ISO 22301: An Overview of BCM Implementation Process Presenter: Dejan Kosutic

ISO 22301: An Overview of
BCM Implementation Process
Presenter: Dejan Kosutic
GoToWebinar Control Panel
• Open and close your
Panel
• View, Select, and Test
your audio
• Submit text questions –
they will be addressed
throughout the session
• Raise your hand
©2014
27001Academy www.iso27001standard.com
2
Which are the mandatory steps in ISO
22301 implementation
If you’re planning to implement business
continuity…
… you need to know all the necessary
elements for successful business
continuity implementation
©2014
27001Academy www.iso27001standard.com
3
ISO 22301 is the framework that is
the easiest to adopt, and is the only
one that is truly international
©2014
27001Academy www.iso27001standard.com
4
Agenda
• ISO 22301/BS 25999 family of
standards
• 17 steps for ISO 22301 implementation
• Mandatory documents
• How get management commitment
• Biggest challenges in implementation
©2014
27001Academy www.iso27001standard.com
5
ISO 22301 & BS 25999
family of standards
• BS 25999-1:2006 – Code of practice
• BS 25999-2:2007 – Specification
• ISO 22301:2012 – Specification
• ISO 22313:2012 – Guidance
Other standards/frameworks:
• ISO 27001, A.17
• BCI – Good Practice Guidelines
• DRII – Professional Practices
©2014
27001Academy www.iso27001standard.com
6
17 implementation steps…
Management support
Identification
Your Text of
requirements
Your Text
Objectives and scope
©2014
27001Academy www.iso27001standard.com
Budget,
Project plan
List of
requirements
BCM Policy
7
17 implementation steps…
Your Text
Management framework
Risk
Your
assessment
Text
&
treatment
Define
Your RTO,
Text RPO,
resources
©2014
27001Academy www.iso27001standard.com
3 procedures
Methodology &
report
Business
Impact Analysis
8
17 implementation steps…
Your Textneeded &
Resources
how to provide them
Your Text
How to react & recover
Your Texttraining &
Implement
awareness programs
©2014
27001Academy www.iso27001standard.com
Business
continuity
strategy
Incident
response plans;
Recovery plans
Records
9
17 implementation steps…
Your Text
Documentation
maintenance
Your Text
Exercising & testing
Your Text
Learning
from
experience
©2014
27001Academy www.iso27001standard.com
Records
Reports;
Preventive and
Corrective
actions
Postincident reviews
10
17 implementation steps…
Your Text
Communication
with
interested parties
Records
Your Text
Measurement
and
evaluation
Reports;
Preventive and
Corrective
actions
Your Text
Internal audit
©2014
27001Academy www.iso27001standard.com
Report
11
17 implementation steps…
Your Text
Improvement
Your Text
Management review
©2014
27001Academy www.iso27001standard.com
Corrective
actions
Minutes of the
meeting
12
Mandatory documents…
•
•
•
•
•
•
•
•
List of regulatory and other requirements
Scope of the BCMS
Business Continuity Policy
Business continuity objectives
Evidence of personnel competences
Records of communication
Business impact analysis
Risk assessment, including risk appetite
©2014
27001Academy www.iso27001standard.com
13
… Mandatory documents
•
•
•
•
•
•
•
•
Incident response structure
Business continuity plans
Recovery procedures
Results of preventive actions
Results of monitoring and measurement
Results of internal audit
Results of management review
Results of corrective actions
©2014
27001Academy www.iso27001standard.com
14
How to sell the idea to
management?
Benefits!
Compliance
Marketing
edge
Reduce
dependence
on individuals
Prevent
large-scale
damage
©2014
27001Academy www.iso27001standard.com
15
Biggest challenges in ISO
22301 implementation
• Cost of implementation
• Top management awareness - not
investing in prevention
• Definition of the Scope/Perimeter to
assess
• Making people understand the real
purpose of implementing BCMS
• Developing and maintaining the required
documented information
©2014
27001Academy www.iso27001standard.com
16
Conclusions
Unless you have specific
requirement to implement some
other business continuity
framework, ISO 22301 is most
probably the best solution
©2014
27001Academy www.iso27001standard.com
17
Q&A
Dejan Kosutic
©2014
27001Academy www.iso27001standard.com
18
Thank you!
www.iso27001standard.com/webinars