ISO 22301 BACKGROUND – How ISO 22301 was formed (PowerPoint PPT Presentation)



SLIDE 1

BSI introducing ISO 22301

SLIDE 2

BACKGROUND

How ISO 22301 was formed

SLIDE 3

Contributors

SLIDE 4

Context

  • Source documents included
    – BS25999-2
    – NFPA 1600
    – ASIS OR standard
    – Singapore standards
    – ISO 27031
    – ISO Guide 73
    – ISO/PAS 22399
  • So ISO 22301 is not simply an international version of BS25999

SLIDE 5

Context

  • Move towards standardization of management systems headings and text
    – Was in development as we were writing
    – Only now coming to agreement around ISO Guide 83
    – Rules on how to apply this were not always clear and seemed to change
  • Hence our interpretation may differ in detail from others like ISO 27001

SLIDE 6

Context

  • ISO 22301 is the requirements document
  • ISO 22313 is the guidance document that accompanies this
    – It was originally planned to publish these together, but in practice 22301 has run ahead of the guidance
    – It is aligned to 22301; clearly BS25999-1 was not
  • ISO 22313 should be published early next year
    – Currently at DIS

SLIDE 7

ISO 22301

Key points

SLIDE 8

SLIDE 9

Standardized structure

  • Sections 1-3 are as per usual (scope, normative references, terms and definitions)
  • Sections 4-7 and 9-10 are ISO standardized management systems headings and text
  • We were permitted to add text to these sections where necessary
  • Section 8 is the heart of the BCM discipline
  • Note that 8.1 is standardized text!
SLIDE 10

Legal and regulatory requirements

  • 4.2.2 covers this area in 3 paragraphs
  • BS25999 did not cover it in such explicit detail
  • BS25999 was assuming a UK context, e.g. CCA and so on
  • ISO cannot make such assumptions and so is far more explicit
  • However there is a danger of making this unreasonably onerous
  • BCI document assists in identifying these (LRSG.PDF available from BCI web site)

SLIDE 11

7 Support

  • 7.2 Competence
    – Recognized weakness for those implementing BS25999
    – Wording slightly different but still key area
  • It is people who take action when an incident occurs
  • Competence relates both to operating the BCMS AND to performing following an incident
  • Note also 7.3 d) – everyone has to be aware of their role during disruptive incidents

SLIDE 12

7 Support

The organization shall establish, implement, and maintain procedure(s) for
  — internal communication amongst interested parties and employees within the organization,
  — external communication with customers, partner entities, local community, and other interested parties, including the media,
  — receiving, documenting, and responding to communication from interested parties,
  — adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate,
  — ensuring availability of the means of communication during a disruptive incident,
  — facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and
  — operating and testing of communications capabilities intended for use during disruption of normal communications.

  • 7.4 includes additional text
  • Interested parties – not stakeholders
  • New and specific compared to BS25999

SLIDE 13

Context

Hurricanes, Tsunami, Earthquake, Flood and so on may all have national or regional warning systems.

This places an obligation on you to make sure that you get these messages and act upon them in a timely manner.

SLIDE 14

Context

You may need to talk to these chaps, so you need to show how you are going to do this. May be fire, police, ambulance for instance.

SLIDE 15

Preparing for communicating in an incident

  • Much more explicit in requiring that you think about this in the context of how communications are disrupted by incidents
    – E.g. mobile networks get swamped, telecommunications damaged by earthquakes
  • NOTE: There are no foolproof perfect answers to these issues. Organizations can only take the steps that are reasonable for them – quite clearly what is required of the Police is not the same as what is required of a small business – but both must show that they have done this
  • NOTE: 8.4.3 returns to this area
SLIDE 16

8 Operation

  • This is the main area where business continuity is addressed
  • The old BCM Lifecycle is encapsulated here
    – BIA/RA
    – Strategy
    – Implementing solutions
    – Exercising
  • BC practitioners should recognise these steps
  • Like BS25999
SLIDE 17

Strategy

The organization shall conduct evaluations of the business continuity capabilities of suppliers.

  • A one liner that appears in 8.3.1 with a wealth of meaning
  • Not ALL suppliers please note – remember that this relates to the output from the BIA and RA
  • So they will need to show how they determine which suppliers to look at (if any) and how they do this

SLIDE 18

8.4 Establish and implement business continuity procedures

  • Key area
  • All based on BIA and recovery objectives
  • We tried to move away from talking about plans – limited success!
  • 8.4.1 a good summary (my highlighting)

The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis. The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident. The procedures shall
  a) establish an appropriate internal and external communications protocol,
  b) be specific regarding the immediate steps that are to be taken during a disruption,
  c) be flexible to respond to unanticipated threats and changing internal and external conditions,
  d) focus on the impact of events that could potentially disrupt operations,
  e) be developed based on stated assumptions and an analysis of interdependencies, and
  f) be effective in minimizing consequences through implementation of appropriate mitigation strategies.

SLIDE 19

Incident Response Structure

  • 8.4.2 broadly equivalent to 4.3.2 in BS25999
  • External communications a specific requirement. Think about Buncefield or similar – they should warn the public, and life safety is explicitly mentioned. In which case, how do they do this? (E.g. a siren?)

SLIDE 20

Warning and Communication

  • ISO 22301 contains a specific requirement on warning and communication in 8.4.3
  • Differs from BS25999-2
    a) detect incident
    b) monitor incident
    c) internal communications
    d) regional advisories
    e) assure availability of communications
    f) communicate with emergency responders
    g) record vital information

SLIDE 21

Warning and Communication

  • Additionally consider:
    a) alerting interested parties potentially impacted by an actual or impending disruptive incident;
    b) assuring the interoperability of multiple responding organizations and personnel;
    c) operation of a communications facility
SLIDE 22

Warning and Communication

  • You must also exercise these arrangements regularly

SLIDE 23

8.4.4 Business continuity plans

  • Less prescriptive than BS25999 but covers very much the same ground
  • Note my earlier comment that people take action – plans are there to support them when they are not thinking straight; they are not a manual of how to run the business nor are they a response to every possible risk

SLIDE 24

8.4.5 Recovery

  • In BS25999-1 we talked about 3 phases, the last of these being a “return to normal”
  • This never became a part of BS25999-2
    – Viewed as “too difficult” to define
  • As ISO 22301 was being developed, a PD was being written in the UK on this very topic, so we had a marker in the draft to use this as input
  • That never came to fruition for various reasons
  • We discussed taking this section out but it actually received a lot of international support to keep it in

SLIDE 25

Recovery

The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.

  • These might be very specific for some organizations but could be pretty general in other cases
  • This is a new area
  • Clearly, thinking through how you get the business running normally once the initial invocation has been completed is important!
    – E.g. I invoke my contract with ICM/IBM/SunGard – what happens after the contracted period is completed?

SLIDE 26

8.5 Exercising and testing

  • Covers pretty much the same ground as BS25999-2
  • Note that it talks about exercises and tests
  • These are different and complementary
    – Tests have a defined outcome which you achieve or don’t (pass/fail)
    – Exercises are more nuanced and will probably include elements of training and awareness building
    – So my generator either works or it doesn’t, but an exercise of the CMT will always produce learning points
  • Expect to see a programme – the point is that over time these should provide objective assurance that the arrangements made will work as anticipated and when required: so does the programme really do this?

SLIDE 27

Section 9

  • Performance evaluation is also a new requirement
  • How do you know if the BCMS is doing what it should unless you have some metrics?
    – E.g. I have 20 plans and they are all up to date
    – But beware of metrics too focussed on documents and not enough on competent people and teams who are ready to perform when needed
  • Note: Management review includes additional material to the standard text

SLIDE 28

BENEFITS

SLIDE 29

Benefits

  • Demonstrable good practice to
    – Top management
    – Internal and External auditors
    – Customers
    – Other interested parties, including staff, shareholders, regulators
  • Possible to achieve accredited certification
  • Management systems approach like other similar disciplines
    – Opportunity to integrate with other management systems
    – Easier to learn for new professionals
    – Removes old dichotomies of programme v project v ongoing task
  • Adoption by your suppliers affords some assurance
  • International Standard
    – Replaces many national standards
    – Introduces recognized standard where none previously existed
    – Spreads good practice business continuity worldwide
    – Carries the business continuity message to new organizations and jurisdictions

SLIDE 30

How to prepare

  • Read the standard
    – I mean really read the standard
    – This means every word
  • Go through it and compare it to what you currently do and ask yourself:
    – Can we really satisfy this requirement?
    – How do I show evidence that we do?
    – If you don’t, why not?
      • Are there institutional obstructions?
      • Resource constraints?
    – Develop a gap analysis and plan how to address these

SLIDE 31

Dave Austin
Project Team Leader, TC223 WG4
Director of Operational Resilience Ltd.