BSI introducing ISO 22301
BACKGROUND How ISO 22301 was formed
Contributors
Context
• Source documents included
– BS25999-2
– NFPA 1600
– ASIS OR standard
– Singapore standards
– ISO 27031
– ISO Guide 73
– ISO/PAS 22399
• So ISO 22301 is not simply an international version of BS25999
Context
• Move towards standardization of management systems headings and text
– Was in development as we were writing
– Only now coming to agreement around ISO Guide 83
– Rules on how to apply this were not always clear and seemed to change
• Hence our interpretation may differ in detail from others like ISO 27001
Context
• ISO 22301 is the requirements document
• ISO 22313 is the guidance document that accompanies this
– It was originally planned to publish these together but in practicality 22301 has run ahead of the guidance
– It is aligned to 22301; clearly BS25999-1 was not
• ISO 22313 should be published early next year
– Currently at DIS
ISO 22301 Key points
Standardized structure
• Sections 1-3 are as per usual (scope, normative references, terms and definitions)
• Sections 4-7 and 9-10 are ISO standardized management systems headings and text
• We were permitted to add text to these sections where necessary
• Section 8 is the heart of the BCM discipline
• Note that 8.1 is standardized text!
Legal and regulatory requirements
• 4.2.2 covers this area in 3 paragraphs
• However there is a danger of making this unreasonably onerous
• BS25999 did not cover in such explicit detail
• BCI document assists in identifying these (LRSG.PDF available from BCI web site)
• BS25999 was assuming a UK context, e.g. CCA and so on
• ISO cannot make such assumptions and so is far more explicit
7 Support
• It is people who take action when an incident occurs
• 7.2 Competence
– Recognized weakness area for BS25999
– Wording slightly different but still key
• Competence relates both to those implementing and operating the BCMS AND to those performing following an incident
• Note also 7.3 d) – everyone has to be aware of their role during disruptive incidents
7 Support
"The organization shall establish, implement, and maintain procedure(s) for
— internal communication amongst interested parties and employees within the organization,
— external communication with customers, partner entities, local community, and other interested parties, including the media,
— receiving, documenting, and responding to communication from interested parties,
— adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate,
— ensuring availability of the means of communication during a disruptive incident,
— facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and
— operating and testing of communications capabilities intended for use during disruption of normal communications."
• 7.4 includes additional text
• Interested parties – not stakeholders
• New and specific compared to BS25999
Context
Hurricanes, tsunami, earthquake, flood and so on may all have national or regional warning systems. This places an obligation on you to make sure that you get these messages and act upon them in a timely manner.
Context
You may need to talk to these chaps (may be fire, police, ambulance for instance), so you need to show how you are going to do this.
Preparing for communicating in an incident
• Much more explicit in requiring that you think about this in the context of how communications are disrupted by incidents
– E.g. mobile networks get swamped, telecommunications damaged by earthquakes
• NOTE: There are no foolproof perfect answers to these issues. Organizations can only take the steps that are reasonable for them – quite clearly what is required of the Police is not the same as what is required of a small business – but both must show that they have done this
• NOTE: 8.4.3 returns to this area
8 Operation
• This is the main area where business continuity is addressed
• Like BS25999
• BC practitioners should recognise these steps
• The old BCM Lifecycle is encapsulated here
– BIA/RA
– Strategy
– Implementing solutions
– Exercising
Strategy
"The organization shall conduct evaluations of the business continuity capabilities of suppliers."
• A one liner that appears in 8.3.1 with a wealth of meaning
• Not ALL suppliers please note – remember that this relates to the output from the BIA and RA
• So they will need to show how they determine which suppliers to look at (if any) and how they do this
8.4 Establish and implement business continuity procedures
"The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis.
The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident.
The procedures shall
a) establish an appropriate internal and external communications protocol,
b) be specific regarding the immediate steps that are to be taken during a disruption,
c) be flexible to respond to unanticipated threats and changing internal and external conditions,
d) focus on the impact of events that could potentially disrupt operations,
e) be developed based on stated assumptions and an analysis of interdependencies, and
f) be effective in minimizing consequences through implementation of appropriate mitigation strategies."
• Key area
• All based on BIA and recovery objectives
• We tried to move away from talking about plans – limited success!
• 8.4.1 a good summary (my highlighting)
Incident Response Structure
• 8.4.2 broadly equivalent to 4.3.2 in BS25999
• External communications a specific requirement. Think about Buncefield or similar – they should warn the public and life safety is explicitly mentioned. In which case, how do they do this? (E.g. a siren?)
Warning and Communication
a) detect incident
b) monitor incident
c) internal communications
d) regional advisories
e) assure availability of communications
f) communicate with emergency responders
g) record vital information
• ISO 22301 contains a specific requirement on warning and communication in 8.4.3
• Differs from BS25999-2
Warning and Communication
• Additionally consider:
a) alerting interested parties potentially impacted by an actual or impending disruptive incident;
b) assuring the interoperability of multiple responding organizations and personnel;
c) operation of a communications facility
Warning and Communication
• You must also exercise these arrangements regularly
8.4.4 Business continuity plans
• Less prescriptive than BS25999 but covers very much the same ground
• Note my earlier comment that people take action – plans are there to support them when they are not thinking straight; they are not a manual of how to run the business nor are they a response to every possible risk
8.4.5 Recovery
• In BS25999-1 we talked about 3 phases, the last of these being a “return to normal”
• This never became a part of BS25999-2
– Viewed as “too difficult” to define
• As ISO 22301 was being developed, a PD was being written in the UK on this very topic so we had a marker in the draft to use this as input
• That never came to fruition for various reasons
• We discussed taking this section out but it actually received a lot of international support to keep it in
Recovery
"The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident."
• These might be very specific for some organizations but could be pretty general in other cases
• This is a new area
• Clearly, thinking through how you get the business running normally once the initial invocation has been completed is important!
– E.g. I invoke my contract with ICM/IBM/SunGard – what happens after the contracted period is completed?
8.5 Exercising and testing
• Covers pretty much the same ground as BS25999-2
• Note that it talks about exercises and tests
• These are different and complementary
– Tests have a defined outcome which you achieve or don’t (pass/fail)
– Exercises are more nuanced and will probably include elements of training and awareness building
– So my generator either works or it doesn’t, but an exercise of the CMT will always produce learning points
• Expect to see a programme – the point is that over time these should provide objective assurance that the arrangements made will work as anticipated and when required: so does the programme really do this?
Section 9
• Performance evaluation is also a new requirement
• How do you know if the BCMS is doing what it should unless you have some metrics?
– E.g. I have 20 plans and they are all up to date
– But beware of metrics too focussed on documents and not enough on competent people and teams who are ready to perform when needed
• Note: Management review includes additional material to the standard text
BENEFITS
Recommend
More recommend