How to transition to ISO 22301 How to transition to ISO 22301 . . . - PowerPoint PPT Presentation

How to transition to ISO 22301 How to transition to ISO 22301 . . . the new business continuity standard . . . the new business continuity standard Phil Willoughby Phil Willoughby ICT Technical Service Manager LRQA Limited

ISO 22301 and BS 25999 Comparison Societal security

Download LRQA’s presentation support pack • www.lrqa.co.uk/bsiconference • Pack includes: • Copy of the presentation slides • Online copy of the Needhams case study • Links to LRQA Training Courses

Agenda • Overview • Detailed review • Section 4 – understanding • Section 5 – leadership • Section 6 – planning • Section 7 – support • Section 8 – operation • Section 9 – performance • Section 10 – improvement.

Structural changes • Name change – Societal security – contributing to a resilient society • The new format is more consistent with other ISO management system standards (e.g. ISO 9001, ISO 14001), but retains the existing BC lifecycle • 105 ‘Shall’s’ compared PDCA comparison with the 56 of BS 25999 50 45 Count of requirements 40 • Some simplification, 35 30 BS25999 clarification or re-wording 25 ISO22301 20 and some new 15 10 requirements. 5 0 Plan Do Check Act

Change Categorisation • New requirements • Enhanced requirements • Clarification • Alignment to other Management system standards • Word changes not really affecting requirements.

Important terminology changes Gone New • Key • Prioritized • Critical • Establishing timeframe and recovery levels. • MTPoD • Preventive action

New Requirements Summary • Management Commitment • Business Continuity Objectives • Legal and regulatory requirements • Resource Planning • 3rd Party Management • Measures and Effectiveness • Formalisation of external and internal issues relevant to BCMS outcomes.

Enhanced requirements 5.2 Management commitment 5.3 Policy requirements 6.2 Business Continuity Objectives 7.1 Resources 7.2 Communications.

Section 4 - Understanding the organisation and its context • Focuses on external and internal issues relevant to its purpose and that affect its ability to achieve the expected outcomes of its BCMS • Increased documentation likely to be required, e.g. Supply chain information • Documented procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements . . . related to the continuity of its operations, products and services, as well as the interests of relevant interested parties.

Section 4 - Understanding the organisation and its context (continued…) • These requirements are taken into account in establishing, implementing and maintaining its BCMS • This information must be documented, updated and communicated to affected employees and other interested parties when requirements change • Define, document and explain any exclusions.

Section 5 - Leadership • Top management demonstrate Leadership • Compatibility of BCMS to company strategic direction • Integration, achievement of outcomes • Policy enhancements include: • Provide the framework for setting business continuity objectives, • Be communicated within the organization to all persons working for or on behalf of the organization within the scope of the BCMS This clarifies existing requirements and aligns it to the normal management system expectations (e.g. roles, responsibility & authority definition, resource determination and review).

Section 6 - Planning 6.1 Actions to address risks and opportunities • Replaces preventive action clause (6.1.2) • Improvement (6.2) This risk assessment is aimed at a corporate level risks (for which a BCMS is effective mitigation) rather than operational risks that might trigger a BCMS response.

Section 6 - Planning (continued…) 6.2 Business Continuity Objectives Requirements for objectives clarified • Link to policy • Consider acceptable minimum level of products and services • Be measurable • Take into account applicable requirements, and • Be monitored and updated as appropriate The plans to achieve these objectives must be defined.

Section 7 - Support New section covering • Resource requirements • Competence & awareness • Communication • Document and record control

7.1 Resource requirements • Clarifies the types of resources required to be considered • All resources under the organisation’s control to be identified together with associated competences • Resource requirements for the continuity strategies should be identified and could include: o People, information and data, buildings, work environment and associated utilities, facilities, equipment and consumables, information and communication technology (ICT) systems, transportation, finance, and partners and suppliers.

7.2 Competence 7.3 Awareness Competence requirements clarified • Includes full time and contract staff with BCMS roles and responsibilities – “under organisation’s control” • Removed reference to training needs analysis • Changed records to appropriate documentation.

7.4 Communication • Essentially now need to define What, When and Whom • Procedure(s) for o Internal communications o External communications with customers, partner entities, local community, media and IP’s o Processing communication from interested parties, o Ensuring communications availability during a disruptive incident, o Communications with appropriate authorities and interoperability of multiple responding organizations o Operating and testing of communications capabilities.

7.5 Document Control • Inline with other management systems standards • No longer a list of the required documents • Records are a special type of document • Need a process for . . rather than a procedure • Format is required information (e.g. language, software version, graphics) and media (e.g. paper, electronic)

Section 8 - Operational planning and control • Determine and manage processes needed to address BCMS risks and opportunities • Control planned changes • Take action on unintended effects • Control processes that are contracted-out or outsourced.

Section 8 - Operational planning and control (continued…) For this purpose “ management control ” of a process consists of: • Knowledge and control of inputs • Knowledge, use and interpretation of outputs • Definition, measurement and monitoring of related metrics • Definition, measurement and review of process improvements • SLA or contract in place o Defines service expectations o Defines procedures to follow • Regular reports or service reviews.

Section 8.2 Business Impact and Risk Assessment • Requires overview process linking BIA and RA • More detail on risk assessment and impact on BC objectives • Change of emphasis from incident response to business continuity strategy with associated need for resource planning • Further detail on response procedures in particular need for effective communication and preservation of life.

8.2.2 Business Impact Analysis Less prescriptive than 25999: • No MTPoD, No critical activities, No RTO • All activities are recovered but to a prioritised timeframe and a specified level taking into account the implications of missing the target timescale. • There is a general requirement to keep the information confidential from the BIA and RA • Contracted out work must be controlled rather than determined.

8.2.2 Business Impact Analysis (continued…) Still requires a documented process that: • a) Establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident • b) Takes into account legal and other requirements to which the organization subscribes, • c) Includes systematic analysis, prioritization of risk treatments, and their related costs, • d) Defines the required output from the business impact analysis and risk assessment, and

8.2.3 Risk Assessment • No significant changes but substantial rewording • ‘prioritized’ activities, indicates a BIA is completed before the risk assessment • Requirement now to treat identified risks using 3 types of proactive measures rather than identified treatments for all critical activities.

8.3 Business continuity strategy • Largely the same requirements to determine strategies to recover prioritized activities based on outputs from BIA and RA • Strategy includes approving prioritized activities and time frames for the resumption • Strategy includes conducting evaluations of the business continuity capabilities of suppliers.

8.4.2 Incident Response Largely the same as now but: • Using life safety as the first priority to decide whether to communicate externally.

8.4.4 Business Continuity Plans • Largely the same requirements, with a few items removed and some additions • All plans should be re-evaluated against the new requirements • Each plan shall define: o Purpose and scope, o Objectives, o Activation criteria and procedures, o Implementation procedures, o Roles, responsibilities, and authorities, o Communication requirements and procedures, o Internal and external interdependencies and interactions, o Resource requirements, and o Information flow and documentation processes.