ISO 22301 and its iteration with other standards and good practices

1
ATENÇÃO: O conteúdo desta apresentação é CONFIDENCIAL. Nada poderá ser divulgado por qualquer
forma ou meio, em qualquer tempo, sem a prévia autorização por escrito da STROHL Brasil.
Consultoria ı Ferramentas ı Capacitação
ISO 22301
And its iteration with other
standards and good practices
October21st,2015

2
Introductions
Sidney R. Modenesi
• Manager at STROHL Brasil;
• ISO 22301 BSI Technical
Expert, 2013;
• MBCI since 2006;
• Over 35 years experience in
DRP and BCM;
• Former ICT professional since
1977;
• International BCM trainer (ISO
22301, 22313 & others);
• BCI - Business Continuity
Institute forum leader in Brazil.
STROHL Brasil
• Brazilian company;
• 20+ years dedicated solely to
BCM;
• Solid and proved experience
in many different industries;
• Providing consultancy, training
and BCM software;
• Sungard Availability Service
Authorized Representative in
Brazil;
• PECB training partner.
222

3
Agenda
In today´s webinar we will cover briefly the
ISO 22301 evolution and the main iterations
between ISO 22301 with other relevant
standards and good practices.
NOTE: Potentially we may have iterations
with other ISO, BS and local standards or
good practices I may not be aware of.
3

4
BEFORE WE START
4

5
ISO 22301 Item 4.2.2
Legal and regulatory requirements
The organization shall establish, implement and
maintain a procedure(s) to identify, have access to, and
assess the applicable legal and regulatory requirements
to which the organization subscribes related to the
continuity of its operations, products and services, as
well as the interests of relevant interested parties.
We can use the same approach regarding new or
recently updated standards and good practices,
improving the efficiency of the BCMS and the
resiliency of the organization.
5

6
A BIT OF HISTORY …
6

7
A bit of history
7
At the
beginning
there was
darkness ...
September 11
Attacks - 2001
PAS 56 Guide to
business continuity
management
2003
BCI Good Practice
Guidelines
2002 2006 2007
BS 25999-1 Business
Continuity Management
Code of Practice
BS 25999-2 Specification
for Business Continuity
Management
PAS 77 IT Service
Continuity Management
Code of Practice
2008
BS 25777
IT Service Continuity
Management
2011
July 07, 2005
London bombings
Principles for the Sound
Management of
Operational Risk - BIS
2012
ISO 22301 Business
continuity management
systems. Requirements
2013
ISO 22313 Business
continuity management
systems. Guidance
ISO 27031
Guidelines for ICT readiness
for business continuity

8
THE 22300 FAMILY OF STANDARDS
8

9
The 22300 family of standards
 “ISO 22300:2012 - Societal security – Terminology”
 “ISO 22301:2012 - Societal security -- Business continuity management systems ---
Requirements”
 “ISO 22311:2012 - Societal security -- Video-surveillance -- Export interoperability”
 “ISO/TR 22312:2011 - Societal security -- Technological capabilities”
 “ISO 22313:2012 - Societal security -- Business continuity management systems – Guidance”
 “ISO 22315:2014 - Societal security -- Mass evacuation -- Guidelines for planning”
 “ISO/TS 22317:2015 - Societal security -- Business continuity management systems -- Guidelines
for business impact analysis (BIA)”
 “ISO/TS 22318:2015 - Societal security -- Business continuity management systems -- Guidelines
for supply chain continuity”
 “ISO 22320:2011 - Societal security -- Emergency management -- Requirements for incident
response”
 “ISO 22322:2015 - Societal security -- Emergency management -- Guidelines for public warning”
 “ISO 22324:2015 - Societal security -- Emergency management -- Guidelines for colour-coded
alerts”
 “ISO/TR 22351:2015 - Societal security -- Emergency management -- Message structure for
exchange of information”
 “ISO 22397:2014 - Societal security -- Guidelines for establishing partnering arrangements”
 “ISO 22398:2013 - Societal security -- Guidelines for exercises”
9

10
ISO 22301 - CHAPTER 0
INTRODUCTION
10

11
PDCA Model
0.1 General
…
Business continuity contributes to a more resilient
society. The wider community and the impact of the
organization’s environment on the organization and
therefore other organizations may need to be involved
in the recovery process.
“BS 65000:2014 Guidance on
organizational resilience”
11

12
PDCA Model
0.2 The Plan-Do-Check-Act (PDCA) model
This International Standard applies the “Plan-Do-Check-Act” (PDCA)
model to planning, establishing, implementing, operating, monitoring,
reviewing, maintaining and continually improving the effectiveness of an
organization’s BCMS.
This ensures a degree of consistency with other management systems
standards, such as “ISO 9001 Quality management systems”, “ISO 14001,
Environmental management systems”, “ISO/IEC 27001, Information
security management systems”, “ISO/IEC 20000-1, Information technology
— Service management”, and “ISO 28000, Specification for security
management systems for the supply chain”, thereby supporting consistent
and integrated implementation and operation with related management
systems.
As known as, by BSI, the High Level Structure.
12

13
PDCA Model
13

14
BIBLIOGRAPHY
14

15
Bibliography
• [1] ISO 9001, Quality management systems —
Requirements
• [2] ISO 14001, Environmental management systems —
Requirements with guidance for use
• [3] ISO 19011, Guidelines for auditing management systems
• [4] ISO/IEC 20000-1, Information Technology — Service
Management
• [5] ISO 22300, Societal security — Terminology
• [6] ISO/PAS 22399, Societal security — Guideline for
incident preparedness and operational continuity
management
• [7] ISO/IEC 24762, Information technology — Security
techniques — Guidelines for Information and
communications technology disaster recovery services
• [8] ISO/IEC 27001, Information Security Management
Systems
• [9] ISO/IEC 27031, Information technology — Security
techniques — Guidelines for information and communication
technology readiness for business continuity
• [10] ISO 31000, Risk Management — Principles and
Guidelines
• [11] ISO/IEC 31010, Risk management — Risk assessment
techniques
• [12] ISO/IEC Guide 73, Risk management — Vocabulary
• [13] BS 25999-1, Business continuity management — Code of
practice, British Standards Institution (BSI)
• [14] BS 25999-2, Business continuity management —
Specification, British Standards Institution (BSI)
• [15] SI 24001, Security and continuity management systems
— Requirements and guidance for use, Standards Institution
of Israel
• [16] NFPA 1600, Standard on disaster/emergency
management and business continuity programs, National Fire
Protection Association (USA)
• [17] Business Continuity Plan Drafting Guideline, Ministry
of Economy, Trade and Industry (Japan), 2005
• [18] Business Continuity Guideline, Central Disaster
Management Council, Cabinet Office, Government of Japan,
2005
• [19] ANSI/ASIS SPC.1, Organizational Resilience: Security,
Preparedness, and Continuity Managements
• [20] ANSI/ASIS/BSI BCM.01, Business Continuity
Management Systems: Requirements with Guidance for Use
15

16
CONTEXT OF THE ORGANIZATION
16

17
4.1 Understanding of the organization
and its context
…
The organization shall identify and document the following:
a) the organization’s activities, functions, services, products, partnerships, supply
chains, relationships with interested parties, and the potential impact related to a
disruptive incident;
 “ISO 9001:2015 Quality management systems – Requirements” requires that a
business unit be responsible to manage the organization´s businesses, “business
mapping”, through process mapping. This business mapping will be very helpful
when executing item 8.2.2 Business impact analysis.
b) links between the business continuity policy and the organization’s objectives and
other policies, including its overall risk management strategy; and
c) the organization’s risk appetite.
 There is a note in item 8.2.3 Risk Assessment saying this process could be made
in accordance with “ISO 31000 Risk management. Principles and guidelines”.
 “Review of the Principles for the Sound Management of Operational Risk”,
Bank for International Settlements, October 2014, Principle 10: Business
resilience and continuity as part of the Corporate Operational Risk. (www.bis.org)
17

18
Risk Management standards
• “ISO 31000:2009 Risk management -- Principles and
guidelines”
• “ISO/TR 31004:2013 Risk management -- Guidance
for the implementation of ISO 31000”
• “ISO Guide 73:2009 Risk management –
Vocabulary”
• “IEC 31010:2009 Risk management -- Risk
assessment techniques”
18

19
LEADERSHIP
19

20
5.3 Policy
Top management shall establish a business
continuity policy that
a) is appropriate to the purpose of the organization,
b) provides a framework for setting business continuity
objectives,
c) includes a commitment to satisfy applicable
requirements,
d) includes a commitment to continual
improvement of the BCMS.
“ISO 19600:2014 Compliance
management systems. Guidelines”
20

21
SUPPORT
21

22
7.4 Communication
The organization shall determine the need for internal
and external communications relevant to the BCMS
including
a) on what it will communicate,
b) when to communicate,
c) with whom to communicate.
“ISO 22320:2011 Societal security –
Emergency management -- Requirements
for incident response” - Annex B (normative)
Operational information process criteria
22

23
7.5.2 Creating and updating
When creating and updating documented
information, the organization shall ensure
appropriate
a) identification and description (e.g. a title, date,
author or reference number),
b) format (e.g. language, software version,
graphics) and media (e.g. paper, electronic), and
review and approval for suitability and adequacy.
 “ISO 9001:2015 Quality management systems.
Requirements”
23

24
OPERATION
24

25
8.2.2 Business impact analysis
The organization shall establish, implement, and maintain a
formal and documented evaluation process for determining
continuity and recovery priorities, objectives and targets. This
process shall include assessing the impacts of disrupting
activities that support the organization’s products and
services. (aka BIA)
 “ISO/TS 22317:2015 Societal security —
Business continuity management systems —
Guidelines for business impact analysis (BIA)”
 “BCI Good Practice Guidelines 2013”,
pages 52-63
25

26
8.2.3 Risk assessment
The organization shall establish, implement, and
maintain a formal documented risk assessment process
that systematically identifies, analyses, and evaluates
the risk of disruptive incidents to the organization.
NOTE This process could be made in accordance with
ISO 31000.
“ISO 31000:2009 Risk management — Principles
and guidelines”
Other organizations may use “COSO - Committee of
Sponsoring Organizations of the Treadway
Commission” to manage their corporate risks.
26

27
Risks can be classified in 5 main groups:
1. Information and Communication Technology;
2. Information security;
3. Facilities or premises;
4. Supply chain;
5. Human assets.
Requiring controls and/or managed systems to
mitigate any of these risks.
27

28
Information and Communication Technology
“ISO/IEC 20000 Information technology — Service
management” family;
“ITIL - Information Technology Infrastructure Library”
“COBIT® - Control Objectives for Information and
related Technology”
28

29
Information Security
“ISO/IEC 27001:2013 - Information technology --
Security techniques -- Information security
management systems – Requirements”;
Security techniques -- Code of practice for
information security controls”;
Security techniques -- Guidance on the integrated
implementation of ISO/IEC 27001 and ISO/IEC
20000-1”
29

30
Facilities or premises
ISO 14000 family of standards;
“ISO 14001:2015 – Environmental
management systems – Requirements
with guidance for use”;
There are many other standards
related to facilities and
infrastructure issues.
30

31
Supply chain
ISO 28000 family of standards;
“ISO 28001:2007 - Security management systems for
the supply chain”;
“ISO/TS 22318:2015 - Societal security --
Business continuity management systems --
Guidelines for supply chain continuity”
“PAS 7000:2014 - Supply chain risk
management. Supplier prequalification”
31

32
Human assets
“BS OHSAS 18001:2007. Occupational health and
safety management systems. Requirements”
“BS OHSAS 18002:2008. Occupational health and
safety management systems. Guidelines for the
implementation of OHSAS 18001:2007”
32

33
8.4.2 Incident response structure
8.4.3 Warning and communication
• 8.4.2 The organization shall establish, document, and implement
procedures and a management structure to respond to a disruptive incident
using personnel with the necessary responsibility, authority and
competence to manage an incident …
• 8.4.3 The organization shall establish, implement and maintain procedures
for a) detecting an incident, b) regular monitoring of an incident …
 “ISO 22320:2011 - Societal security -- Emergency management --
Requirements for incident response”
Guidelines for public warning”
Guidelines for colour-coded alerts”
 “ISO/TR 22351:2015 - Societal security -- Emergency management --
Message structure for exchange of information”
33

34
8.4.4 Business continuity plans
The organization shall establish documented
procedures for responding to a disruptive incident
and how it will continue or recover its activities
within a predetermined timeframe. Such
procedures shall address the requirements of those
who will use them.
 “ISO 9001:2015 Quality management systems.
Requirements”
34

35
8.5 Exercising and testing
The organization shall exercise and test its
business continuity procedures to ensure that they
are consistent with its business continuity
objectives.
The organization shall conduct exercises and tests
that …
 “ISO 22398:2013 - Societal security --
Guidelines for exercises”
35

36
PERFORMANCE EVALUATION
36

37
9.2 Internal audit
The organization shall conduct internal audits at
planned intervals to provide information on whether
the business continuity management system …
“ISO 19011:2011 – Guidelines
for auditing management systems”
“ISO 19600:2014 - Compliance
management systems. Guidelines”
37

38
OTHER RELEVANT
DOCUMENTATION
38

39
Other relevant documentation
“ISO 21500:2012 - Guidance on project
management”;
“PMM - Project Management Methodology”;
“NFPA 1600: STANDARD ON
DISASTER/EMERGENCY MANAGEMENT AND
BUSINESS CONTINUITY PROGRAMS”;
“Six Sigma”;
“TOGAF - The Open Group Architecture
Framework”.
39

40
CLOSING
40

41
Closing
ISO 22301/22313
standards
implementation can be
highly improved with the
utilization and integration
of other management
systems, standards and
good practices
increasing, consequently,
the management and the
resilience of the
organizations.
41

42
• ISO standards can be purchased at the ISO Store -
www.iso.org/iso/home/store.htm or through the ISO
representative in your country
• BS standards can be purchased at the BSI Shop -
shop.bsigroup.com/
• The BCI Good Practice Guidelines can be purchased at
www.thebci.org/index.php/resources/the-good-practice-
guidelines
• NFPA 1600 can be downloaded at http://www.nfpa.org/codes-
and-standards/document-information-
pages?mode=code&code=1600
42

43
Questions
Sidney R. Modenesi, MBCI
Sidney_modenesi@strohlbrasil.com.br
+55 11 5583-0033
Skypeid sidneymd-strohl
Thank you, very much for your attendance.
43

44
forma ou meio, em qualquer tempo, sem a prévia autorização por escrito da STROHL Brasil.Consultoria ı Ferramentas ı Capacitação
Contatos:
Tel. 11 5583-0033
contingencia@strohlbrasil.com.br
www.strohlbrasil.com.br
44

ISO 22301 and its iteration with other standards and good practices

Recomendados

Recomendados

Mais conteúdo relacionado

Destaque

Destaque (15)

Semelhante a ISO 22301 and its iteration with other standards and good practices

Semelhante a ISO 22301 and its iteration with other standards and good practices (20)

Mais de Sidney Modenesi, MBCI

Mais de Sidney Modenesi, MBCI (20)

ISO 22301 and its iteration with other standards and good practices