Business Continuity Fundamental


PROTECT YOUR ASSETS!

Process Excellence and Resilience...


Creating Corporate Sustainability

MYSELF
Daman Dev Sood
Experience exceeding 27 years
Fellow of the BCS, Member of the BCI, Senior Member of IEEE, and Chair of Computer Society Chapter IEEE Delhi Section
Technical Expert and Assessor for BS 25999
Earlier associated with TCS, Xansa/Steria
Asia's first BCS Accredited Trainer for Green IT Workshop
Has authored the Green IT Maturity Model (copyright CORE)
Has delivered over 300 talks/workshops in national and international events on topics around Business Continuity Management, Sustainability and Green IT
BCI Merit Award (Global) Winner 2012
BC Manager of the Year Award Winner, 2009 in India
Email: d.sood@continuityandresilience.com

BUSINESS CONTINUITY MANAGEMENT SYSTEM

...Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity

ISO 22301, Clause 3.5


WHAT IS BUSINESS CONTINUITY MANAGEMENT?

...Holistic management process that identifies potential threats to an organisation and the impacts to the business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities

ISO 22301, Clause 3.4


WHAT'S IN THE NAME?

The name is "Societal security - Business continuity management systems - Requirements"

Societal security
No organisation operates in a vacuum
They operate within the context of society
Delivery of their products and services has ramifications far beyond their four walls

ISO 22301 is not just about business, it is about society


ISO 22301 - EVOLUTION

BS 25999 Part 1
BS 25999 Part 2
PAS 56
NFPA 1600
National Standards (Australia, New Zealand, Singapore, Japan, Canada)


ISO 22301: 2012


ISO 22313 : 2012

WHY IN PLURAL?

Business Continuity Management Systems
Because it's a suite of standards

ISO 22300:2012
Terminology

ISO 22301:2012
Business Continuity Management Systems -- Requirements

ISO/DIS 22311
Video-Surveillance Export Interoperability


SOCIETAL SECURITY: ISO 22300 SERIES

ISO/TR 22312:2011
Technological Capabilities

ISO 22313:2012
Business Continuity Management Systems -- Guidance

ISO/NP 22315
Mass Evacuation

ISO 22320:2011
Emergency Management -- Requirements for Incident Response


SOCIETAL SECURITY: ISO 22300 SERIES

ISO/CD 22322
Emergency Management -- Public Warning

ISO/WD 22323
Organizational Resilience Management Systems -- Requirements with Guidance for Use

ISO/NP 22324
Emergency Management -- Colour-Coded Alert

ISO/NP 22351
Emergency Management -- Shared Situation Awareness


SOCIETAL SECURITY: ISO 22300 SERIES

ISO/CD 22397
Public Private Partnership -- Guidelines to set up partnership

ISO/DIS 22398
Guidelines for Exercises and Testing

ISO/PAS 22399:2007
Guidelines for Incident Preparedness and Operational Continuity Management


SOCIETAL SECURITY: ISO 22300 SERIES


The Two Most Common Of The Lot

ISO 22301 : 2012

ISO 22313 : 2012


ISO 22301 - PURPOSE


This international standard for business continuity
management specifies requirements to
plan, establish, implement, operate, monitor,
review, maintain and continually improve a
documented management system to
protect against, reduce the likelihood of occurrence,
prepare for, respond to, and recover from
disruptive incidents when they arise.

PDCA CYCLE IN ISO 22301

[Figure: PDCA cycle for continual improvement of the Business Continuity Management System (BCMS). Input: interested parties and their requirements for business continuity. Stages: Plan (Establish), Do (Implement and Operate), Check (Monitor and Review), Act (Maintain and Improve). Output: interested parties and managed business continuity.]

ISO 22301 PDCA CYCLE


Clause 4, component of PLAN, introduces
requirements necessary to establish the context
of the BCMS as it applies to the organisation, as
well as needs, requirements and scope


ISO 22301 PDCA CYCLE


Clause 5, component of PLAN, summarises the
requirements specific to top management's role
in the BCMS, and how leadership articulates its
expectations to the organisation via a policy
statement


ISO 22301 PDCA CYCLE


Clause 6, component of PLAN, describes
requirements as they relate to establishing strategic
objectives and guiding principles for the BCMS as
a whole.


ISO 22301 PDCA CYCLE


Clause 7, component of PLAN, supports BCMS
operations as they relate to competence and
communication on a recurring/as-needed basis
with interested parties, while documenting,
controlling, maintaining and retaining required
documentation


ISO 22301 PDCA CYCLE


Clause 8, component of DO, defines business
continuity requirements, determines how to
address them and develops the procedures to
manage a disruptive incident


ISO 22301 PDCA CYCLE


Clause 9, component of CHECK, summarises
requirements necessary to measure business
continuity management performance, BCMS
compliance with ISO 22301 and management's
expectations, and seeks feedback from
management regarding expectations


ISO 22301 PDCA CYCLE


Clause 10, component of ACT, identifies and acts
on BCMS non-conformance through corrective
action


MAXIMUM FOCUS IS ON PLANNING PORTION

More than 50% (57 to be precise) of the clauses pertain
to the Plan portion


ISO 22301 KEY CLAUSES


ISO 22301 SOME DEFINITIONS


3.8 Business Impact Analysis
Process of analysing activities and the effect that a business disruption
might have upon them

3.9 Competence
Ability to apply knowledge and skills to achieve intended results

3.12 Correction
Action to eliminate a detected nonconformity

3.13 Corrective action
Action to eliminate the cause of a nonconformity and to prevent recurrence


ISO 22301 SOME DEFINITIONS


3.14 Document
Information and its supporting medium

3.15 Documented information
Information required to be controlled and maintained by an organisation and
the medium on which it is contained

3.16 Effectiveness
Extent to which planned activities are realised and planned results achieved

3.18 Exercise
Process to train for, assess, practice, and improve performance in an
organisation


ISO 22301 SOME DEFINITIONS


3.20 Infrastructure
System of facilities, equipment and services needed for the operation of an
organisation

3.21 Interested party
Person or organisation that can affect, be affected by, or perceive
themselves to be affected by a decision or activity

3.23 Invocation
Act of declaring that an organisation's business continuity arrangements
need to be put into effect in order to continue delivery of key products or services


ISO 22301 SOME DEFINITIONS


3.25 Maximum acceptable outage (MAO)
Time it would take for adverse impacts, which might arise as a result of not
providing product/ service or performing an activity, to become unacceptable

3.26 Maximum tolerable period of disruption (MTPD)
Time it would take for adverse impacts, which might arise as a result of not
providing product/ service or performing an activity, to become unacceptable


ISO 22301 SOME DEFINITIONS


3.28 Minimum business continuity objective (MBCO)
Minimum level of services and/ or products that is acceptable to the
organisation to achieve its business objectives during a disruption

3.30 Mutual aid agreement
Pre-arranged understanding between two or more entities to render
assistance to each other

3.35 Performance
Measurable result


ISO 22301 SOME DEFINITIONS


3.36 Performance evaluation
Process of determining measurable results

3.38 Policy
Intentions and direction of an organisation as formally expressed by its top
management

3.42 Prioritised activities
Activities to which priority must be given following an incident in order to
mitigate impacts

3.43 Record
Statement of results achieved or evidence of activities performed


ISO 22301 SOME DEFINITIONS


3.44 Recovery point objective
Point to which the information used by an activity must be restored to enable
the activity to operate on resumption

3.45 Recovery time objective
Period of time following an incident within which:
Product or service must be resumed, or
Activity must be resumed, or
Resources must be recovered

3.46 Requirement
Need or expectation stated, generally implied or obligatory


ISO 22301 SOME DEFINITIONS


3.47 Resources
All assets, people, skills, information, technology (including plant and
equipment), and suppliers and information (whether electronic or not) that an
organisation has to have available to use, when needed, in order to operate and
meet its objective

3.48 Risk
Effect of uncertainty on objectives

3.49 Risk appetite
Amount and type of risk that an organisation is willing to pursue or retain


ISO 22301 SOME DEFINITIONS


3.52 Testing
Procedure for evaluation; a means of determining the presence, quality or
veracity of something


DIVISION OF ACTIVITIES

Clause: Context of the organisation, Leadership, Planning, Support
PDCA Area: Plan
Key Activities: Program management, policy, templates, guidelines, framework
Responsibility: Top management, core BCM Team

Clause: Operation
PDCA Area: Do
Key Activities: Conducting BIA, Developing Plan, Testing Plan
Responsibility: Department Coordinators

Clause: Performance Evaluation
PDCA Area: Check
Key Activities: Verification
Responsibility: Core BCM Team

Clause: Improvement
PDCA Area: Act
Key Activities: Refine BCMS
Responsibility: Core BCM Team, Department Coordinators


FINAL THOUGHTS: MY MIND MAP ON PERFORMANCE EVALUATION



ISO 22301 SUMMARY


It is an international standard
It is auditable and certifiable
Has evolved through BS 25999
Is live now
Certifications have already started
BS 25999 will cease to exist
Migration / implementation planning must start now


Some Cases of Successful Implementation

Vodafone, UK - first in the UK
Needhams, UK - first in the UK
DISCO, Japan - first Japanese company
Fujitsu, Japan - first organization in the world
Bankinter, Spain - first financial institution in the world
Delhi International Airport (P) Ltd, India - first Airport in the world
Many more under migration
* As available in the public domain


BENEFITS OF CERTIFICATION
There is value in certification. While it works like an insurance policy, it provides:

Assurance of established continuity practices
Competitive edge
Enhanced stakeholders satisfaction (employees, customers)
Enhanced confidence of the investors and shareholders
Enhanced compliance (where applicable)
Maturity on Corporate Governance
Safety of assets (people, process/technology, building)


Global benchmarks

EXAMPLE
A successful BCMS Implementation


D.Sood@continuityandresilience.com
