Awareness ISO 22301:2019
DANANG SURYO WARDHONO | REGISTERED TRAINER/AUDITOR
081567796679/08112999715
Introduction
• Name: Danang Suryo Wardhono ST MM
• Occupation: Registered auditor/trainer for the ISO series (PECB); trainer/auditor of management systems for certification bodies LRBA (previously LRQA), Mutu Certification International, Afnor Indonesia, IAPMO, TUV Rheinland, Pusdiklat Gadjah Mada, NQA, Sucofindo, Bina Profesi Institute, Mutu Institute, ITS Tekno Sains, WQA, ISQ, etc.
• LA IRCA/PECB certified: ISO 9K, 14K, 18K, 22K, 22301, 27K, 37K, 45K, 50K (waiting result); SMK3 auditor, halal, national assessor (waiting result); BRC version 8 auditor conversion, etc.
• Telp/WA: 081567796679, 08112999715
• danangsuryowardhono@gmail.com
Film BCMS
CONTENTS
• SCOPE and TERMS of BCMS
• PURPOSE and BENEFITS of BCMS
• BCMS family of standards
• Clauses of ISO 22301:2019
Scope
This document specifies requirements to plan, establish, implement, operate, monitor, review,
maintain and continually improve a management system to protect against, reduce the
likelihood of occurrence, prepare for, respond to, and recover from disruptions when they arise.
Terms and definitions
business continuity: capability of an organization (3.31) to continue delivery of products and services (3.41) within acceptable time frames at predefined capacity relating to a disruption (3.12)
[SOURCE: ISO 22300:2018, 3.24, modified]
business continuity management system, BCMS: management system (3.25) for business continuity (3.3)
Note 1 to entry: The management system includes organizational structure, policies, planning (3.36) activities (3.1), responsibilities, procedures (3.39), processes (3.40) and resources.
[SOURCE: ISO 22300:2018, 3.26, modified]
business continuity plan: documented information (3.13) that guides an organization (3.31) to respond to a disruption (3.12) and resume, recover and restore the delivery of products and services consistent with its business continuity objectives
[SOURCE: ISO 22300:2018, 3.27, modified. Note 1 to entry deleted.]
business impact analysis: process (3.40) of analyzing the impact (3.18) of a disruption (3.12) on the organization (3.31)
Note 1 to entry: The outcome is a statement and justification of business continuity (3.3)
requirements (3.45).
[SOURCE: ISO 22300:2018, 3.29, modified. Note 1 to entry added.]
incident: event (3.16) that can be, or could lead to, a disruption (3.12), loss, emergency (3.15) or crisis
[SOURCE: ISO 22300:2018, 3.111, modified.]
disruption: incident (3.19), whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services (3.41) according to an organization’s (3.31) objectives (3.30)
[SOURCE: ISO 22300:2018, 3.70, modified.]
crisis management: holistic management (3.135) process (3.180) that identifies potential impacts (3.107) that threaten an organization (3.158) and provides a framework for building resilience (3.192), with the capability for an effective response that safeguards the interests of the organization’s key interested parties (3.124), reputation, brand and value-creating activities (3.1), as well as effectively restoring operational capabilities
Note 1 to entry: Crisis management also involves the management of preparedness (3.172), mitigation (3.146), response, and continuity (3.49) or recovery (3.187) in the event of an incident (3.111), as well as management of the overall program through training (3.265), rehearsals and reviews (3.197) to ensure the preparedness, response and continuity plans stay current and up to date.
[SOURCE: ISO 22300:2018]
recovery time objective, RTO: period of time following an incident (3.111) within which a product or service (3.181) or an activity (3.1) is resumed, or resources (3.193) are recovered
Note 1 to entry: For products, services and activities, the recovery time objective is less than the
time it would take for the adverse impacts (3.107) that would arise as a result of not providing a
product/service or performing an activity to become unacceptable.
[SOURCE: ISO 22300:2018]
recovery point objective, RPO: point to which information (3.116) used by an activity (3.1) is restored to enable the activity to operate on resumption
Note 1 to entry: Can also be referred to as “maximum data loss”.
[SOURCE: ISO 22300:2018]
What is a BCMS?
Business continuity is the capability of the organization to continue delivery of products or
services at acceptable predefined levels following a disruptive incident. Business continuity
management (BCM) is the process of achieving business continuity and is about preparing an
organization to deal with disruptive incidents that might otherwise prevent it from achieving its
objectives.
Placing BCM within the framework and disciplines of a management system creates a business
continuity management system (BCMS) that enables BCM to be controlled, evaluated and
continually improved.
Any incident, large or small, natural, accidental or deliberate has the potential to cause major
disruption to the organization’s operations and its ability to deliver products and services.
However, implementing business continuity before a disruptive incident occurs, rather than
waiting for this to happen will enable the organization to resume operations before
unacceptable levels of impact arise.
Fundamental principles
a) awareness of the need for BCMS
b) assignment of responsibility for BCMS
c) incorporating management commitment and the interests of stakeholders
d) enhancing societal values
e) risk assessments determining appropriate controls to reach acceptable levels of risk
f) security incorporated as an essential element of BCMS
g) active prevention and detection of Business continuity incidents
h) ensuring a comprehensive approach to Business continuity management
i) continual reassessment of Business continuity and making of modifications as appropriate.
Steps:
1. being clear on the organization’s key products and services and the
activities that deliver them
2. knowing the priorities for resuming activities and the resources they
require
3. having a clear understanding of the threats to these activities, including
their dependencies, and knowing the impacts of not resuming them
4. having tried and trusted arrangements in place to resume these activities
following a disruptive incident; and
5. making sure that these arrangements are routinely reviewed and updated
so that they will be effective in all circumstances
PURPOSE OF BCMS
By focusing on the impact of disruption rather than the cause, business
continuity identifies those activities on which the organization depends for
its survival, and enables the organization to determine what is required to
continue to meet its obligations.
Through business continuity, an organization can recognize what needs to be
done to protect its resources (e.g. people, premises, technology and
information), supply chain, interested parties and reputation, before a
disruptive incident occurs. With that recognition, the organization is able to
take a realistic view on the responses that are likely to be needed as and
when a disruption occurs, so that it can be confident of managing the
consequences and avoid unacceptable impacts
Benefits
Protects business from a range of threats
Ensures business continuity
Minimizes financial loss
Optimizes return on investments
Increases business opportunities
Awareness iso 22301 danang suryo
BCMS FAMILY OF STANDARDS
ISO 22300, Security and resilience — Vocabulary
ISO/IEC 22301, Business continuity management systems — Requirements
ISO/IEC 22313, Societal security — Business continuity management systems — Guidance
Clauses of ISO 22301:2019
The main differences from other ISO management system standards are 4.2.2 Legal and regulatory requirements and Clause 8.
Clause 8 Operation
8.1 Operational planning and control
8.2 Business impact analysis and risk assessment
◦ 8.2.1 General
◦ 8.2.2 Business impact analysis
◦ 8.2.3 Risk assessment
8.3 Business continuity strategies and solutions
◦ 8.3.1 General
◦ 8.3.2 Identification and selection of strategies and solutions
◦ 8.3.3 Resource requirements
◦ 8.3.4 Implementation of solutions
8.4 Business continuity plans and procedures
◦ 8.4.1 General
◦ 8.4.2 Response structure
◦ 8.4.3 Warning and communication
◦ 8.4.4 Business continuity plans
◦ 8.4.5 Recovery
8.5 Exercise programme
8.2.2 Business impact analysis (BIA): process (3.40) of analyzing the impact (3.18) of a disruption (3.12) on the organization (3.31). The organization's BIA process:
a) defines impact categories and criteria relevant to the organization’s context;
b) uses these impact categories and criteria for measuring impact;
c) identifies activities that support the provision of products and services;
d) analyses the impacts over time resulting from disruption of these activities;
e) identifies the time within which the impacts of not resuming activities would become unacceptable
to the organization;
NOTE This may be referred to as maximum tolerable period of disruption (MTPD)
f) sets prioritized timeframes within the time identified in e) above for resuming disrupted activities
at a specified minimum acceptable capacity;
NOTE This may be referred to as recovery time objective (RTO)
g) uses the business impacts to identify prioritized activities;
h) determines which resources are needed to support prioritized activities;
i) determines the dependencies and interdependencies of prioritized activities.
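As an added worked example (not part of the slide deck or of ISO 22301 itself), the following Python script models steps c) to i) above for a small set of constructed activities: it derives each activity's MTPD from an impact-over-time table (steps d and e), checks that the set RTO is less than the MTPD (the note to the RTO definition), orders activities by MTPD to obtain the prioritized activities (step g), and shows how dependencies (step i) can push the achievable RTO above the one that was set. The activity names, impact scores, the unacceptable-impact threshold of 3 and the RTO values are all constructed assumptions, not figures from the standard.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed impact criterion (step a): an impact score of 3 or more is unacceptable.
UNACCEPTABLE_IMPACT = 3


@dataclass
class Activity:
    name: str
    supports: List[str]                  # products/services the activity supports (step c)
    impact_over_time: Dict[int, int]     # hours of disruption -> impact score (step d)
    rto_hours: int                       # prioritized timeframe for resumption (step f)
    resources: List[str] = field(default_factory=list)    # resources needed (step h)
    depends_on: List[str] = field(default_factory=list)   # activities it needs (step i)


def mtpd(activity: Activity, threshold: int = UNACCEPTABLE_IMPACT) -> Optional[int]:
    """Maximum tolerable period of disruption (step e): the earliest point on the
    impact-over-time curve at which the impact reaches the unacceptable level.
    Returns None if impact stays acceptable over the whole analysed horizon."""
    for hours in sorted(activity.impact_over_time):
        if activity.impact_over_time[hours] >= threshold:
            return hours
    return None


def effective_rto(activities: Dict[str, Activity], name: str, _path=()) -> int:
    """RTO the activity can actually achieve once dependencies are considered:
    it cannot resume before every activity it depends on has resumed."""
    if name in _path:
        raise ValueError("circular dependency: " + " -> ".join(_path + (name,)))
    act = activities[name]
    chain = [effective_rto(activities, d, _path + (name,)) for d in act.depends_on]
    return max([act.rto_hours] + chain)


def prioritized(activities: Dict[str, Activity]) -> List[str]:
    """Prioritized activities (step g): shortest MTPD first; activities whose
    impact never becomes unacceptable are placed last."""
    def sort_key(a: Activity):
        m = mtpd(a)
        return (m is None, m if m is not None else 0, a.name)
    return [a.name for a in sorted(activities.values(), key=sort_key)]


def bia_findings(activities: Dict[str, Activity]) -> List[str]:
    """Consistency checks a reviewer would run on a BIA:
    1. the RTO must be less than the MTPD (note to the RTO definition);
    2. the RTO must still hold once dependencies are taken into account."""
    findings = []
    for a in activities.values():
        m = mtpd(a)
        if m is not None and a.rto_hours >= m:
            findings.append(f"{a.name}: RTO {a.rto_hours}h is not less than MTPD {m}h")
        achievable = effective_rto(activities, a.name)
        if achievable > a.rto_hours:
            findings.append(f"{a.name}: dependencies push the achievable RTO to "
                            f"{achievable}h, above the set {a.rto_hours}h")
    return findings


# Constructed sample activities (names, scores and timeframes are illustrative only).
ACTIVITIES: Dict[str, Activity] = {
    "order_processing": Activity(
        "order_processing", ["online orders"], {4: 1, 8: 2, 24: 3, 48: 4}, rto_hours=8,
        resources=["order staff", "web shop"], depends_on=["erp_platform"]),
    "erp_platform": Activity(
        "erp_platform", ["online orders", "payroll"], {2: 1, 12: 3, 24: 4}, rto_hours=12,
        resources=["ERP servers", "DBA"]),
    "payroll": Activity(
        "payroll", ["salary payments"], {24: 1, 72: 2, 120: 3}, rto_hours=48,
        resources=["HR staff"], depends_on=["erp_platform"]),
}

if __name__ == "__main__":
    for name in prioritized(ACTIVITIES):
        act = ACTIVITIES[name]
        print(f"{name}: MTPD={mtpd(act)}h RTO={act.rto_hours}h "
              f"achievable RTO={effective_rto(ACTIVITIES, name)}h")
    for f in bia_findings(ACTIVITIES):
        print("FINDING:", f)
```

Run directly, the script prints the prioritized list and two findings: the ERP platform's RTO equals its MTPD instead of being shorter, and order processing cannot meet an 8-hour RTO while it depends on a platform that only resumes after 12 hours. That second check is the one most often missed in a BIA: an RTO only holds if every activity it depends on has an RTO that is no longer.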
BIA
Threat
Self assessment BIA
Is there a formal risk assessment process for analyzing the risk of disruptive incidents?
Does this risk assessment method identify risk treatments appropriate to BC objectives?
Is there evidence of prioritizing risk treatments with costs identified?
Source: BSI self-assessment, BIA
8.2.3 Risk assessment
The organization shall implement and maintain a systematic risk assessment process.
NOTE This process can be carried out in accordance with ISO 31000.
The organization shall:
a) identify risks of disruption to the organization's prioritized activities and to their supporting
resources;
b) systematically analyse risks of disruption;
c) evaluate risks of disruption which require treatment.
Risk Assessment
8.3 Business continuity strategies and solutions
business continuity: capability of an organization (3.158) to continue the delivery of products or services (3.181) at acceptable predefined levels following a disruption (3.70)
continuity: strategic and tactical capability, pre-approved by management (3.135), of an organization (3.158) to plan for and respond to conditions, situations and events (3.82) in order to continue operations at an acceptable predefined level
Based on the outputs from the business impact analysis and risk assessment, the organization shall identify and select business continuity strategies that consider options for before, during and after a disruption.
8.3.2 Identification of strategies and solutions
8.3.3 Selection of strategies and solutions
8.3.3 Resource requirements
8.3.4 Implementation of solutions
The organization shall identify and select appropriate business continuity strategies and solutions, taking into consideration their associated costs, for (the goals of a BC strategy):
a) responding to disruptions;
b) continuing and recovering prioritized activities and their required resources to meet the delivery of
products and services at the agreed capacity over time.
For the prioritized activities, the organization shall identify and select strategies and solutions
considering business continuity objectives and the amount and type of risk that the organization may
or may not take that:
a) reduce the likelihood of disruption;
b) shorten the period of disruption;
c) limit the impact of disruption on the organization's products and services.
Self assessment BC strategy
Is the BC strategy based on the outputs of the BIA and risk assessment?
Does the BC strategy protect prioritized activities and provide appropriate continuity and
recovery of them, their dependencies and resources?
Does the BC strategy provide for mitigating, responding to and managing impacts?
Have prioritized time frames been set for the resumption of all activities?
Have the BC capabilities of suppliers been evaluated?
Have the resource requirements for the selected strategy options been determined, including
people, information and data, infrastructure, facilities, consumables, IT, transport, finance and
partner/supplier services?
Have measures to reduce the likelihood, duration or impact of a disruption for identified risks
been considered and implemented, and are these in accordance with the organization’s risk
appetite?
8.4 Business continuity plans and procedures
The organization shall implement and maintain a structure that will enable timely warning and communication to relevant interested parties. It shall provide plans and procedures to manage the organization during a disruption. The plans and procedures shall be used when required to activate business continuity solutions.
The procedures shall:
a) be specific regarding the immediate steps that are to be taken during a disruption;
b) be flexible to respond to changing internal and external conditions of a disruption;
c) focus on the impact of incidents that potentially lead to disruption;
d) be effective in minimizing impact through implementation of appropriate solutions;
e) assign roles and responsibilities for tasks within it.
Self assessment BCP
Have BC procedures been put in place to manage a disruptive incident, and have continuity
activities based on recovery objectives been identified in the BIA?
Are the business continuity procedures documented?
Have internal and external communication protocols been established as part of these
procedures?
Source: BSI self-assessment ISO 22301
8.4.2 Response structure
The organization shall implement and maintain a structure identifying one or more teams responsible for responding to disruptions.
For each team there shall be:
a) identified personnel and their associates with the necessary responsibility, authority and
competence to perform their designated role;
b) documented procedures to guide their actions (see 8.4.4) including those for the activation,
operation, coordination and communication of the response.
Self assessment Incident Response Structure (IRS)
Is there the management structure and trained personnel in place to respond to a disruptive
incident?
Does the IRS and associated procedures include thresholds, assessment, activation, resource
provision and communication?
Do the people in your IRS have the necessary competency to perform their duties, and have you
kept records to demonstrate their competence?
8.4.3 Warning and communication
8.4.3.1 The organization shall document and maintain procedures for:
a) communicating internally and externally to relevant interested parties, including what, when, with whom and
how to communicate;
NOTE The organization may document and maintain procedures for how, and under what circumstances, the
organization communicates with employees and their emergency contacts.
b) receiving, documenting and responding to communications from interested parties, including any national or
regional risk advisory system or equivalent;
c) ensuring availability of the means of communication during a disruption;
d) facilitating structured communication with emergency responders;
e) details of the organization's media response following an incident, including a communications strategy;
f) recording details of the disruption, actions taken and decisions made.
The communication and warning procedures shall be exercised as part of the organization’s exercise programme
referred to in 8.5.
Self assessment Incident communications and warnings
1. Is there a procedure for detecting and monitoring incidents?
2. Is there a procedure for managing internal communications and external communications from
interested parties during a disruptive incident?
3. Is there a procedure for receiving and responding to warnings from outside agencies and
emergency responders?
4. Is there a structure to communicate with emergency responders and other authorities during an incident, and, for responding organizations, are communications interoperable with those of other organizations?
5. Is there a procedure for recording vital information about the incident, actions taken and
decisions made?
6. Is there a procedure for issuing alerts and warnings if appropriate?
7. Are the organization’s communication and warning systems regularly exercised, and records kept
of the results?
8.4.4 Business continuity plans
8.4.4.1 The business continuity plans shall provide guidance and information that will assist the teams to respond
to a disruption and assist the organization with response and recovery.
Collectively, the business continuity plans shall contain:
a) details of the actions that the teams will take in order to continue or recover prioritized activities within
predetermined timeframes and to monitor the effects of the disruption and the organization’s response to it;
b) reference to the pre-defined threshold and process for activating the response;
c) procedures to enable the delivery of products and services at agreed capacity to interested parties;
d) details to manage the immediate consequences of a disruption giving due regard to:
1) the welfare of individuals;
2) prevention of further loss or unavailability of prioritized activities;
3) protection of the environment;
e) a process for standing down once the incident is over.
Each business continuity plan shall have:
1. purpose and scope, and objectives;
2. roles, responsibilities of the team that will implement the plan;
3. actions and resources to implement the solutions;
4. supporting information needed to activate (including activation criteria), operate, coordinate
and communicate the team’s actions;
5. internal and external interdependencies;
6. resource requirements;
7. reporting requirements.
Each plan shall be usable and available at the time and place at which it is required.
Self assessment Business continuity response and recovery plans
1. Are there documented plans/procedures for restoring business operations after an incident?
2. Do these plans reflect the needs of those who will use them?
3. Do the plans define roles and responsibilities?
4. Do the plans define a process for activating the response?
5. Do the plans consider the management of the immediate consequences of a disruption, in particular the
welfare of individuals, options for response and further loss prevention?
6. Do the plans detail how to communicate with the various interested parties during the disruption?
7. Do the plans contain details on how prioritized activities will be continued or recovered within predetermined
time frames?
8. Is there a planned media response to an incident?
9. Do the plans include a procedure for standing down the response?
10. Does each plan contain the essential information to use it effectively?
8.4.5 Recovery
The organization shall have documented processes to restore and return business activities from
the temporary measures adopted to support normal business requirements during and after a
disruption.
Self assessment Exercising and testing
1. Have business continuity procedures been tested to ensure they are consistent with your BC
objectives?
2. Do top management “actively engage” in testing and exercising the BCMS?
3. Are the test exercises clearly defined, consistent with the scope of the BCMS and business
continuity objectives, and based on appropriate scenarios?
4. Will the test exercises that have been conducted over time validate the whole of the
organization’s business continuity arrangements?
5. Are the test exercises designed to minimize the risk of disruption to operations?
6. Have formal post-exercise reports been produced for the conducted tests?
7. Are the outcomes of exercises reviewed to ensure they lead to improvement?
8. Are test exercises undertaken at planned intervals, and when significant changes occur is this
process documented within the BCMS?
8.5 Exercise programme
The organization shall implement and maintain a program of exercising and testing to validate over time the
effectiveness of its business continuity strategies and solutions.
The organization shall conduct exercises and tests that:
a) are consistent with its business continuity objectives;
b) are based on appropriate scenarios that are well planned with clearly defined aims and objectives;
c) develop teamwork, competence, confidence and knowledge for those who have roles to perform in relation to
disruptions;
d) taken together over time validate the whole of its business continuity strategies;
e) produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement
improvements;
f) are reviewed within the context of promoting continual improvement;
g) are performed at planned intervals and when there are significant changes within the organization or the
context in which it operates.
The organization shall act on the results of its exercising and testing to implement changes and improvements.
Short-term goals and performance objectives should be
established and include the following:
(1) Recovery of critical or time-sensitive personnel, systems, operations, records, and equipment
(2) Agreed-upon priorities for restoration and mitigation
(3) Length of downtime acceptable before restoration to a minimal level is required
(4) Minimal acceptable level of resources needed to provide for the restoration of facilities,
processes, programs, services, and infrastructure
Certification
Interrelation with ISO 27001
A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
Objective: Information security continuity shall be embedded in the organization’s business
continuity management systems.
A.17.1.1 Planning information security continuity
Control
The organization shall determine its requirements for information security and the continuity of
information security management in adverse situations, e.g. during a crisis or disaster.
A.17.1.2 Implementing information security continuity
Control
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
A.17.1.3 Verify, review and evaluate information security continuity
Control
The organization shall verify the established and implemented information security continuity
controls at regular intervals in order to ensure that they are valid and effective during adverse
situations.
ISO 22301 Mandatory documents
List of legal, regulatory and other requirements (clause 4.2.2) – lists everything you need to comply with.
Scope of the BCMS and explanation of exclusions (clause 4.3) – defines where your BCMS will be implemented.
Business continuity policy (clause 5.2) – defines main responsibilities, and the intent of the management.
Business continuity objectives (clause 6.2) – defines measurable objectives that are to be achieved with business
continuity.
Competencies of personnel (clause 7.2) – defines knowledge and skills needed.
Business continuity plans and procedures (clause 8.4) – includes plans and procedures for response,
communication, recovery (including disaster recovery plans), restore and return activities.
Documented communication with interested parties (clause 8.4.3.1) – these could be emails, but also official
communication from sources such as government agencies and others.
Records of important information about the disruption, actions taken and decisions made (clause 8.4.3.1) –
normally these records are done through minutes or by filling out checklists of performed activities.
Data and results of monitoring and measurement (clause 9.1.1) – this is the evaluation on whether
your BCMS met the objectives.
Internal audit program (clause 9.2)
Results of internal audit (clause 9.2) – normally, this is the Internal audit report.
Results of management review (clause 9.3) – usually, this is in the form of minutes or perhaps
documented decisions.
Nature of nonconformities and actions taken (clause 10.1) – this is a description of nonconformities,
and their cause.
Results of corrective actions (clause 10.1) – this is a description of what has been done to eliminate
the cause of a nonconformity.
Source: Advisera, https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
Commonly used non-mandatory BCMS documents and records
Procedure for identification of applicable legal and regulatory requirements (clause 4.2.2)
Implementation plan for achieving the business continuity objectives (clause 6.2)
Training and awareness plan (clauses 7.2 and 7.3)
Procedure for control of documented information (clause 7.5)
Contracts and service level agreements (SLAs) with suppliers and outsourcing partners (clause
8.1)
Process for business impact analysis and risk assessment (clause 8.2.1)
Results of business impact analysis (clause 8.2.2)
Results of risk assessment (clause 8.2.3)
Strategies and solutions for business continuity (clause 8.3.3)
Incident scenarios (clause 8.5)
Exercise and testing plans (clause 8.5)
Post-exercise reports (clause 8.5)
Results of post-incident review (clause 8.6)
Methods for monitoring, measurement, analysis and evaluation (clause 9.1.1)
Procedure for internal audit (clause 9.2)
Procedure for corrective action (clause 10.1)
Source: Advisera, https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301
Differences between ISO 22301:2012 and 22301:2019
• The 2019 edition is significantly less detailed and prescriptive than its predecessor. However,
in the process of removing the detail and providing less direction, the Standard places greater
emphasis on the skills and competence of those individuals who are responsible for designing
and implementing the management system processes. There are no substantial changes in the
processes that make up a business continuity management system (BCMS) and the same end
results are required.
• Clause 6.1.2 now makes it clear that the risks (and opportunities) that need to be addressed
relate to the effectiveness of the BCMS, as opposed to the risks of disruption, which are
addressed by Clause 8.2.3. The same relationship is intended in other standards such as ISO
27001 and if you are implementing a BCMS, you will need to work out how to meet the
requirements of this clause.
Source: https://www.urmconsulting.com/2019/12/10/iso-223012019-released-5-key-changes/
• The requirements for conducting the pivotal business impact analysis (BIA) are now clearer.
The relationship between unacceptable impact, maximum tolerable period of disruption and
prioritized timeframes for activity resumption is defined as well as using the BIA to identify
‘prioritized activities’. The 2012 edition required prioritized timeframes simply to consider
impact. It should be noted that there is no specific requirement with the 2019 version to
document the BIA process.
• A key assurance process, evaluation of procedures, specifically requires the suitability,
adequacy and effectiveness of BIAs and risk assessments to be evaluated. This was previously
only an implicit requirement in the name of effectiveness, but points to the key role played by
BIAs and risk assessments.
• The concept of minimum activity levels has shifted, from the need to identify minimum levels
of products and services and minimum acceptable levels of activity, the linking of which is
implicit, to the minimum acceptable capacity of resumed activities.
NFPA 1600:2019
Chapter 5 Planning
5.1 Planning and Design Process
5.2 Risk Assessment
5.3 Business Impact Analysis (BIA)
5.4 Resource Needs Assessment
Chapter 6 Implementation
6.1 Common Plan Requirements
6.2 Prevention
6.3 Mitigation
6.4 Crisis Management
6.5 Crisis Communications and Public Information
6.6 Warning, Notifications, and Communications
6.7 Operational Procedures
6.8 Incident Management
6.9 Emergency Operations/Response Plan
6.10 Continuity and Recovery
6.11 Employee Assistance and Support
Prevention strategies include the following:
(1) Ongoing hazard identification
(2) Threat assessment
(3) Risk assessment
(4) Analysis of impacts
(5) Operational experience, including incident analysis
(6) Information collection and analysis
(7) Intelligence and information sharing
(8) Regulatory requirements
Mitigation strategies can include the following:
(1) Use of applicable building construction standards
(2) Hazard avoidance through appropriate land use practices
(3) Relocation, retrofitting, or removal of structures at risk
(4) Removal or elimination of the hazard
(5) Reduction or limitation of the amount or size of the hazard
(6) Segregation of the hazard from that which is to be protected
(7) Modification of the basic characteristics of the hazard
(8) Control of the rate of release of the hazard
(9) Provision of protective systems or equipment for both cyber risks
and physical risks
(10) Establishment of hazard warning and communication
procedures
(11) Redundancy or diversity of essential personnel, critical systems,
equipment, information, operations, or materials
(12) Acceptance/retention/transfer of risk (insurance programs)
(13) Protection of competitive/proprietary information
6.9 Emergency Operations/Response Plan.
6.9.1* Emergency operations/response plans shall define responsibilities for carrying out specific
actions in an emergency.
6.9.2* The plan shall identify actions to be taken to protect people, including people with disabilities
and other access and functional needs, information, property, operations, the environment, and the
entity.
6.9.3* The plan shall identify actions for incident stabilization.
6.9.4* The plan shall include the following:
(1) Protective actions for life safety in accordance with 6.9.2
(2) Warning, notifications, and communication in accordance with Section 6.6
(3) Crisis communication and public information in accordance with Section 6.5
(4) Resource management in accordance with 6.8.7
(5) Donation management in accordance with 6.8.9
NFPA 1600:2019, continuity plans shall identify and document the following:
(1) Stakeholders that need to be notified
(2) Processes that must be maintained
(3) Roles and responsibilities of the individuals implementing the
continuity strategies
(4) Procedures for activating the plan, including authority for plan
activation
(5) Critical and time-sensitive technology, application systems, and
information
(6) Security of information
(7) Alternative work sites
(8) Workaround procedures
(9) Vital records
(10) Contact lists
(11) Required personnel
(12) Vendors and contractors supporting continuity
(13) Resources for continued operations
(14) Mutual aid or partnership agreements
(15) Activities to return critical and time-sensitive processes to the original state
6.10.1.3 Continuity plans shall be designed to meet the RTO and RPO.
6.10.1.4 Continuity plans shall address supply chain disruption.
Strategies for disruption or loss of an operational site, such as the following:
(a) Transfer of workload and staff to a surviving site
(b) Alternate site contracted through a commercial recovery vendor.
(c) Reciprocal agreement or mutual aid agreement with a similar entity.
(d) Dedicated alternate site built by the entity to support recovery.
(e) Mobile facility — Generally, a trailer or mobile home that has been equipped to support operational recovery. These can be owned or contracted for through a vendor.
(f) Remote access/work from home
(g) Resources acquired at the time of disruption — This would be used for less time-sensitive operations.
(h) Customer service or product priority — Focuses operational capacity on specific high-value customers or high-profit products or services.
(i) Finished goods buyback — Utilized to recover already delivered inventory from other customers to meet the demands of customers who utilize "just in time."
(j) Relocation of staff to a surviving site that has additional capacity.
(k) Stockpile critical equipment and inventory to be available at time of disaster.
Third-party (i.e., vendor provided/extended enterprise) recovery strategy options, such as the following:
(a) Multiple sourcing — The entity buys the same or similar product or service from multiple vendors to prevent supply chain disruption should one of them experience a disruption.
(b) Alternate sourcing — To identify another source for a product or service should the current vendor experience a disruption.
(c) Service level agreement — Established service level agreements with the third party with penalties for nonperformance.
(d) Insource (do not outsource) — To identify internal resources that can provide service or product.
Technical recovery alternatives, such as the following:
(a) Commercial vendor (hot site)
(b) Resources acquired at time of disruption
(c) Quick-ship equipment
(d) Dual data center (active/active) — This strategy requires that the entity has access to two data center environments that are always fully operational, either owned by the entity or leased, so that it can load-balance time-sensitive applications between two geographic locations. The data that supports the applications in each center needs to be replicated to the other data center to facilitate recovery and to prevent significant data loss; the replication lag between the two centers bounds how much data can be lost, so it must be kept within the RPO.
(f) Outsourcing with a service level agreement (e.g., cloud computing) — An entity can have some or all of its technology environment hosted in the "cloud." This would likely prevent the entity's operations and the technology environment from being impacted by the same disruption, provided the hosting region is not exposed to the same hazard as the entity's own sites. The requirements for recovery of the technology environment are established with the cloud vendor; the vendor's SLA covers its infrastructure, while backup, restore and the RTO/RPO for the entity's own data and configuration still have to be specified and exercised by the entity.
(g) Stockpiled equipment — The entity could store the equipment needed for recovery on-site in their recovery location.
(h) Manual workarounds or alternate systems — The entity could use manual workarounds such as a manual call log or alternate systems such as spreadsheets instead of the general ledger system until the technology environment is recovered.
Backup strategies for records/record management, such as the following:
(1) Identification of records (hard copy or electronic) vital to continue the operations of the entity
(2) Backup of records on a frequency necessary to meet program goals and objectives (for electronic records, at least as often as the RPO requires)
(3) Validation of the integrity of records backup (a backup that has never been restored and compared against a known-good reference has not been validated)
(4) Implementation of procedures to store, retrieve, and recover records on-site or off-site
(5) Protection of records
(6) Implementation of a record review process
(7) Procedures coordinating records access
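Items (2) to (4) above and the RTO/RPO requirement in 6.10.1.3 are where an auditor will ask for evidence rather than a statement. The following is an added example, not code from the slides or from NFPA 1600: it writes a SHA-256 manifest for a backup set at the time the copy is taken, then verifies a restored copy against that manifest (reporting missing, modified and unexpected files) and checks the backup's age against the RPO. The record names, their contents, the timestamps and the 24-hour RPO are all constructed for the demo; the `demo()` function assumes a writable temporary directory.

```python
# Added example (not from the slides): builds an integrity manifest for a backup set,
# verifies a restored copy against it, and checks the backup's age against the RPO.
# All file names, record contents, timestamps and the RPO value below are constructed.
import hashlib
import json
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path

ALGO = "sha256"


def file_digest(path: Path) -> str:
    """Hash a file in chunks so large records do not have to fit in memory."""
    h = hashlib.new(ALGO)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path, taken_at: datetime) -> dict:
    """Record one digest per file in the backup set plus the time the copy was taken."""
    files = {p.relative_to(backup_dir).as_posix(): file_digest(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    return {"algorithm": ALGO, "taken_at": taken_at.isoformat(), "files": files}


@dataclass
class VerifyReport:
    missing: list = field(default_factory=list)     # in manifest, absent from restore
    modified: list = field(default_factory=list)    # present but digest differs
    unexpected: list = field(default_factory=list)  # in restore, not in manifest
    age: timedelta = timedelta(0)                   # backup age at verification time
    rpo_met: bool = True

    @property
    def intact(self) -> bool:
        return not (self.missing or self.modified or self.unexpected)


def verify_restore(manifest: dict, restore_dir: Path, now: datetime, rpo: timedelta) -> VerifyReport:
    """Compare a restored copy with the manifest and check the backup's age against the RPO."""
    report = VerifyReport()
    present = {p.relative_to(restore_dir).as_posix(): p
               for p in restore_dir.rglob("*") if p.is_file()}
    for rel, expected in manifest["files"].items():
        p = present.pop(rel, None)
        if p is None:
            report.missing.append(rel)
        elif file_digest(p) != expected:
            report.modified.append(rel)
    report.unexpected = sorted(present)  # whatever the manifest never listed
    report.age = now - datetime.fromisoformat(manifest["taken_at"])
    report.rpo_met = report.age <= rpo
    return report


def demo() -> VerifyReport:
    """Constructed scenario: three vital records; the restored copy has one corrupted and one missing."""
    root = Path(tempfile.mkdtemp(prefix="bcms-demo-"))
    backup, restore = root / "backup", root / "restore"
    records = {
        "ledger/2024-q1.csv": b"acct,amount\n1001,250.00\n",
        "contacts/vendors.txt": b"Vendor A, +1 555 0100\n",
        "plans/bcp.txt": b"Activate when the MTPD threshold is at risk\n",
    }
    for rel, data in records.items():
        for base in (backup, restore):
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(data)
    taken = datetime(2024, 4, 1, 2, 0, tzinfo=timezone.utc)
    manifest_path = root / "manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(backup, taken), indent=2))
    # Damage the restored copy the way silent corruption and a lost file would look.
    (restore / "ledger/2024-q1.csv").write_bytes(b"acct,amount\n1001,25.00\n")
    (restore / "contacts/vendors.txt").unlink()
    manifest = json.loads(manifest_path.read_text())
    return verify_restore(manifest, restore, now=taken + timedelta(hours=20), rpo=timedelta(hours=24))


if __name__ == "__main__":
    r = demo()
    print(f"intact={r.intact} missing={r.missing} modified={r.modified} "
          f"unexpected={r.unexpected} age={r.age} rpo_met={r.rpo_met}")
```

Two points a practitioner should take from this. The manifest is only evidence if whoever can alter the backup cannot also rewrite the manifest, so keep it in a separate write-once location or sign it rather than storing it beside the data. And the check above covers the RPO only; the RTO is measured by timing the restore itself during an exercise under 8.5, and that measured duration, not the planned one, is what the continuity plan has to be designed to meet.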
Thank you

More Related Content

PPTX
BCP Awareness
PPT
Business Continuity Workshop Final
PDF
ISO 22301 Business Continuity Management
PPTX
Business continuity planning and disaster recovery
PDF
Business Continuity Management PowerPoint Presentation Slides
PPTX
Business continuity management per ISO 22301 - a certification training cour...
PDF
ISO 22301: The New Standard for Business Continuity Best Practice
BCP Awareness
Business Continuity Workshop Final
ISO 22301 Business Continuity Management
Business continuity planning and disaster recovery
Business Continuity Management PowerPoint Presentation Slides
Business continuity management per ISO 22301 - a certification training cour...
ISO 22301: The New Standard for Business Continuity Best Practice

What's hot (20)

PDF
Business continuity management system
PPT
ISO 27001 - Information Security Management System
PPTX
Iso27001 Risk Assessment Approach
PPTX
ISO 27001 Awareness/TRansition.pptx
PDF
Bcp drp
PDF
Introduction to Business Continuity Management
PPTX
NIST Risk Management Framework (RMF)
PDF
PPT
BUSINESS CONTINUITY MANAGEMENT system
PDF
Business Continuity Management
PPTX
27001 awareness Training
PDF
ISO 27001:2022 What has changed.pdf
PDF
NQA ISO 27001 Implementation Guide
PPTX
Business continuity & disaster recovery planning (BCP & DRP)
PPTX
Iso 27001 isms presentation
PPTX
Introduction to NIST’s Risk Management Framework (RMF)
PPTX
ISO 27001 - Information security user awareness training presentation - part 3
PPTX
Iso 27001 awareness
PPTX
GRC Fundamentals
Business continuity management system
ISO 27001 - Information Security Management System
Iso27001 Risk Assessment Approach
ISO 27001 Awareness/TRansition.pptx
Bcp drp
Introduction to Business Continuity Management
NIST Risk Management Framework (RMF)
BUSINESS CONTINUITY MANAGEMENT system
Business Continuity Management
27001 awareness Training
ISO 27001:2022 What has changed.pdf
NQA ISO 27001 Implementation Guide
Business continuity & disaster recovery planning (BCP & DRP)
Iso 27001 isms presentation
Introduction to NIST’s Risk Management Framework (RMF)
ISO 27001 - Information security user awareness training presentation - part 3
Iso 27001 awareness
GRC Fundamentals
Ad

Similar to Awareness iso 22301 danang suryo (20)

PPTX
BCP awareness ISO 22301 2019 training .pptx
PPTX
ICTD Material PowerPoint Presentation Format.pptx
PPTX
awareness bcp for manufacturing industry.pptx
PDF
Bcm in oil&gas industry
PPTX
BUSINESS-CONTINUITY-AND-DISASTER-RECOVERY.pptx
PDF
Business Continuity Management System ISO 22301:2012 An Overview
PPTX
ISO 22301 Business Continuity Management System.pptx
PPTX
ISO 22301 Business Continuity Management System.pptx
PPTX
Business Continuity Management
PPT
Implementing Business Continuity With The Bs25999 Standard By Dennis
PPTX
Bussiness continuity
PDF
Business impact analysis
PDF
Cyber Security and Business Continuity an Integrated Discipline
PDF
05 integrated management system telkom 2016 penanganan bencana - tanggap da...
PDF
Article on Emergency Management and Corporate Certification
PPTX
module-3-chapter-1-Business-Continu.pptx
DOCX
Business Continuity Plan TemplateCIO Maria Sosa has asked you to p.docx
PDF
Business Continuity (ISO22301) is relevant to PCI DSS v3.2.1 【Continuous Study】
PPTX
BCMSBCMSBCMSBCMSBCMSBCMSBCMSBCMSBCMSBCMS
PPT
BCM Roadmap
BCP awareness ISO 22301 2019 training .pptx
ICTD Material PowerPoint Presentation Format.pptx
awareness bcp for manufacturing industry.pptx
Bcm in oil&gas industry
BUSINESS-CONTINUITY-AND-DISASTER-RECOVERY.pptx
Business Continuity Management System ISO 22301:2012 An Overview
ISO 22301 Business Continuity Management System.pptx
ISO 22301 Business Continuity Management System.pptx
Business Continuity Management
Implementing Business Continuity With The Bs25999 Standard By Dennis
Bussiness continuity
Business impact analysis
Cyber Security and Business Continuity an Integrated Discipline
05 integrated management system telkom 2016 penanganan bencana - tanggap da...
Article on Emergency Management and Corporate Certification
module-3-chapter-1-Business-Continu.pptx
Business Continuity Plan TemplateCIO Maria Sosa has asked you to p.docx
Business Continuity (ISO22301) is relevant to PCI DSS v3.2.1 【Continuous Study】
BCMSBCMSBCMSBCMSBCMSBCMSBCMSBCMSBCMSBCMS
BCM Roadmap
Ad

More from Danang suryo Wardhono (10)

PDF
Awareness iso 37001 danang implementation ver 2
PDF
Awareness iso 37001 2016 danang implementation
PDF
Freelance trainer auditor iso 9001 14001 45001 danang suryo wardhono
PDF
Iso prinsip qualitas management pdca new
PDF
Training iso murah 9001 ohsas 14001 22000
PPTX
Cv danang suryo_wardhono_st_mm
PDF
Standart operating procedures sop warung makan
PDF
Standart operating procedures sop warung makan
PPTX
Training usaha warung makan untuk karyawan purna
PPTX
Awareness iso 37001 danang implementation ver 2
Awareness iso 37001 2016 danang implementation
Freelance trainer auditor iso 9001 14001 45001 danang suryo wardhono
Iso prinsip qualitas management pdca new
Training iso murah 9001 ohsas 14001 22000
Cv danang suryo_wardhono_st_mm
Standart operating procedures sop warung makan
Standart operating procedures sop warung makan
Training usaha warung makan untuk karyawan purna

Recently uploaded (20)

PPTX
202450812 BayCHI UCSC-SV 20250812 v17.pptx
PPTX
Final Presentation General Medicine 03-08-2024.pptx
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
PDF
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
PDF
VCE English Exam - Section C Student Revision Booklet
PPTX
GDM (1) (1).pptx small presentation for students
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
PDF
Yogi Goddess Pres Conference Studio Updates
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
PDF
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
PPTX
Introduction-to-Literarature-and-Literary-Studies-week-Prelim-coverage.pptx
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
PDF
OBE - B.A.(HON'S) IN INTERIOR ARCHITECTURE -Ar.MOHIUDDIN.pdf
PPTX
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
PDF
O7-L3 Supply Chain Operations - ICLT Program
PPTX
Cell Types and Its function , kingdom of life
PPTX
Final Presentation General Medicine 03-08-2024.pptx
PPTX
Pharma ospi slides which help in ospi learning
202450812 BayCHI UCSC-SV 20250812 v17.pptx
Final Presentation General Medicine 03-08-2024.pptx
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
VCE English Exam - Section C Student Revision Booklet
GDM (1) (1).pptx small presentation for students
Pharmacology of Heart Failure /Pharmacotherapy of CHF
O5-L3 Freight Transport Ops (International) V1.pdf
Yogi Goddess Pres Conference Studio Updates
Module 4: Burden of Disease Tutorial Slides S2 2025
Abdominal Access Techniques with Prof. Dr. R K Mishra
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
Introduction-to-Literarature-and-Literary-Studies-week-Prelim-coverage.pptx
STATICS OF THE RIGID BODIES Hibbelers.pdf
OBE - B.A.(HON'S) IN INTERIOR ARCHITECTURE -Ar.MOHIUDDIN.pdf
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
O7-L3 Supply Chain Operations - ICLT Program
Cell Types and Its function , kingdom of life
Final Presentation General Medicine 03-08-2024.pptx
Pharma ospi slides which help in ospi learning

Awareness iso 22301 danang suryo

  • 1. Awareness ISO 22301:2019 DANANG SURYO WARDHONO | REGISTERED TRAINER/AUDITOR 081567796679/08112999715
  • 2. Introduction  Name: Danang Suryo Wardhono ST MM  Occupation:  Registered Auditor trainer ISO Series PECB , Trainer/ auditor management system for certification body LRBA previously LRQA, Mutu Certification International, Afnor Indonesia, IAPMO, TUV Rheinland, pusdiklat gadjahmada, NQA ,Sucofindo,Bina Profesi Institute, mutu institute , ITS tekno sains, WQA, ISQ, etc  LA IRCA/PECB certified ISO 9K, 14K, 18K, 22K, 22301, 27K, 37k, 45K,50k (waiting result) smk3 auditor, halal, national assessor (waiting result) BRC version 8 auditor conversion etc  Telp/WA: 081567796679, 08112999715  [email protected]
  • 4. MATERI  SCOPE and TERMS of BCMS  PURPOSE and BENEFITS OF BCMS  BCMS family of standards  Clausul ISO 22301:2019
  • 5. scope This document specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptions when they arise.
  • 6. Terms and definition business continuity, capability of an organization (3.31) to continue delivery of products and services (3.41) within acceptable time frames at predefined capacity relating to a disruption (3.12) [SOURCE: ISO 22300:2018, 3.24, modified.]. business continuity management system, BCMS, management system (3.25) for business continuity (3.3) Note 1 to entry: The management system includes organizational structure, policies, planning (3.36) activities (3.1), responsibilities, procedures (3.39), processes (3.40) and resources [SOURCE: ISO 22300:2018, 3.26, modified]
  • 7. business continuity plan documented information (3.13) that guides an organization (3.31) to respond to a disruption (3.12) and resume, recover and restore the delivery of products and services consistent with its business continuity objectives [SOURCE: ISO 22300:2018, 3.27, modified. Note 1 to entry deleted.] business impact analysis process (3.40) of analyzing the impact (3.18) of a disruption (3.12) on the organization (3.31) Note 1 to entry: The outcome is a statement and justification of business continuity (3.3) requirements (3.45). [SOURCE: ISO 22300:2018, 3.29, modified. Note 1 to entry added.]
  • 8. Incident event (3.16) that can be, or could lead to, a disruption (3.12), loss, emergency (3.15) or crisis [SOURCE: ISO 22300:2018, 3.111, modified.] Disruption incident (3.19), whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services (3.41) according to an organization’s (3.31) objectives (3.30) [SOURCE: ISO 22300:2018, 3.70, modified.]
  • 9. Crisis management holistic management (3.135) process (3.180) that identifies potential impacts (3.107) that threaten an organization (3.158) and provides a framework for building resilience (3.192), with the capability for an effective response that safeguards the interests of the organization’s key interested parties (3.124), reputation, brand and value-creating activities (3.1), as well as effectively restoring operational capabilities Note 1 to entry: Crisis management also involves the management of preparedness (3.172), mitigation (3.146) response, and continuity (3.49) or recovery (3.187) in the event of an incident (3.111), as well as management of the overall program through training (3.265), rehearsals and reviews (3.197) to ensure the preparedness, response and continuity plans stay current and up-to- date. (ISO 22300:2018)
  • 10. recovery time objective RTO period of time following an incident (3.111) within which a product or service (3.181) or an activity (3.1) is resumed, or resources (3.193) are recovered Note 1 to entry: For products, services and activities, the recovery time objective is less than the time it would take for the adverse impacts (3.107) that would arise as a result of not providing a product/service or performing an activity to become unacceptable. Source ISO 22300:2018
  • 11. recovery point objective RPO point to which information (3.116) used by an activity (3.1) is restored to enable the activity to operate on resumption Note 1 to entry: Can also be referred to as “maximum data loss”. Source ISO 22300:2018
  • 12. What is an BCMS? Business continuity is the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. Business continuity management (BCM) is the process of achieving business continuity and is about preparing an organization to deal with disruptive incidents that might otherwise prevent it from achieving its objectives. Placing BCM within the framework and disciplines of a management system creates a business continuity management system (BCMS) that enables BCM to be controlled, evaluated and continually improved. Any incident, large or small, natural, accidental or deliberate has the potential to cause major disruption to the organization’s operations and its ability to deliver products and services. However, implementing business continuity before a disruptive incident occurs, rather than waiting for this to happen will enable the organization to resume operations before unacceptable levels of impact arise.
  • 13. fundamental principles a) awareness of the need for BCMS b) assignment of responsibility for BCMS c) incorporating management commitment and the interests of stakeholders d) enhancing societal values e) risk assessments determining appropriate controls to reach acceptable levels of risk f) security incorporated as an essential element of BCMS g) active prevention and detection of Business continuity incidents h) ensuring a comprehensive approach to Business continuity management i) continual reassessment of Business continuity and making of modifications as appropriate.
  • 14. steps: 1. being clear on the organization’s key products and services and the activities that deliver them 2. knowing the priorities for resuming activities and the resources they require 3. having a clear understanding of the threats to these activities, including their dependencies, and knowing the impacts of not resuming them 4. having tried and trusted arrangements in place to resume these activities following a disruptive incident; and 5. making sure that these arrangements are routinely reviewed and updated so that they will be effective in all circumstances
  • 15. PURPOSE BCMS By focusing on the impact of disruption rather than the cause, business continuity identifies those activities on which the organization depends for its survival, and enables the organization to determine what is required to continue to meet its obligations. Through business continuity, an organization can recognize what needs to be done to protect its resources (e.g. people, premises, technology and information), supply chain, interested parties and reputation, before a disruptive incident occurs. With that recognition, the organization is able to take a realistic view on the responses that are likely to be needed as and when a disruption occurs, so that it can be confident of managing the consequences and avoid unacceptable impacts
  • 16. benefits Protects business from a range of threats Ensures business continuity Minimizes financial loss Optimizes return on investments Increases business opportunities
  • 22. BCMS FAMILY STANDART ISO 22300, Security and resilience — Vocabulary ISO/IEC 22301, Business continuity management systems — Requirements ISO/IEC 22313, Societal security — Business continuity management systems — Guidance
  • 25. Main difference to other ISO standard are 4.2.2 Legal and regulatory requirements And Clausal 8
  • 26. Clausal 8 operation 8.1 Operational planning and control 8.2 Business impact analysis and risk assessment ◦ 8.2.1 General ◦ 8.2.2 Business impact analysis ◦ 8.2.3 Risk assessment 8.3 Business continuity strategies and solutions.. ◦ 8.3.1 General ◦ 8.3.2 Identification and selection of strategies and solutions ◦ 8.3.3 Resource requirements ◦ 8.3.4 Implementation of solutions
  • 27. 8.4 Business continuity plans and procedures ◦ 8.4.1 General. ◦ 8.4.2 Response structure ◦ 8.4.3 Warning and communication ◦ 8.4.4 Business continuity plans ◦ 8.4.5 Recovery 8.5 Exercise programme
  • 28. 8.2.2 BIA, process (3.40) of analyzing the impact (3.18) of a disruption (3.12) on the organization (3.31) a) defines impact categories and criteria relevant to the organization’s context; b) uses these impact categories and criteria for measuring impact; c) identifies activities that support the provision of products and services; d) analyses the impacts over time resulting from disruption of these activities; e) identifies the time within which the impacts of not resuming activities would become unacceptable to the organization; NOTE This may be referred to as maximum tolerable period of disruption (MTPD) f) sets prioritized timeframes within the time identified in e) above for resuming disrupted activities at a specified minimum acceptable capacity; NOTE This may be referred to as recovery time objective (RTO) g) uses the business impacts to identify prioritized activities; h) determines which resources are needed to support prioritized activities; i) determines the dependencies and interdependencies of prioritized activities.
  • 30. BIA
  • 35. Self assessment BIA Is there a formal risk assessment process for analyzing the risk of disruptive incidents? Does this risk assessment method identify risk treatments appropriate to BC objectives? Is there evidence of prioritizing risk treatments with costs identified? Source BSI self assessment BIA
  • 36. 8.2.3 Risk assessment The organization shall implement and maintain a systematic risk assessment process. NOTE This process can be made in accordance with ISO 31000. The organization shall: a) identify risks of disruption to the organization's prioritized activities and to their supporting resources; b) systematically analyse risks of disruption; c) evaluate risks of disruption which require treatment
  • 40. 8.3 Business continuity strategies and solutions business continuity capability of an organization (3.158) to continue the delivery of products or services (3.181) at acceptable predefined levels following a disruption (3.70) continuity strategic and tactical capability, pre-approved by management (3.135), of an organization (3.158) to plan for and respond to conditions, situations and events (3.82) in order to continue operations at an acceptable predefined level
  • 41. Based on the outputs from the business impact analysis and risk assessment. The organization shall identify and select business continuity strategies that consider option for before, during and after disruption. 8.3.2 Identification of strategies and solution 8.3.3 Selection of strategies and solutions 8.3.3 Resource requirements 8.3.4 Implementation of solutions
  • 42. The organization shall identify and select appropriate business continuity strategies and solutions taking into consideration their associated costs for (goal for BC Strategy): a) responding to disruptions; b) continuing and recovering prioritized activities and their required resources to meet the delivery of products and services at the agreed capacity over time. For the prioritized activities, the organization shall identify and select strategies and solutions considering business continuity objectives and the amount and type of risk that the organization may or may not take that: a) reduce the likelihood of disruption; b) shorten the period of disruption; c) limit the impact of disruption on the organization's products and services
  • 46. Self assessment BC strategy Is the BC strategy based on the outputs of the BIA and risk assessment? Does the BC strategy protect prioritized activities and provide appropriate continuity and recovery of them, their dependencies and resources? Does the BC strategy provide for mitigating, responding to and managing impacts? Have prioritized time frames been set for the resumption of all activities? Have the BC capabilities of suppliers been evaluated? Have the resource requirements for the selected strategy options been determined, including people, information and data, infrastructure, facilities, consumables, IT, transport, finance and partner/supplier services? Have measures to reduce the likelihood, duration or impact of a disruption for identified risks been considered and implemented, and are these in accordance with the organization’s risk appetite?
  • 47. 8.4 Business continuity plans and procedures The organization shall implement and maintain a structure that will enable timely warning and communication to relevant interested parties. It shall provides plans and procedures to manage the organization during a disruption. The plans and procedures shall be used when required to activate business continuity solutions. The procedures shall: a) be specific regarding the immediate steps that are to be taken during a disruption; b) be flexible to respond to changing internal and external conditions of a disruption; c) focus on the impact of incidents that potentially lead to disruption; d) be effective in minimizing impact through implementation of appropriate solutions; e) assign roles and responsibilities for tasks within it.
  • 48. Self assessment BCP Have BC procedures been put in place to manage a disruptive incident, and have continuity activities based on recovery objectives been identified in the BIA? Are the business continuity procedures documented? Have internal and external communication protocols been established as part of these procedures? Source BSI self assessment ISO 22301
  • 49. 8.4.2 Response structure The organization shall implement and maintain a structure identifying one or more teams responsible for responding to disruptions For each team there shall be: a) identified personnel and their associates with the necessary responsibility, authority and competence to perform their designated role; b) documented procedures to guide their actions (see 8.4.4) including those for the activation, operation, coordination and communication of the response.
  • 50. Self assessment Incident Response Structure (IRS) Is there the management structure and trained personnel in place to respond to a disruptive incident? Does the IRS and associated procedures include thresholds, assessment, activation, resource provision and communication? Do the people in your IRS have the necessary competency to perform their duties, and have you kept records to demonstrate their competence?
  • 51. 8.4.3 Warning and communication 8.4.3.1 The organization shall document and maintain procedures for: a) communicating internally and externally to relevant interested parties, including what, when, with whom and how to communicate; NOTE The organization may document and maintain procedures for how, and under what circumstances, the organization communicates with employees and their emergency contacts. b) receiving, documenting and responding to communications from interested parties, including any national or regional risk advisory system or equivalent; c) ensuring availability of the means of communication during a disruption; d) facilitating structured communication with emergency responders; e) details of the organization's media response following an incident, including a communications strategy; f) recording details of the disruption, actions taken and decisions made The communication and warning procedures shall be exercised as part of the organization’s exercise programme referred to in 8.5.
  • 52. Self assessment Incident communications and warnings 1. Is there a procedure for detecting and monitoring incidents? 2. Is there a procedure for managing internal communications and external communications from interested parties during a disruptive incident? 3. Is there a procedure for receiving and responding to warnings from outside agencies and emergency responders? 4. Is there a structure to communicate with emergency responders and other authorities during an incident, or for responding organizations are communications interoperable with others? 5. Is there a procedure for recording vital information about the incident, actions taken and decisions made? 6. Is there a procedure for issuing alerts and warnings if appropriate? 7. Are the organization’s communication and warning systems regularly exercised, and records kept of the results?
  • 53. 8.4.4 Business continuity plans 8.4.4.1 The business continuity plans shall provide guidance and information that will assist the teams to respond to a disruption and assist the organization with response and recovery. Collectively, the business continuity plans shall contain: a) details of the actions that the teams will take in order to continue or recover prioritized activities within predetermined timeframes and to monitor the effects of the disruption and the organization’s response to it; b) reference to the pre-defined threshold and process for activating the response; c) procedures to enable the delivery of products and services at agreed capacity to interested parties; d) details to manage the immediate consequences of a disruption giving due regard to: 1) the welfare of individuals; 2) prevention of further loss or unavailability of prioritized activities; 3) protection of the environment; e) a process for standing down once the incident is over.
  • 54. Business Continuity Plan shall has 1. purpose and scope, and objectives; 2. roles, responsibilities of the team that will implement the plan; 3. actions and resources to implement the solutions; 4. supporting information needed to activate (including activation criteria), operate, coordinate and communicate the team’s actions; 5. internal and external interdependencies; 6. resource requirements; 7. reporting requirements. Each plan shall be usable and available at the time and place at which it is required
  • 55. Self assessment Business continuity response and recovery plans 1. Are there documented plans/procedures for restoring business operations after an incident? 2. Do these plans reflect the needs of those who will use them? 3. Do the plans define roles and responsibilities? 4. Do the plans define a process for activating the response? 5. Do the plans consider the management of the immediate consequences of a disruption, in particular the welfare of individuals, options for response and further loss prevention? 6. Do the plans detail how to communicate with the various interested parties during the disruption? 7. Do the plans contain details on how prioritized activities will be continued or recovered within predetermined time frames? 8. Is there a planned media response to an incident? 9. Do the plans include a procedure for standing down the response? 10. Does each plan contain the essential information to use it effectively?
  • 56. 8.4.5 Recovery The organization shall have documented processes to restore and return business activities from the temporary measures adopted to support normal business requirements during and after a disruption.
  • 57. Self assessment: Exercising and testing
    1. Have business continuity procedures been tested to ensure they are consistent with your BC objectives?
    2. Do top management “actively engage” in testing and exercising the BCMS?
    3. Are the test exercises clearly defined, consistent with the scope of the BCMS and business continuity objectives, and based on appropriate scenarios?
    4. Will the test exercises that have been conducted over time validate the whole of the organization’s business continuity arrangements?
    5. Are the test exercises designed to minimize the risk of disruption to operations?
    6. Have formal post-exercise reports been produced for the conducted tests?
    7. Are the outcomes of exercises reviewed to ensure they lead to improvement?
    8. Are test exercises undertaken at planned intervals and when significant changes occur, and is this process documented within the BCMS?
  • 58. 8.5 Exercise programme
    The organization shall implement and maintain a programme of exercising and testing to validate over time the effectiveness of its business continuity strategies and solutions. The organization shall conduct exercises and tests that:
    a) are consistent with its business continuity objectives;
    b) are based on appropriate scenarios that are well planned with clearly defined aims and objectives;
    c) develop teamwork, competence, confidence and knowledge for those who have roles to perform in relation to disruptions;
    d) taken together over time validate the whole of its business continuity strategies;
    e) produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements;
    f) are reviewed within the context of promoting continual improvement;
    g) are performed at planned intervals and when there are significant changes within the organization or the context in which it operates.
    The organization shall act on the results of its exercising and testing to implement changes and improvements.
  • 59. Short-term goals and performance objectives should be established and include the following:
    (1) Recovery of critical or time-sensitive personnel, systems, operations, records, and equipment
    (2) Agreed-upon priorities for restoration and mitigation
    (3) Length of downtime acceptable before restoration to a minimal level is required
    (4) Minimal acceptable level of resources needed to provide for the restoration of facilities, processes, programs, services, and infrastructure
  • 62. Interrelation with ISO 27001, A.17 Information security aspects of business continuity management
    A.17.1 Information security continuity
    Objective: Information security continuity shall be embedded in the organization’s business continuity management systems.
    A.17.1.1 Planning information security continuity
    Control: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
  • 63. A.17.1.2 Implementing information security continuity
    Control: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
    A.17.1.3 Verify, review and evaluate information security continuity
    Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
  • 67. ISO 22301 mandatory documents
    List of legal, regulatory and other requirements (clause 4.2.2) – lists everything you need to comply with.
    Scope of the BCMS and explanation of exclusions (clause 4.3) – defines where your BCMS will be implemented.
    Business continuity policy (clause 5.2) – defines main responsibilities and the intent of the management.
    Business continuity objectives (clause 6.2) – defines measurable objectives that are to be achieved with business continuity.
    Competencies of personnel (clause 7.2) – defines knowledge and skills needed.
    Business continuity plans and procedures (clause 8.4) – includes plans and procedures for response, communication, recovery (including disaster recovery plans), restore and return activities.
    Documented communication with interested parties (clause 8.4.3.1) – these could be emails, but also official communication from sources such as government agencies and others.
    Records of important information about the disruption, actions taken and decisions made (clause 8.4.3.1) – normally these records are kept as minutes or by filling out checklists of performed activities.
  • 68. Data and results of monitoring and measurement (clause 9.1.1) – this is the evaluation of whether your BCMS met the objectives.
    Internal audit program (clause 9.2)
    Results of internal audit (clause 9.2) – normally, this is the internal audit report.
    Results of management review (clause 9.3) – usually, this is in the form of minutes or perhaps documented decisions.
    Nature of nonconformities and actions taken (clause 10.1) – this is a description of nonconformities and their cause.
    Results of corrective actions (clause 10.1) – this is a description of what has been done to eliminate the cause of a nonconformity.
    Source: Advisera, https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
  • 69. Commonly used non-mandatory BCMS documents and records
    Procedure for identification of applicable legal and regulatory requirements (clause 4.2.2)
    Implementation plan for achieving the business continuity objectives (clause 6.2)
    Training and awareness plan (clauses 7.2 and 7.3)
    Procedure for control of documented information (clause 7.5)
    Contracts and service level agreements (SLAs) with suppliers and outsourcing partners (clause 8.1)
    Process for business impact analysis and risk assessment (clause 8.2.1)
    Results of business impact analysis (clause 8.2.2)
    Results of risk assessment (clause 8.2.3)
  • 70. Strategies and solutions for business continuity (clause 8.3.3)
    Incident scenarios (clause 8.5)
    Exercise and testing plans (clause 8.5)
    Post-exercise reports (clause 8.5)
    Results of post-incident review (clause 8.6)
    Methods for monitoring, measurement, analysis and evaluation (clause 9.1.1)
    Procedure for internal audit (clause 9.2)
    Procedure for corrective action (clause 10.1)
    Source: Advisera, https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301
  • 71. Differences between ISO 22301:2012 and ISO 22301:2019
    • The 2019 edition is significantly less detailed and prescriptive than its predecessor. However, in the process of removing the detail and providing less direction, the Standard places greater emphasis on the skills and competence of those individuals who are responsible for designing and implementing the management system processes. There are no substantial changes in the processes that make up a business continuity management system (BCMS), and the same end results are required.
    • Clause 6.1.2 now makes it clear that the risks (and opportunities) that need to be addressed relate to the effectiveness of the BCMS, as opposed to the risks of disruption, which are addressed by Clause 8.2.3. The same relationship is intended in other standards such as ISO 27001, and if you are implementing a BCMS you will need to work out how to meet the requirements of this clause.
    Source: https://www.urmconsulting.com/2019/12/10/iso-223012019-released-5-key-changes/
  • 72. • The requirements for conducting the pivotal business impact analysis (BIA) are now clearer. The relationship between unacceptable impact, maximum tolerable period of disruption and prioritized timeframes for activity resumption is defined, as well as using the BIA to identify ‘prioritized activities’. The 2012 edition required prioritized timeframes simply to consider impact. It should be noted that there is no specific requirement in the 2019 version to document the BIA process.
    • A key assurance process, evaluation of procedures, specifically requires the suitability, adequacy and effectiveness of BIAs and risk assessments to be evaluated. This was previously only an implicit requirement in the name of effectiveness, but it points to the key role played by BIAs and risk assessments.
    • The concept of minimum activity levels has shifted: from the need to identify minimum levels of products and services and minimum acceptable levels of activity, the linking of which is implicit, to the minimum acceptable capacity of resumed activities.
  • 74. NFPA 1600 2019
    Chapter 5 Planning
    5.1 Planning and Design Process
    5.2 Risk Assessment
    5.3 Business Impact Analysis (BIA)
    5.4 Resource Needs Assessment
    Chapter 6 Implementation
    6.1 Common Plan Requirements
    6.2 Prevention
    6.3 Mitigation
  • 75. 6.4 Crisis Management
    6.5 Crisis Communications and Public Information
    6.6 Warning, Notifications, and Communications
    6.7 Operational Procedures
    6.8 Incident Management
    6.9 Emergency Operations/Response Plan
    6.10 Continuity and Recovery
    6.11 Employee Assistance and Support
  • 76. Prevention strategies include the following:
    (1) Ongoing hazard identification
    (2) Threat assessment
    (3) Risk assessment
    (4) Analysis of impacts
    (5) Operational experience, including incident analysis
    (6) Information collection and analysis
    (7) Intelligence and information sharing
    (8) Regulatory requirements
  • 77. Mitigation strategies can include the following:
    (1) Use of applicable building construction standards
    (2) Hazard avoidance through appropriate land use practices
    (3) Relocation, retrofitting, or removal of structures at risk
    (4) Removal or elimination of the hazard
    (5) Reduction or limitation of the amount or size of the hazard
    (6) Segregation of the hazard from that which is to be protected
    (7) Modification of the basic characteristics of the hazard
    (8) Control of the rate of release of the hazard
  • 78. (9) Provision of protective systems or equipment for both cyber risks and physical risks
    (10) Establishment of hazard warning and communication procedures
    (11) Redundancy or diversity of essential personnel, critical systems, equipment, information, operations, or materials
    (12) Acceptance/retention/transfer of risk (insurance programs)
    (13) Protection of competitive/proprietary information
  • 79. 6.9 Emergency Operations/Response Plan
    6.9.1* Emergency operations/response plans shall define responsibilities for carrying out specific actions in an emergency.
    6.9.2* The plan shall identify actions to be taken to protect people, including people with disabilities and other access and functional needs, information, property, operations, the environment, and the entity.
    6.9.3* The plan shall identify actions for incident stabilization.
    Δ 6.9.4* The plan shall include the following:
    (1) Protective actions for life safety in accordance with 6.9.2
    (2) Warning, notifications, and communication in accordance with Section 6.6
    (3) Crisis communication and public information in accordance with Section 6.5
    (4) Resource management in accordance with 6.8.7
    (5) Donation management in accordance with 6.8.9
  • 80. NFPA 1600 2019: Continuity plans shall identify and document the following:
    (1) Stakeholders that need to be notified
    (2) Processes that must be maintained
    (3) Roles and responsibilities of the individuals implementing the continuity strategies
    (4) Procedures for activating the plan, including authority for plan activation
    (5) Critical and time-sensitive technology, application systems, and information
  • 81. (6) Security of information
    (7) Alternative work sites
    (8) Workaround procedures
    (9) Vital records
    (10) Contact lists
    (11) Required personnel
  • 82. (12) Vendors and contractors supporting continuity
    (13) Resources for continued operations
    (14) Mutual aid or partnership agreements
    (15) Activities to return critical and time-sensitive processes to the original state
    6.10.1.3 Continuity plans shall be designed to meet the RTO and RPO.
    6.10.1.4 Continuity plans shall address supply chain disruption.
  • 83. Strategies for disruption or loss of an operational site, such as the following:
    (a) Transfer of workload and staff to a surviving site
    (b) Alternate site contracted through a commercial recovery vendor
    (c) Reciprocal agreement or mutual aid agreement with a similar entity
    (d) Dedicated alternate site built by the entity to support recovery
    (e) Mobile facility — Generally, a trailer or mobile home that has been equipped to support operational recovery. These can be owned or contracted for through a vendor.
    (f) Remote access/work from home
  • 84. (g) Resources acquired at the time of disruption — This would be used for less time-sensitive operations.
    (h) Customer service or product priority — Focuses operational capacity on specific high-value customers or high-profit products or services.
    (i) Finished goods buyback
    (j) Utilized to recover already delivered inventory from other customers to meet the demands of customers who utilize “just in time.”
    (k) Relocation of staff to a surviving site that has additional capacity
    (l) Stockpile of critical equipment and inventory to be available at the time of a disaster
  • 85. Third-party (i.e., vendor provided/extended enterprise) recovery strategy options, such as the following:
    (a) Multiple sourcing — The entity buys the same or similar product or service from multiple vendors to prevent supply chain disruption should one of them experience a disruption.
    (b) Alternate sourcing — Identifying another source for a product or service should the current vendor experience a disruption.
    (c) Service level agreement — Established service level agreements with the third party, with penalties for nonperformance.
    (d) Insource (do not outsource) — Identifying internal resources that can provide the service or product.
  • 86. Technical recovery alternatives, such as the following:
    (a) Commercial vendor (hot site)
    (b) Resources acquired at time of disruption
    (c) Quick-ship equipment
    (d) Dual data center with active/active data centers — This strategy requires that the entity has access to two data center environments that are always fully operational and are either owned by the entity or leased, so that it can load balance time-sensitive applications between two geographic locations. The data that supports the applications in each center needs to be replicated to the other data center to facilitate recovery and to prevent significant data loss.
    (f) Outsourcing with a service level agreement (e.g., cloud computing) — An entity can have some or all of its technology environment hosted in the “cloud.” This would likely prevent the entity’s operations and the technology environment from being impacted by the same disruption. The requirements for recovery of the technology environment are established with the cloud vendor.
  • 87. (g) Stockpiled equipment — The entity could store the equipment needed for recovery on-site in its recovery location.
    (h) Manual workarounds or alternate systems — The entity could use manual workarounds such as a manual call log, or alternate systems such as spreadsheets instead of the general ledger system, until the technology environment is recovered.
  • 88. Backup strategies for records/record management, such as the following:
    (1) Identification of records (hard copy or electronic) vital to continue the operations of the entity
    (2) Backup of records at a frequency necessary to meet program goals and objectives
    (3) Validation of the integrity of records backup
    (4) Implementation of procedures to store, retrieve, and recover records on-site or off-site
    (5) Protection of records
    (6) Implementation of a record review process
    (7) Procedures coordinating records access
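As an added illustration (not code from the deck, NFPA or ISO), a Python check that ties the RTO/RPO requirement in 6.10.1.3 (slide 82) to the backup-integrity validation in item (3) above: it reviews a constructed backup inventory, flags backups older than their RPO, verifies each backup's SHA-256 hash, and compares the last restore exercise against the RTO. The record names, RPO/RTO targets, timestamps and restore timings are all constructed assumptions for the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample backup payloads standing in for the contents of backup media.
SAMPLE_BACKUPS = {
    "general-ledger": b"GL export: accounts 1000-9999, period 2024-05\n",
    "customer-contacts": b"contact list export, 1200 rows\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed inventory. The RPO/RTO targets and restore timings are hypothetical;
# the standard only requires that continuity plans be designed to meet RTO and RPO.
INVENTORY = [
    {"record": "general-ledger", "rpo_min": 60, "rto_min": 240,
     "backup_time": "2024-05-01T09:30:00+00:00",
     "expected_sha256": sha256_hex(SAMPLE_BACKUPS["general-ledger"]),
     "last_restore_min": 180},
    {"record": "customer-contacts", "rpo_min": 30, "rto_min": 120,
     "backup_time": "2024-05-01T07:00:00+00:00",
     "expected_sha256": "0" * 64,  # deliberately wrong: simulates a corrupted backup
     "last_restore_min": 150},
]

# Fixed "current time" so the example is reproducible offline.
SAMPLE_NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)

def check_entry(entry: dict, backups: dict, now: datetime) -> list:
    """Return the findings for one record set; an empty list means it is compliant."""
    findings = []
    age_min = int((now - datetime.fromisoformat(entry["backup_time"])).total_seconds() // 60)
    if age_min > entry["rpo_min"]:
        findings.append(f"backup age {age_min} min exceeds RPO {entry['rpo_min']} min")
    data = backups.get(entry["record"])
    if data is None:
        findings.append("no backup found")
    elif sha256_hex(data) != entry["expected_sha256"]:
        findings.append("integrity check failed: SHA-256 mismatch")
    if entry["last_restore_min"] > entry["rto_min"]:
        findings.append(f"last restore took {entry['last_restore_min']} min, RTO is {entry['rto_min']} min")
    return findings

def review_inventory(inventory: list, backups: dict, now: datetime) -> dict:
    """Map each record set to its findings, suitable for a post-exercise report."""
    return {e["record"]: check_entry(e, backups, now) for e in inventory}

if __name__ == "__main__":
    for record, findings in review_inventory(INVENTORY, SAMPLE_BACKUPS, SAMPLE_NOW).items():
        print(record, "->", "OK" if not findings else "; ".join(findings))
```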