Date posted: 08-Mar-2018
Uploaded by: truongquynh
BS 25999 Business Continuity Management
By Mr. Chomnaphas Tangsook, Business Director, BSI Group (Thailand) Co., Ltd
BSI British Standards

Contents slide
2006 BS 25999 (Business Continuity)
1979 BS 5750 -> ISO 9001
1992 BS 7750 -> ISO 14001
1995 BS 7799 -> ISO/IEC 27001
1996 BS 8800 -> OHSAS 18001
2000 BS 8600 -> ISO 10002
2002 BS 15000 -> ISO/IEC 20000
Is your business ready to face the following situations?
It may not be from you but from your neighbors or suppliers.

BS 25999
Not just about managing the high-profile disasters but also the day-to-day business disruptions
Not an IT standard and not about Disaster Recovery
A ‘business-owned, business-driven process that establishes a fit-for-purpose strategic and operational framework’.
Defining Business Continuity Management
Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
BS 25999-2:2007, 2.4
Publication dates
• BS25999-1 Code of Practice
– December 2006
• BS25999-2 Specification
– Mid November 2007
• Certification process
– BSI develops certification process
Why was BS 25999 developed?
• Business Continuity identified as a critical issue
• Need for a best practice framework to guide business
• Need for a mechanism to demonstrate Business Continuity Management maturity
Who developed BS 25999?
Institute of Directors
Association of British Insurers
Association of Insurance & Risk Managers
Who developed BS 25999?
Association of Chief Police Officers
Chief Fire Officers’ Association (CFOA)
Society of Industrial Emergency Services
Metropolitan Police
Who developed BS 25999?
Business Continuity Institute
Institute of Emergency Management
Institute of Risk Management
Continuity Forum
[Diagram: dependency chain. Suppliers / Subcontractors / Vendors -> Your Organization -> Clients / Customers, linked through Conduit Organizations; underpinned by Infrastructure Dependence (power, telecom, etc.) and System Up Time (computing, data, networks, etc.)]
Sequence of Events of an Incident
Timeline: Incident! -> Incident Response -> Business continuity -> Recovery/resumption – back to normal
Within minutes to hours:
• Staff and visitors accounted for
• Casualties dealt with
• Damage containment/limitation
• Damage assessment
• Invocation of BCP
Within minutes to days:
• Contact staff, customers, suppliers, etc.
• Recovery of critical business processes
• Rebuild lost work-in-progress
Within weeks to months:
• Damage repair/replacement
• Relocation to permanent place of work
• Recovery of costs from insurers
Overall recovery objective: back-to-normal as quickly as possible
Business continuity lifecycle and the Plan-Do-Check-Act cycle
[Figure: PDCA model applied to the BCMS. Interested parties' business continuity requirements and expectations are the input; Plan: Establish; Do: Implement and operate; Check: Monitor and review; Act: Maintain and improve; the output is managed business continuity for interested parties, with continual improvement of the business continuity management system.]
BS 25999-2:2007 Figure 2
BCM programme management
– Scoping of BCM
– Policy agreement & sign-off
– Identification & engagement of stakeholders
– Approach agreed
– Roles & responsibilities
Understanding the organization
[Figure: flow of the business impact analysis and risk assessment steps]
– Scope, policy, stakeholders, regulatory
– Identify key products and services
– Identify activities that support key products and services
– Identify impacts from disruption to activities
– Establish MTPD for each activity
– Identify critical activities according to priority for recovery
– Identify impact of threat to critical activities
– Estimate resources required to recover each critical activity
– Set recovery time objectives for critical activities
– Determine choices for critical activities
– Define and document method for risk assessment
– Identify key products and services and critical activities which support them
– Identify the organisation's objectives, obligations, duties
– Identify supporting activities, assets and resources
– Assess impact of failure of activities, assets and resources
– Identify and evaluate threats
– Identify all interdependencies of activities
– Understand 3rd party reliances
MTPD and RTO
[Chart: service level against time, showing the normal and minimum levels of service, the MTPD and the RTO, and the incident management plan and business continuity plan phases. Outcome: OK!]
[Chart: the same service level against time layout, with MTPD, RTO, normal and minimum levels of service, incident management plan and business continuity plan. Outcome: Disaster!]
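The OK!/Disaster! charts above turn on whether recovery completes before the MTPD. The following is an added example, not part of the BSI slides, that applies that check to a constructed set of activities: it orders critical activities by MTPD and carries recovery time through the interdependencies identified in the BIA, so an activity whose own RTO looks fine is still flagged when a supporting activity recovers too late. Activity names, hours and dependencies are constructed, and the rule that the effective RTO must be strictly less than the MTPD is this example's assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Activity:
    name: str
    mtpd_hours: float                      # maximum tolerable period of disruption
    rto_hours: float                       # recovery time objective set by the BC strategy
    depends_on: list = field(default_factory=list)  # supporting activities (interdependencies)


def effective_rto(name, activities, _seen=frozenset()):
    """Time until the activity can actually resume: its own RTO or, if later,
    the effective RTO of any activity it depends on."""
    if name in _seen:
        raise ValueError(f"circular dependency involving {name}")
    a = activities[name]
    later = [effective_rto(d, activities, _seen | {name}) for d in a.depends_on]
    return max([a.rto_hours, *later])


def assess(activities):
    """Return (name, mtpd, effective_rto, status) rows, shortest MTPD first.
    Assumption: recovery must complete strictly before the MTPD, so an
    effective RTO equal to or above the MTPD is flagged as 'Disaster'."""
    rows = []
    for a in sorted(activities.values(), key=lambda x: x.mtpd_hours):
        eff = effective_rto(a.name, activities)
        status = "OK" if eff < a.mtpd_hours else "Disaster"
        rows.append((a.name, a.mtpd_hours, eff, status))
    return rows


# Constructed sample: order processing needs the ERP system, which needs the data centre.
SAMPLE = {a.name: a for a in [
    Activity("data centre", mtpd_hours=24, rto_hours=8),
    Activity("erp system", mtpd_hours=24, rto_hours=4, depends_on=["data centre"]),
    Activity("order processing", mtpd_hours=6, rto_hours=2, depends_on=["erp system"]),
    Activity("payroll", mtpd_hours=72, rto_hours=48),
]}

if __name__ == "__main__":
    for name, mtpd, eff, status in assess(SAMPLE):
        print(f"{name:18} MTPD {mtpd:>4}h  effective RTO {eff:>4}h  {status}")
```

In the sample, order processing has a 2-hour RTO of its own but cannot resume until the data centre is back after 8 hours, which exceeds its 6-hour MTPD.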
Determining BCM strategy
– Definition of incident response structure enabling an effective response & recovery
– Identification of restart timescales and service levels following a disruption
– Agreement of timescales to restore normal service levels
– Stakeholder relationship management
– Strategy may be modified as an output of management review in response to internal or external events
Developing and implementing a BCM response
– Aligned to the objectives of the organisation’s BCM strategy
– Development of plans to effectively manage a business disruption to the point it is contained
– Creation of business continuity plans designed to facilitate the resumption of critical activities
– Detailed plans covering people, communication, roles & responsibilities, locations, resources etc.
Incident Management Plan
Contents of an incident management plan include:
• Task and action lists
• Emergency contacts
• People activities
• Media response
• Stakeholder management
• Incident management location
• Contact information for emergency responders that support response strategies
Business Continuity Plan
Contents of a business continuity plan include:
• Action plans / task lists
• Resource requirements
• Responsible person(s)
• Incident log / decision record
• A plan to resume back to normal operations (business recovery plan)
Exercising, reviewing and maintaining
– Validates effectiveness of plans
– Ensures understanding of plans, roles & responsibilities
– Identifies improvement opportunities
– Maintains relevance of plans as a result of business changes
Exercising plans
• Different types of exercise
• Desk check
• Walk through
• Simulation
• Component/activity
• Full test
• Exercising supports
– awareness programme
– competency development
BS 25999-2:2007, 4.4.2
Structure of BS 25999-2
1 Scope
2 Terms and definitions
3 Planning the BCMS
• General requirements, establishing and managing, embedding BCM in the organisation’s culture, documentation and records
4 Implementing and operating the BCMS
• Understanding the organisation, determining strategy, developing and implementing a response, exercising, maintaining and reviewing
5 Monitoring and reviewing the BCMS
• Internal audit, management review
6 Maintaining and improving the BCMS
• Continual improvement, preventive and corrective actions
Implementing and operating the BCMS
4.1 Understanding the organisation
4.2 Determining business continuity strategy
4.3 Developing and implementing a BCM response
4.4 Exercising, maintaining and reviewing BCM arrangements
Maintaining and improving the BCMS
6.1 Preventive and corrective actions
6.2 Continual improvement