ISO 22301 Foundation Course Instructor Guide

ISO 22301 Business Continuity Management Foundation, release 1.0.0

INSTRUCTOR GUIDE

Classroom course, release 1.0.0

t

Copyright

Copyright and Trademark Information for Partners/Stakeholders.

Copyright © 2013 ITpreneurs. All rights reserved.

Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.

The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.


ISO 22301 Business Continuity Management | Foundation | Instructor Guide

Follow Us

Before you start the course, please take a moment to:

"Like us" on Facebook: http://www.facebook.com/ITpreneurs
"Follow us" on Twitter: http://twitter.com/ITpreneurs
"Add us in your circle" on Google Plus: http://gplus.to/ITpreneurs
"Link with us" on LinkedIn: http://www.linkedin.com/company/ITpreneurs
"Watch us" on YouTube: http://www.youtube.com/user/ITpreneurs

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.


Contents

Day 1 ------------------------------------------------------- 5
Day 2 ------------------------------------------------------- 119
Appendix A: Case Study -------------------------------------- N/A
Appendix B: Exercises List ---------------------------------- 213
Appendix C: Correction Key for Exercises -------------------- 227
Appendix D: Release Notes ----------------------------------- 237
Instructor Feedback Form ------------------------------------ 239



ISO 22301 Business Continuity Management Foundation

t

Day 1


Certified ISO 22301 Foundation

Schedule for Day 1

Section 01: Course objective and structure
Section 02: Standard and regulatory framework
Section 03: Business Continuity Management System (BCMS)
Section 04: Fundamental concepts and principles of business continuity
Section 05: Understanding the organization and clarifying the business continuity objectives, scope & policy
Section 06: Business Impact Analysis
Section 07: Risk assessment and mitigation measures
Section 08: Organizational structure


© 2012 PECB Version 2.2 Rene St-Germain and Eric Lachapelle (Editors) Document number: BCMSFD-D1V2.2


Documents provided to participants are strictly reserved for training purposes and are copyrighted by PECB. Unless otherwise specified, no part of this publication may be, without PECB’s written permission, reproduced or used in any way or format or by any means whether it be electronic or mechanical including photocopy and microfilm.


Normative references used in this training

1. Main standards

ISO 22300:2012, Societal security — Business continuity management systems — Terminology.
ISO 22301:2012, Societal security — Business continuity management systems — Requirements.
ISO/PAS 22399:2007, Societal security — Guideline for incident preparedness and operational continuity management.
ISO 31000:2009, Risk management — Principles and guidelines.

2. Other standards references

NFPA 1600:2010, Standard on Disaster/Emergency Management and Business Continuity Programs.
ISO 9000:2005, Quality management systems — Fundamentals and vocabulary.
ISO 9001:2008, Quality management systems — Requirements.
ISO 14001:2004, Environmental management systems — Requirements with guidance for use.
ISO 17021:2011, Conformity assessment — Requirements for bodies providing audit and certification of management systems.
ISO 17024:2003, Conformity assessment — General requirements for bodies operating certification of persons.
ISO 19011:2011, Guidelines for auditing management systems.
OHSAS 18001:2007, Occupational health and safety management systems — Requirements.
ISO/IEC 20000-1:2011, Information technology — Service management — Part 1: Service management system requirements.
ISO/IEC 20000-2:2012, Information technology — Service management — Part 2: Guidance on the application of service management systems.
ISO 22000:2005, Food safety management systems — Requirements for any organization in the food chain.
ISO/IEC 24762, Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services.
BS 25999-1:2006, Business continuity management — Code of practice.
BS 25999-2:2007, Business continuity management — Specification.
ISO/IEC 27000:2009, Information technology — Security techniques — Information security management systems — Overview and vocabulary.
ISO/IEC 27001:2005, Information security management systems — Requirements.
ISO/IEC 27002:2005, Information technology — Security techniques — Code of practice for information security management.
ISO/IEC 27031:2011, Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity.
ISO 28000:2007, Specification for security management systems for the supply chain.
ISO/IEC 31010:2009, Risk management — Risk assessment techniques.

List of acronyms and abbreviations used in this training

ANSI: American National Standards Institute
BC: Business continuity
BCC: Business continuity coordinator
BCM: Business continuity management
BCMS: Business continuity management system
BCP: Business continuity plan
BIA: Business impact analysis
CERT: Computer Emergency Response Team
CMM: Capability Maturity Model
CMS: Content Management System
CMT: Crisis Management Team
CPD: Continuing Professional Development
DMS: Document Management System
EDM: Electronic Document Management System
EMS: Environment management system
EOC: Emergency Operations Center
FEMA: Federal Emergency Management Agency
ISMS: Information security management system
ISO: International Standards Organization
MAO: Maximum Acceptable Outage
MBCO: Minimum Business Continuity Objective
NC: Non-conformity
NIST: National Institute of Standards and Technology
QMS: Quality management system
PECB: Professional Evaluation and Certification Board
RPO: Recovery Point Objective
RTO: Recovery Time Objective
SMS: Service management system

Certified ISO 22301 Foundation Training

Section 1

Course objectives and structure

a. Meet and greet
b. General Information
c. Training objectives
d. Educational approach
e. Examination and certification
f. PECB
g. Schedule for the training

Activity

Meet and greet


To break the ice, participants introduce themselves stating:

Name;
Current position;
Knowledge of and experience in business continuity;
Knowledge of and experience with ISO 22301 and other business continuity standards (BS 25999, ISO 27031, etc.);
Knowledge and experience with other management systems (ISO 9001, ISO 14001, ISO 20000, ISO 27001, etc.);
Course expectations and objectives.

Duration of activity: 20 minutes

General Information

Use of a computer and access to the Internet
Smoking area
Use of mobile phones and recording devices
Meals
Absences
Timetable and breaks

For simplification, only the masculine is used throughout this training and is not meant to offend anyone. In case of emergency, please be aware of exits. Agree on course schedule and two breaks (be on time). Set your cell phone on vibration and if you need to take a call, please do it outside the classroom. Recording devices are prohibited because they may restrict free discussions.


Training Objectives

Acquiring knowledge

1. Explain the components and the operation of a Business Continuity Management System based on ISO 22301 and its principal processes
2. Understand the goal, content and correlation between ISO 22301 and ISO 22313 as well as with other standards and regulatory frameworks
3. Understand the concepts, approaches, standards, methods and techniques for the implementation and effective management of a BCMS

The training focuses on the acquisition of knowledge necessary for the implementation of a compliance framework for ISO 22301 and not on the acquisition of expertise in business continuity. Minimal knowledge of business continuity concepts is however recommended for successful completion of the course.

To obtain more in-depth knowledge of the implementation and the management of a BCMS, it is recommended to take the Certified ISO 22301 Lead Implementer course.

To obtain more in-depth knowledge of the audit techniques of a BCMS, it is recommended to take the Certified ISO 22301 Lead Auditor course.


Educational Approach

Students at the center

This course is primarily based on:
Trainer-led sessions, where questions are welcomed.
Student involvement in various ways: exercises, case studies, notes, reactions, discussions (participant experiences).

Remember, this course is yours: you are the main players in its success.

Students are encouraged to take additional notes. Extra blank pages are available at the end of each day's notes.

Exercises are essential for acquiring the competencies required at the foundation level, so it is very important to do them conscientiously. Moreover, even though they are not scored, the exercises prepare students for the exam.

Exam and Certificate

The exam only contains essay questions. The duration of the exam is one hour. The minimum passing score is 70%.
Candidates who met all the prerequisites for certification will receive a certificate.

The objective of the exam is to ensure that the candidate has the basic knowledge and skills to participate in the implementation of a Business Continuity Management System (BCMS) based on ISO 22301.

The exam consists of essay-type questions. During the examination participants may use all PECB provided documentation plus their own course notes but will not be permitted to use any computer, laptop or any other electronic device. The exam lasts one hour.


The exam is available in several languages. When taking the exam, please ask the trainer or check the “examination” section on the PECB website to know the list of available languages.


Prerequisites for certification

ISO 22301 Foundation:
1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. No professional experience required
4. No business continuity experience required

Passing the exam is one of the prerequisites for attaining an ISO 22301 Foundation professional credential. A second important prerequisite is to adhere to the PECB Code of Ethics. As the ISO 22301 Foundation professional certification is an entry-level credential, students are not required to have professional experience, BCMS project experience or audit experience.


The criteria and process leading to certification will be explained in full during Day 2 of the course.

What is PECB?

Professional Evaluation and Certification Board

Main services:
1. Certification of personnel (Auditor and Implementer)
2. Certification of training organizations
3. Certification of trainers

Founded in 2005, PECB is a personnel certification body for various standards, including ISO 9001 (Quality), ISO 14001 (Environment), OHSAS 18001 (Health & Safety), ISO 20000 (IT Service), ISO 22000 (Food safety), ISO 22301 (Business continuity), ISO 26000 (Social Responsibility), ISO 27001 (Information security), ISO 27005 (Information security risk) and ISO 28000 (Supply Chain Security).


Our mission is to provide our clients with comprehensive individual examination and certification services. PECB develops, maintains and continually improves high quality recognized certification programs. PECB is accredited by ANSI under ISO/IEC 17024 (accreditation ID: 1003). PECB is the only personnel certification body certified ISO 9001 and ISO 27001.

The purpose of PECB, as stated in its Bylaws, is to develop and promote professional standards for certification and to administer credible certification programs for individuals who practice in disciplines involving the audit and the implementation of a compliant management system. This principal purpose includes:

Establishing the minimum requirements necessary to qualify certified professionals;
Reviewing and verifying the qualifications of applicants for eligibility to sit for the certification examinations;
Developing and maintaining reliable, valid, and current certification examinations;
Granting certificates to qualified candidates, maintaining certificant records, and publishing a directory of the holders of valid certificates;
Establishing requirements for the periodic renewal of certification and determining compliance with those requirements;
Ascertaining that certificants meet and continue to meet the PECB Code of Ethics;
Representing its members, where appropriate, in matters of common interest;
Promoting the benefits of certification to employers, public officials, practitioners in related fields, and the public.

Customer Service

Comments, questions and complaints

[Diagram: complaint-handling process between the Participant, the Training Provider and PECB]
1. Submit a complaint
2. Answer in writing
3. Appeal
4. Final arbitration

In order to ensure your satisfaction and continually improve the training, examination and certification processes, PECB Customer Service has established a support ticket system for handling complaints and services for our clients.


As a first step, we invite you to discuss the situation with the trainer. If necessary, do not hesitate to contact the head of the training organization where you are registered. In all cases, we remain at your disposal to arbitrate any dispute that might arise between you and these parties.


To send comments, questions or complaints, please open a ticket on PECB’s website in the Contact Us section.


If you have suggestions for improving PECB’s training materials, we'd like to hear from you. We read and evaluate the input we get from our members. Please open a ticket directed to Training Department on PECB’s website in the Contact Us section.


In case of dissatisfaction with the training (trainer, training room, equipment,...), the examination or the certification processes, please open a ticket under “Make a complaint” category on PECB’s website in the Contact Us section.


Schedule for the Training

Day 1 (AM): Introduction to ISO 22301 and planning of a BCMS
Section 1: Course objectives and structure
Section 2: Standard and regulatory framework
Section 3: Business Continuity Management System (BCMS)
Section 4: Fundamental principles of business continuity

Day 1 (PM): ISO 22301 Requirements
Section 5: Understanding the organization and clarifying the business continuity objectives, scope & policy
Section 6: Business Impact Analysis
Section 7: Risk assessment and mitigation measures
Section 8: Organizational structure

Day 2 (AM): Implementation of a BCMS
Section 9: Business continuity strategy
Section 10: Business continuity plans and procedures
Section 11: Communication, training and awareness plan
Section 12: Exercising and testing

Day 2 (PM): Evaluation of a BCMS, Continuous Improvement and exam
Section 13: Measurement, monitoring and evaluation of the BCMS
Section 14: Internal Audit
Section 15: Management Review
Section 16: Treatment of non-conformities and continual improvement
Section 17: Closing the training
Exam

QUESTIONS?

Certified ISO 22301 Foundation Training

Section 2

Standard and regulatory framework

a. What is ISO?
b. Fundamental ISO principles
c. Management system standards
d. Business Continuity standards
e. ISO 22301 and ISO 27001
f. Certification schema and process
g. ISO 22301 advantages


ISO documents are copyright protected. Each participant has a responsibility to possess a legal copy of the standards required for this course. If a standard is included or was given to you for the period of this training, you must follow the conditions for use stated by ISO.


During this training, we will adopt the following convention: standards will often be referenced as “ISO XXXX” in the slide instead of their official designation “ISO/IEC XXXXX:20XX” without specifying their publication date, each referring to its latest version.

No part of this publication may be reproduced by any means or used in any way, whether electronic or mechanical, including photocopies and microfilms, without written permission from ISO (see address below) or from the ISO member body in the country of the person or organization concerned.

Copies of the different ISO standards can be bought online on the ISO website (www.iso.org) or from the accreditation authority of each country. For example, you can buy ISO standards from ANSI (webstore.ansi.org) or from AFNOR (www.boutique.afnor.org).


Important note on terminology: Depending on the standard, there are different terms used to refer to a specific part of a standard like clause, section, paragraph or chapter. In this course we will use "clause" to express any reference to a specific part of a norm or standard.

What is ISO?

ISO is a network of national standardization bodies from over 160 countries
The final results of ISO works are published as international standards
Over 19 000 standards have been published since 1947

History

In 1946, delegates from 25 countries met in London and decided to create a new international organization, of which the object would be "to facilitate the international coordination and unification of industrial standards". The new organization officially began operations on 23 February 1947, in Geneva, Switzerland. The International Standards Organization (ISO) is a non-governmental organization that holds a special position between the public sector and the private sector. Its members include national standards organizations who often are part of government structures in their countries or who are mandated by these governments.

Goals/Advantages

The role of ISO is to facilitate international coordination and the standardization of industrial standards. To reach these objectives, ISO publishes technical standards. These standards contribute to the development, manufacturing and delivery of products and services that are more effective, safer and clearer. They facilitate fair trade between countries. In addition, they bring a technical foundation for health, security, and environmental legislation to governments; and they help transfer technologies to developing countries. ISO standards are also used to protect consumers and general users of products and services. These standards are also used to simplify their lives.


Other members belong to the private sector as national partnerships of industry associations.

Note on terminology: Because "International Organization for Standardization" would have different acronyms in different languages ("IOS" in English, "OIN" in French for Organisation internationale de normalisation), its founders decided to give it also a short, all-purpose name. They chose "ISO", derived from the Greek isos, meaning "equal".


Source: www.iso.org

Management System Standards

Primary standards against which an organization can be certified:

ISO 9001: Quality
ISO 14001: Environment
OHSAS 18001: Health and Safety at work
ISO 20000: IT Service
ISO 22000: Food Safety
ISO 22301: Business continuity
ISO 27001: Information Security
ISO 28000: Supply Chain Security

Since 1947 ISO has published over 19 000 international standards. ISO publishes standards related to traditional activities such as agriculture and construction, media devices and the most recent development in information technologies, such as the digital coding of audiovisual signals for multimedia applications. ISO 9000 and ISO 14000 families are among the best known ISO standards. The ISO 9000 standard has become an international reference in regard to the quality requirements in commerce and business transactions. The ISO 14000 standard, for its part, is used to help organizations meet challenges of an environmental nature.


ISO 22301 Business Continuity Management Foundation


Day 2

Certified ISO 22301 Foundation

Schedule for Day 2

Section 09: Business continuity strategy
Section 10: Business continuity plans and procedures
Section 11: Communication, training and awareness plan
Section 12: Exercising and testing
Section 13: Measurement, monitoring and evaluation of the BCMS
Section 14: Internal audit
Section 15: Management review
Section 16: Treatment of non-conformities and continual improvement
Section 17: Closing the training


© 2012 PECB Version 2.2 Rene St-Germain and Eric Lachapelle (Editors) Document number: BCMSFD-D2V2.2

Documents provided to participants are strictly reserved for training purposes and are copyrighted by PECB. Unless otherwise specified, no part of this publication may be, without PECB’s written permission, reproduced or used in any way or format or by any means whether it be electronic or mechanical including photocopy and microfilm.

Certified ISO 22301 Foundation Training

Section 9

Business continuity strategy

a. Strategy model for business continuity
b. Analysis and selection of the Strategy
c. Constraints affecting the Strategy choice
d. Comparison of the main BC strategy options

Requirements

ISO 22301, clause 8.3.1

8.3 Business continuity strategy

8.3.1 Determination and selection

Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment.

The organization shall determine an appropriate business continuity strategy for:
a) protecting prioritized activities;
b) stabilizing, continuing, resuming and recovering prioritized activities and their dependencies and supporting resources; and
c) mitigating, responding to and managing impacts.

The determination of strategy shall include approving prioritized time frames for the resumption of activities. The organization shall conduct evaluations of the business continuity capabilities of suppliers.

Definition of the Strategy Model

An organization wishing to comply with ISO 22301 shall at least:
Determine an appropriate business continuity strategy;
Evaluate the business continuity capabilities of the suppliers of the organization.

The objective of Strategy Selection is to assist in defining the action items needed to protect the organization and to select the most appropriate recovery solutions for critical business functions and supporting resources.

In the selection of a strategy, you must weigh the cost of being without the service at various points in time (the duration of the outage) against the cost of the solution. The objective is to minimize the total cost of the impact and the solution.

The business continuity strategy forms the basis for the Business Continuity Plans. “Strategy” is a broad, all-encompassing term. It usually refers to the formation of a vision and direction for an organization; setting mission statements, identifying markets and objectives so that the mission of the organization can be achieved.

In the context of Business Continuity Management (BCM), it concerns the determination and selection of alternative operating strategies to be used to maintain the organization's critical activities. Experience and good practice clearly show that the early provision of an organizational (Corporate) BCM Strategy ensures that BCM activities are aligned with and support the organization's overall business strategy.


The Business Continuity Strategy can be an integral component of an institution’s corporate strategy.

Strategic Business Continuity Models

3 basic models

1. Active/Backup Model: This traditional BC model is based on an 'active' operating site with a corresponding backup site. This includes both data processing and operations. The model relies on relocating staff from the active to the backup site and maintaining backup copies of technology and data.

2. Active/Active (Split Operations) Model: This emerging BC model relies upon two or more widely (geographically) separated 'active' operational sites for Mission Critical Activities that inherently back up one another.

3. Alternate Site Model: This BC model provides a variation of the 'Active/Backup' and 'Active/Active' models where a backup site periodically functions as the primary site for a period of time.

Alternate sites may be owned and operated by the organization (internal recovery), or commercial sites may be available under contract.


If contracting for the site with a commercial vendor, adequate testing time, work space, security requirements, hardware requirements, telecommunications requirements, support services, and recovery days (how long the organization can occupy the space during the recovery period) must be negotiated and clearly stated in the contract.

Customers should be aware that multiple organizations may have a contract with a vendor for the same alternate site; as a result, the site may be unable to accommodate all of the customers if a disaster affects several of those customers simultaneously. The vendor's policy on how this situation should be addressed and how priority status is determined should be negotiated.

Analysis of the BC Strategy Options

[Chart: available BC strategies and the RTO they satisfy; vertical axis "cost of strategy", horizontal axis "time of recovery". The options as numbered in the chart:]

I. No strategy
II. Rebuild and restoration
III. Cold site
IV. Mobile site
V. Reciprocal agreement
VI. Warm site
VII. Remote working
VIII. Relocation in other group facilities
IX. Hot site
X. Mirror site

There are obvious cost and ready-time differences among the options. In these examples, the mirror site is the most expensive choice, but it ensures close to 100 percent availability. Cold sites are least expensive to maintain, although they may require substantial time to acquire and install necessary equipment.


Partially equipped sites, such as warm sites, fall in the middle of the spectrum. In many cases, mobile sites may be delivered to the desired location within 24 hours, but the time necessary for equipment installation and setup can increase this response time.


The selection of fixed-site locations should account for the time and mode of transportation necessary to move personnel and/or equipment there. In addition, the fixed site should be in a geographic area that is unlikely to be negatively affected by the same hazard as the organization’s primary site.
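The trade-off described in this section (the cost of being without a service for the length of the outage against the cost of the solution, with "no strategy" at one end of the chart and the mirror site at the other) can be made concrete with a small calculation. The Python below is an added example and is not part of the PECB or ITpreneurs course material. It takes a constructed list of strategy options, each with a yearly cost and the recovery time it can deliver, a constructed two-phase loss curve of the kind a BIA produces for an activity, and the activity's MAO, and returns the feasible option with the lowest expected total cost. Every monetary figure, the one-incident-in-ten-years rate, and the simplification that each incident's outage lasts exactly as long as the chosen option's recovery time are assumptions of the example, not figures from the course.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not part of the course material). All figures below are
# constructed for illustration; they are not taken from any real BIA.


@dataclass(frozen=True)
class StrategyOption:
    name: str
    annual_cost: float     # yearly cost of keeping the solution ready
    recovery_hours: float  # recovery time (RTO) the option can deliver


@dataclass(frozen=True)
class ImpactProfile:
    """Loss per hour of outage for one activity, as a BIA would estimate it."""
    hourly_loss: float            # loss per hour during the first phase of an outage
    escalation_hours: float       # after this many hours the loss rate rises
    escalated_hourly_loss: float  # loss per hour once the outage has escalated
    mao_hours: float              # maximum acceptable outage; anything longer is intolerable


# Constructed sample data: five of the ten options from the course chart.
OPTIONS: List[StrategyOption] = [
    StrategyOption("No strategy", annual_cost=0, recovery_hours=720),
    StrategyOption("Cold site", annual_cost=20_000, recovery_hours=120),
    StrategyOption("Warm site", annual_cost=80_000, recovery_hours=24),
    StrategyOption("Hot site", annual_cost=250_000, recovery_hours=4),
    StrategyOption("Mirror site", annual_cost=600_000, recovery_hours=0.5),
]
PROFILE = ImpactProfile(hourly_loss=2_000, escalation_hours=24,
                        escalated_hourly_loss=6_000, mao_hours=72)
INCIDENTS_PER_YEAR = 0.1  # assumed frequency of a disruptive incident


def impact_cost(profile: ImpactProfile, outage_hours: float) -> float:
    """Cost of being without the activity for outage_hours (two-phase curve)."""
    if outage_hours <= profile.escalation_hours:
        return outage_hours * profile.hourly_loss
    first_phase = profile.escalation_hours * profile.hourly_loss
    extra_hours = outage_hours - profile.escalation_hours
    return first_phase + extra_hours * profile.escalated_hourly_loss


def expected_total_cost(option: StrategyOption, profile: ImpactProfile,
                        incidents_per_year: float) -> float:
    """Solution cost plus expected impact cost per year.

    Assumption of this example: every incident produces an outage exactly as
    long as the option's recovery time.
    """
    impact = impact_cost(profile, option.recovery_hours)
    return option.annual_cost + incidents_per_year * impact


def rank_options(options: List[StrategyOption], profile: ImpactProfile,
                 incidents_per_year: float) -> List[Tuple[float, str]]:
    """Options whose recovery time fits within the MAO, cheapest total first."""
    feasible = [o for o in options if o.recovery_hours <= profile.mao_hours]
    ranked = [(expected_total_cost(o, profile, incidents_per_year), o.name)
              for o in feasible]
    return sorted(ranked)


def select_strategy(options: List[StrategyOption], profile: ImpactProfile,
                    incidents_per_year: float) -> Optional[str]:
    """Name of the lowest-total-cost feasible option; None if nothing meets the MAO."""
    ranked = rank_options(options, profile, incidents_per_year)
    return ranked[0][1] if ranked else None


if __name__ == "__main__":
    for total, name in rank_options(OPTIONS, PROFILE, INCIDENTS_PER_YEAR):
        print(f"{name:<12} expected total cost per year: {total:>12,.0f}")
    print("Selected:", select_strategy(OPTIONS, PROFILE, INCIDENTS_PER_YEAR))
```

With these constructed figures the "No strategy" and "Cold site" options are dropped because their recovery time exceeds the 72-hour MAO, and the warm site wins on total cost even though the hot and mirror sites recover faster: their yearly cost outweighs the outage loss they avoid. Tightening the MAO to 12 hours removes the warm site from the feasible set and the hot site becomes the selection, which is the cost-versus-recovery-time movement the chart in this section illustrates.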

I. No Strategy

Characteristics:
No strategy defined
No documentation for business recovery and continuity
Data are not sent off-site, and there is no alternate site identified
Strategy used by organizations with high risk appetite or for a site with low criticality; also, can be seen where a product has a limited life span

Advantages:
The least expensive strategy to implement

Disadvantages:
The most expensive strategy after a disaster…

In some circumstances it might be appropriate to change, suspend or end the service, product, function or process. This option should only be considered where there is no conflict with the organization’s objectives, statutory compliance and stakeholder expectation. This approach is most likely to be considered where a product or service has a limited lifespan.


II. Rebuild and Restoration

Characteristics:
- Strategy focuses mainly on insurance
- Documentation of the material assets and facilities
- Data are not sent off-site, and there is no alternate site identified
- Strategy used by organizations with moderate risk appetite or for a site with low criticality

Advantages:
- Low-cost strategy and easy to implement
- Protection against financial loss for physical assets

Disadvantages:
- Strategy usually does not take into consideration the business processes and immaterial assets
- Strategy does not include a plan to ensure continuity of operation during a disaster

Insurance is often seen as the first business continuity strategy option to be considered, because it affects how the other options are financed.


Purchase of insurance can provide some financial recompense for some losses, but will not meet all costs (e.g. uninsured events, brand, reputation, stakeholder value, market share and human consequences). A financial settlement alone is unlikely to fully protect the organization and satisfy stakeholder expectations. Insurance cover is more likely to be used in conjunction with one or more other strategies.


III. Cold Site

Characteristics:
- Facility with electrical power and Heating, Ventilation and Air Conditioning (HVAC)
- Ready for equipment, but no computer hardware on site
- Communications links may or may not be ready
- Strategy used by organizations with moderate risk appetite or for a site with low criticality

Advantages:
- Fast to implement
- Low cost
- Easy to maintain

Disadvantages:
- False sense of security
- Length of time for recovery can be long, depending on the complexity of the technology and equipment used by the organization
- Service provider may oversell processing capabilities

These are sites that have only the basic environment (electrical wiring, air conditioning, flooring, etc.) needed to operate an information processing facility, which keeps the cost down. The cold site is ready to receive equipment but does not offer any components at the site in advance of the need. Activation of the site may take several weeks.


Important note: For warm sites and cold sites, the general industry trend is a maximum ratio of 25 to 1, i.e. each desk is sold a maximum of 25 times. Great care should be taken to understand who the other 24 customers potentially using each desk are; some suppliers, for example, provide client details by post code, which shows whether those customers are likely to be hit by the same regional incident. The parameters acceptable to an organization should be clearly defined within its BC Strategy and should not be left to individual contract negotiations.


IV. Mobile Site

Characteristics:
- Trailer that can be quickly transported to an alternate site
- Can be preconfigured with servers, desktop computers, communications equipment, microwave and satellite data links
- Useful alternative when there are no recovery facilities in the geographic area

Advantages:
- Low cost
- Fast to implement
- Easy to maintain
- Flexibility

Disadvantages:
- Capacity of the equipment can be insufficient for the need

A mobile site is a specially designed trailer that can be quickly transported to an alternate location. Mobile sites or trailers may be owned by the organization or leased.


They are self-contained portable data centers with power generators. They can be preconfigured with servers, desktop computers, communications equipment, microwave and satellite data links. They are a useful alternative when there are no recovery facilities in the geographic area. However, there is a time delay while the trailer is driven to the recovery location, set up and configured and data loaded.


In terms of readiness, the mobile backup site is comparable to a cold site.


V. Reciprocal Agreement

Characteristics:
- Arrangement with another company with similar hardware or software configurations
- Agreement by both parties; assumes sufficient capacity in time of need (a big assumption)
- Should only be considered if there are no other options, or with a perfect partner that has a compatible technology environment

Advantages:
- If processing requirements are similar, it may be workable
- Low or no cost

Disadvantages:
- Highly unlikely the capacity will exist
- Severely limits responsiveness and support

Two or more organizations with similar or identical system configurations and backup technologies may enter into a formal agreement to serve as alternate sites for each other or enter into a joint contract for an alternate site. This type of site is set up via a reciprocal agreement or memorandum of understanding (MOU). A reciprocal agreement should be entered into carefully because each site must be able to support the other, in addition to its own workload, in the event of a disaster.


This type of agreement requires the recovery sequence for the systems from both organizations to be prioritized from a joint perspective, favorable to both parties. Testing should be conducted at the partnering sites to evaluate the extra processing thresholds, compatible system and backup configurations, sufficient telecommunications connections, compatible security measures, and the sensitivity of data that might be accessible by other privileged users, in addition to functionality of the recovery strategy. Consideration should also be given to system interconnections and possible interconnection security agreements (ISAs).


Reciprocal agreements can work in some selected services but due diligence must be taken when establishing this type of arrangement. Such arrangements must be enforceable and subject to testing via Service Level Agreements (SLA) or formal contracts.


Several principles apply:
- The site chosen cannot be subject to the same disaster as the main site
- There must be coordination and compatibility between hardware and software
- Resource availability must be ensured
- Both companies must agree not to add applications once all the recovery resources are fully used
- Regular testing is necessary

ISO 22301, clause 3.30, mutual aid agreement: pre-arranged understanding between two or more entities to render assistance to each other.


VI. Warm Site

Characteristics:
- Facility with electrical power, Heating, Ventilation and Air Conditioning (HVAC) and communication link
- Workstations and printers are available, but software may not be installed
- Strategy used by organizations with moderate or low risk appetite or for a site with low or medium criticality

Advantages:
- Cost: much less than a hot site
- Location: since less control is required, sites can be more flexible

Disadvantages:
- Service provider may oversell processing capabilities

These are sites that are partially configured, usually with network connections and selected peripheral equipment, such as disk drives and tape drives and controllers, but without the main computer. The assumption behind the warm site concept is that the computer can usually be obtained quickly for emergency installation (provided it is a widely used model), and since the computer is the most expensive unit, such an arrangement is less costly than a hot site.


VII. Remote Working

Characteristics:
- Includes the concept of "working from home" and working from other non-corporate locations, e.g. hotels
- Strategy used by small organizations or for some business units

Advantages:
- No cost
- Flexible solution

Disadvantages:
- Due to security and confidentiality issues, this option is not always suitable
- Difficult to coordinate for large organizations

VIII. Relocation in Other Group Facilities

Characteristics:
- In case of a disruptive incident affecting an organizational division, the relocation is done to another facility of the same organization
- Strategy used by large organizations with several facilities

Advantages:
- Cost can be low to medium
- Easy to implement
- In most cases, compatibility of the technology
- Quick response to activate

Disadvantages:
- No assurance that the capacity will exist when needed
- Resource contention during a disaster


IX. Hot Site

Characteristics:
- Applications are installed on the servers and workstations
- Workstations and servers are kept up to date
- Strategy used by organizations with very low risk appetite or for a site with high criticality

Advantages:
- 24/7 availability, exclusivity of use
- Immediately available
- Supports short- and long-term outages

Disadvantages:
- Expensive
- Requires constant maintenance of hardware, software, data and applications
- Security of the hot site: primary site security must be duplicated

These are sites that are fully configured and ready to operate within several hours. The equipment, network and systems software must be compatible with the primary installation being backed up. The hot site is intended for emergency operations over a limited time period and not for long-term extended use. There are high costs associated with this arrangement, but they are often cost-justified for critical applications.
