Ian Charters and Malcolm Cornish. pptshop.bsigroup.com/upload/Conferences/Conference... · 2012. 12. 4.

ISO 22313


TRANSCRIPT

Page 1: Ian Charters and Malcolm Cornish. pptshop.bsigroup.com/upload/Conferences/Conference... · 2012. 12. 4. · STRUCTURE Same high-level structure as ISO 22301

ISO 22313 1

Page 2:

AGENDA

Why guidance?

Rules followed during ISO 22313 development

ISO 22313

• Structure

• Signposting

• Examples

• Explanations

• Terminology

• Types of plan

Page 3:

WHY GUIDANCE?

Eliminate confusion

Clarification of terms

Alternative interpretations

Expand and clarify

Identify relationships

Illustrations

Page 4:

RULES FOLLOWED

Relationship with ISO 22301:2012

Not prescriptive

New structure and text for all management systems

• JTCG: Guide 83 now Annex SL

Page 5:

APPLICATION OF PDCA MODEL

Following table indicates which sections are applicable:

PDCA phase                    Applicable clauses
Establish (Plan)              4, 5, 6, 7
Implement and operate (Do)    8
Monitor and review (Check)    9
Maintain and improve (Act)    10

[Figure: PDCA cycle. Input: Interested parties; Requirements for business continuity. Output: Interested parties; Managed business continuity. The cycle represents continual improvement of the business continuity management system (BCMS).]

Page 6:

STRUCTURE

Same high-level structure as ISO 22301

Additional lower level headings, e.g.

8.3 Business Continuity Strategy

8.3.2 Establishing resource requirements

8.3.2.1 General

8.3.2.2 People

8.3.2.3 Information and data

8.3.2.4 Buildings, work environment and associated utilities

8.3.2.5 Facilities, equipment and consumables

8.3.2.6 Information communications technology (ICT) systems

8.3.2.7 Transportation

8.3.2.8 Finance

8.3.2.9 Suppliers


Page 7:

SECTION 8


Page 8:

LISTS AND CROSS-REFERENCES

Documented information required by this International Standard includes:

• The context of the organization (4.1)

• Legal, regulatory and other … (4.2.2)

• Scope of the BCMS and any exclusions (4.3.2)

• Business continuity policy (5.3)

…

In addition, documented information covering the following information may be required to ensure the effectiveness of the BCMS:

• Customer contracts…

Page 9:

INTERESTED PARTIES


Page 10:

EXAMPLES AND SUGGESTIONS

The organization should review current and pending statutory and regulatory requirements in their locations which may include:

a) Incident Response: including emergency management and health, safety and welfare legislation;

b) Continuity: which may specify the scope of the programme or the extent or speed of response;

c) Risk: requirements defining the scope or methods of a risk management programme; and

d) Hazards: operating requirements relating to dangerous materials stored at the location.

NOTE Organizations operating in multiple locations often have to satisfy the requirements of different jurisdictions.

Page 11:

EXAMPLES AND SUGGESTIONS

Business continuity strategy options

• Protecting prioritized activities

• Stabilising, continuing, resuming and recovering activities

BUT – what if prohibitively expensive?


Page 12:

EXPLANATION

[Figure: Mitigating impacts through effective business continuity – gradual disruption. Axes: Level of operations against Time. Labels: Warning; Incident; Resumption of activities at acceptable level within acceptable timeframe; Recovery Time Objective; Time at which impacts become unacceptable.]

[Figure: Level of operations against Time, with and without business continuity. Labels: Controlled response; Incident; Minimum acceptable level of operations; 1. Mitigating, responding to and managing impacts; 2. Shortened disruption; With business continuity; Without business continuity.]

Page 13:

TERMINOLOGY

No glossary – shared definitions with ISO 22301

Prioritized activities = No longer “critical”

MTPD - Estimating how long it would take for the impacts associated with disruption of the organization’s activities to become unacceptable;

NOTE 4: The time it would take for impacts to become unacceptable can be referred to as ‘maximum tolerable period of disruption’, ‘maximum tolerable period’ or ‘maximum acceptable outage’. The minimum level of product or service that is acceptable to the organization can be expressed as the minimum business continuity objective (MBCO)

Page 14:

BUSINESS CONTINUITY, BCM AND BCMS

Business continuity

• The capability of an organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident

Business continuity management (BCM)

• The process of achieving business continuity

• Preparing an organization to deal with disruptive incidents that might otherwise prevent it from achieving its objectives

Business continuity management system (BCMS)

• The system that enables BCM to be controlled, evaluated and continually improved

Page 15:

TYPES OF PLANS

Incident management / strategic management procedures

Communications procedures

Safety and welfare procedures

Salvage and security procedures

Procedures for resuming activities

Recovery of information communications technology (ICT) systems

Page 16:

CONCLUSION

Lots of useful information and signposting

• Eliminate confusion

• Clarification of terms

• Alternative interpretations

• Expand and clarify

• Identify relationships

• Illustrations

Supplements ISO 22301:2012

ISO 22313 is not:

x Substitute for ISO 22301:2012

x Guide to BCM

The Future?

• Further Guidance?

• Revision cycle