ISO 22301 Business Continuity Management Foundation release 1.0.0 PARTICIPANT HANDBOOK
ISO 22301 Business Continuity Management Foundation, Classroom course, release 1.0.0
Copyright
Copyright and Trademark Information for Partners/Stakeholders.
Copyright © 2013 ITpreneurs. All rights reserved.
Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.
The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.
ISO 22301 Business Continuity Management | Foundation | Participant Handbook
Follow Us
Before you start the course, please take a moment to:
“Like us” on Facebook: http://www.facebook.com/ITpreneurs
“Follow us” on Twitter: http://twitter.com/ITpreneurs
“Add us in your circle” on Google Plus: http://gplus.to/ITpreneurs
“Link with us” on LinkedIn: http://www.linkedin.com/company/ITpreneurs
“Watch us” on YouTube: http://www.youtube.com/user/ITpreneurs
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.
Contents
Day 1
Day 2
Appendix A: Case Study
Appendix B: Exercises List
Appendix C: Correction Key for Exercises
Appendix D: Release Notes
Participant Feedback Form
ISO 22301 Business Continuity Management Foundation
Day 1
Certified ISO 22301 Foundation Training
Section 1
Course objectives and structure
a. Meet and greet
b. General Information
c. Training objectives
d. Educational approach
e. Examination and certification
f. PECB
g. Schedule for the training
Activity
Meet and greet

General Information
Use of a computer and access to the Internet
Use of mobile phones and recording devices
Smoking area
Timetable and breaks
Meals
Absences
Training Objectives
Acquiring knowledge
1. Explain the components and the operation of a Business Continuity Management System based on ISO 22301 and its principal processes
2. Understand the goal, content and correlation between ISO 22301 and ISO 22313 as well as with other standards and regulatory frameworks
3. Understand the concepts, approaches, standards, methods and techniques for the implementation and effective management of a BCMS

Educational Approach
Students at the center
Exam and Certificate
• The exam only contains essay questions. The duration of the exam is one hour. The minimum passing score is 70%
• Candidates who met all the prerequisites for certification will receive a certificate: ISO 22301 Foundation

Prerequisites for certification
ISO 22301 Foundation
1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. No professional experience required
4. No business continuity experience required
What is PECB?
Professional Evaluation and Certification Board
Main services:
1. Certification of personnel (Auditor and Implementer)
2. Certification of training organizations
3. Certification of trainers

Customer Service
Comments, questions and complaints
[Diagram: complaint process involving the Participant, the Training Provider and PECB]
1. Submit a complaint
2. Answer in writing
3. Appeal
4. Final arbitration
QUESTIONS?

Schedule for the Training
Certified ISO 22301 Foundation Training
Section 2
Standard and regulatory framework
a. What is ISO?
b. Fundamental ISO principles
c. Management system standards
d. Business Continuity standards
e. ISO 22301 and ISO 27001
f. Certification schema and process
g. ISO 22301 advantages

What is ISO?
• ISO is a network of national standardization bodies from over 160 countries
• The final results of ISO works are published as international standards
• Over 19 000 standards have been published since 1947
Management System Standards
Primary standards against which an organization can be certified
ISO 9001 Quality
ISO 14001 Environment
OHSAS 18001 Health and Safety at work
ISO 20000 IT Service
ISO 22000 Food Safety
ISO 22301 Business continuity
ISO 27001 Information Security
ISO 28000 Supply Chain Security
ISO 22301 Business Continuity Management Foundation
Day 2
Certified ISO 22301 Foundation Training
Section 9
Business continuity strategy
a. Strategy model for business continuity
b. Analysis and selection of the Strategy
c. Constraints affecting the Strategy choice
d. Comparison of the main BC strategy options
Requirements
ISO 22301, clause 8.3.1
8.3 Business continuity strategy
8.3.1 Determination and selection
Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment.
The organization shall determine an appropriate business continuity strategy for:
a) protecting prioritized activities;
b) stabilizing, continuing, resuming and recovering prioritized activities and their dependencies and supporting resources; and
c) mitigating, responding to and managing impacts.
The determination of strategy shall include approving prioritized time frames for the resumption of activities.
The organization shall conduct evaluations of the business continuity capabilities of suppliers.

Definition of the Strategy Model
• The objective of Strategy Selection is to assist in defining the action items needed to protect the organization and to select the most appropriate recovery solutions for critical business functions and supporting resources
• In the selection of a strategy, you must weigh the cost of being without the service at various points in time (the duration of the outage) against the cost of the solution. The objective is to minimize the total cost of the impact and the solution
Strategic Business Continuity Models
3 basic models
1. Active/Backup Model
This traditional BC model is based on an ‘active’ operating site with a corresponding backup site. This includes both data processing and operations. The model relies on relocating staff from the active to the backup site and maintaining backup copies of technology and data.
2. Active/Active (Split Operations) Model
This emerging BC model relies upon two or more widely separated (geographically) ‘active’ operational sites for Mission Critical Activities that inherently back up for one another.
3. Alternate Site Model
This BC model provides a variation of the ‘Active/Backup’ and ‘Active/Active’ models where a backup site periodically functions as the primary site for a period of time.
Analysis of the BC Strategy Options
Available BC strategies and the RTO they satisfy
[Figure: the ten BC strategies plotted with axes "Cost of strategy" and "Time of recovery"]
I. No Strategy
II. Rebuild and restoration
III. Cold site
IV. Mobile site
V. Reciprocal agreement
VI. Warm site
VII. Remote working
VIII. Relocation in other group facilities
IX. Hot site
X. Mirror site
I. No Strategy
Characteristics
• No strategy defined
• No documentation for business recovery and continuity
• Data are not sent off-site, and there is no alternate site identified
• Strategy used by organizations with high risk appetite or for a site with low criticality; can also be seen where a product has a limited life span
Advantages
• The least expensive strategy to implement
Disadvantages
• The most expensive strategy after a disaster…
II. Rebuild and Restoration
Characteristics
• Strategy focuses mainly on insurance
• Documentation of the material assets and facilities
• Data are not sent off-site, and there is no alternate site identified
• Strategy used by organizations with moderate risk appetite or for a site with low criticality
Advantages
• Low cost strategy and easy to implement
• Protection against the financial loss for physical assets
Disadvantages
• Strategy usually does not take into consideration the business processes and immaterial assets
• Strategy does not include a plan to ensure continuity of operation during a disaster
III. Cold Site
Characteristics
• Facility with electrical power, Heating Ventilation and Air Conditioning (HVAC)
• Ready for equipment but no computer hardware on site
• Communications links may or may not be ready
• Strategy used by organizations with moderate risk appetite or for a site with low criticality
Advantages
• Low cost
• Fast to implement
• Easy to maintain
Disadvantages
• False sense of security
• Length of time for recovery can be long depending on the complexity of the technology and equipment used by the organization
• Service provider may oversell processing capabilities
IV. Mobile Site
Characteristics
• Trailer that can be quickly transported to an alternate site
• Can be preconfigured with servers, desktop computers, communications equipment, microwave and satellite data links
• Useful alternative when there are no recovery facilities in the geographic area
Advantages
• Low cost
• Fast to implement
• Easy to maintain
• Flexibility
Disadvantages
• Capacity of the equipment can be insufficient for the need
V. Reciprocal Agreement
Characteristics
• Arrangement with another company with similar hardware or software configurations
• Agreement by both parties, assumes sufficient capacity in time of need (Big Assumption)
• Should only be considered if no other options, or perfect partner with compatible technology environment
Advantages
• Low or no cost
• If processing requirements are similar it may be workable
Disadvantages
• Highly unlikely the capacity will exist
• Severely limits responsiveness and support
VI. Warm Site
Characteristics
• Facility with electrical power, Heating Ventilation and Air Conditioning (HVAC) and communication link
• Workstations and printers are available but software may not be installed
• Strategy used by organizations with moderate or low risk appetite or for a site with low or medium criticality
Advantages
• Cost – much less than hot
• Location – since less control is required, sites can be more flexible
Disadvantages
• Service provider may oversell processing capabilities
VII. Remote Working
Characteristics
• Includes the concept of “working from home” and working from other noncorporate locations, e.g. hotels
• Strategy used by small organizations or for some business units
Advantages
• No cost
• Flexible solution
Disadvantages
• Due to security and confidentiality issues this option is not always suitable
• Difficult to coordinate for large organizations
VIII. Relocation in other group facilities
Characteristics
• In case of a disruptive incident of an organizational division, the relocation will be done in another facility of the same organization
• Strategy used by large organizations with several facilities
Advantages
• Cost can be low to medium
• Easy to implement
• In most cases, compatibility of the technology
• Quick response to activate
Disadvantages
• Does not have an assurance that the capacity will exist when needed
• Resource contention during disaster
IX. Hot Site
Characteristics
• Applications are installed on the servers and workstations
• Workstations and servers are kept up to date
• Strategy used by organizations with very low risk appetite or for a site with high criticality
Advantages
• 24/7 availability, exclusivity of use
• Immediately available
• Supports short and long term outages
Disadvantages
• Expensive
• Requires constant maintenance of hardware, software, data and applications
• Security of hot site, primary site security must be duplicated