bc2013_day1_muhammadghazali-kbcc-2013-iso-22310-v1


"ISO 22301, the First Ever ISO Standard for BCM." Societal Security – Business Continuity Management Systems

Muhammad Ghazali, MBCI – Head of BCM Service, Protiviti Member Firm Kuwait; Forum Leader, The BCI Kuwait Forum


What's In A Name? Addition of "Societal Security" to "Business Continuity".

› "Societal Security" recognizes that no organization operates in a vacuum.

› Organizations operate within the context of society, through customers, partners, suppliers, local, regional, national and foreign governments, and more.

› This change in title is a significant shift between BS 25999-2 and ISO 22301: it makes explicit that business continuity is about society.


Why an ISO Standard for Business Continuity?

› Finally a global standard for Business Continuity Management which speaks the same language across borders

› Auditable specification to validate effectiveness

› Clearer expectations from the organization's management

› First standard developed on Guide 83, which is the new roadmap for standard developers. All ISO management system standards will follow the same structure in the new versions to come.

› Makes leadership accountable for inculcating competence, not only awareness.

› Organizations can offer their customers and clients greater assurance of continuity following any disruption


ISO 22301 vs. BS 25999

› Larger canvas for BCMS: expansion in the canvas from Organizational BCMS to Societal Security – BCMS

› Clearer expectation from Top Management: leadership participation is required. Top Management leadership shall be more demonstrable and active.

› More careful planning and preparation of resources

› Preventive action has been replaced with "actions to address risks and opportunities"

› Resilient organizations


Overall Structure (clauses of ISO 22301)

4 Context of Organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance Evaluation
10 Improvement


Mapping with PDCA Cycle

Plan: 4 Context of Organization, 5 Leadership, 6 Planning, 7 Support
Do: 8 Operation
Check: 9 Performance Evaluation
Act: 10 Improvement


Areas of ISO 22301

Context of the Organization:
› Understand the Org and its Context
› Expectation of Interested Parties
› Legal and Regulatory
› Scope of Management Systems
› BCMS

Leadership:
› Management Commitment
› BC Policy
› Roles and Responsibilities

Planning:
› Actions to address Risk and Opportunity
› BC Objective

Support:
› Resource
› Competence
› Awareness
› Communication
› Documented Information

Operations:
› Operation and Planning Control
› BIA and RA
› BC Strategy
› Establish and Implement BCM
› Exercise and Testing

Performance and Evaluation:
› Monitoring and Measurement analysis
› Internal audit
› Management review

Improvement:
› Nonconformity and Corrective Action
› Continual Improvement


4 Context of Organization

› Understanding the organization and its environment is an essential step, e.g. culture, people, mix of nationalities.

› Micro environment, e.g. customers, suppliers, partners, contractors, distributors and arbitrators

› Macro environment, e.g. social, political, economic, ethics of trade, local regulators, environmental considerations

› The parts of the organization to be included in the BCMS shall be identified. Any exclusions shall not affect the organization's ability to provide continuity of its services and operations.

Context diagram (interested parties around the organization): People, Customers, Media, Competitors, Industry, Unions, Suppliers, Neighbors, Owners, Insurers, Employee Unions, Staff Dependents, Concerned Agencies, Government, Technology, Regulators, Contractors, Shareholders, Investors, Recovery Service Providers, Leasers.

Internal roles in the diagram: Top Management (responsible for establishing the framework); Management (owners of Business Continuity); Incident Response Team; Media Communicator; Response Team; Rest of the Organization.


5 Leadership

Setting the BC Policy; roles, responsibilities and authorities:

• Ensuring that the policies and objectives of the BCMS are compatible with the strategic direction of the organization

• Requires top management to assign responsibility for the establishment, implementation and monitoring of the BCMS

• Ensuring the integration of the BCMS with the organization's business processes

• Communication of the BCMS vision across the organization

Continual support to the BCMS:

• Ensuring that continual support is available to the BCMS once it is implemented


6 Planning

Addition in ISO 22301 which requires:

› This clause requires the organization to clearly define the business continuity objectives and to have plans (projects) to achieve them.

› The risks and opportunities that need to be addressed to ensure that the BCMS can achieve its intended outcome

› Identification of the individual responsible for delivering those objectives


7

7 Support

Addition in ISO 22301 which requires:

› An organization to ensure persons are competent on the basis of education, training and experience.

› Organization-wide awareness of the BCM Policy and understanding of the effectiveness of the BCMS

› Sets out requirements for receiving and responding to communications from interested parties, through an integrated warning system


8 Operation

› Documentation of Business Continuity Plans

› Requires the organization to ensure processes to manage the BCMS

› Establish and implement business continuity procedures

› Conduct Business Impact Analysis, with MTPD, RTO and RPO

› Identification of risks that could impact the prioritized activities

› Exercise and testing of the BCMS on appropriate scenarios for continual improvement


9 Performance Evaluation

Yet another addition in ISO 22301 which requires:

› Internal Audit and Management Review continue to be the key methods of reviewing performance of the BCMS

› Monitoring, measurement, analysis and evaluation to ensure that appropriate metrics are in place and implemented

› Communicate the results of [the] management review to relevant interested parties and take appropriate action


10 Improvement

› Key element of Deming's approach to quality management

› Continual improvement is based on the Japanese philosophy of Kaizen, meaning "change for the better"

› ISO 22301 requires that the organization shall also 'evaluate the need for action to eliminate the causes of the nonconformity', by:

  › Cause of nonconformity
  › Need of improvement
  › Making change in the BCMS
  › Making change in business processes (if required)


Key Procedures and Processes Required (clause – procedure/process)

4.2.2 – Legal and regulatory requirement
7.4 – Communication Procedure
8.4.1 – Documented Procedure for managing a disruptive incident
8.4.2 – Documented Procedure for response to a disruptive incident
8.4.3 – Warning and Communication procedure
8.4.4 – Documented Procedure for BC Plans
8.4.5 – Documented Procedure for recovery to business as usual
9.1.1 – Monitoring performance Procedure
9.2 – Internal Audit Procedure
8.1 – Risk Control Process
8.2.1, 8.2.2, 8.2.3 – BIA, Risk Assessment: Documented Process
8.4.4 – BCM Activation Process


Path for Certification

The usual path for an organization that wishes to be certified against ISO 22301 is the following:

1. Implementation of the management system
2. Internal audit and review by top management
3. Selection of the certification body (registrar)
4. Pre-assessment audit (optional)
5. Stage 1 audit for conformity of design
6. Stage 2 audit to evaluate whether the declared management system conforms to all requirements of the standard, is actually being implemented in the organization and can support the organization in achieving its objectives
8. Follow-up audit (optional) in the case of non-conformities that require additional
9. Confirmation of registration after compliance to the requirements
10. Continual improvement and surveillance audits after certification


Conclusion

• ISO 22301 is an important next step in the evolution of international standards for business continuity

• ISO 22313, "Guidance to Creating a Business Continuity Management System", is under ISO development and is anticipated before the end of 2012.

• Organizations of every size can implement the ISO 22301 framework to help them achieve a level of maturity within their continuity planning process.

• So far, the most comprehensive certifiable document for Business Continuity Management


Questions and Answers!

