
COPYRIGHT PROTECTED DOCUMENT

© ISO 2012

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

Published in Switzerland


Contents

Foreword

0 Introduction
0.1 General
0.2 The Plan-Do-Check-Act (PDCA) model
0.3 Components of PDCA in this International Standard

1 Scope

2 Normative references

3 Terms and definitions

4 Context of the organization
4.1 Understanding of the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the business continuity management system
4.4 Business continuity management system

5 Leadership
5.1 Leadership and commitment
5.2 Management commitment
5.3 Policy
5.4 Organizational roles, responsibilities and authorities

6 Planning
6.1 Actions to address risks and opportunities
6.2 Business continuity objectives and plans to achieve them

7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information

8 Operation
8.1 Operational planning and control
8.2 Business impact analysis and risk assessment
8.3 Business continuity strategy
8.4 Establish and implement business continuity procedures
8.5 Exercising and testing

9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review

10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement

Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO 22301 was prepared by Technical Committee ISO/TC 223, Societal security.

This corrected version of ISO 22301:2012 incorporates the following corrections:

— first list in 6.1 changed from a numbered to an unnumbered list;

— commas added at the end of list items in 7.5.3 and 8.3.2;

— bibliography items [19] and [20] separated, which were merged in the original;

— font size adjusted in several places.

0 Introduction

0.1 General

This International Standard specifies requirements for setting up and managing an effective Business Continuity Management System (BCMS).

A BCMS emphasizes the importance of

— understanding the organization's needs and the necessity for establishing business continuity management policy and objectives,

— implementing and operating controls and measures for managing an organization's overall capability to manage disruptive incidents,

— monitoring and reviewing the performance and effectiveness of the BCMS, and

— continual improvement based on objective measurement.

A BCMS, like any other management system, has the following key components:

a) a policy;

b) people with defined responsibilities;

c) management processes relating to

1) policy,

2) planning,

3) implementation and operation,

4) performance assessment,

5) management review, and

6) improvement;

d) documentation providing auditable evidence; and

e) any business continuity management processes relevant to the organization.

Business continuity contributes to a more resilient society. The wider community and the impact of the organization's environment on the organization and therefore other organizations may need to be involved in the recovery process.

0.2 The Plan-Do-Check-Act (PDCA) model

This International Standard applies the "Plan-Do-Check-Act" (PDCA) model to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organization's BCMS.

This ensures a degree of consistency with other management systems standards, such as ISO 9001, Quality management systems; ISO 14001, Environmental management systems; ISO/IEC 27001, Information security management systems; ISO/IEC 20000-1, Information technology — Service management; and ISO 28000, Specification for security management systems for the supply chain, thereby supporting consistent and integrated implementation and operation with related management systems.

Figure 1 illustrates how a BCMS takes as inputs interested parties, requirements for continuity management and, through the necessary actions and processes, produces continuity outcomes (i.e. managed business continuity) that meet those requirements.

Figure 1 — PDCA model applied to BCMS processes

Table 1 — Explanation of PDCA model

Plan (Establish): Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity in order to deliver results that align with the organization's overall policies and objectives.

Do (Implement and operate): Implement and operate the business continuity policy, controls, processes and procedures.

Check (Monitor and review): Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.

Act (Maintain and improve): Maintain and improve the BCMS by taking corrective action, based on the results of management review and reappraising the scope of the BCMS and business continuity policy and objectives.

0.3 Components of PDCA in this International Standard

In the Plan-Do-Check-Act model as shown in Table 1, Clause 4 through Clause 10 in this International Standard cover the following components.

— Clause 4 is a component of Plan. It introduces requirements necessary to establish the context of the BCMS as it applies to the organization, as well as needs, requirements, and scope.

— Clause 5 is a component of Plan. It summarizes the requirements specific to top management's role in the BCMS, and how leadership articulates its expectations to the organization via a policy statement.

— Clause 6 is a component of Plan. It describes requirements as they relate to establishing strategic objectives and guiding principles for the BCMS as a whole. The content of Clause 6 differs from establishing risk treatment opportunities stemming from risk assessment, as well as business impact analysis (BIA) derived recovery objectives.

NOTE The business impact analysis and risk assessment process requirements are detailed in Clause 8.

— Clause 7 is a component of Plan. It supports BCMS operations as they relate to establishing competence and communication on a recurring/as-needed basis with interested parties, while documenting, controlling, maintaining and retaining required documentation.

— Clause 8 is a component of Do. It defines business continuity requirements, determines how to address them and develops the procedures to manage a disruptive incident.

— Clause 9 is a component of Check. It summarizes requirements necessary to measure business continuity management performance, BCMS compliance with this International Standard and management's expectations, and seeks feedback from management regarding expectations.

— Clause 10 is a component of Act. It identifies and acts on BCMS non-conformance through corrective action.

Societal security — Business continuity management systems — Requirements

1 Scope

This International Standard for business continuity management specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.

The requirements specified in this International Standard are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity.

It is not the intent of this International Standard to imply uniformity in the structure of a Business Continuity Management System (BCMS), but for an organization to design a BCMS that is appropriate to its needs and that meets its interested parties' requirements. These needs are shaped by legal, regulatory, organizational and industry requirements, the products and services, the processes employed, the size and structure of the organization, and the requirements of its interested parties.

This International Standard is applicable to all types and sizes of organizations that wish to

a) establish, implement, maintain and improve a BCMS,

b) ensure conformity with stated business continuity policy,

c) demonstrate conformity to others,

d) seek certification/registration of its BCMS by an accredited third party certification body, or

e) make a self-determination and self-declaration of conformity with this International Standard.

This International Standard can be used to assess an organization's ability to meet its own continuity needs and obligations.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

There are no normative references.

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1
activity
process or set of processes undertaken by an organization (or on its behalf) that produces or supports one or more products and services

EXAMPLE Such processes include accounts, call centre, IT, manufacture, distribution.

3.2
audit
systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

NOTE 1 An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).

NOTE 2 "Audit evidence" and "audit criteria" are defined in ISO 19011.

3.3
business continuity
capability of the organization to continue delivery of products or services at acceptable predefined levels following disruptive incident

[SOURCE: ISO 22300]

3.4
business continuity management
holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities

3.5
business continuity management system
BCMS
part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity

NOTE The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes and resources.

3.6
business continuity plan
documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption

NOTE Typically this covers resources, services and activities required to ensure the continuity of critical business functions.

3.7
business continuity programme
ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management

3.8
business impact analysis
process of analyzing activities and the effect that a business disruption might have upon them

[SOURCE: ISO 22300]

3.9
competence
ability to apply knowledge and skills to achieve intended results

3.10
conformity
fulfilment of a requirement

[SOURCE: ISO 22300]

3.11
continual improvement
recurring activity to enhance performance

[SOURCE: ISO 22300]

3.12
correction
action to eliminate a detected nonconformity

[SOURCE: ISO 22300]

3.13
corrective action
action to eliminate the cause of a nonconformity and to prevent recurrence

NOTE In the case of other undesirable outcomes, action is necessary to minimize or eliminate causes and to reduce impact or prevent recurrence. Such actions fall outside the concept of "corrective action" in the sense of this definition.

[SOURCE: ISO 22300]

3.14
document
information and its supporting medium

NOTE 1 The medium can be paper, magnetic, electronic or optical computer disc, photograph or master sample, or a combination thereof.

NOTE 2 A set of documents, for example specifications and records, is frequently called "documentation".

3.15
documented information
information required to be controlled and maintained by an organization and the medium on which it is contained

NOTE 1 Documented information can be in any format and on any media from any source.

NOTE 2 Documented information can refer to

— the management system, including related processes;

— information created in order for the organization to operate (documentation);

— evidence of results achieved (records).

3.16
effectiveness
extent to which planned activities are realized and planned results achieved

[SOURCE: ISO 22300]

3.17
event
occurrence or change of a particular set of circumstances

NOTE 1 An event can be one or more occurrences, and can have several causes.

NOTE 2 An event can consist of something not happening.

NOTE 3 An event can sometimes be referred to as an "incident" or "accident".

NOTE 4 An event without consequences may also be referred to as a "near miss", "incident", "near hit", "close call".

[SOURCE: ISO/IEC Guide 73]

3.18
exercise
process to train for, assess, practice, and improve performance in an organization

NOTE 1 Exercises can be used for: validating policies, plans, procedures, training, equipment, and inter-organizational agreements; clarifying and training personnel in roles and responsibilities; improving inter-organizational coordination and communications; identifying gaps in resources; improving individual performance; and identifying opportunities for improvement, and controlled opportunity to practice improvisation.

NOTE 2 A test is a unique and particular type of exercise, which incorporates an expectation of a pass or fail element within the goal or objectives of the exercise being planned.

[SOURCE: ISO 22300]

3.19
incident
situation that might be, or could lead to, a disruption, loss, emergency or crisis

[SOURCE: ISO 22300]

3.20
infrastructure
system of facilities, equipment and services needed for the operation of an organization

3.21
interested party
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity

NOTE This can be an individual or group that has an interest in any decision or activity of an organization.

3.22
internal audit
audit conducted by, or on behalf of, the organization itself for management review and other internal purposes, and which might form the basis for an organization's self-declaration of conformity

NOTE In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited.

3.23
invocation
act of declaring that an organization's business continuity arrangements need to be put into effect in order to continue delivery of key products or services

3.24
management system
set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives

NOTE 1 A management system can address a single discipline or several disciplines.

NOTE 2 The system elements include the organization's structure, roles and responsibilities, planning, operation, etc.

NOTE 3 The scope of a management system can include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

3.25
maximum acceptable outage
MAO
time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable

NOTE See also maximum tolerable period of disruption.

3.26
maximum tolerable period of disruption
MTPD
time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable

NOTE See also maximum acceptable outage.

3.27
measurement
process to determine a value

3.28
minimum business continuity objective
MBCO
minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption

3.29
monitoring
determining the status of a system, a process or an activity

NOTE To determine the status there may be a need to check, supervise or critically observe.

3.30
mutual aid agreement
pre-arranged understanding between two or more entities to render assistance to each other

[SOURCE: ISO 22300]

3.31
nonconformity
non-fulfilment of a requirement

[SOURCE: ISO 22300]

3.32
objective
result to be achieved

NOTE 1 An objective can be strategic, tactical or operational.

NOTE 2 Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).

NOTE 3 An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as a societal security objective or by the use of other words with similar meaning (e.g. aim, goal, or target).

NOTE 4 In the context of societal security management systems standards, societal security objectives are set by the organization, consistent with the societal security policy, to achieve specific results.

3.33
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives

NOTE 1 The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

NOTE 2 For organizations with more than one operating unit, a single operating unit can be defined as an organization.

3.34
outsource (verb)
make an arrangement where an external organization performs part of an organization's function or process

NOTE An external organization is outside the scope of the management system, although the outsourced function or process is within the scope.

3.35
performance
measurable result

NOTE 1 Performance can relate either to quantitative or qualitative findings.

NOTE 2 Performance can relate to the management of activities, processes, products (including services), systems or organizations.

3.36
performance evaluation
process of determining measurable results

3.37
personnel
people working for and under the control of the organization

NOTE The concept of personnel includes, but is not limited to, employees, part-time staff, and agency staff.

3.38
policy
intentions and direction of an organization as formally expressed by its top management

3.39
procedure
specified way to carry out an activity or a process

3.40
process
set of interrelated or interacting activities which transforms inputs into outputs

3.41
products and services
beneficial outcomes provided by an organization to its customers, recipients and interested parties, e.g. manufactured items, car insurance and community nursing

3.42
prioritized activities
activities to which priority must be given following an incident in order to mitigate impacts

NOTE Terms in common use to describe activities within this group include: critical, essential, vital, urgent and key.

[SOURCE: ISO 22300]

3.43
record
statement of results achieved or evidence of activities performed

3.44
recovery point objective
RPO
point to which information used by an activity must be restored to enable the activity to operate on resumption

NOTE Can also be referred to as "maximum data loss".

3.45
recovery time objective
RTO
period of time following an incident within which

— product or service must be resumed, or

— activity must be resumed, or

— resources must be recovered

NOTE For products, services and activities, the recovery time objective must be less than the time it would take for the adverse impacts that would arise as a result of not providing a product/service or performing an activity to become unacceptable.
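
The relationship between MTPD (3.26), RPO (3.44) and RTO (3.45) is the one quantitative constraint in these definitions, and in practice it is checked across a whole business impact analysis table rather than one activity at a time. The Python below is an added example, not text or code from ISO 22301: the activities, durations and dependency links are constructed, and two of the three checks (that data must be captured at least as often as the RPO demands, and that whatever an activity depends on must recover no later than the activity itself) are common BIA practice assumed here, not requirements stated in the standard. Only the first check (RTO strictly less than MTPD) comes from the 3.45 NOTE.

```python
"""Consistency checks over a business impact analysis (BIA) table.

Added example, not text or code from ISO 22301. The activities, durations
and dependency links below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Dict, List, Tuple


@dataclass
class Activity:
    name: str
    mtpd: timedelta              # maximum tolerable period of disruption (3.26)
    rto: timedelta               # recovery time objective (3.45)
    rpo: timedelta               # recovery point objective, i.e. maximum data loss (3.44)
    capture_interval: timedelta  # assumption: how often the activity's data is actually saved
    depends_on: List[str] = field(default_factory=list)  # assumption: supporting activities


Finding = Tuple[str, str, str]  # (activity name, check id, human-readable detail)


def check_bia(activities: List[Activity]) -> List[Finding]:
    """Return every inconsistency found; an empty list means the table is coherent."""
    by_name: Dict[str, Activity] = {a.name: a for a in activities}
    findings: List[Finding] = []
    for a in activities:
        # 3.45 NOTE: the RTO must be strictly less than the MTPD, otherwise the plan
        # only aims to recover at the moment the impact is already unacceptable.
        if a.rto >= a.mtpd:
            findings.append((a.name, "rto_not_below_mtpd",
                             f"RTO {a.rto} is not less than MTPD {a.mtpd}"))
        # Assumption beyond the standard's text: an RPO is only achievable if data is
        # captured at least that often; a longer capture interval means more data loss.
        if a.capture_interval > a.rpo:
            findings.append((a.name, "rpo_unachievable",
                             f"data captured every {a.capture_interval} but RPO is {a.rpo}"))
        # Assumption beyond the standard's text: whatever an activity depends on must
        # come back no later than the activity itself, or its RTO cannot be met.
        for dep_name in a.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                findings.append((a.name, "unknown_dependency",
                                 f"depends on {dep_name!r}, which is not in the BIA"))
            elif dep.rto > a.rto:
                findings.append((a.name, "dependency_rto_too_long",
                                 f"{dep_name} RTO {dep.rto} exceeds own RTO {a.rto}"))
    return findings


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


def minutes(n: float) -> timedelta:
    return timedelta(minutes=n)


def sample_bia() -> List[Activity]:
    """Constructed BIA rows for a fictitious organization (not real data)."""
    return [
        Activity("order-processing", mtpd=hours(24), rto=hours(8), rpo=hours(1),
                 capture_interval=minutes(15), depends_on=["customer-db"]),
        # Recovered four hours after the activity that needs it, and saved too rarely.
        Activity("customer-db", mtpd=hours(24), rto=hours(12), rpo=hours(1),
                 capture_interval=hours(4)),
        # RTO equal to MTPD violates the 3.45 NOTE.
        Activity("payroll", mtpd=hours(72), rto=hours(72), rpo=hours(24),
                 capture_interval=hours(24)),
        # Coherent row: no findings expected.
        Activity("public-website", mtpd=hours(4), rto=hours(1), rpo=minutes(5),
                 capture_interval=minutes(1)),
    ]


if __name__ == "__main__":
    for name, check, detail in check_bia(sample_bia()):
        print(f"{name}: {check}: {detail}")
```

Run against the constructed table it reports three findings: the payroll RTO equals its MTPD, the customer database is saved every four hours against a one-hour RPO, and order processing cannot meet an eight-hour RTO while the database it depends on is allowed twelve. Replacing sample_bia() with rows loaded from the organization's own BIA turns this into a check that can run whenever recovery objectives are revised (8.2, 9.1).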

3.46
requirement
need or expectation that is stated, generally implied or obligatory

NOTE 1 "Generally implied" means that it is a customary or common practice for the organization and interested parties that the need or expectation under consideration is implied.

NOTE 2 A specified requirement is one that is stated, for example in documented information.

3.47
resources
all assets, people, skills, information, technology (including plant and equipment), premises, and supplies and information (whether electronic or not) that an organization has to have available to use, when needed, in order to operate and meet its objective

3.48
risk
effect of uncertainty on objectives

NOTE 1 An effect is a deviation from the expected — positive or negative.

NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process). An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as a business continuity objective or by the use of other words with similar meaning (e.g. aim, goal, or target).

NOTE 3 Risk is often characterized by reference to potential events (Guide 73, 3.5.1.3) and consequences (Guide 73, 3.6.1.3), or a combination of these.

NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (Guide 73, 3.6.1.1) of occurrence.

NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

NOTE 6 In the context of business continuity management system standards, business continuity objectives are set by the organization, consistent with the business continuity policy, to achieve specific results. When applying the term risk and components of risk management, this should be related to the objectives of the organization that include, but are not limited to, the business continuity objectives as specified in 6.2.

[SOURCE: ISO/IEC Guide 73]

3.49
risk appetite
amount and type of risk that an organization is willing to pursue or retain

3.50
risk assessment
overall process of risk identification, risk analysis and risk evaluation

[SOURCE: ISO Guide 73]

3.51
risk management
coordinated activities to direct and control an organization with regard to risk

[SOURCE: ISO Guide 73]

3.52
testing
procedure for evaluation; a means of determining the presence, quality, or veracity of something

NOTE 1 Testing may be referred to as a "trial".

NOTE 2 Testing is often applied to supporting plans.

[SOURCE: ISO 22300]

3.53
top management
person or group of people who directs and controls an organization at the highest level

NOTE 1 Top management has the power to delegate authority and provide resources within the organization.

NOTE 2 If the scope of the management system covers only part of an organization then top management refers to those who direct and control that part of the organization.

3.54
verification
confirmation, through the provision of evidence, that specified requirements have been fulfilled

3.55
work environment
set of conditions under which work is performed

NOTE Conditions include physical, social, psychological and environmental factors (such as temperature, recognition schemes, ergonomics and atmospheric composition).

[SOURCE: ISO 22300]

4 Context of the organization

4.1 Understanding of the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS.

These issues shall be taken into account when establishing, implementing and maintaining the organization's BCMS.

The organization shall identify and document the following:

a) the organization's activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident;

b) links between the business continuity policy and the organization's objectives and other policies, including its overall risk management strategy; and

c) the organization's risk appetite.

In establishing the context, the organization shall

1) articulate its objectives, including those concerned with business continuity,

2) define the external and internal factors that create the uncertainty that gives rise to risk,

3) set risk criteria taking into account the risk appetite, and

4) define the purpose of the BCMS.

4.2 Understanding the needs and expectations of interested parties

4.2.1 General

When establishing its BCMS, the organization shall determine

a) the interested parties that are relevant to the BCMS, and

b) the requirements of these interested parties (i.e. their needs and expectations whether stated, generally implied or obligatory).

4.2.2 Legal and regulatory requirements

The organization shall establish, implement and maintain a procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements to which the organization subscribes related to the continuity of its operations, products and services, as well as the interests of relevant interested parties.

The organization shall ensure that these applicable legal, regulatory and other requirements to which the organization subscribes are taken into account in establishing, implementing and maintaining its BCMS.

The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory and other requirements shall be communicated to affected employees and other interested parties.

4.3 Determining the scope of the business continuity management system

4.3.1 General

The organization shall determine the boundaries and applicability of the BCMS to establish its scope.

When determining this scope, the organization shall consider

— the external and internal issues referred to in 4.1, and

— the requirements referred to in 4.2.

The scope shall be available as documented information.

4.3.2 Scope of the BCMS

The organization shall

a) establish the parts of the organization to be included in the BCMS,

b) establish BCMS requirements, considering the organization's mission, goals, internal and external obligations (including those related to interested parties), and legal and regulatory responsibilities,

c) identify products and services and all related activities within the scope of the BCMS,

d) take into account interested parties' needs and interests, such as customers, investors, shareholders, the supply chain, public and/or community input and needs, expectations and interests (as appropriate), and

e) define the scope of the BCMS in terms of and appropriate to the size, nature and complexity of the organization.

When defining the scope, the organization shall document and explain exclusions; any such exclusions shall not affect the organization's ability and responsibility to provide continuity of business and operations that meet the BCMS requirements, as determined by business impact analysis or risk assessment and applicable legal or regulatory requirements.

4.4 Business continuity management system

The organization shall establish, implement, maintain and continually improve a BCMS, including the processes needed and their interactions, in accordance with the requirements of this International Standard.

5 Leadership

5.1 Leadership and commitment

Persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the BCMS.

EXAMPLE This leadership and commitment can be shown by motivating and empowering persons to contribute to the effectiveness of the BCMS.

5.2 Management commitment

Top management shall demonstrate leadership and commitment with respect to the BCMS by

— ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization,

— ensuring the integration of the business continuity management system requirements into the organization's business processes,

— ensuring that the resources needed for the business continuity management system are available,

— communicating the importance of effective business continuity management and conforming to the BCMS requirements,

— ensuring that the BCMS achieves its intended outcome(s),

— directing and supporting persons to contribute to the effectiveness of the BCMS,

— promoting continual improvement, and

— supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility.

NOTE 1 Reference to "business" in this International Standard is intended to be interpreted broadly to mean those activities that are core to the purposes of the organization's existence.

Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by

— establishing a business continuity policy,

— ensuring that BCMS objectives and plans are established,

— establishing roles, responsibilities, and competencies for business continuity management, and

— appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS.

NOTE 2 These persons can hold other responsibilities within the organization.

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by

— defining the criteria for accepting risks and the acceptable levels of risk,

— actively engaging in exercising and testing,

— ensuring that internal audits of the BCMS are conducted,

— conducting management reviews of the BCMS, and

— demonstrating its commitment to continual improvement.

5.3 Policy

Top management shall establish a business continuity policy that

a) is appropriate to the purpose of the organization,

b) provides a framework for setting business continuity objectives,

c) includes a commitment to satisfy applicable requirements,

d) includes a commitment to continual improvement of the BCMS.

The BCMS policy shall

— be available as documented information,

— be communicated within the organization,

— be available to interested parties, as appropriate,

— be reviewed for continuing suitability at defined intervals and when significant changes occur.

The organization shall retain documented information on the business continuity policy.

5.4 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization.

Top management shall assign the responsibility and authority for

a) ensuring that the management system conforms to the requirements of this International Standard, and

b) reporting on the performance of the BCMS to top management.

6 Planning

6.1 Actions to address risks and opportunities

When planning for the BCMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to

— ensure the management system can achieve its intended outcome(s),

— prevent, or reduce, undesired effects,

— achieve continual improvement.

The organization shall plan

a) actions to address these risks and opportunities,

b) how to

1) integrate and implement the actions into its BCMS processes (see 8.1),

2) evaluate the effectiveness of these actions (see 9.1).

6.2 Business continuity objectives and plans to achieve them

Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization.

The business continuity objectives shall

a) be consistent with the business continuity policy,

b) take account of the minimum level of products and services that is acceptable to the organization to achieve its objectives,

c) be measurable,

d) take into account applicable requirements, and

e) be monitored and updated as appropriate.

The organization shall retain documented information on the business continuity objectives.

To achieve its business continuity objectives, the organization shall determine

— who will be responsible,

— what will be done,

— what resources will be required,

— when it will be completed, and

— how the results will be evaluated.

7 Support

7.1 Resources

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS.

7.2 Competence

The organization shall

a) determine the necessary competence of person(s) doing work under its control that affects its performance,

b) ensure that these persons are competent on the basis of appropriate education, training, and experience,

c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and

d) retain appropriate documented information as evidence of competence.

NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the reassignment of currently employed persons; or the hiring or contracting of competent persons.

7.3 Awareness

Persons doing work under the organization's control shall be aware of

a) the business continuity policy,

b) their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity management performance,

c) the implications of not conforming with the BCMS requirements, and

d) their own role during disruptive incidents.

7.4 Communication

The organization shall determine the need for internal and external communications relevant to the BCMS including

a) onwhatitwillcommunicate,

b) whentocommunicate,

c) withwhomtocommunicate.

Theorganizationshallestablish,implement,andmaintainprocedure(s)for

— internalcommunicationamongstinterestedpartiesandemployeeswithintheorganization,

— externalcommunicationwithcustomers,partnerentities,localcommunity,andotherinterestedparties,includingthemedia,

— receiving,documenting,andrespondingtocommunicationfrominterestedparties,

— adaptingandintegratinganationalorregionalthreatadvisorysystem,orequivalent,intoplanningandoperationaluse,ifappropriate,

— ensuringavailabilityofthemeansofcommunicationduringadisruptiveincident,

— facilitatingstructuredcommunicationwithappropriateauthoritiesandensuringtheinteroperabilityofmultiplerespondingorganizationsandpersonnel,whereappropriate,and

— operatingandtestingofcommunicationscapabilitiesintendedforuseduringdisruptionofnormalcommunications.

NOTE Furtherrequirementsforcommunicationinresponsetoanincidentarespecifiedin8.4.3.

7.5 Documentedinformation7.5.1 General

Theorganization’sBCMSshallinclude

— documentedinformationrequiredbythisInternationalStandard,and

— documentedinformationdeterminedbytheorganizationasbeingnecessaryfortheeffectivenessoftheBCMS.

NOTE TheextentofdocumentedinformationforaBCMScandifferfromoneorganizationtoanotherdueto

— thesizeoforganizationanditstypeofactivities,processes,productsandservices,

— thecomplexityofprocessesandtheirinteractions,and

— thecompetenceofpersons.

7.5.2 Creatingandupdating

Whencreatingandupdatingdocumentedinformation,theorganizationshallensureappropriate

a) identificationanddescription(e.g.atitle,date,authororreferencenumber),

b) format(e.g.language,softwareversion,graphics)andmedia(e.g.paper,electronic),andreviewandapprovalforsuitabilityandadequacy.

7.5.3 Controlofdocumentedinformation

DocumentedinformationrequiredbytheBCMSandbythisInternationalStandardshallbecontrolledto

Page 23: Tips for a Better Reading Experience

ensure

a) itisavailableandsuitableforuse,whereandwhenitisneeded,

b) itisadequatelyprotected(e.g.fromlossofconfidentiality,improperuse,orlossofintegrity).

Forthecontrolofdocumentedinformation,theorganizationshalladdressthefollowingactivities,asapplicable

— distribution,access,retrievalanduse,

— storageandpreservation,includingpreservationoflegibility,

— controlofchanges(e.g.versioncontrol),

— retentionanddisposition,

— retrievalanduse,

— preservationoflegibility(i.e.clearenoughtoread),and

— preventionoftheunintendeduseofobsoleteinformation.

DocumentedinformationofexternalorigindeterminedbytheorganizationtobenecessaryfortheplanningandoperationoftheBCMSshallbeidentified,asappropriate,andcontrolled.

Whenestablishingcontrolofdocumentedinformation,theorganizationshallensurethatthereisadequateprotectionforthedocumentedinformation(e.g.protectionagainstcompromise,unauthorizedmodificationordeletion).NOTE Accessimpliesadecisionregardingthepermissiontoviewthedocumentedinformation,orthepermissionandauthoritytoviewandchangethedocumentedinformation,etc.

8 Operation8.1 OperationalplanningandcontrolTheorganizationshallplan,implementandcontroltheprocessesneededtomeetrequirements,andtoimplementtheactionsdeterminedin6.1,by

a) establishingcriteriafortheprocesses,

b) implementingcontroloftheprocessesinaccordancewiththecriteria,and

c) keepingdocumentedinformationtotheextentnecessarytohaveconfidencethattheprocesseshavebeencarriedoutasplanned.

Theorganizationshallcontrolplannedchangesandreviewtheconsequencesofunintendedchanges,takingactiontomitigateanyadverseeffects,asnecessary.

Theorganizationshallensurethatoutsourcedprocessesarecontrolled.

8.2 Businessimpactanalysisandriskassessment8.2.1 General

Theorganizationshallestablish,implementandmaintainaformalanddocumentedprocessforbusinessimpactanalysisandriskassessmentthat

Page 24: Tips for a Better Reading Experience

a) establishesthecontextoftheassessment,definescriteriaandevaluatesthepotentialimpactofadisruptiveincident,

b) takesintoaccountlegalandotherrequirementstowhichtheorganizationsubscribes,

c) includessystematicanalysis,prioritizationofrisktreatments,andtheirrelatedcosts,

d) definestherequiredoutputfromthebusinessimpactanalysisandriskassessment,and

e) specifiestherequirementsforthisinformationtobekeptup-to-dateandconfidential.NOTE Therearevariousmethodologiesforbusinessimpactanalysisandriskassessmentwhichwilldeterminetheorderinwhichthesewillbeconducted.

8.2.2 Businessimpactanalysis

Theorganizationshallestablish,implement,andmaintainaformalanddocumentedevaluationprocessfordeterminingcontinuityandrecoverypriorities,objectivesandtargets.Thisprocessshallincludeassessingtheimpactsofdisruptingactivitiesthatsupporttheorganization’sproductsandservices.

Thebusinessimpactanalysisshallincludethefollowing:

a) identifyingactivitiesthatsupporttheprovisionofproductsandservices;

b) assessingtheimpactsovertimeofnotperformingtheseactivities;

c) settingprioritizedtimeframesforresumingtheseactivitiesataspecifiedminimumacceptablelevel,takingintoconsiderationthetimewithinwhichtheimpactsofnotresumingthemwouldbecomeunacceptable;and

d) identifyingdependenciesandsupportingresourcesfortheseactivities,includingsuppliers,outsourcepartnersandotherrelevantinterestedparties.
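As an added worked illustration of items b) to d) above (example code, not part of the standard), the following Python turns an impact-over-time assessment into resumption timeframes and then tightens each dependency so it is back no later than the activities that rely on it. The 1 to 4 impact scale, the activity names, the hour values and the dependency names are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed impact scale for this example: 1 = negligible ... 4 = impact the
# organization will not tolerate (the standard leaves the scale to the organization).
UNACCEPTABLE = 4


@dataclass
class Activity:
    name: str
    # 8.2.2 b): impact of NOT performing the activity, assessed at successive
    # durations of disruption, as {hours_of_disruption: impact_level}
    impact_over_time: dict[int, int]
    # 8.2.2 d): activities, suppliers or resources this activity cannot run without
    depends_on: list[str] = field(default_factory=list)


def resumption_deadline(activity: Activity) -> int | None:
    """First assessed duration at which impact is unacceptable (None if the
    impact stays tolerable across the whole assessed horizon)."""
    for hours in sorted(activity.impact_over_time):
        if activity.impact_over_time[hours] >= UNACCEPTABLE:
            return hours
    return None


def own_timeframe(activity: Activity) -> int | None:
    """8.2.2 c): latest assessed duration at which impact is still tolerable,
    i.e. the activity must be resumed within this many hours. 0 means no
    outage is tolerable; None means its own impact imposes no deadline."""
    deadline = resumption_deadline(activity)
    if deadline is None:
        return None
    earlier = [h for h in activity.impact_over_time if h < deadline]
    return max(earlier) if earlier else 0


def prioritized_timeframes(activities: list[Activity]) -> dict[str, int | None]:
    """Timeframe per activity AND per supporting resource. A dependency must be
    back no later than anything that relies on it, so requirements are pushed
    down the dependency graph until nothing changes (values only ever decrease)."""
    timeframes: dict[str, int | None] = {a.name: own_timeframe(a) for a in activities}
    for a in activities:
        for dep in a.depends_on:
            timeframes.setdefault(dep, None)  # supplier/resource without its own BIA
    changed = True
    while changed:
        changed = False
        for a in activities:
            need = timeframes[a.name]
            if need is None:
                continue
            for dep in a.depends_on:
                current = timeframes[dep]
                if current is None or need < current:
                    timeframes[dep] = need
                    changed = True
    return timeframes


def priority_order(timeframes: dict[str, int | None]) -> list[str]:
    """Shortest resumption timeframe first; unconstrained entries last."""
    return sorted(timeframes, key=lambda n: (timeframes[n] is None, timeframes[n] or 0, n))


# Constructed sample BIA input; "erp" is listed first on purpose so that the
# tighter requirement from order-processing only reaches datacentre-power on
# the second propagation pass.
SAMPLE_ACTIVITIES = [
    Activity("erp", {4: 2, 24: 3, 72: 4}, ["datacentre-power"]),
    Activity("order-processing", {4: 1, 12: 2, 24: 4}, ["erp", "payments-provider"]),
    Activity("payroll", {24: 1, 168: 2, 336: 4}, ["erp", "hr-database"]),
    Activity("customer-support", {1: 4}, ["telephony"]),
    Activity("marketing-site", {24: 1, 168: 2}),
]

if __name__ == "__main__":
    result = prioritized_timeframes(SAMPLE_ACTIVITIES)
    for name in priority_order(result):
        print(f"{name:20s} resume within: {result[name]} h")
```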

8.2.3 Risk assessment

The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.

NOTE This process could be made in accordance with ISO 31000.

The organization shall

a) identify risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them,

b) systematically analyse risk,

c) evaluate which disruption related risks require treatment, and

d) identify treatments commensurate with business continuity objectives and in accordance with the organization's risk appetite.

NOTE The organization must be aware that certain financial or governmental obligations require the communication of these risks at varying levels of detail. In addition, certain societal needs can also warrant sharing of this information at an appropriate level of detail.

8.3 Business continuity strategy

8.3.1 Determination and selection

Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment.

The organization shall determine an appropriate business continuity strategy for

a) protecting prioritized activities,

b) stabilizing, continuing, resuming and recovering prioritized activities and their dependencies and supporting resources, and

c) mitigating, responding to and managing impacts.

The determination of strategy shall include approving prioritized timeframes for the resumption of activities.

The organization shall conduct evaluations of the business continuity capabilities of suppliers.

8.3.2 Establishing resource requirements

The organization shall determine the resource requirements to implement the selected strategies. The types of resources considered shall include but not be limited to

a) people,

b) information and data,

c) buildings, work environment and associated utilities,

d) facilities, equipment and consumables,

e) information and communication technology (ICT) systems,

f) transportation,

g) finance, and

h) partners and suppliers.

8.3.3 Protection and mitigation

For identified risks requiring treatment, the organization shall consider proactive measures that

a) reduce the likelihood of disruption,

b) shorten the period of disruption, and

c) limit the impact of disruption on the organization's key products and services.

The organization shall choose and implement appropriate risk treatments in accordance with its risk appetite.

8.4 Establish and implement business continuity procedures

8.4.1 General

The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis.

The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident.

The procedures shall

a) establish an appropriate internal and external communications protocol,

b) be specific regarding the immediate steps that are to be taken during a disruption,

c) be flexible to respond to unanticipated threats and changing internal and external conditions,

d) focus on the impact of events that could potentially disrupt operations,

e) be developed based on stated assumptions and an analysis of interdependencies, and

f) be effective in minimizing consequences through implementation of appropriate mitigation strategies.

8.4.2 Incident response structure

The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident.

The response structure shall

a) identify impact thresholds that justify initiation of formal response,

b) assess the nature and extent of a disruptive incident and its potential impact,

c) activate an appropriate business continuity response,

d) have processes and procedures for the activation, operation, coordination, and communication of the response,

e) have resources available to support the processes and procedures to manage a disruptive incident in order to minimize impact, and

f) communicate with interested parties and authorities, as well as the media.

The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate, then the organization shall establish and implement procedures for this external communication, alerts and warnings, including the media as appropriate.

8.4.3 Warning and communication

The organization shall establish, implement and maintain procedures for

a) detecting an incident,

b) regular monitoring of an incident,

c) internal communication within the organization and receiving, documenting and responding to communication from interested parties,

d) receiving, documenting and responding to any national or regional risk advisory system or equivalent,

e) assuring availability of the means of communication during a disruptive incident,

f) facilitating structured communication with emergency responders,

g) recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable:

— alerting interested parties potentially impacted by an actual or impending disruptive incident;

— assuring the interoperability of multiple responding organizations and personnel;

— operation of a communications facility.

The communication and warning procedures shall be regularly exercised.

8.4.4 Business continuity plans

The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them.

The business continuity plans shall collectively contain

a) defined roles and responsibilities for people and teams having authority during and following an incident,

b) a process for activating the response,

c) details to manage the immediate consequences of a disruptive incident giving due regard to

1) the welfare of individuals,

2) strategic, tactical and operational options for responding to the disruption, and

3) prevention of further loss or unavailability of prioritized activities;

d) details on how and under what circumstances the organization will communicate with employees and their relatives, key interested parties and emergency contacts,

e) how the organization will continue or recover its prioritized activities within predetermined timeframes,

f) details of the organization's media response following an incident, including

1) a communications strategy,

2) preferred interface with the media,

3) guideline or template for drafting a statement for the media, and

4) appropriate spokespeople;

g) a process for standing down once the incident is over.

Each plan shall define

— purpose and scope,

— objectives,

— activation criteria and procedures,

— implementation procedures,

— roles, responsibilities, and authorities,

— communication requirements and procedures,

— internal and external interdependencies and interactions,

— resource requirements, and

— information flow and documentation processes.

8.4.5 Recovery

The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.

8.5 Exercising and testing

The organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives.

The organization shall conduct exercises and tests that

a) are consistent with the scope and objectives of the BCMS,

b) are based on appropriate scenarios that are well planned with clearly defined aims and objectives,

c) taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties,

d) minimize the risk of disruption of operations,

e) produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements,

f) are reviewed within the context of promoting continual improvement, and

g) are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates.

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

9.1.1 General

The organization shall determine

a) what needs to be monitored and measured,

b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results,

c) when the monitoring and measuring shall be performed, and

d) when the results from monitoring and measurement shall be analysed and evaluated.

The organization shall retain appropriate documented information as evidence of the results.

The organization shall evaluate the BCMS performance and the effectiveness of the BCMS.

Additionally, the organization shall

— take action when necessary to address adverse trends or results before a nonconformity occurs, and

— retain relevant documented information as evidence of the results.

The procedures for monitoring performance shall provide for

— the setting of performance metrics appropriate to the needs of the organization,

— monitoring the extent to which the organization's business continuity policy, objectives and targets are met,

— performance of the processes, procedures and functions that protect its prioritized activities,

— monitoring compliance with this International Standard and the business continuity objectives,

— monitoring historical evidence of deficient BCMS performance, and

— recording data and results of monitoring and measurement to facilitate subsequent corrective actions.

NOTE Deficient performance could include non-conformity, near misses, false alarms, and actual incidents.

9.1.2 Evaluation of business continuity procedures

a) The organization shall conduct evaluations of its business continuity procedures and capabilities in order to ensure their continuing suitability, adequacy and effectiveness;

b) These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner;

c) The organization shall periodically evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformance with its own business continuity policy and objectives; and

d) The organization shall conduct evaluations at planned intervals and when significant changes occur.

When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results.

9.2 Internal audit

The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system

a) conforms to

1) the organization's own requirements for its BCMS,

2) the requirements of this International Standard, and

b) is effectively implemented and maintained.

The organization shall

— plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits,

— define the audit criteria and scope for each audit,

— select auditors and conduct audits to ensure objectivity and the impartiality of the audit process,

— ensure that the results of the audits are reported to relevant management, and

— retain documented information as evidence of the implementation of the audit programme and the audit results.

The audit programme, including any schedule, shall be based on the results of risk assessments of the organization's activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results.

The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results.

9.3 Management review

Top management shall review the organization's BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of

a) the status of actions from previous management reviews,

b) changes in external and internal issues that are relevant to the business continuity management system,

c) information on the business continuity performance, including trends in

1) nonconformities and corrective actions,

2) monitoring and measurement evaluation results, and

3) audit results,

d) opportunities for continual improvement.

Management reviews shall consider the performance of the organization, including

— follow-up actions from previous management reviews,

— the need for changes to the BCMS, including the policy and objectives,

— opportunities for improvement,

— results of BCMS audits and reviews, including those of key suppliers and partners where appropriate,

— techniques, products or procedures which could be used in the organization to improve the BCMS performance and effectiveness,

— status of corrective actions,

— results of exercising and testing,

— risks or issues not adequately addressed in any previous risk assessment,

— any changes that could affect the BCMS, whether internal or external to the scope of the BCMS,

— adequacy of policy,

— recommendations for improvement,

— lessons learned and actions arising from disruptive incidents, and

— emerging good practice and guidance.

The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following:

a) variations to the scope of the BCMS;

b) improvement of the effectiveness of the BCMS;

c) update of the risk assessment, business impact analysis, business continuity plans and related procedures;

d) modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to

1) business and operational requirements,

2) risk reduction and security requirements,

3) operational conditions and processes,

4) legal and regulatory requirements,

5) contractual obligations,

6) levels of risk and/or criteria for accepting risks,

7) resource needs,

8) funding and budget requirements; and

e) how the effectiveness of controls is measured.

The organization shall retain documented information as evidence of the results of management reviews.

The organization shall

— communicate the results of management review to relevant interested parties, and

— take appropriate action relating to those results.

10 Improvement

10.1 Nonconformity and corrective action

When nonconformity occurs, the organization shall

a) identify the nonconformity,

b) react to the nonconformity, and, as applicable,

1) take action to control and correct it, and

2) deal with the consequences.

c) evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by

1) reviewing the nonconformity,

2) determining the causes of the nonconformity, and

3) determining if similar nonconformities exist, or could potentially occur,

4) evaluating the need for corrective action to ensure that nonconformities do not recur or occur elsewhere,

5) determining and implementing corrective action needed,

6) reviewing the effectiveness of any corrective action taken, and

7) making changes to the BCMS, if necessary.

d) implement any action needed,

e) review the effectiveness of any corrective action taken,

f) make changes to the business continuity management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

The organization shall retain documented information as evidence of

— the nature of the nonconformities and any subsequent actions taken, and

— the results of any corrective action.

10.2 Continual improvement

The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS.

NOTE The organization can use the processes of the BCMS such as leadership, planning and performance evaluation, to achieve improvement.

Bibliography

[1] ISO 9001, Quality management systems — Requirements

[2] ISO 14001, Environmental management systems — Requirements with guidance for use

[3] ISO 19011, Guidelines for auditing management systems

[4] ISO/IEC 20000-1, Information technology — Service management

[5] ISO 22300, Societal security — Terminology

[6] ISO/PAS 22399, Societal security — Guideline for incident preparedness and operational continuity management

[7] ISO/IEC 24762, Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services

[8] ISO/IEC 27001, Information security management systems

[9] ISO/IEC 27031, Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity

[10] ISO 31000, Risk management — Principles and guidelines

[11] ISO/IEC 31010, Risk management — Risk assessment techniques

[12] ISO/IEC Guide 73, Risk management — Vocabulary

[13] BS 25999-1, Business continuity management — Code of practice, British Standards Institution (BSI)

[14] BS 25999-2, Business continuity management — Specification, British Standards Institution (BSI)

[15] SI 24001, Security and continuity management systems — Requirements and guidance for use, Standards Institution of Israel

[16] NFPA 1600, Standard on disaster/emergency management and business continuity programs, National Fire Protection Association (USA)

[17] Business Continuity Plan Drafting Guideline, Ministry of Economy, Trade and Industry (Japan), 2005

[18] Business Continuity Guideline, Central Disaster Management Council, Cabinet Office, Government of Japan, 2005

[19] ANSI/ASIS SPC.1, Organizational Resilience: Security, Preparedness, and Continuity Management Systems – Requirements with Guidance for Use

[20] SS 540:2008, Singapore Standard for Business Continuity Management

[21] ANSI/ASIS/BSI BCM.01, Business Continuity Management Systems: Requirements with Guidance for Use