Business Continuity and ISO 22301
April 2018

Protect ● Comply ● Thrive

IT Governance Green Paper
© IT Governance Ltd 2018
Business continuity and ISO 22301

Introduction

Organisations face a myriad of risks, both internal and external, including cyber attacks, natural disasters, power failures, industrial action and human error. These risks are often unpredictable and have the potential to severely interrupt business operations.

The benefits of business continuity

Our world is increasingly interconnected, and being able to respond to an incident quickly is imperative. Even a small glitch lasting two hours can be enough to cause revenue loss and long-term reputational damage.

No business wants its critical functions disrupted, or to be prevented from accessing essential information. It is therefore imperative to have a system in place that maintains access to business operations when an incident occurs.

Being able to recover well from a potentially damaging event, however, is likely to benefit your organisation’s reputation. Making business continuity arrangements can minimise the costs incurred by a disruptive incident and improve overall insurance rates.

Organisations are increasingly discovering that having business continuity measures in place is essential to survival – one survey found that 86.3% of responding organisations expected to see changes to their business continuity management (BCM) [1]. Such changes included embarking on an implementation project, revising present strategies, or exercising and testing current plans.

Additionally, some business contracts require guarantees of organisational resilience, so being able to demonstrate your ability to survive such incidents may also open up new business opportunities. Finally, a growing body of legislation requires organisations to enhance their organisational resilience by mitigating risks and recovering successfully from an incident, should one occur. An example of such legislation is the EU Directive on security of network and information systems (NIS Directive), which aims to achieve a high common level of security across EU member states and is due to be transposed into national laws by 9 May 2018.

Implementing a business continuity management system (BCMS) is the most effective way to ensure your organisation returns to ‘business as usual’ as quickly as possible in the event of a disruption. The international standard for business continuity, ISO 22301:2012 (ISO 22301), sets out the specification for a comprehensive BCMS.

Business continuity vs disaster recovery

Although business continuity focuses on preserving an organisation’s ability to function, disaster recovery (DR) prioritises returning to full functionality. Obviously, there is significant overlap.

DR as a discipline arose when computer systems became intrinsic to organisations. It referred specifically to services that computer manufacturers and dedicated service providers offered to achieve system recovery in the aftermath of a disruption. This definition has since expanded to describe the recovery of the business generally, and not just computer systems.

The NIS Directive

The NIS Directive sets a minimum standard for resilience in essential infrastructure, which applies to operators of essential services (OES) and to digital service providers (DSPs). Individual EU member states are expected to classify which sectors and organisations will be subject to the NIS Directive.

To comply with the Directive’s requirements, organisations will be expected to enhance their cyber security by employing appropriate risk management and security measures, as well as adequate incident response capabilities. Implementing a BCMS would be a sound approach to complying with the requirements of the NIS Directive.

There are also requirements for cooperation between member states, which will support OES and DSPs that operate across borders, while also providing the reassurance of a certain amount of resilience for organisations operating throughout the EU.

The UK government has recently published information about how it will implement the requirements of the NIS Directive, and the Scottish government has also released its Public Sector Cyber Resilience Framework.

Principles of a BCMS

ISO 22301 is founded on a number of core principles. These include:

• Management support;
• A business impact analysis (BIA);
• A risk assessment; and
• A business continuity plan (BCP).

A BCMS aligned with ISO 22301 will reflect these core principles.

Management support

As with any major project, a BCMS must be supported by the board and/or senior management for it to be effective.

Support from management will help to ensure that:

• Necessary resources will be available;
• The BCMS will be consistent with the overall strategic direction of the organisation;
• Continual improvement is promoted; and
• The project will be supported throughout the organisation.

If management provides support throughout the project, staff are more likely to comply with the BCMS requirements, making it more effective overall.

When planning to implement any management system, it is important to remember that the board and/or senior management are unlikely to commit to a plan that has not been clearly defined. One of the first considerations should be the management system’s scope and objectives.

BIA

The BIA is perhaps the most critical process involved in a BCMS. It is used to identify an organisation’s critical activities and their dependencies, which are then used to determine priorities for recovery following a disruption.

The BIA will help you work out how quickly each activity needs to be resumed following an incident. A critical outcome of the BIA is a recovery time objective (RTO) for each activity, which should also take into account that the impact of an incident usually increases with time. The RTOs will form the basis of the BCP.

Risk assessment

A BIA is not in itself enough to prepare your BCMS, as it only determines the value of your organisation’s activities. It neglects other important factors, such as:

• The specific incidents/scenarios that can affect each of these business activities;
• How likely these incidents are; or
• How severe these incidents might be.

A risk assessment, on the other hand, does consider these factors. Ultimately, risk is about the combination of impact – how serious an incident would be if it occurred – and how likely that occurrence is.

This ‘risk score’ can then be compared to the organisation’s risk acceptance criteria, which identify the level of risk it is willing to accept. This will be heavily influenced by the nature and size of the organisation.

If the risk is low, you may choose not to do anything about it, thus accepting its existence.

If the risk falls outside the risk acceptance criteria, the organisation should take action. This could be an extreme response, such as suspending an activity altogether, or it could be something more moderate, such as taking out insurance or providing backups.
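The BIA and risk assessment steps described above, as a small worked model. This is an added illustration, not code from the green paper or from ISO 22301. The 1 to 5 impact and likelihood scales, the impact level treated as intolerable when deriving an RTO, the risk acceptance threshold, and the sample activities and scenarios are all assumptions; a real organisation sets its own. The model works through two points the text states but does not demonstrate: impact that increases with time is what produces the RTO, and a dependency (here, a customer database that order processing relies on) pulls the supporting activity’s RTO down to that of the activity depending on it. Scenario impact is read off the BIA impact curve at the expected outage length, and the resulting likelihood × impact score is compared with the acceptance criterion to decide between accept and treat.

```python
"""Worked BIA -> RTO -> risk assessment chain (added example; scales and
thresholds are assumptions, the sample data is constructed)."""
from dataclasses import dataclass, field

INTOLERABLE_IMPACT = 4      # assumption: impact level at which an outage can no longer be tolerated
ACCEPTABLE_RISK_BELOW = 8   # assumption: the organisation's risk acceptance criterion


@dataclass
class Activity:
    name: str
    # hours of outage -> impact level (1 negligible .. 5 catastrophic). Impact
    # usually increases with time, so the BIA records several horizons.
    impact_over_time: dict
    depends_on: list = field(default_factory=list)

    def impact_after(self, hours):
        """Impact once the activity has been down for `hours`, rounded up to the
        next horizon the BIA recorded so the estimate is conservative."""
        for horizon in sorted(self.impact_over_time):
            if horizon >= hours:
                return self.impact_over_time[horizon]
        return max(self.impact_over_time.values())


@dataclass
class Scenario:
    activity: str
    description: str
    likelihood: int              # 1 rare .. 5 almost certain
    expected_outage_hours: int


def own_rto(activity):
    """RTO from the BIA alone: the activity must be back before the outage
    impact reaches INTOLERABLE_IMPACT."""
    for horizon in sorted(activity.impact_over_time):
        if activity.impact_over_time[horizon] >= INTOLERABLE_IMPACT:
            return horizon
    return max(activity.impact_over_time)


def effective_rtos(activities):
    """RTOs with dependencies applied: a supporting activity cannot be allowed
    a longer RTO than any activity that depends on it."""
    rto = {a.name: own_rto(a) for a in activities}
    for _ in activities:                      # enough passes for any dependency chain
        for a in activities:
            for dep in a.depends_on:
                rto[dep] = min(rto[dep], rto[a.name])
    return rto


def recovery_priority(activities):
    """Order in which the BCP should restore activities: shortest RTO first,
    supporting activities before the activities that depend on them."""
    rto = effective_rtos(activities)
    dependents = {a.name: 0 for a in activities}
    for a in activities:
        for dep in a.depends_on:
            dependents[dep] += 1
    return sorted(rto, key=lambda n: (rto[n], -dependents[n], n))


def assess(activities, scenarios):
    """Risk score = likelihood x impact, compared with the acceptance criterion.
    Returns one record per scenario, in input order."""
    by_name = {a.name: a for a in activities}
    rto = effective_rtos(activities)
    records = []
    for s in scenarios:
        impact = by_name[s.activity].impact_after(s.expected_outage_hours)
        score = s.likelihood * impact
        records.append({
            "activity": s.activity,
            "scenario": s.description,
            "impact": impact,
            "score": score,
            "decision": "accept" if score < ACCEPTABLE_RISK_BELOW else "treat",
            # the plan must bring the activity back faster than this scenario's outage
            "exceeds_rto": s.expected_outage_hours > rto[s.activity],
        })
    return records


# Constructed sample BIA data; not taken from any real organisation.
ACTIVITIES = [
    Activity("Order processing", {2: 1, 8: 2, 24: 4, 72: 5}, depends_on=["Customer database"]),
    Activity("Payment gateway", {1: 2, 4: 4, 24: 5}),
    Activity("Customer database", {24: 2, 72: 4, 168: 5}),
    Activity("Payroll", {24: 1, 72: 2, 168: 4}),
]

SCENARIOS = [
    Scenario("Payment gateway", "DDoS on the public endpoint", likelihood=4, expected_outage_hours=6),
    Scenario("Customer database", "Ransomware encrypts primary and replica", likelihood=2, expected_outage_hours=96),
    Scenario("Payroll", "Payroll SaaS provider outage", likelihood=3, expected_outage_hours=48),
    Scenario("Order processing", "Office power failure", likelihood=3, expected_outage_hours=3),
]

if __name__ == "__main__":
    for name, hours in effective_rtos(ACTIVITIES).items():
        print(f"RTO {name}: {hours} h")
    print("Recovery order:", recovery_priority(ACTIVITIES))
    for record in assess(ACTIVITIES, SCENARIOS):
        print(record)
```

With the sample data the customer database has an RTO of 72 hours on its own curve but inherits the 24-hour RTO of order processing, and so is restored before it; the two scenarios that score at or above the acceptance threshold are also the two whose expected outage exceeds the RTO, which is the signal that a treatment (insurance, backups, suspending the activity) or a faster recovery capability is needed rather than acceptance.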
BCP

The content of the BCP is developed on the basis of the BIA and risk assessment. This ensures that it accurately reflects an organisation’s needs and specific circumstances.

BCPs often include:

• Contact details for authorities, suppliers and other interested parties;
• Call trees featuring key staff to ensure availability of the right competence; and
• Checklists or steps to be taken in the case of specific events.

Ultimately, the goal is to stabilise the situation, allowing the organisation to continue operating despite the incident.

BCP vs BCMS

The BCP is the core of any BCMS. It records the actions that an organisation will take in response to any incident that threatens its key activities.

It is not uncommon to find organisations that have a BCP but not a BCMS in place. As a result, they lack the main benefits of a management system. In a full BCMS, the BCP is developed, tested and reviewed consistently, in line with a process that becomes more rigorous over time, thereby improving the BCP.

In addition, employees are made aware of the BCP’s existence through a formal process, and understand their assigned roles and responsibilities in the event of an incident.

Evaluating performance and continual improvement

In order to meet the requirements of ISO 22301, you need a continual improvement process. This is generally a good idea even if you choose to implement a BCMS without taking the Standard into account, as it ensures your BCMS is able to adapt to new threats and changes in the business environment. ISO 22301 specifically recommends the Plan-Do-Check-Act (PDCA) model for your BCMS. The idea is that you first plan what you intend to do, then execute (or do) that plan. Next, you check the performance and decide if anything needs to be fixed or improved. Finally, you act upon those decisions.

The performance checking usually occurs after an exercise (typically on a biannual basis), internal audit or activation. Testing the BCP is vital to ensure that your plan works effectively and that people know what to do if an incident occurs.

Cyber resilience

Cyber resilience is becoming an increasingly critical survival trait for organisations – statistics show that the two top threats are cyber attacks and data breaches [2]. Developing cyber resilience involves implementing cyber security measures along with measures for business continuity management.

Cyber resilience typically covers five key domains:

1. Identify potential threats.
2. Protect yourself against these threats.
3. Detect any breaches and other incidents.
4. Respond to any incidents that occur.
5. Recover from these incidents.

The fourth and fifth domains, respond and recover, refer to business continuity measures. As soon as an attack or other incident has been discovered, an organisation should take immediate action as mandated by its BCP.

Cyber attacks and data breaches are the two threats that organisations should be most concerned about, as even the most stringent information security measures cannot offer absolute protection. However, if you are cyber resilient – drawing on key business continuity practices to keep the organisation functioning – your organisation will put itself in a very strong position.
IT Governance business continuity resources

IT Governance offers a unique range of products and services, including books, standards, pocket guides, training courses, staff awareness solutions and professional consultancy services.

Standards

ISO 22301 BCMS Requirements
The requirements for a BCMS to enable a company to prepare for a disruptive incident. This standard is essential for an ISO 22301-certified BCMS.

ISO 22313 BCMS Guidance
The international standard for implementing a BCMS that meets the requirements of ISO 22301.

Books

ISO22301 – A Pocket Guide
ISO22301 – A Pocket Guide will help you understand international business continuity best practice, and provides guidance on the best way to implement a BCMS tailored to your organisation.

A Manager’s Guide to ISO22301
This book is full of illustrative examples and practical guidance on developing and implementing a BCMS. It discusses BIA and risk assessment in the context of business continuity, and outlines key areas, including strategy, procedures, testing, evaluation and improvement.

Toolkits

The Complete ISO22301 (BCMS) Toolkit Suite
Accelerate your ISO 22301 BCMS implementation project with this complete toolkit suite, which includes all the necessary information, direction and tools to streamline your project.

ISO22301 BCMS Documentation Toolkit
Accelerate your BCMS implementation project and ensure your organisation’s survival by using this toolkit. It provides an easy-to-use set of customisable and fully ISO 22301-compliant documentation templates that will save you time and money.
Training

ISO22301 Certified BCMS Foundation Training Course
This course provides a comprehensive introduction to the ISO 22301:2012 standard and the requirements of a BCMS. Attendees who successfully complete this one-day classroom course will be awarded the ISO22301 Certified BCMS Foundation (CBCF) qualification.

ISO22301 Certified BCMS Lead Implementer Training Course
Gain the knowledge and skills required to implement an ISO 22301-compliant BCMS in your organisation in just three days with this practical course.

ISO22301 Certified BCMS Lead Auditor Training Course
Gain the practical knowledge and skills required to plan and execute BCMS audits in line with the ISO 22301:2012 requirements with this practical 4.5-day course.

Consultancy

FastTrack™ Business Continuity Management/ISO 22301 Consultancy
This unique consultancy service helps you to implement a robust BCMS and achieve ISO 22301 certification, with minimal business disruption and within a limited budget.

ISO 22301 Internal Audit Service
Benefit from the expertise of qualified auditors with experience of ISO 22301 and the audit process. This service consists of two separate audit days spread over one year.

ISO 22301 BCMS Managed Service
Benefit from the reliable advice and practical experience of a BCMS specialist to manage, maintain, audit and continually improve your BCMS in line with the requirements of ISO 22301.

Business Continuity Management/ISO 22301 Gap Analysis
Get the true picture of your business continuity management programme and how you measure up against the requirements of ISO 22301. Receive expert advice on scoping your BCMS project and establish resource requirements for implementing a BCMS.
IT Governance solutions

IT Governance sources, creates and delivers products and services to meet the evolving IT governance needs of today’s organisations, directors, managers and practitioners. IT Governance is your one-stop shop for corporate and IT governance information, books, tools, training and consultancy. Our products and services are designed to work harmoniously together so you can benefit from them individually and also use different elements to enhance your cyber security.

Books
We sell sought-after publications covering all areas of corporate and IT governance. Our publishing team also manages a growing collection of titles that provide practical advice for staff taking part in IT governance projects, suitable for all levels of staff knowledge, responsibility and experience. Visit www.itgovernance.co.uk/shop/category/itgp-books to view our full catalogue.

Toolkits
Our unique documentation toolkits are designed to help organisations adapt quickly and adopt best management practice using pre-written policies, forms and documents. Visit www.itgovernance.co.uk/product-demos to view and trial our toolkits.

Training
We offer training courses from staff awareness and Foundation courses, through to advanced programmes for IT practitioners and certified lead implementers and auditors. Our training team organises and runs in-house and public training courses all year round, as well as Live Online and distance-learning classes, covering a growing number of IT governance topics. Visit www.itgovernance.co.uk/training for more information. Through our website, you can also browse and book training courses throughout the UK that are run by a number of different suppliers.

Consultancy
Our company is an acknowledged world leader in our field. Our experienced consultants, with multi-sector and multi-standard knowledge and experience, can help you accelerate your IT GRC (governance, risk, compliance) projects. Visit www.itgovernance.co.uk/consulting for more information.

Software
Our industry-leading software tools, developed with your needs and requirements in mind, make information security risk management straightforward and affordable for all, enabling organisations worldwide to be ISO 27001-compliant. Visit www.itgovernance.co.uk/software for more information.
Contact us:
+44 (0)333 800 7000
www.itgovernance.co.uk
[email protected]
[1] Continuity Central, “Business continuity trends and challenges: Survey results”, April 2015, http://www.continuitycentral.com/feature1300.html.
[2] Business Continuity Institute, “Horizon Scan Report 2018”, 2018, https://www.thebci.org/uploads/assets/uploaded/a3158900-52d9-4df6ae7412ef10f85567.pdf.