ICOR Presents: Moving your BCM Program to a Management System
Implementing ISO 22201: 2012
Source: drj.com/images/conferences/orl2012/m/SWS-4 -Nelson Lynnda-BCM Pgm -Mgmt Sys...
©2012 ICOR ALL RIGHTS RESERVED

ISO 223 Societal Security Management System Series

ISO 22300: Vocabulary
ISO 22301: BCMS (BS 25999)
ISO 22311: Video surveillance – Export interoperability
ISO 22312: Technological capabilities
ISO 22313: BCMS Guidelines
ISO 22320: Emergency management – Requirements on command and control (NFPA 1600)
ISO 22322: Emergency management – Public warning
ISO 22323: Organizational Resilience (ASIS SPC.1)
ISO 22324: Emergency management – Colour coded alert
ISO 22351: Emergency management – General rules for writing data elements and codes for information sharing
ISO 22352: Emergency management – Data elements and codes for information sharing
ISO 22397: Public/Private partnerships
ISO 22398: Guidelines for exercises and testing

How Mature is Your BCM Program?

Project? Program? Management System?

Using a Management System Approach

What is a management system? A proven framework for managing and continually improving your organization's policies, procedures and processes.
• The best businesses work as complete units with a shared vision
• Encompass:
  – Information sharing
  – Benchmarking
  – Team working
  – Working to the highest quality

Using a Management System Approach

A management system helps your organization to achieve these goals through a number of strategies, including process optimization, management focus and disciplined management thinking.

Management Systems in Simple Terms (figure only)

Plan-Do-Check-Act (figure only)

Lifecycle Process of Continual Improvement (figure labels):
• Policy
• Planning
• Implementation & Operation
• Checking & Corrective Action
• Management Review

Key Components of Management Systems

Key components of all management systems include the following:
• A policy;
• People with defined responsibilities;
• Management processes relating to:
  – Policy;
  – Planning;
  – Implementation & operation;
  – Performance assessment;
  – Management review; and
  – Improvement;
• A set of documentation providing auditable evidence; and
• Topic-specific processes relating to the subject.

Why do Management Systems Matter?

Businesses operating in the 21st century face many significant challenges, including:
• Profitability
• Competitiveness
• Globalization
• Speed of change
• Adaptability
• Growth
• Technology
• Increasing number of risks and threats to the organization

Balancing these and other business requirements can be a difficult and daunting process. That's where management systems can help, by unlocking the potential in your organization.

Why Move to a Management System?

The ISO 22301 standard can tie to management systems already in place in many organizations:
• ISO 9001
• ISO 14001
• ISO 27001
• ISO 31000

Management Systems

What management systems does your organization already have in place?

Business Continuity Management Defined

Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Management: ISO 22301

Published June 2012? – Developed from BS 25999-2:2007

Scope of the standard: applicable to all types and sizes of organizations that wish to:
• Establish, implement, maintain, & improve a BCMS;
• Assure conformance with stated BCM policy;
• Demonstrate conformance to others;
• Seek certification/registration of its BCMS by an accredited third party certification body; or
• Make a self-determination and self-declaration of conformance with this International Standard.

Review of ISO 22301 by Category

4. Context of the Organization
5. Leadership
6. Planning
7. Support
8. Operation*
9. Performance evaluation
10. Improvement

*contains bulk of the requirements

4 Context of the Organization

4.1 Understanding the organization and its context: Internal Factors / External Factors (figure only)

Internal & External Factors

Figure labels, as grouped in the original slide:

External factors:
• Social & cultural
• Financial & economic
• Political, legal & regulatory
• Competitive environment
• Trends
• Supply chain commitments
• Outside relationships

Internal factors:
• Products & Services
• Resources & Knowledge: Capital, Time, People, Processes
• Policies, Objectives, Values
• Information Systems, Information Flows
• Partnerships, Supply Chains
• Values, Culture, Governance
• Decision Making Processes

4.2 Understanding Needs & Expectations of Interested Parties (figure only)

4.2.2 Legal & Regulatory Requirements

Identify and accommodate all legal and regulatory requirements that relate to continuity of its operations:
• Incident response: Health & safety
• Continuity: Scope of program & extent or speed of response
• Risk: Scope or methods of risk management
• Hazards: Dangerous materials?

4.3 Determining Scope of the System

The whole organization? Or part of the organization?

4.3 Determining Scope of the System

Consider:
• External and internal factors
• Needs and requirements

Determine issues or concerns to:
• Assure the system can achieve its expected outcomes
• Prevent undesired effects
• Address opportunities for improvement

4.3 Determining Scope of the System

The organization shall:
a) Clearly define what is in and out of scope
  • Explain exclusions
  • Such exclusions shall not affect the organization's ability and responsibility to provide continuity of business and operations that meet the BCMS requirements, as determined by BIA or RA and applicable legal or regulatory requirements
b) Establish BCMS requirements considering how it supports the organization's overall mission, goals, legal responsibilities and internal and external obligations in order to preserve the integrity of the organization.
c) Identify products and services and all related activities within the scope of the BCMS
d) Take into account needs and interests of all interested parties
e) Define the scope in terms of and appropriate to the size, nature and complexity of the organization

5 Leadership

• Demonstrated Management Commitment
• BCM Policy
• Roles, Responsibilities & Authorities Defined

Management Shall Demonstrate Leadership

5.2 Management Commitment

Top management shall demonstrate its commitment by:
a) Ensuring the BCMS is compatible with the strategic direction of the organization
b) Integrating the BCMS requirements into the organization's business processes
c) Providing the resources to establish, implement, operate, monitor, review, and improve the BCMS
d) Communicating the importance of effective BCM and conforming to the BCMS requirements
e) Ensuring that the BCMS achieves its expected outcomes
f) Directing and supporting continual improvement

5.2 Management Commitment: Evidence

a) Policy
b) BCMS objectives & plan
c) Roles, responsibilities and competencies
d) Appointment of one or more persons with responsibility and authority for accountability of implementation and maintenance
e) Communication and promotion of awareness within the organization of the importance of meeting objectives and conforming to policy

5.2 Management Commitment: Evidence

f) Sufficient resources
g) Definitions of criteria for accepting risks
h) Engaging in exercising and testing
i) Ensuring internal audits are conducted
j) Conducting management reviews
k) Demonstrating commitment to continual improvement

5.3 Policy Development

The policy shall be:
a) Approved by top management
b) Communicated to all persons working for or on behalf of the organization
c) Available to stakeholders as approved by management
d) Reviewed at planned intervals or when significant changes occur

5.3 Policy Development

The policy shall:
a) Be appropriate to the purpose of the organization
b) Provide a framework for setting objectives
c) Include a commitment to satisfy applicable needs and requirements
d) Include a commitment to continual improvement of the BCMS
e) Be implemented
f) Be reviewed for continuing suitability
g) Be available to interested parties

6 Planning

6.1 Actions to Address Risks & Opportunities
• Assure the BCMS can achieve its intended outcomes
• Prevent undesired effects
• Realize opportunities for improvement
• Evaluate the need to plan actions to address these risks and opportunities

6.2 BC Objectives & Plans to Achieve Them
• Be consistent with policy
• Take account of the minimum level of products and services acceptable to achieve its objectives
• Be measurable
• Take into account requirements
• Be monitored and updated as appropriate

6.2 BCM Objectives

a) Who will be responsible?
b) What will be done?
c) What resources will be required?
d) When will it be completed?
e) How will the results be evaluated?

The organization must identify HOW it will achieve its objectives by answering these questions for each identified objective.

7 Support

7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented Information

7 Resources

7.1 General Resources
a) Achieve policy, objectives and targets
b) Meet the changing requirements
c) Ensure effective communication on BCMS matters both internally and externally
d) Provide for on-going operation and continual improvement

7.1.2 BCMS Resources

People
• Time
• Training, Education, Awareness, Exercising

Facilities
• Work locations
• Infrastructure

Technology
• Applications that support effective and efficient program management

Documentation
• Policies
• Interested parties
• Legal documents
• Contracts
• Service level agreements

7.1.3 Incident Response Personnel

Responsible for managing any disruptive incident that has the potential to significantly impact the organization, with clearly defined responsibilities and authorities:
• Incident detection, assessment, and escalation
• Activation
• Evacuation
• Triage & first aid
• Perimeter security
• Liaison with emergency services and local authorities
• Operations
• Control of traffic
• Establishment and operation of emergency operations center
• Coordination and communication of the incident response
• Post incident analysis and reporting

7.2 Competence

• Determine the necessary competence of person(s) doing work under its control
• Ensure these persons are competent on the basis of appropriate education, training, & experience
• Take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken
• Retain appropriate documented information as evidence

Examples of Appropriate Training

• BCM Program Management
• How to conduct a BIA and/or RA
• Developing and Implementing BCM documentation
• Running an exercise
• Communication skills
• Handling of media inquiries

7.3 Awareness

Persons working under the organization's control should have appropriate awareness of the BCMS – ensuring they are aware of their role.

Figure labels:
• BCM Policy
• Benefits of Improved BCM Performance
• Effects of Divergence from Requirements

7.3 Awareness

Development of a BCM culture is supported by:
• Involvement of all personnel
• Leadership from managers
• Assignment of responsibilities
• Performance indicators
• Awareness raising
• Skills training
• Exercising procedures

7.4 Communication

Figure labels:
• What to Communicate?
• When to Communicate?
• To whom will it Communicate?
• Employees & Interested Parties
• Customers & Partners
• Internal & External Communication Systems
• Facilitating structured communications with appropriate authorities
• Receiving, documenting, & responding to communications from interested parties
• Adapting threat advisory systems as needed
• Ensuring availability of the means of communication during a disruptive incident

7.5 Documented Information

All BCMS information should be documented

7.5 Documented Information

Create & update:
• Its identification & description
• Consideration of how the information will be captured and presented
• Its review and approval for adequacy when applicable

Control of information:
• Distribution
• Access
• Storage and preservation
• Retrieval and use
• Version changes
• Preservation of legibility
• Prevention of unintended use of obsolete information
• Retention & disposition

8 Operation

8.1 Operational Planning & Control
8.2 BIA & Risk Assessment
8.3 Business Continuity Strategy
8.4 Business Continuity Procedures
8.5 Exercising & Testing

Plan-Do-Check-Act Cycle Applied to BCMS

Figure labels: Stakeholders (Requirements for preparedness & continuity) → Establish (Plan) → Implement & Operate (Do) → Monitor & Review (Check) → Maintain & Improve (Act) → Stakeholders (Managed preparedness & continuity); continual improvement of preparedness & continuity management system.

8.1 Operational Planning & Control

The organization shall determine, plan, implement, and control those activities needed to address the risks and opportunities by:
a) Establishing criteria for those activities or processes
b) Implementing controls
c) Keeping documented information to demonstrate that they have been carried out as planned

8.1.1 BCM Program Elements

Figure labels:
• BC Program Management
• Understanding the Organization
• Selecting BC Options
• Developing & Implementing a BC Response
• Exercising & Testing
• Embedding Competence & Awareness

8.1.2 Managing the BCM Environment

• Ensure the relevance of the scope, roles and responsibilities
• Promote and embed continuity across the organization
• Managing costs associated with BC
• Establish and monitor change management and succession management regimes
• Arranging or providing appropriate training for staff
• Maintaining program documentation

8.1.3 Managing the BC Capability

• Keeping the program current through good practice
• Administering the exercise program
• Coordinating the regular review and update of the capability, including the BIA and Risk Assessment
• Ensuring maintenance of the response documentation

8.1.4 Measuring Effectiveness

• Monitoring the performance of the BC capability
• Monitoring and reviewing the arrangements for outsourced activities and the BCM capabilities of suppliers

8.1.5 Outcomes of an Effective Program

a) Key products and services identified and protected
b) Incident management capability enabled and provides an effective response
c) Understanding of itself and relationship with others is understood
d) Requirements of interested parties are understood and able to be delivered
e) Regular exercising so staff are trained to respond effectively
f) Staff receive adequate support and communications
g) Supply chain is secured
h) Reputation is protected
i) Compliant with legal and regulatory obligations
j) Financial controls are maintained

8.2 The BIA & Risk Assessment

The organization shall have a formal and documented process for business impact analysis and risk assessment that (figure labels):
• Establishes context
• Defines criteria
• Accounts for legal and other requirements
• Includes systematic analysis
• Evaluates potential impact of a disruptive incident
• Prioritization of risk treatments and costs
• Defines required output
• Information is kept up to date and confidential

8.2.1 The BIA and Risk Assessment

Enable the organization to identify measures that:
• Limit the impact of a disruption on the organization's key services
• Shorten the period of disruption
• Reduce the likelihood of a disruption

8.2.2 Business Impact Analysis

Figure labels: Organization (Internal Context, External Context); Purpose of the Organization; Products/Services; Activities; Supporting Activities; Assets & Resources; Dependencies and Supporting Activities; Suppliers and Outsource Partners; Customers; Partners.

8.2.2 The Business Impact Analysis

• Identify activities that support the provision of products and services
• Assess the impacts over time of not performing these activities
• Set priorities for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable
• Identify dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties

8.2.2 Assessing Potential Impacts Over Time

• Consequences of Non-compliance
• Damage to Reputation
• Effects on Staff & Public Well-Being
• Deterioration of Product or Service Quality
• Reduced Financial Viability
• Environmental Damage

Relationship Between RTO, RPO, & MTPD

Figure labels (timeline): Last complete back up → Work in process / data loss → Crisis Event → Period in which primary business process and applications are not available → Critical Business Resumption (Step 1, Step 2, Step 3) → 100% Resumption. Focus of Risk/Disaster Scenarios.
• RPO (Recovery Point Objective)
• RTO (Recovery Time Objective)
• MTPD (Maximum Tolerable Period of Disruption)
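The BIA steps above (impact over time, resumption priority, dependencies) and the RTO/RPO/MTPD relationship, worked through as an added example; this is not code from the ICOR deck or from ISO 22301. It assumes a 1–5 impact scale with 4 as the "unacceptable" threshold, and every activity, score, objective and backup interval is constructed sample data.

```python
"""Added worked example (not from the ICOR deck): a small business impact
analysis (BIA) model that derives each activity's MTPD from its assessed
impact over time, ranks activities for resumption, and checks that the
chosen RTO and RPO are consistent with the MTPD, with dependencies and
with the backup schedule. All activities, impact scores, objectives and
backup intervals below are constructed sample data."""
from dataclasses import dataclass, field

UNACCEPTABLE = 4  # assumed: impact score (1-5) at which a disruption becomes intolerable


@dataclass
class Activity:
    name: str
    # assessed impact of NOT performing the activity, as (hours_down, score 1-5)
    impact_over_time: list
    rto_hours: float                 # recovery time objective chosen by the team
    rpo_hours: float                 # recovery point objective (tolerable data loss)
    backup_interval_hours: float     # how often the supporting data is backed up
    depends_on: list = field(default_factory=list)  # supporting activities

    def mtpd_hours(self) -> float:
        """Maximum tolerable period of disruption: the earliest point at which
        the assessed impact reaches the UNACCEPTABLE threshold."""
        for hours, score in sorted(self.impact_over_time):
            if score >= UNACCEPTABLE:
                return hours
        return float("inf")  # impact never becomes unacceptable within the horizon


def effective_rto(name: str, activities: dict, seen=None) -> float:
    """An activity cannot resume before the supporting activities it depends on,
    so its effective RTO is the larger of its own RTO and its dependencies'."""
    seen = seen or set()
    if name in seen:
        raise ValueError(f"dependency cycle through {name}")
    act = activities[name]
    worst = act.rto_hours
    for dep in act.depends_on:
        worst = max(worst, effective_rto(dep, activities, seen | {name}))
    return worst


def resumption_priority(activities: dict) -> list:
    """Rank activities for resumption: shortest MTPD first (ties broken by
    the worst impact score, then by name for a stable order)."""
    def key(act):
        worst_score = max(score for _, score in act.impact_over_time)
        return (act.mtpd_hours(), -worst_score, act.name)
    return [act.name for act in sorted(activities.values(), key=key)]


def bia_findings(activities: dict) -> dict:
    """Return {activity: [finding, ...]}; an empty list means the objectives
    are consistent. The checks mirror what a reviewer of clause 8.2 looks for."""
    findings = {}
    for name, act in activities.items():
        issues = []
        mtpd = act.mtpd_hours()
        eff = effective_rto(name, activities)
        if act.rto_hours >= mtpd:
            issues.append(f"RTO {act.rto_hours}h is not below MTPD {mtpd}h")
        elif eff >= mtpd:
            issues.append(f"dependencies push effective RTO to {eff}h, at or beyond MTPD {mtpd}h")
        if act.backup_interval_hours > act.rpo_hours:
            issues.append(f"backup every {act.backup_interval_hours}h cannot meet RPO {act.rpo_hours}h")
        findings[name] = issues
    return findings


# Constructed sample BIA (not real data): impact scores at 4h, 24h, 72h, 168h down.
SAMPLE = {
    "payments": Activity("payments", [(4, 2), (24, 4), (72, 5), (168, 5)],
                         rto_hours=8, rpo_hours=1, backup_interval_hours=1,
                         depends_on=["identity"]),
    "identity": Activity("identity", [(4, 2), (24, 3), (72, 4), (168, 5)],
                         rto_hours=36, rpo_hours=4, backup_interval_hours=24),
    "payroll": Activity("payroll", [(4, 1), (24, 2), (72, 3), (168, 5)],
                        rto_hours=48, rpo_hours=24, backup_interval_hours=24),
    "marketing": Activity("marketing", [(4, 1), (24, 1), (72, 2), (168, 3)],
                          rto_hours=120, rpo_hours=48, backup_interval_hours=24),
}

if __name__ == "__main__":
    print("resumption order:", resumption_priority(SAMPLE))
    for name, issues in bia_findings(SAMPLE).items():
        print(name, "->", issues or "objectives consistent")
```

The "payments" finding shows why a supporting activity's RTO has to be read against the MTPD of the activities that depend on it, not only its own: "identity" passes on its own MTPD of 72h, yet its 36h RTO leaves "payments" unable to resume inside its 24h MTPD.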

8.2.2 Methods of Collecting BIA Information

• Interviews
• Workshops
• Surveys

Sources: Senior Management, Middle Management, Line Management

8.2.3 Risk Assessment

The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyzes, and evaluates the risk of disruptive incidents to the organization.

This process could be made in accordance with ISO 31000:2009.

8.2.3 Risk Assessment

The organization shall:
a) Identify risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them
b) Systematically analyze risk
c) Evaluate which disruption related risks require treatment
d) Identify treatments commensurate with BC objectives and in accordance with the organization's risk appetite

Note…

The organization must be aware that certain financial or governmental obligations require the communication of these risks at various levels of detail.

In addition, certain societal needs can also warrant sharing of this information at an appropriate level.

ISO 31000 Risk Management Process

• What may happen and why?
• What are the consequences?
• What is the probability?
• How to mitigate or reduce probability of the risk?

The process needs to take into consideration financial, governmental and societal obligations.

The organization should understand the threats to and vulnerabilities of each resource required for each activity, and in particular those:
• Required by activities with high priority
• With significant replacement lead-time

Identifying, Analyzing & Evaluating Risks

• Determination of the criteria for risk acceptance
• Identification of acceptable levels of risk
• Analysis of:
  – Specific threats: flood, fire, staff loss, computer viruses, etc.
  – Vulnerabilities, which might occur as weaknesses within the resources and may be exploited by the threats: single points of failure, staffing levels, IT security, etc.

8.3 Business Continuity Strategy (figure only)

8.3.1 Determination & Selection

Determination and selection of strategy shall be based on the outputs from the BIA and the risk assessment. The organization shall determine appropriate business continuity strategy for:
• Protecting prioritized activities
• Stabilizing, continuing, resuming, and recovering prioritized activities and their dependencies and supporting resources
• Mitigating, responding to, and managing impacts

Include prioritized time frames for resumption and evaluations of the BC capabilities of suppliers.

8.3.1 Determination & Selection

Figure labels:
• Remove Risk to Activity
• Cease or Change the Activity
• Transfer Risk to another part of the Organization or a Third Party
• Control or mitigate
• Financing / Insurance
• Acceptance

8.3.1 Determination & Selection

Figure labels:
• Resource Relocation
• Redundancy
• Resource & Skills Replacement
• Temporary Workaround
• Manual Procedures
• Asset Restoration

8.3.2 Establishing Resource Requirements

• Employees & Stakeholders
• Facilities, Equipment, Utilities & Consumables
• Information, Data, Technology & Telecommunications Systems
• Transportation, Partners & Suppliers
• Reputation
• Finance

Page 35: ICOR Presents: Moving your BCM Program to a Management …drj.com/images/conferences/orl2012/m/SWS-4 -Nelson Lynnda-BCM Pgm -Mgmt Sys...©2012 ICOR ALL RIGHTS RESERVED 25 5.2 Management

8.3.3 Protection & Mitigation

Limit the impact of a disruption on

The organization shall consider proactive measures that:

p pthe organization’s key services

Shorten the period of disruption

©2012 ICOR ALL RIGHTS RESERVED 69

Reduce the likelihood of a disruption

8.4 Establish & Implement BC Procedures

8.4.1 General
8.4.2 Incident Response Structure
8.4.3 Warning & Communication
8.4.4 Business Continuity Plans
8.4.5 Recovery


8.4.1 Establish & Implement BC Procedures

The organization shall establish, implement, and maintain BC procedures to manage a disruptive incident and continue activities based on recovery objectives identified in the BIA. The organization shall document procedures to ensure continuity of activities and management of a disruptive event.

8.4.1 Establish & Implement BC Procedures

The procedures shall:

a) Establish an appropriate internal and external communications protocol
b) Be specific regarding the immediate steps that are to be taken during a disruption
c) Be flexible to respond to unanticipated threats and changing internal and external conditions


8.4.1 Establish & Implement BC Procedures

The procedures shall:

d) Focus on the impact of events that could potentially disrupt operations
e) Be developed based on stated assumptions and an analysis of interdependencies
f) Be effective in minimizing consequences through implementation of appropriate mitigation strategies

8.4.2 Incident Response Structure

The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority, and competence to manage an incident.

Response levels shown on the slide: Strategic, Tactical, Operational


8.4.2 The Incident Response Structure

The response structure shall:

a) Identify impact thresholds that justify initiation of formal response;
b) Assess the nature and extent of the disruptive incident and its potential impact;
c) Activate an appropriate business continuity response;
d) Have processes and procedures for the activation, operation, coordination, and communication of the response; and
e) Communicate with interested parties and authorities as well as the media.

8.4.2 The Incident Response Structure

The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts, and document its decision.

If the decision is to communicate, then the organization shall establish and implement procedures for this external communication, alerts, and warnings, including the media as appropriate.


8.4.2 The Incident Response Structure

The response structure should be simple and capable of being formed quickly. When determining the structure, consideration should be given to:

• Having one or more competent personnel available to establish the ramifications of the incident and evaluate the impact or potential impact of the incident and its timescale
• Being able to mobilize teams to take control, contain the incident, and initiate the appropriate business continuity response
• Including appropriate resources, which may include staff, contractors, equipment, and finance.

8.4.3 Communication and Warning

The organization shall establish, implement, and maintain procedures for:

a) Detecting an incident
b) Regular monitoring of an incident
c) Internal communication within the organization and receiving, documenting, and responding to communication from interested parties
d) Receiving, documenting, and responding to any national or regional risk advisory system or equivalent


8.4.3 Communication and Warning

e) Assuring availability of the means of communication during a disruptive event
f) Facilitating structured communication with emergency responders
g) Recording of vital information about the incident, actions taken and decisions made

8.4.3 Communication and Warning

The following shall also be considered and implemented where applicable:

a) Alerting interested parties potentially impacted by an actual or impending disruptive incident
b) Assuring the interoperability of multiple responding organizations and personnel
c) Operations of a communications facility

The communication and warning procedures shall be regularly exercised.


8.4.4 Business Continuity Plans

The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe.

Such procedures shall address the requirements of those who will use them.

8.4.4 Business Continuity Plans

The business continuity plans shall collectively contain:

a) Defined roles and responsibilities for people and teams having authority during and following an incident
b) A process for activating the response
c) Details to manage the immediate consequences of a disruptive incident, giving due regard to:
   1) The welfare of individuals
   2) Strategic, tactical, and operational options for responding to the disruption
   3) Prevention of further loss or unavailability of prioritized activities


8.4.4 Business Continuity Plans

d) Details on how and under what circumstances the organization will communicate with employees and their relatives, key interested parties, and emergency contacts
e) How the organization will continue or recover its prioritized activities within predetermined timeframes
f) Details on the organization’s media response following an incident, including:
   1) A communications strategy;
   2) Preferred interface with the media;
   3) Guideline or template for drafting a statement for the media; and
   4) Appropriate spokespeople.
g) A process for standing down once the incident is over

8.4.4 Business Continuity Plans

Each plan shall define:

a) Purpose and scope;
b) Objectives;
c) Activation criteria and procedures;
d) Implementation procedures;
e) Roles, responsibilities and authorities;
f) Communication requirements and procedures;
g) Internal and external interdependencies and interactions;
h) Resource requirements; and
i) Information flow and documentation process


8.4.4.3 Specific Types of Procedures

8.4.4.3.1 Incident / Strategic
8.4.4.3.2 Communications
8.4.4.3.3 Incident & Welfare
8.4.4.3.4 Resuming Activities
8.4.4.3.5 Recovery of ICT

8.4.4.3.1 Incident / Strategic Management

Purpose: To allow top management to take control during the initial phase of an incident, when its reputation is most likely to be threatened. Should provide the basis for managing all possible issues.

Identify a location from which an incident can be managed:
• Also an alternate location from the primary
• Can be a hotel room or a formal “command center”
• Can be ‘virtual’


8.4.4.3.1 Incident / Strategic Management

• Space for the required number of people
• Effective primary and secondary means of communication
• Facilities for assessing and sharing information, including monitoring the news media

8.4.4.3.2 Communications

Can be included in the incident management response or a separate procedure.

• Establish a suitable venue to support liaison with the media or other groups
• Appropriate number of competent, trained people to answer telephone enquiries from the press
• Use all communication channels, including social media
• Prepare background material about the organization and its operations


8.4.4.3.2 Communications

• A process for identifying and prioritizing communications with other key interested parties
• Provide criteria for setting priorities and make provisions for allocating persons to each stakeholder or group of stakeholders

8.4.4.3.3 Incident and Welfare

Cover the initial stage of an incident involving damage or threat to safety.

• Site evacuation / shelter-in-place
• First aid / evacuation assistance teams
• Locating and accounting for personnel
• Translation services
• Transport services
• Contact information for emergency services, first responders, etc.
• Locating contractors, displaced workers
• Managing telephone help lines
• Counseling services (physical and emotional)


8.4.4.3.3 Incident and Welfare

• Equipment
• Supplies
• Sources of energy
• Communication systems
• Salvage priorities
• Security of premises

8.4.4.3.4 Resuming Activities

• Prioritized activities to be resumed
• Timescales
• Recovery levels
• Resource numbers at different points of time
• Mobilization of 3rd party resources
• Manual workarounds, system recovery, etc.


8.4.4.3.5 Recovery of ICT Systems

• Reference disaster recovery procedures
• Invoking the DR procedures and deploying personnel
• Accessing back-up data and acquiring alternative hardware
• Restoration of data and communications

8.4.5 Recovery

The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.


8.4.5 Recovery

Goal: Get operations back to the state they were in before the incident.

• Repair damage
• Migrate operations from temporary premises back to the restored or new location

8.4.5 Recovery

• Make claims against insurance policies
• Obtain additional manpower to support the recovery effort
• Recover lost information
• Conduct a post-recovery review
• Conduct due diligence on audit and governance requirements


8.5 Exercising & Testing

The organization shall conduct exercises and tests that:

a) Are consistent with the scope of the BCMS;
b) Are based on appropriate scenarios that are well planned, with clearly defined aims and objectives;
c) Taken together over time, validate the whole of its business continuity arrangements, involving relevant interested parties;
d) Minimize the risk of disruption to operations;
e) Produce formalized post-exercise reports that contain outcomes, recommendations, and actions to implement improvements;
f) Are reviewed within the context of promoting continual improvement; and
g) Are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates.

8.5 Exercising & Testing

The principal types of exercises are described in ISO 22398.

Discussion based:
• Seminar
• Workshop
• Tabletop
• Game

Operational based:
• Simulation
• Drill
• Functional
• Full-scale


The Exercise Program

1. Plan Review
2. Table Top
3. Walkthrough
4. Simple Simulation
5. Full-Scale / Comprehensive

• Start simple
• Build upon mastery
• Add complexity

Sections 9 & 10: Continuous Improvement


9 Performance Evaluation

9.1 Monitoring, Measurement, Analysis, and Evaluation
9.2 Internal Audit
9.3 Management Review

9.1 Monitoring, Measurement, Analysis, and Evaluation

9.1.1 The organization shall determine:

a) What needs to be measured and monitored
b) The methods for monitoring to ensure valid results
c) When it shall be performed
d) When the analysis of the results shall be performed

Evaluate the performance and the effectiveness of the BCMS.


9.1 Monitoring, Measurement, Analysis, and Evaluation

Additionally, the organization shall:

a) Take action when necessary to address adverse trends or results before a nonconformity occurs; and
b) Retain relevant documented information as evidence of the results.

9.1 Monitoring, Measurement, Analysis, and Evaluation

The procedures for monitoring performance shall provide for:

a) The setting of performance metrics appropriate to the needs of the organization;
b) Monitoring the extent to which the organization’s business continuity policy, objectives and targets are met;
c) Performance of the processes, procedures and functions that protect its prioritized activities;
d) Monitoring compliance with this standard and the business continuity objectives;
e) Monitoring historical evidence of deficient BCMS performance;
f) Recording data and results of monitoring and measurement to facilitate subsequent corrective actions.

NOTE: Deficient performance could include non-conformity, near misses, false alarms, and actual incidents.


9.1.2 Evaluation of Continuity Procedures

a) The organization shall conduct evaluations of its business continuity procedures and capabilities in order to ensure their continuing suitability, adequacy and effectiveness;
b) This evaluation shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner;
c) The organization shall periodically evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformance with its own business continuity policy and objectives; and
d) The organization shall conduct evaluations at planned intervals and when significant changes occur.

When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results.

9.2 Internal Audit

The organization shall conduct internal audits at planned intervals to provide information to assist in the determination of whether the BCMS:

a) Conforms to:
   1. the organization’s own requirements for its BCMS;
   2. the requirements of this International Standard; and
b) Is effectively implemented and maintained.


9.2 Internal Audit

The organization shall:

a) Plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, while taking into consideration the importance of the processes concerned and the results of previous audits;
b) Define the audit criteria and scope for each audit;
c) Select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) Ensure that the results of the audits are reported to relevant management; and
e) Retain documented information as evidence of the results.

9.2 Internal Audit

The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results.

The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results.


9.3 Management Review

Top management shall review the organization's BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:

a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the business continuity management system;
c) information on the business continuity performance, including trends in:
   1) nonconformities and corrective actions;
   2) monitoring and measurement evaluation results;
   3) audit results; and
d) opportunities for continual improvement.

9.3 Management Review

a) Follow-up actions from previous management reviews;
b) The need for changes to the BCMS, including the policy and objectives;
c) Opportunities for improvement;
d) Results of BCMS audits and reviews, including those of key suppliers and partners where appropriate;
e) Techniques, products or procedures which could be used in the organization to improve the BCMS' performance and effectiveness;
f) Status of corrective actions;
g) Results of exercising and testing;
h) Risks or issues not adequately addressed in any previous risk assessment;
i) Any changes that could affect the BCMS, whether internal or external to the scope of the BCMS;
j) Adequacy of policy;
k) Recommendations for improvement;
l) Lessons learned and actions arising from disruptive incidents; and
m) Emerging good practice and guidance.


9.3 Management Review

The output from the management review shall include decisions and actions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following:

a) Variations to the scope of the BCMS;
b) Improvement of the effectiveness of the BCMS;
c) Update of the risk assessment, business impact analysis, business continuity plans and related procedures;

9.3 Management Review

d) Modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to:
   1) business and operational requirements;
   2) risk reduction and security requirements;
   3) operational conditions and processes;
   4) legal and regulatory requirements;
   5) contractual obligations;
   6) levels of risk and/or criteria for accepting risks;
   7) resource needs;
   8) funding and budget requirements; and
e) How the effectiveness of controls is measured.


9.3 Management Review

The organization shall retain documented information as evidence of the results of management reviews.

The organization shall:

a) Communicate the results of management review to relevant interested parties; and
b) Take appropriate action relating to those results.

10 Improvement

10.1 Nonconformity and Corrective Action

The organization shall:

a) Identify nonconformities; and
b) React to the nonconformities, and as applicable:
   1. Take action to control, contain and correct them;
   2. Deal with the consequences


10.1 Nonconformity and Corrective Action

The organization shall also evaluate the need for action to eliminate the causes of nonconformities, including:

a) Reviewing nonconformities;
b) Determining the causes of nonconformities;
c) Identifying if potential similar nonconformities exist elsewhere in the BCMS;
d) Evaluating the need for action to ensure that nonconformities do not recur or occur elsewhere;
e) Determining and implementing action needed;
f) Reviewing the effectiveness of any corrective action taken; and
g) Making changes to the BCMS, if necessary.

10.1 Nonconformity and Corrective Action

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

The organization shall retain documented information as evidence of:

a) The nature of the nonconformities and any subsequent actions taken; and
b) The results of any corrective action.


10.2 Continual Improvement

The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS.

NOTE: The organization can use the processes of the BCMS, such as leadership, planning and performance evaluation, to achieve improvement.

Questions?

Lynnda Nelson
President, ICOR
[email protected]
North America +1630-705-0910 International
www.theICOR.org