, Awareness and Communication
Differences
Training: acquiring skills; addressed to the intellect; key question: what skills do they have to acquire?
Awareness: changing habits; intended primarily for emotions and behaviour; key question: what behaviour do we want to strengthen or change?
Communication: being informed; addressed to the intellect; key question: what messages do we send?