ISO 22301: The New Standard for Business Continuity Best Practice
Sponsored by: Emergency Notification | Incident Management
Agenda
1. So what is ISO 22301?
2. The Benefits of ISO 22301
3. BS 25999 compared to ISO 22301
4. Planning to comply with ISO 22301
5. The Certification Process
6. Q & A
Reputation Combat: Protecting Your Company’s Online Reputation
©Copyright 2011, Jonathan Bernstein
Sponsored by
Smarter Crisis Management Emergency Notification Incident Management Mobile Crisis Communications
www.missionmode.com/mobile
This presentation is from a recorded webinar. To view and listen to the video presentation, visit: www.missionmode.com/webinars
John McGill Managing Partner, ISO 22301 Ltd.
So What Is ISO 22301?
ISO 22301 has sprung from a need for global standardisation of business continuity practice.
"I couldn't help with the spill, I couldn't do anything about getting the ship off the rocks."
Statement by Lawrence Rawl, CEO of Exxon, 10 days after the Exxon Valdez incident
ISO 22301 was developed by the International Organization for Standardization (ISO), the world's largest developer of international standards.
ISO 22301 identifies the fundamentals of best-practice business continuity: 107 steps to excellence.
[Diagram: the clause structure of ISO 22301, arranged around the business]
0 Introduction
1/2 Scope and References
3 Terms and Definitions
4 Understanding the Business
5 Leadership
6 Planning
7 Support
8 Operation
9 Evaluation
10 Improvement
The Benefits of ISO 22301
• Establish, implement, maintain and improve business continuity.
• Meet the requirements of your business continuity policy.
• Give key stakeholders confidence.
• Save time and money.
So why will an organisation's leaders decide they want to align with ISO 22301, or even become certified in it?
"I think the environmental impact of this disaster is likely to have been very, very modest."
Tony Hayward, BP CEO
BS 25999 vs. ISO 22301
All core 25999 business continuity requirements are in ISO 22301.
ISO 22301 puts emphasis on:
• Interested parties
• Understanding the organisation
• Monitoring performance and metrics
• Legal and regulatory requirements
• Crisis communications
BS 25999 vs. ISO 22301: areas of change

Area of change | ISO 22301 clause
Understand the organisation | 4.1
Understanding the needs and expectations of interested parties | 4.1
Management commitment | 5.2
Communication & warning system | 7.4, 8.4.2, 8.4.3
Monitoring, measurement, analysis and evaluation | 9.1
Determine the scope | 4.3
Business continuity objectives | 6.2
Business continuity policy | 5.3
Documented information | 7.5
Risk assessment | 8.2.1, 8.2.3

The chart also lists the corresponding BS 25999 clauses (4.3.3.3, 4.4.3, 3.2.1, 3.2.1.1, 3.2.2, 3.4 and 4.1.2) and the magnitude of each change. The full chart will be available for download.
Planning to comply with ISO 22301
ISO 22301 specifically requires you to define your approach for measurement and monitoring.
Business Continuity Management System (BCMS)
The key aspects of your ISO 22301 project:
1. Scope of business continuity
2. Business continuity policy
3. Business continuity objectives
4. Strategy for meeting the objectives
The Business Impact Analysis (BIA)
• Identify Priority Activities (PAs)
• Review the needs of interested parties
• Review the initial impact, and then the impact were the disruption to continue
• Consider the impact were the resources upon which the PAs depend to be unavailable
• Evaluate the recovery timeframes
• Develop the BIA into a risk log and then create Business Continuity Plans
Develop incident management, then train and test.
Resource requirements (hours):
BCMS project leader: 1,000
Project team members: 36
Project board chairman: 130
Incident Management team members: 20
Executive: 20
Staff: 1
The Certification Process
Certification process:
1. Identify accredited certification companies
2. Meet a shortlist of companies
3. Appoint a certification company
4. Agree a schedule with the chosen company
5. Schedule audit and pre-audit meetings
ISO 22301 outlines BCMS requirements, but does not dictate how to plan in a prescriptive manner.
Heads up: the auditor cannot act as a consultant and advise you.
Phase 1 audit: one day; focuses on a review of your documents.
Phase 1 non-conformities must be resolved before the Phase 2 audit. Phase 2 lasts two days and comprises some further review of documents. The outcomes are as for the Phase 1 audit, plus the option of certification.
The project to obtain certification should not be self-serving: certification is proof that your business continuity planning follows best practice.
The ISO 22301 standard can be downloaded at a cost of CHF 116 ($124 / €94). Additional guidance can be downloaded in ISO 22313 at a cost of CHF 154 ($165 / €126).
[email protected] www.missionmode.com/mobile
John McGill
[email protected]