Professional Documents
Culture Documents
Presentation2ISO 22301 BCM
Presentation2ISO 22301 BCM
Presentation2ISO 22301 BCM
• ISO
• Business continuity
• Importance of formalized business continuity
management system
• ISO 22301
• Principles and requirements of ISO 22301 2019
WHAT IS ISO?
Acronorm for the International Organization for
Standardization
Democratic.
Voluntary
ISO itself does not regulate or legislate.
Market-driven
Consensus
ISO standards retain their position as the state of the art.
Globally relevant
ISO standards are technical agreements which provide
the framework for compatible technology worldwide. They
are designed to be globally relevant - useful everywhere
in the world.
ISO standards are useful everywhere in the world.
What is business continuity and why is it important?
• Business continuity is an organization's ability to maintain
essential functions during and after a disaster has occurred.
Business continuity planning establishes risk management
processes and procedures that aim to prevent interruptions to
mission-critical services, and reestablish full function to the
organization as quickly and smoothly as possible.
• The most basic business continuity requirement is to keep
essential functions up and running during a disaster and to
recover with as little downtime as possible. A
business continuity plan considers various unpredictable events,
such as natural disasters, fires, disease outbreaks, cyberattacks
and other external threats.
What is business continuity and why is it important?
Background
Contributors
..
I I
4
Publication Timeline…
Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q3
2013
2011 2011 2011 2011 2012 2012 2012 2012 2019
ISO22301
0 Introduction 4 Context of the organisation
5 Leadership
1 Scope
6 Planning
7 Support
2 Normative References
-Guide 73: Risk mgmt. vocab.
-ISO 22300 Terminology 8 Operation
*
9 Performance
Evaluation
3 Terms and
Definitions
10 Improvement
10
Vl
IMaximum acceptable t i
c
0 I
me
I
I
I
2. Shortened disruption
4 -
0
Time
Fig ure 2 - I l lustrat ion of BCM being effectiv e for sudden disruption
13
Benefit of BCM -gradual
disruption
3
I I
ime
! Maximum acceptable t
ime
0
..... -- ,-----------+-----:- --I +---
\ I
ro
.!.....
w ----------------
' \ I I
c.. \ 2. Shortened disruption /
0
41- -- - Controlled
" - - - - - , ' \
\ I
I I
I
0 response \
I I
Recowe ry with ./
w rI --··-BCM-----------l-------
> -----------------------\'\ , : M inimum
i-•----------------responding
--------- - - ..- -,......
' 1. Mitigating, . .
.. . ------------------,acceptab
. . I
le
w ·-------- '' to and managing impacts ,,... level of
' i
.....J ' , I, , · operat ions
I
J'
'------------- 1 / i Recovery without
\ I
o I
BCM
Time
Figure 3 - Ulustrat ion of BCM being effective for gradua l disruption (e.g.
approach in g pandemic}
9
BS25999
3 Planning the BCMS
4 Context of the organisation -Scope, Objectives, Policy
-Resources
5 Leadership -Competency
-Embedding
6 Planning -Documentation
7.2 Competence
• The organisation (generally acknowledged to be through its
7. Support
Top Management) has a responsibility to ensure that sufficient
and appropriate resource is available for the BCMS.
Appropriateness is often determined through competency
analysis
• It is people who take action when an incident occurs
– Competence relates both to operating the BCMS AND
to performing following an incident
– Note also 7.3 d) – everyone has to be aware of their role during
disruptive incidents
7.3 Awareness
Persons doing work under the organization's control shall
be aware of:
• a) the business continuity policy;
• b) their contribution to the effectiveness of the BCMS,
including the benefits of improved business continuity
performance;
• c) the implications of not conforming with the BCMS
requirements;
• d) their own role and responsibilities before, during and
after disruptions.
7.4 Communication
The organization shall determine the internal and external
communications relevant to the BCMS including:
• a) on what it will communicate;
• b) when to communicate;
• c) with whom to communicate;
• d) how to communicate;
• e) who will communicate.
19
7.5.1 General
• The organization's BCMS shall include:
• a) documented information required by this
document;
• b) documented information determined by the
organization as being necessary for the
effectiveness of the BCMS.
7.5.2 Creating and updating
When creating and updating documented
information, the organization shall ensure
appropriate:
• a) identification and description (e.g. a title,
date, author or reference number);
• b) format (e.g. language, software version,
graphics) and media (e.g. paper, electronic),
• c) review and approval for suitability and
adequacy
7.5.3 Control of documented information
Performance Evaluation…