ARE YOU READY FOR ISO 22301
A Simple Guide
ABSTRACT: If you're thinking about implementing ISO 22301, then this guide will help you make an assessment of whether you're ready to face the challenges ahead.
MISSING THE LINQ 2016
ARE YOU READY FOR ISO 22301?
A SIMPLE GUIDE
INTRODUCTION
With Business Continuity an often overlooked aspect of Corporate IT Governance for a lot of organisations, the ISO 22301 standard forms one of the pillars on which IT Governance is supported. The standard has been designed with organisations of all sizes and types in mind and should be something worth considering; this guide will help you make an assessment of whether you are ready for ISO 22301.
By asking a few simple questions, it will enable you to make the right decision for you and your business and help you avoid making a costly mistake.
Follow the Are You Ready for ISO 22301 – A Simple Guide to learn what is required.
If you want more detailed information or help in jump-starting your accreditation process, then go to our website www.missingthelinq.com for more information or send us an email at contact@missingthelinq.com
QUESTION 1 – IS YOUR MANAGEMENT TEAM COMMITTED?
Unless you have the backing of the senior management team and/or a member of the senior management team leading the project, it will fail.
They should be the driving force behind the programme; they need to completely understand the strategic issues around the need for business continuity management and disaster recovery. If the senior management are not behind this project, there is little point in proceeding; certification will not be awarded without clear evidence of such commitment.
Management support is very important, as within the Standard it forms a critical part of the process, and having Senior Management buy-in enables the project to cut across all parts of an organisation; therefore all key leaders need to be onside.
One business working towards a common objective.
QUESTION 2 – WHAT IS THE POTENTIAL DISRUPTION?
Without some form of Business Continuity plan, what is the potential disruption to the business, what will the impacts be, and what reputational damage could result?
When considering the threats to the organisation you need to consider the interested parties affected by the BCMS. It requires you to understand the impact of risks facing the organisation and requires cross-organisational working.
A professional organisation will have a sufficient understanding of the threats to Business Continuity and will ensure that all staff understand their role in the wider environment, including the supply chain.
Everyone should be aware of how they contribute to delivering the organisation's aims.
QUESTION 3 – ARE YOU ALREADY MEETING THE REQUIREMENTS?
A well organised company, with good structure and organisation and supporting processes, and people open to change and willing to learn, may already be on the path to accreditation.
In order to understand how far your organisation is from accreditation and how much work is required to achieve it, it is worth getting hold of a copy of the step-by-step guides to implementing ISO 22301; this will give you a simple introduction to the Standard and an insight into what is required.
Furthermore, it is recommended, before committing yourself to the full project, that a gap analysis is performed. This will quickly identify gaps in your current management systems up front, before embarking on a costly project.
This can be done using the Business Continuity Management System documentation as guidance on what your core threats are, what you are doing about them, your risk assessment processes and how risks are handled, and what plans are in place to manage disruption.
QUESTION 4 – DO YOU HAVE AVAILABLE BUDGET & RESOURCES?
Fail to Plan, Plan to Fail. Of course, while it is necessary, it is not sufficient to just have a plan; having the right level of resource and budget is critical when implementing the project.
Not every organisation can afford the luxury of a dedicated Business Continuity Manager, nor does every organisation have the skills or competencies in-house to deliver the project.
Likewise, some may have implemented the ISO Standard in a previous role, or have backgrounds in creating business continuity plans and management systems.
The good news is the Standard makes it a lot easier for all types of organisations to implement, as it is more flexible and agile and designed for modern businesses, taking a collective view of risk and its management.
QUESTION 5 – WHAT ARE THE RISKS/COSTS OF NOT BEING ACCREDITED?
With risk-based thinking at the heart of the Standard, and a focus on the management of disruption and how to keep critical functions operational, it will demonstrate resilience to customers and suppliers.
ISO 22301 embraces a process approach to risk, both in terms of disruption and its management, i.e. how to keep critical functions up and running during times of crisis.
The organisation needs to understand what the core risks and threats are, how they are to be assessed and mitigated, and what plans are in place. It also needs to have all appropriate regulatory and legal requirements identified as part of the risk assessment.
Are there processes for managing an incident, and how are these invoked: who does what and when, and what testing and validation procedures are in place? What if the plan is non-conforming?
In other words: what is the realistic likelihood of a threat of a disruption occurring, what is the harm likely to result from that disruption occurring, and what is the opportunity to improve?
QUESTION 6 – WILL IT MAKE YOU A BETTER BUSINESS?
The final question you should ask yourself is: is going through all the hard work, time and effort across all parts of the organisation, implementing change and controls, going to make you a better business?
A lot of work and commitment is going to be required to implement ISO 22301; a lot of change will need to be managed across a lot of the organisation, and therefore there has to be a tangible business benefit which is measurable and quantifiable.
Acknowledging that Business Continuity is not just 'a nice thing to have', but a necessity, is important. There could be more beneficial projects to work on which will have bigger returns on investment; however, the answers to the above 5 questions will give you a good indication of where this project sits in terms of prioritisation and whether it fits in your organisation's strategy or not.
GLOSSARY OF TERMS
Risk Assessment – A risk assessment combines two techniques: a risk analysis and a risk evaluation.
Risk Analysis – Uses information to identify possible sources of risk. It uses information to identify threats or events that have a harmful or detrimental impact. It then estimates the risk by asking what is the probability of that event occurring, and what impact would it have if it occurred?
Risk Evaluation – Compares the estimated risk with a set of risk criteria. This is done to determine how significant the risk really is.
Risk Acceptance – Is part of the Risk Treatment decision-making process, meaning the risk is acceptable given that certain controls are in place or the risk has been mitigated in some other way.
Controls – In the context of business continuity management, a control is any administrative, managerial, technical, or legal method that is used to modify or manage a risk or threat of disruption. Controls can include things such as practices, processes, policies and organisation structures.
Business Continuity Management System (BCMS) – Includes all of the policies, procedures, documents, records, plans, guidelines, agreements, contracts, processes, practices, methods, activities, roles, responsibilities, relationships, tools, techniques, technologies, resources and structures that are used to implement and manage risks and threats to the business.
Missing the Linq, 9 Farncombe Lane, Oakwood, Derby DE21 2AY. Registered in England and Wales No. 9832076
WEB: www.missingthelinq.com EMAIL: [email protected]