ISO 22301: The New Standard for Business Continuity Best Practice

ISO 22301 The New Standard for Business Continuity Best Practice Sponsored By

Emergency Notification | Incident Management

Agenda 1 2 3 4

5 6

• So what is ISO 22301? • The Benefits of ISO 22301 • BS 25999 compared to ISO 22301 • Planning to comply with ISO 22301

• The Certification Process •Q & A ISO 22301

Reputation Combat: Protecting Your Company’s Online Reputation

2

2

©Copyright 2011, Jonathan Bernstein

Sponsored by

Smarter Crisis Management Emergency Notification Incident Management Mobile Crisis Communications

www.missionmode.com/mobile ISO 22301

Reputation Combat: Protecting Your Company’s Online Reputation

3

3

©Copyright 2011, Jonathan Bernstein

This presentation is from a recorded webinar. To view and listen to the video presentation, visit: www.missionmode.com/webinars

ISO 22301

Reputation Combat: Protecting Your Company’s Online Reputation

4

4

©Copyright 2011, Jonathan Bernstein

John McGill Managing Partner, ISO 22301 Ltd.

ISO 22301

Reputation Combat: Protecting Your Company’s Online Reputation

5

5

©Copyright 2011, Jonathan Bernstein

So What Is ISO 22301?

ISO 22301 has sprung from a need for global standardisation. “I couldn’t help with the spill, I couldn’t do anything about getting the ship off the rocks”. Statement 10 days after the Exxon Valdez incident by Lawrence Rawl, CEO Exxon Mobile

ISO 22301

7

ISO 22301 was developed by the International Organization for Standardization (ISO), the world’s largest developer of international standards. ISO 22301

8

 ISO 22301 identifies the fundamentals of best practice business continuity.  107 Steps to excellence

ISO 22301

9

5

4 Understanding The Business

Leadership

The Automata

Terms and Definitions

6 Planning

7 9 Evaluation

Support

3 Scope and References

Fortress Model Improvement of1/2 10

Introduction

0

ISO 22301

Operation

8

B u s iness 10

The Benefits of ISO 22301

 Establish, implement, maintain and improve business continuity.  Meet the requirements of your business continuity policy.  Give key stakeholders confidence.  Save time and money

ISO 22301

12

So why will an organisation’s leaders decide they want to align with ISO 22301, or even become certified in it? "I think the environmental impact of this disaster is likely to have been very, very modest." —Tony Hayward, BP CEO ISO 22301

13

BS 25999 vs. ISO 22301

All core 25999 business continuity requirements are in ISO 22301.

ISO 22301

15

ISO 22301 puts emphasis on:  Interested Parties  Understanding the organisation  Monitoring performance and metrics  Legal and regulatory requirements  Crisis Communications

ISO 22301

16

BS 25999 vs. ISO 22301 BS 25999 and ISO 22301 Area of change Understand the organisation Understanding the needs and expectations of interested parties Management commitment Communication & warning system Monitoring, measurement, analysis and evaluation Determine the scope S Business continuity objectives O Business continuity policy P Document information Risk assessment

BS 25999

4.3.3.3 4.4.3 3.2.1 3.2.1.1 3.2.2 3.4 4.1.2

ISO 22301 Magnitude 4.1 4.1 5.2 7.4, 8.4.2, 8.4.3 9.1 4.3 6.2 5.3 7.5 8.2.1, 8.2.3

Full chart will be available for download. ISO 22301

17

Planning to comply with ISO 22301

ISO 22301 specifically requires you to define your approach for measurement and monitoring.

ISO 22301

19

ISO 22301

20

ISO 22301

21

Business Continuity Management System (BCMS)

ISO 22301

22

The key aspects of your ISO 22301 project: 1. Scope of business continuity 2. Business continuity Policy 3. Business continuity Objectives 4. Strategy for meeting the objectives ISO 22301

23

The Business Impact Analysis (BIA)

Develop the BIA into a risk log and then create Business Continuity Plans Evaluate the Recovery Timeframes

Identify Priority Activities (PA)

Review the needs of interested parties Review the initial impact and then the impact were the disruption to continue

ISO 22301

Consider the impact were the resources upon which the PAs depend are unavailable

25

Develop Incident Management  Train  Test

ISO 22301

26

Resource requirements: BCMS project leader ………………………….1,000 Hours Project team members ……………………… 36 Hours Project board chairman …………………….. 130 Hours Incident Management team members 20 Hours Executive ………………………………………….. 20 Hours Staff ……………………………………............... 1 Hour

ISO 22301

27

The Certification Process

Certification process:  Identify accredited certification companies  Meet a shortlist of companies  Appoint a certification company  Agree schedule with chosen company  Schedule audit and pre-audit meetings ISO 22301

29

ISO 22301 outlines BCMS requirements, but does not dictate how to plan in a prescriptive manner.

Heads Up: The auditor cannot act as a consultant and advise you. ISO 22301

30

Phase 1 audit: one day Focuses on a review of your documents

ISO 22301

31

 Phase 1 non-conformities must be resolved before the Phase 2 audit.  Phase 2 will last two days and will comprise some further review of documents.  The outcomes are as per the Phase 1 audit, plus the option for certification. ISO 22301

32

The project to obtain certification should not be self serving. Proof that your business continuity planning is following best practice. ISO 22301

33

The ISO 22301 Standard can be downloaded at a cost of CHF 116 ($124 /€94). Additional guidance can be downloaded in ISO 22313 at a cost of CHF 154 ($165/€126). ISO 22301

34

Sponsored by

Smarter Crisis Management Emergency Notification Incident Management Mobile Crisis Communications

[email protected] www.missionmode.com/mobile ISO 22301

Reputation Combat: Protecting Your Company’s Online Reputation

35

©Copyright 2011, Jonathan Bernstein

John McGill [email protected]

ISO 22301

36

This presentation is from a recorded webinar. To view and listen to the video presentation, visit: www.missionmode.com/webinars

ISO 22301

Reputation Combat: Protecting Your Company’s Online Reputation

37

©Copyright 2011, Jonathan Bernstein