ICOR Presents: Moving your BCM Program to a Management System
Implementing ISO 22301:2012
ISO 223xx Societal Security Management System Series
• ISO 22300: Vocabulary
• ISO 22301: BCMS (successor to BS 25999)
• ISO 22311: Video surveillance – export interoperability
• ISO 22312: Technological capabilities
• ISO 22313: BCMS guidelines
• ISO 22320: Emergency management – requirements for command and control (compare NFPA 1600)
• ISO 22322: Emergency management – public warning
• ISO 22323: Organizational resilience (compare ASIS SPC.1)
• ISO 22324: Emergency management – colour-coded alerts
• ISO 22351: Emergency management – general rules for writing data elements and codes for information sharing
• ISO 22352: Emergency management – data elements and codes for information sharing
• ISO 22397: Public/private partnerships
• ISO 22398: Guidelines for exercises and testing
©2012 ICOR ALL RIGHTS RESERVED 2
How Mature is Your BCM Program?
Project?
Program?
Management System?
Using a Management System Approach
What is a management system? A proven framework for managing and continually improving your organization's policies, procedures and processes.
• The best businesses work as complete units with a shared vision
• Encompasses:
  – Information sharing
  – Benchmarking
  – Team working
  – Working to the highest quality
Using a Management System Approach
A management system helps your organization to achieve these goals through a number of strategies, including process optimization, management focus and disciplined management thinking.
Management Systems in Simple Terms
Plan-Do-Check-Act
Lifecycle Process of Continual Improvement
The cycle runs: Policy → Planning → Implementation & Operation → Checking & Corrective Action → Management Review → back to Policy.
Key Components of Management Systems
Key components of all management systems include the following:
• A policy;
• People with defined responsibilities;
• Management processes relating to:
  – Policy;
  – Planning;
  – Implementation & operation;
  – Performance assessment;
  – Management review; and
  – Improvement;
• A set of documentation providing auditable evidence; and
• Topic-specific processes relating to the subject.
Why do Management Systems Matter?
Businesses operating in the 21st century face many significant challenges, including:
• Profitability
• Competitiveness
• Globalization
• Speed of change
• Adaptability
• Growth
• Technology
• An increasing number of risks and threats to the organization
Balancing these and other business requirements can be a difficult and daunting process. That's where management systems can help, by unlocking the potential in your organization.
Why Move to a Management System?
The ISO 22301 standard can tie to management systems already in place in many organizations:
• ISO 9001 (quality)
• ISO 14001 (environment)
• ISO 27001 (information security)
• ISO 31000 (risk management; a guidance standard rather than a certifiable management system, but its risk process feeds the BCMS risk assessment)
Management Systems
What management systems does your organization already have in place?
Business Continuity Management Defined
Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
Business Continuity Management: ISO 22301
Published May 2012; developed from BS 25999-2:2007.
Scope of the standard: applicable to all types and sizes of organizations that wish to:
• Establish, implement, maintain, & improve a BCMS;
• Assure conformance with stated BCM policy;
• Demonstrate conformance to others;
• Seek certification/registration of its BCMS by an accredited third-party certification body; or
• Make a self-determination and self-declaration of conformance with this International Standard.
Review of ISO 22301 by Category
4. Context of the Organization
5. Leadership
6. Planning
7. Support
8. Operation*
9. Performance evaluation
10. Improvement
*contains the bulk of the requirements
4 Context of the Organization
4.1 Understanding the organization and its context
Internal & External Factors
Internal factors:
• Products & services
• Resources & knowledge: capital, time, people, processes
• Policies, objectives, values
• Information systems, information flows
• Values, culture, governance
• Decision-making processes
External factors:
• Social & cultural
• Financial & economic
• Political, legal & regulatory
• Competitive environment
• Trends
• Supply chain commitments, supply chains
• Outside relationships, partnerships
4.2 Understanding Needs & Expectations of Interested Parties
4.2.2 Legal & Regulatory Requirements
Identify and accommodate all legal and regulatory requirements that relate to continuity of its operations:
• Incident response: health & safety
• Continuity: scope of program & extent or speed of response
• Risk: scope or methods of risk management
• Hazards: dangerous materials?
4.3 Determining Scope of the System
The whole organization? Or part of the organization?
4.3 Determining Scope of the System
Consider:
• External and internal factors
• Needs and requirements
Determine issues or concerns to:
• Assure the system can achieve its expected outcomes
• Prevent undesired effects
• Address opportunities for improvement
4.3 Determining Scope of the System
The organization shall
a) Clearly define what is in and out of scope
  • Explain exclusions
  • Such exclusions shall not affect the organization's ability and responsibility to provide continuity of business and operations that meet the BCMS requirements, as determined by BIA or RA and applicable legal or regulatory requirements
b) Establish BCMS requirements considering how it supports the organization's overall mission, goals, legal responsibilities and internal and external obligations in order to preserve the integrity of the organization
c) Identify products and services and all related activities within the scope of the BCMS
d) Take into account needs and interests of all interested parties
e) Define the scope in terms of, and appropriate to, the size, nature and complexity of the organization
5 Leadership
Management Commitment Demonstrated
BCM Policy
Roles, Responsibilities & Authorities Defined
Management Shall Demonstrate Leadership
5.2 Management Commitment
Top management shall demonstrate its commitment by
a) Ensuring the BCMS is compatible with the strategic direction of the organization
b) Integrating the BCMS requirements into the organization's business processes
c) Providing the resources to establish, implement, operate, monitor, review, and improve the BCMS
d) Communicating the importance of effective BCM and conforming to the BCMS requirements
e) Ensuring that the BCMS achieves its expected outcomes
f) Directing and supporting continual improvement
5.2 Management Commitment: Evidence
a) Policy
b) BCMS objectives & plan
c) Roles, responsibilities and competencies
d) Appointment of one or more persons with responsibility and authority for accountability of implementation and maintenance
e) Communication and promotion of awareness within the organization of the importance of meeting objectives and conforming to policy
5.2 Management Commitment: Evidence
f) Sufficient resources
g) Definitions of criteria for accepting risks
h) Engaging in exercising and testing
i) Ensuring internal audits are conducted
j) Conducting management reviews
k) Demonstrating commitment to continual improvement
5.3 Policy Development
The policy shall be
a) Approved by top management
b) Communicated to all persons working for or on behalf of the organization
c) Available to stakeholders as approved by management
d) Reviewed at planned intervals or when significant changes occur
5.3 Policy Development
The policy shall
a) Be appropriate to the purpose of the organization
b) Provide a framework for setting objectives
c) Include a commitment to satisfy applicable needs and requirements
d) Include a commitment to continual improvement of the BCMS
e) Be implemented
f) Be reviewed for continuing suitability
g) Be available to interested parties
6 Planning
6.1 Actions to Address Risks & Opportunities
• Assure the BCMS can achieve its intended outcomes
• Prevent undesired effects
• Realize opportunities for improvement
• Evaluate the need to plan actions to address these risks and opportunities
6.2 BC Objectives & Plans to Achieve Them
• Be consistent with policy
• Take account of the minimum level of products and services acceptable to achieve its objectives
• Be measurable
• Take into account requirements
• Be monitored and updated as appropriate
6.2 BCM Objectives
a) Who will be responsible?
b) What will be done?
c) What resources will be required?
d) When will it be completed?
e) How will the results be evaluated?
The organization must identify HOW it will achieve its objectives by answering these questions for each identified objective.
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented Information
7.1 Resources
7.1 General Resources: resources are needed to
a) Achieve policy, objectives and targets
b) Meet the changing requirements
c) Ensure effective communication on BCMS matters both internally and externally
d) Provide for on-going operation and continual improvement
7.1.2 BCMS Resources
• People: time; training, education, awareness, exercising; interested parties
• Facilities: work locations; infrastructure that supports effective and efficient program management
• Technology: applications; infrastructure
• Documentation: policies; legal documents; contracts; service level agreements
7.1.3 Incident Response Personnel
Responsible for managing any disruptive incident that has the potential to significantly impact the organization, with clearly defined responsibilities and authorities:
• Incident detection, assessment, and escalation
• Activation
• Evacuation
• Triage & first aid
• Perimeter security
• Control of traffic
• Establishment and operation of an emergency operations center
• Liaison with emergency services and local authorities
• Coordination and communication of the incident response
• Post-incident analysis and reporting
7.2 Competence
• Determine the necessary competence of person(s) doing work under its control
• Ensure these persons are competent on the basis of appropriate education, training, & experience
• Take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken
• Retain appropriate documented information as evidence
Examples of Appropriate Training
• BCM program management
• How to conduct a BIA and/or RA
• Developing and implementing BCM documentation
• Running an exercise
• Communication skills
• Handling of media inquiries
7.3 Awareness
Persons working under the organization's control should have appropriate awareness of the BCMS, ensuring they are aware of their role:
• The BCM policy
• The benefits of improved BCM performance
• The effects of divergence from requirements
7.3 Awareness
Development of a BCM culture is supported by
• Involvement of all personnel
• Leadership from managers
• Assignment of responsibilities
• Performance indicators
• Awareness raising
• Skills training
• Exercising procedures
7.4 Communication
What to communicate? When to communicate? To whom will it communicate?
Audiences: employees & interested parties; customers & partners; internal & external communication systems.
• Receiving, documenting, & responding to communications from interested parties
• Adapting threat advisory systems as needed
• Ensuring availability of the means of communication during a disruptive incident
• Facilitating structured communications with appropriate authorities
7.5 Documented Information
The BCMS shall include the documented information required by the standard and the documented information the organization determines to be necessary for the effectiveness of the BCMS.
7.5 Documented Information
Create & update:
• Its identification & description
• Consideration of how the information will be captured and presented
• Its review and approval for adequacy when applicable
Control of information:
• Distribution
• Access
• Storage and preservation
• Retrieval and use
• Version changes
• Preservation of legibility
• Prevention of unintended use of obsolete information
• Retention & disposition
8 Operation
8.1 Operational Planning & Control
8.2 BIA & Risk Assessment
8.3 Business Continuity Strategy
8.4 Business Continuity Procedures
8.5 Exercising & Testing
Plan-Do-Check-Act Cycle Applied to BCMS
Figure: the PDCA cycle applied to the BCMS. Stakeholders' requirements for preparedness & continuity feed Establish (Plan) → Implement & Operate (Do) → Monitor & Review (Check) → Maintain & Improve (Act), producing managed preparedness & continuity for stakeholders and continual improvement of the preparedness & continuity management system.
8.1 Operational Planning & Control
The organization shall determine, plan, implement, and control those activities needed to address the risks and opportunities by
a) Establishing criteria for those activities or processes
b) Implementing controls
c) Keeping documented information to demonstrate that they have been carried out as planned
8.1.1 BCM Program Elements
• BC Program Management
• Understanding the Organization
• Selecting BC Options
• Developing & Implementing a BC Response
• Exercising & Testing
• Embedding Competence & Awareness
8.1.2 Managing the BCM Environment
• Ensure the relevance of the scope, roles and responsibilities
• Promote and embed continuity across the organization
• Manage costs associated with BC
• Establish and monitor change management and succession management regimes
• Arrange or provide appropriate training for staff
• Maintain program documentation
8.1.3 Managing the BC Capability
• Keeping the program current through good practice
• Administering the exercise program
• Coordinating the regular review and update of the capability, including the BIA and risk assessment
• Ensuring maintenance of the response documentation
8.1.4 Measuring Effectiveness
• Monitoring the performance of the BC capability
• Monitoring and reviewing the arrangements for outsourced activities and the BCM capabilities of suppliers
8.1.5 Outcomes of an Effective Program
a) Key products and services identified and protected
b) Incident management capability enabled and provides an effective response
c) Understanding of itself and its relationship with others
d) Requirements of interested parties are understood and able to be delivered
e) Regular exercising so staff are trained to respond effectively
f) Staff receive adequate support and communications
g) Supply chain is secured
h) Reputation is protected
i) Compliant with legal and regulatory obligations
j) Financial controls are maintained
8.2 The BIA & Risk Assessment
The organization shall have a formal and documented process for business impact analysis and risk assessment that:
• Establishes context
• Defines criteria
• Accounts for legal and other requirements
• Includes systematic analysis
• Evaluates the potential impact of a disruptive incident
• Prioritizes risk treatments and costs
• Defines required output
• Keeps information up to date and confidential
8.2.1 The BIA and Risk Assessment
Enable the organization to identify measures that:
• Reduce the likelihood of a disruption
• Shorten the period of disruption
• Limit the impact of a disruption on the organization's key services
8.2.2 Business Impact Analysis
Figure: the organization sits within its internal and external context, with its purpose delivered through products/services; each product/service depends on activities, which in turn depend on supporting activities, assets & resources, and on suppliers and outsource partners, and is delivered to customers and partners.
8.2.2 The Business Impact Analysis
• Identify activities that support the provision of products and services
• Assess the impacts over time of not performing these activities
• Set priorities for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable
• Identify dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties
8.2.2 Assessing Potential Impacts Over Time
• Consequences of non-compliance
• Damage to reputation
• Effects on staff & public well-being
• Deterioration of product or service quality
• Reduced financial viability
• Environmental damage
Relationship Between RTO, RPO, & MTPD
Figure: a timeline around a crisis event. The RPO (Recovery Point Objective) runs backwards from the event to the last complete backup; work in process and data created after that point are lost. The RTO (Recovery Time Objective) runs forward from the event through critical business resumption (step 1) and further resumption steps (steps 2 and 3) to 100% resumption; this is the period in which primary business processes and applications are not available. The MTPD (Maximum Tolerable Period of Disruption) bounds how long the disruption can last before the impacts become unacceptable, so the RTO must be shorter than the MTPD. Risk/disaster scenarios focus on the crisis event itself.
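As an added worked example (not part of the ICOR slides), the following Python derives an MTPD from a BIA impact-over-time curve (the assessment described under 8.2.2) and then checks each activity's RTO, RPO, actual backup interval and last exercised restore time against the relationships in the figure above. The activities, impact scores and timings are constructed sample data, not from any real organization.

```python
from dataclasses import dataclass
from datetime import timedelta


def derive_mtpd(impact_curve, unacceptable=5):
    """Return the MTPD implied by a BIA impact-over-time curve.

    impact_curve: iterable of (hours_after_disruption, impact_score) pairs, with
    the impact scored 1 (negligible) to 5 (unacceptable) as assessed in the BIA.
    The MTPD is the earliest time at which the impact reaches the unacceptable
    level; any RTO chosen for the activity must come in before that point.
    """
    for hours, score in sorted(impact_curve):
        if score >= unacceptable:
            return timedelta(hours=hours)
    raise ValueError("impact never reaches the unacceptable level; extend the curve")


@dataclass(frozen=True)
class Activity:
    name: str
    mtpd: timedelta               # maximum tolerable period of disruption (from the BIA)
    rto: timedelta                # recovery time objective chosen in the BC strategy
    rpo: timedelta                # maximum acceptable data loss, measured back from the incident
    backup_interval: timedelta    # how often the supporting data is actually captured
    exercised_restore: timedelta  # restore time observed in the last exercise or test


def check_activity(a):
    """Return the list of findings for one activity (an empty list means consistent)."""
    findings = []
    # The RTO must sit strictly inside the MTPD or there is no margin for an overrun.
    if a.rto >= a.mtpd:
        findings.append(f"{a.name}: RTO {a.rto} is not shorter than MTPD {a.mtpd}")
    # Worst case, the incident strikes just before the next backup, so the data lost
    # equals one full backup interval; that interval must not exceed the RPO.
    if a.backup_interval > a.rpo:
        findings.append(f"{a.name}: backup interval {a.backup_interval} exceeds RPO {a.rpo}")
    # A paper RTO is only credible if the exercised restore actually met it.
    if a.exercised_restore > a.rto:
        findings.append(f"{a.name}: exercised restore {a.exercised_restore} exceeds RTO {a.rto}")
    return findings


def check_all(activities):
    """Map each activity name to its findings so the review can be reported per activity."""
    return {a.name: check_activity(a) for a in activities}


# Constructed sample BIA output: hours after disruption -> impact score for order processing.
ORDER_CURVE = [(1, 1), (4, 2), (8, 3), (24, 4), (48, 5), (72, 5)]

# Constructed sample activities (hypothetical names and timings).
ORDER_PROCESSING = Activity("order-processing", derive_mtpd(ORDER_CURVE),
                            rto=timedelta(hours=24), rpo=timedelta(hours=4),
                            backup_interval=timedelta(hours=1),
                            exercised_restore=timedelta(hours=6))
PAYROLL = Activity("payroll", mtpd=timedelta(hours=72), rto=timedelta(hours=96),
                   rpo=timedelta(hours=24), backup_interval=timedelta(hours=24),
                   exercised_restore=timedelta(hours=36))
CUSTOMER_DB = Activity("customer-db", mtpd=timedelta(hours=8), rto=timedelta(hours=4),
                       rpo=timedelta(minutes=15), backup_interval=timedelta(hours=1),
                       exercised_restore=timedelta(hours=6))
ACTIVITIES = [ORDER_PROCESSING, PAYROLL, CUSTOMER_DB]

if __name__ == "__main__":
    for name, findings in check_all(ACTIVITIES).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Running it flags payroll because its RTO exceeds its MTPD, and customer-db twice: hourly backups cannot meet a 15-minute RPO, and the last exercised restore took longer than the RTO. Order processing passes. The check on exercised restore time is the one auditors most often find missing: an RTO that has never been demonstrated in an exercise is an assumption, not a capability.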
8.2.2 Methods of Collecting BIA Information
Interviews, workshops and surveys with senior, middle and line management.
8.2.3 Risk Assessment
The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyzes, and evaluates the risk of disruptive incidents to the organization.
This process may be carried out in accordance with ISO 31000:2009.
8.2.3 Risk Assessment
The organization shall
a) Identify risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them
b) Systematically analyze risk
c) Evaluate which disruption-related risks require treatment
d) Identify treatments commensurate with BC objectives and in accordance with the organization's risk appetite
Note…
The organization must be aware that certain financial or governmental obligations require the communication of these risks at various levels of detail.
In addition, certain societal needs can also warrant sharing of this information at an appropriate level.
ISO 31000 Risk Management Process
• What may happen and why?
• What are the consequences?
• What is the probability?
• How to mitigate or reduce the probability of the risk?
The process needs to take into consideration financial, governmental and societal obligations.
The organization should understand the threats to and vulnerabilities of each resource required for each activity, and in particular those
• Required by activities with high priority
• With significant replacement lead-time
Identifying, Analyzing & Evaluating Risks
• Determination of the criteria for risk acceptance
• Identification of acceptable levels of risk
• Analysis of:
  – Specific threats: flood, fire, staff loss, computer viruses, etc.
  – Vulnerabilities, which may occur as weaknesses within the resources and may be exploited by the threats: single points of failure, staffing levels, IT security, etc.
8.3 Business Continuity Strategy
8.3.1 Determination & Selection
Determination and selection of strategy shall be based on the outputs from the BIA and the risk assessment. The organization shall determine an appropriate business continuity strategy for:
• Protecting prioritized activities
• Stabilizing, continuing, resuming, and recovering prioritized activities and their dependencies and supporting resources
• Mitigating, responding to, and managing impacts
Include prioritized time frames for resumption and evaluations of the BC capabilities of suppliers.
8.3.1 Determination & Selection
Risk treatment options:
• Remove risk to the activity (cease or change the activity)
• Transfer risk to another part of the organization or a third party
• Control or mitigate
• Financing / insurance
• Acceptance
8.3.1 Determination & Selection
Strategy options:
• Resource relocation
• Redundancy
• Resource & skills replacement
• Temporary workaround
• Manual procedures
• Asset restoration
8.3.2 Establishing Resource Requirements
• Facilities, equipment, utilities & consumables
• Information, data, technology & telecommunications systems
• Employees & stakeholders
• Transportation, partners & suppliers
• Reputation
• Finance
8.3.3 Protection & Mitigation
The organization shall consider proactive measures that:
• Reduce the likelihood of a disruption
• Shorten the period of disruption
• Limit the impact of a disruption on the organization's key services
8.4 Establish & Implement BC Procedures
8.4.1 General
8.4.2 Incident Response Structure
8.4.3 Warning & Communication
8.4.4 Business Continuity Plans
8.4.5 Recovery
8.4.1 Establish & Implement BC Procedures
The organization shall establish, implement, and maintain BC procedures to manage a disruptive incident and continue activities based on recovery objectives identified in the BIA. The organization shall document procedures to ensure continuity of activities and management of a disruptive event.
8.4.1 Establish & Implement BC Procedures
The procedures shall:
a) Establish an appropriate internal and external communications protocol
b) Be specific regarding the immediate steps that are to be taken during a disruption
c) Be flexible to respond to unanticipated threats and changing internal and external conditions
8.4.1 Establish & Implement BC Procedures
The procedures shall:
d) Focus on the impact of events that could potentially disrupt operations
e) Be developed based on stated assumptions and an analysis of interdependencies
f) Be effective in minimizing consequences through implementation of appropriate mitigation strategies
8.4.2 Incident Response Structure
The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority, and competence to manage an incident.
Levels of the structure: Strategic, Tactical, Operational
8.4.2 The Incident Response Structure
The response structure shall
a) Identify impact thresholds that justify initiation of formal response;
b) Assess the nature and extent of the disruptive incident and its potential impact;
c) Activate an appropriate business continuity response;
d) Have processes and procedures for the activation, operation, coordination, and communication of the response; and
e) Communicate with interested parties and authorities as well as the media.
8.4.2 The Incident Response Structure
The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts, and document its decision.
If the decision is to communicate, then the organization shall establish and implement procedures for this external communication, alerts, and warnings, including the media as appropriate.
8.4.2 The Incident Response Structure
The response structure should be simple and capable of being formed quickly. When determining the structure, consideration should be given to:
• Having one or more competent personnel available to establish the ramifications of the incident and evaluate the impact or potential impact of the incident and its timescale
• Being able to mobilize teams to take control, contain the incident, and initiate the appropriate business continuity response
• Including appropriate resources, which may include staff, contractors, equipment, and finance.
8.4.3 Communication and Warning
The organization shall establish, implement, and maintain procedures for
a) Detecting an incident
b) Regular monitoring of an incident
c) Internal communication within the organization and receiving, documenting, and responding to communication from interested parties
d) Receiving, documenting, and responding to any national or regional risk advisory system or equivalent
8.4.3 Communication and Warning
e) Assuring availability of the means of communication during a disruptive event
f) Facilitating structured communication with emergency responders
g) Recording of vital information about the incident, actions taken and decisions made
8.4.3 Communication and Warning
The following shall also be considered and implemented where applicable:
a) Alerting interested parties potentially impacted by an actual or impending disruptive incident
b) Assuring the interoperability of multiple responding organizations and personnel
c) Operation of a communications facility
The communication and warning procedures shall be regularly exercised.
8.4.4 Business Continuity Plans
The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe.
Such procedures shall address the requirements of those who will use them.
8.4.4 Business Continuity Plans
The business continuity plans shall collectively contain:
a) Defined roles and responsibilities for people and teams having authority during and following an incident
b) A process for activating the response
c) Details to manage the immediate consequences of a disruptive incident, giving due regard to
  1) The welfare of individuals
  2) Strategic, tactical, and operational options for responding to the disruption
  3) Prevention of further loss or unavailability of prioritized activities
8.4.4 Business Continuity Plans
d) Details on how and under what circumstances the organization will communicate with employees and their relatives, key interested parties, and emergency contacts
e) How the organization will continue or recover its prioritized activities within predetermined timeframes
f) Details on the organization's media response following an incident, including:
  1) A communications strategy;
  2) Preferred interface with the media;
  3) Guideline or template for drafting a statement for the media; and
  4) Appropriate spokespeople.
g) A process for standing down once the incident is over
8.4.4 Business Continuity Plans
Each plan shall define:
a) Purpose and scope;
b) Objectives;
c) Activation criteria and procedures;
d) Implementation procedures;
e) Roles, responsibilities and authorities;
f) Communication requirements and procedures;
g) Internal and external interdependencies and interactions;
h) Resource requirements; and
i) Information flow and documentation process
8.4.4.3 Specific Types of Procedures
8.4.4.3.1 Incident / Strategic
8.4.4.3.2 Communications
8.4.4.3.3 Incident & Welfare
8.4.4.3.4 Resuming Activities
8.4.4.3.5 Recovery of ICT
8.4.4.3.1 Incident /Strategic Management
Purpose: To allow top management to take control during the initial phase of an incident, when its reputation is most likely to be threatened. Should provide the basis for managing all possible issues.
Identify a location from which an incident can be managed
• Also an alternate location from the primary
• Can be a hotel room or a formal "command center"
• Can be 'virtual'
8.4.4.3.1 Incident /Strategic Management
• Space for the required number of people
• Effective primary and secondary means of communication
• Facilities for assessing and sharing information, including monitoring the news media
8.4.4.3.2 Communications
Can be included in the incident management response or a separate procedure
• Establish a suitable venue to support liaison with the media or other groups
• Appropriate number of competent, trained people to answer telephone enquiries from the press
• Use all communication channels, including social media
• Prepare background material about the organization and its operations
8.4.4.3.2 Communications
• A process for identifying and prioritizing communications with other key interested parties
• Provide criteria for setting priorities and make provisions for allocating persons to each stakeholder or group of stakeholders
8.4.4.3.3 Incident and Welfare
Cover the initial stage of an incident involving damage or threat to safety.
• Site evacuation / shelter-in-place
• First aid / evacuation assistance teams
• Locating and accounting for personnel
• Translation services
• Transport services
• Contact information for emergency services, first responders, etc.
• Locating contractors, displaced workers
• Managing telephone help lines
• Counseling services (physical and emotional)
8.4.4.3.3 Incident and Welfare
• Equipment
• Supplies
• Sources of energy
• Communication systems
• Salvage priorities
• Security of premises
8.4.4.3.4 Resuming Activities
• Prioritized activities to be resumed
• Timescales
• Recovery levels
• Resource numbers at different points of time
• Mobilization of 3rd party resources
• Manual workarounds, system recovery, etc.
8.4.4.3.5 Recovery of ICT Systems
• Reference disaster recovery procedures
• Invoking the DR procedures and deploying personnel
• Accessing back-up data and acquiring alternative hardware
• Restoration of data and communications
8.4.5 Recovery
The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.
8.4.5 Recovery
Goal: Get operations back to the state they were in before the incident.
• Repair damage
• Migrate operations from temporary premises back to restored or new location
8.4.5 Recovery
• Make claims against insurance policies
• Obtain additional manpower to support the recovery effort
• Recover lost information
• Conduct a post-recovery review
• Conduct due diligence on audit and governance requirements
8.5 Exercising & Testing
The organization shall conduct exercises and tests that:
a) Are consistent with the scope of the BCMS;
b) Are based on appropriate scenarios that are well planned with clearly defined aims and objectives;
c) Taken together over time validate the whole of its business continuity arrangements involving relevant interested parties;
d) Minimize the risk of disruption to operations;
e) Produce formalized post-exercise reports that contain outcomes, recommendations, and actions to implement improvements;
f) Are reviewed within the context of promoting continual improvement; and
g) Are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates.
8.5 Exercising & Testing
The principal types of exercises are described in ISO 22398.
Discussion Based: Seminar, Workshop, Tabletop, Game
Operational Based: Simulation, Drill, Functional, Full-scale
The Exercise Program
1. Plan Review
2. Table Top
3. Walkthrough
4. Simple Simulation
5. Full-Scale Comprehensive
• Start simple
• Build upon mastery
• Add complexity
Sections 9 & 10: Continuous Improvement
9 Performance Evaluation
9.1 Monitoring, Measurement, Analysis, and Evaluation
9.2 Internal Audit
9.3 Management Review
9.1 Monitoring, Measurement, Analysis, and Evaluation
9.1.1 The organization shall determine:
a) What needs to be measured and monitored;
b) The methods for monitoring to ensure valid results;
c) When it shall be performed;
d) When the analysis of the results shall be performed.
Evaluate the performance and the effectiveness of the BCMS.
9.1 Monitoring, Measurement, Analysis, and Evaluation
Additionally, the organization shall:
a) Take action when necessary to address adverse trends or results before a nonconformity occurs; and
b) Retain relevant documented information as evidence of the results.
9.1 Monitoring, Measurement, Analysis, and Evaluation
The procedures for monitoring performance shall provide for:
a) The setting of performance metrics appropriate to the needs of the organization;
b) Monitoring the extent to which the organization’s business continuity policy, objectives and targets are met;
c) Performance of the processes, procedures and functions that protect its prioritized activities;
d) Monitoring compliance with this standard and the business continuity objectives;
e) Monitoring historical evidence of deficient BCMS performance;
f) Recording data and results of monitoring and measurement to facilitate subsequent corrective actions.
NOTE: Deficient performance could include non-conformity, near misses, false alarms, and actual incidents.
9.1.2 Evaluation of Continuity Procedures
a) The organization shall conduct evaluations of its business continuity procedures and capabilities in order to ensure their continuing suitability, adequacy and effectiveness;
b) This evaluation shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner;
c) The organization shall periodically evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformance with its own business continuity policy and objectives; and
d) The organization shall conduct evaluations at planned intervals and when significant changes occur.
When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results.
9.2 Internal Audit
The organization shall conduct internal audits at planned intervals to provide information to assist in the determination of whether the BCMS:
a) Conforms to:
1. the organization’s own requirements for its BCMS;
2. the requirements of this International Standard; and
b) Is effectively implemented and maintained.
9.2 Internal Audit
The organization shall:
a) Plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, while taking into consideration the importance of the processes concerned and the results of previous audits;
b) Define the audit criteria and scope for each audit;
c) Select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) Ensure that the results of the audits are reported to relevant management; and
e) Retain documented information as evidence of the results.
9.2 Internal Audit
The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results.
The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results.
9.3 Management Review
Top management shall review the organization's BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the business continuity management system;
c) information on the business continuity performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement evaluation results;
3) audit results; and
d) opportunities for continual improvement.
9.3 Management Review
a) Follow-up actions from previous management reviews;
b) The need for changes to the BCMS, including the policy and objectives;
c) Opportunities for improvement;
d) Results of BCMS audits and reviews, including those of key suppliers and partners where appropriate;
e) Techniques, products or procedures, which could be used in the organization to improve the BCMS' performance and effectiveness;
f) Status of corrective actions;
g) Results of exercising and testing;
h) Risks or issues not adequately addressed in any previous risk assessment;
i) Any changes that could affect the BCMS, whether internal or external to the scope of the BCMS;
j) Adequacy of policy;
k) Recommendations for improvement;
l) Lessons learned and actions arising from disruptive incidents; and
m) Emerging good practice and guidance.
9.3 Management Review
The output from the management review shall include decisions and actions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following:
a) Variations to the scope of the BCMS;
b) Improvement of the effectiveness of the BCMS;
c) Update of the risk assessment, business impact analysis, business continuity plans and related procedures;
9.3 Management Review
d) modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to:
1) business and operational requirements;
2) risk reduction and security requirements;
3) operational conditions and processes;
4) legal and regulatory requirements;
5) contractual obligations;
6) levels of risk and/or criteria for accepting risks;
7) resource needs;
8) funding and budget requirements; and
e) how the effectiveness of controls is measured.
9.3 Management Review
The organization shall retain documented information as evidence of the results of management reviews.
The organization shall:
a) communicate the results of management review to relevant interested parties; and
b) take appropriate action relating to those results.
10 Improvement
10.1 Nonconformity and corrective action
The organization shall:
a) Identify nonconformities; and
b) React to the nonconformities, and as applicable:
1. Take action to control, contain and correct them;
2. Deal with the consequences.
10.1 Nonconformity and Corrective Action
The organization shall also evaluate the need for action to eliminate the causes of nonconformities, including:
a) Reviewing nonconformities;
b) Determining the causes of nonconformities;
c) Identifying if potential similar nonconformities exist elsewhere in the BCMS;
d) Evaluating the need for action to ensure that nonconformities do not recur or occur elsewhere;
e) Determining and implementing action needed;
f) Reviewing the effectiveness of any corrective action taken; and
g) Making changes to the BCMS, if necessary.
10.1 Nonconformity and Corrective Action
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of:
a) The nature of the nonconformities and any subsequent actions taken; and
b) The results of any corrective action.
10.2 Continual Improvement
The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS.
NOTE: The organization can use the processes of the BCMS, such as leadership, planning and performance evaluation, to achieve improvement.
Questions?
Lynnda Nelson
President, ICOR
[email protected]
North America
+1 630-705-0910 International
www.theICOR.org