Association of Contingency Planners Mike Anzis Anzis Consulting
Page 1: Association of Contingency Planners - acp …chapters.acp-international.com/.../ISO22301Presentation.pdf · ISO 22317:2015 Business Continuity Management Systems – Business Impact

Association of Contingency Planners

Mike Anzis Anzis Consulting

Page 2:

WHY YOU SHOULD CARE ABOUT ISO 22301

WHAT ARE ISO STANDARDS AND MANAGEMENT SYSTEMS?

RECENT HISTORY OF BC STANDARDS

22301 CONTENT - WHAT’S IN IT; WHAT’S NOT?

ISO CERTIFICATION / 22301 CERTIFICATION AND GAP ASSESSMENT

SUMMARY

Q & A

© 2016 Anzis Consulting

Page 3:

Would you like executives and management more involved with your BC program? Would you like them to really support it with adequate resources?

THEN YOU SHOULD CARE

Would you like to assure that regular testing, training, and updates to BC plans take place in your organization?

THEN YOU SHOULD CARE

Would you like to see BC integrated into your organization’s business processes?

THEN YOU SHOULD CARE

Would you like to easily respond to queries from customers and other business partners about your BC program in a way that assures and satisfies them?

THEN YOU SHOULD CARE

Would you like your BC program to add demonstrated value to your organization?

THEN YOU SHOULD CARE


Page 4:

ISO – International Standards Organization is a standards setting body with 163 national members out of 206 world countries, including:

• United States – ANSI
• United Kingdom – BSI
• France – AFNOR
• Australia – SA
• Botswana – BOBS
• Sri Lanka – SLSI
• Uzbekistan – UZSTANDARD

ISO 9001 “Quality Management” was first published in 1987. BC related certification standards include:

• ISO 27001 – Information Security
• ISO 14001 – Environmental Management

ISO standards prescribe Management Systems


Page 5:

Connect a discipline to organizational strategy through executive management. About the organization’s processes, not its programs.

Require formalized procedures including:

• Policy
• Executive support
• Formal documentation
• Training and awareness
• Regular, periodic review
• Etc.

Prescribe a continuous improvement cycle: Plan – Do – Check – Act

Page 6:

1. POLICY AND OTHER DOCUMENTATION

2. LEADERSHIP COMMITMENT

3. CONTEXT AND OBLIGATIONS

4. RESOURCES

5. COMMUNICATION

6. COMPETENCIES / TRAINING AND AWARENESS

7. PERFORMANCE EVALUATION AND INTERNAL AUDIT

8. NONCONFORMITIES AND CORRECTIVE ACTIONS

9. MANAGEMENT REVIEW

10. CONTINUOUS IMPROVEMENT


Page 7:

2007 – Federal legislation established PS Prep (Private Sector Preparedness) program under Dept. of Homeland Security

2009 – DHS declared three BC programs qualify for PS Prep certification:

o British Standard BS 25999 – United Kingdom

o NFPA 1600 (National Fire Protection Association) – North America

o ANSI/ASIS SPC.1 – North America

2012 – ISO 22301:2012, “Societal Security – Business Continuity Management Systems”, and the supporting guidelines standard ISO 22313

2012 – BS 25999 withdrawn


Page 8:

ISO 22316 – Organizational Resilience – Principles and Guidelines

ISO 22301:2012 – Business Continuity Management Systems – Requirements

ISO 22313:2012 – Business Continuity Management Systems – Guidelines

ISO 22317:2015 – Business Continuity Management Systems – Business Impact Analysis – Guidelines

ISO 22318:2015 – Business Continuity Management Systems – Supply Chain Continuity – Guidelines

ISO 22398:2013 – Guidelines for Exercises

Page 9:

Page 10:

The Standard specifies “what” not “how”.

Written for many audiences internationally

Written in easy-to-understand language (not jargon)

Not designed to build BC competencies

The Standard does not specify strategies or substance of the BCMS and BC Program

States only that the BCMS must be appropriate to the risks and impacts identified in the Risk Assessment (RA) and Business Impact Analysis (BIA). (Forces scoping)

Organization management determines strategy and substance

Program specifics (methods and frequency of testing, updates, training, etc.) are also determined, and regularly reviewed and improved, by management.


Page 11:

Introduction

• Clause 1: Scope
• Clause 2: Normative References
• Clause 3: Terms and Definitions

Requirements

• Clause 4: Context of the Organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operations
• Clause 9: Performance Evaluation
• Clause 10: Improvement

Page 12:

Page 13:

Would you like executives and management more committed to your BC program?

Would you like them to really support it with adequate resources?

Clause 5: LEADERSHIP

Would you like to assure that regular training, testing, and updates to BC plans take place in your organization?

Clause 7.3: SUPPORT – Awareness

Clause 8.5: OPERATION – Exercising & Testing

Clause 10.2: IMPROVEMENT – Continual Improvement

Would you like to see BC integrated into your organization’s business processes?

Clause 5.2 b: LEADERSHIP – Management Commitment

Would you like to easily respond to queries from customers and other business partners about your BC program in a way that assures and satisfies them?

ISO 22301 INTERNATIONAL CERTIFICATION or GAP ANALYSIS

Would you like your BC program to add demonstrated value to your organization?

RFPs, Bids, Proposals, RECOVERY


Page 14:

• Granted by an ANAB accredited certification body following an audit using certified auditors (NQA, Orion, Veritas, Lloyds, BSI, etc.)
• Surveillance audit in years 2 and 3 to audit minor non-conformities and observe changes in the organization
• Re-certification in year 4 (required every 3 years)

• It may not make sense for organizations that are heavily regulated or have their own industry standard (financial institutions, health care providers, insurance companies) to seek 22301 certification. Alignment can still provide benefits and add business value.

• An organization may wish to align to the standard but not seek certification: self audit (internal audit), second-party audit (customer, vendor, etc.), or a third-party qualified Gap Assessment


Page 15:

Where you stand vis-à-vis Certification

Can recommend remediation, changes and improvements to your program

Relatively short, inexpensive process

When remediation measures are documented, they can be used effectively to respond to outside inquiries about your BCM program.

Should be done by a qualified auditor / audit organization


Page 16:

Page 17:

Because ISO 22301 has been adopted as an ISO international standard, conformity brings a BC program up to a credible and recognizable industry standard.

ISO standards are Management Systems, and as such are about an organization’s processes, not about its programs.

A BC program gains many benefits from alignment with 22301:

• management support
• resources
• alignment with organization strategy
• less time and resource for inquiries
• external credibility
• ability to respond and recover

22301 may not be for everyone

• Financial institutions, healthcare, insurance
• May choose alignment rather than certification

A qualified Gap Assessment may be your first step.

• Tells you where you stand vis-à-vis conformity
• Relatively short process
• Can be used for outside inquiries


Page 18:

Q & A
