Why should you care about ISO 22301?
(Brief) Recent history of BC standards
What are ISO Standards?
22301 Content - What's in it; what's not?
ISO Certification / 22301 Certification - Who, why, how?
Q & A
© 2015 Anzis Consulting
Would you like executives and management more involved with your BC program? Would you like them to really support it with adequate resources?
THEN YOU SHOULD CARE
Would you like to assure that regular testing, training, and updates to BC plans take place in your organization?
THEN YOU SHOULD CARE
Would you like to see BC integrated into your organization’s business processes?
THEN YOU SHOULD CARE
Would you like to easily respond to queries from customers and other business partners about your BC program in a way that assures and satisfies them?
THEN YOU SHOULD CARE
Would you like your BC program to add demonstrated value to your organization?
THEN YOU SHOULD CARE
2007 – Federal legislation established PS Prep (Private Sector Preparedness) program under Dept. of Homeland Security
2009 – DHS declared three BC programs qualify for PS Prep certification:
o British Standard BS 25999 – United Kingdom
o NFPA 1600 (National Fire Protection Association) – North America
o ANSI/ASIS SPC.1 – North America
2012 – ISO 22301:2012, "Societal Security -- Business Continuity Management Systems" and supporting guidance ISO 22313
2012 – BS 25999 withdrawn
2015 – ISO 22317, BIA Technical Specifications
ISO – International Standards Organization is a standards setting body with 163 national members out of 206 world countries, including:
• United States - ANSI
• United Kingdom - BSI
• France - AFNOR
• Australia - SA
• Botswana - BOBS
• Sri Lanka - SLSI
• Uzbekistan - UZSTANDARD
ISO 9001 "Quality Management" was first published in 1987. BC related standards include:
• ISO 27001 – Information Security
• ISO 14001 – Environmental Management
ISO standards prescribe Management Systems.
• ISO 22316 – Organizational Resilience – Principles and Guidelines
• ISO 22301 – Business Continuity Management Systems – Requirements
• ISO 22313 – Business Continuity Management Systems – Guidance
• ISO 22317 – Business Continuity Management Systems – Business Impact Analysis
• ISO 22318 – Business Continuity Management Systems – Supply Chain Continuity
• ISO 22398 – Guidelines for Exercises
Management Systems connect a discipline to organizational strategy through executive management. They are about the organization, not its programs.
They require formalized procedures including:
• Policy
• Executive support
• Formal documentation
• Training and awareness
• Regular, periodic review
• Etc.
They prescribe a continuous improvement cycle.
Plan – Do – Check – Act
The Standard specifies "what", not "how".
• Written for many audiences internationally
• Not designed to build BC competencies
The Standard does not specify strategies or the substance of the BCMS and BC Program.
• It states only that the BCMS must be appropriate to the risks and impacts identified in the RA and BIA
• Organization management determines strategy and substance
• Program specifics (methods and frequency of testing, updates, training, etc.) are also determined and regularly reviewed and improved by management
It may not be the only standard to which an organization wishes to align.
Introduction
• Clause 1: Scope
• Clause 2: Normative References
• Clause 3: Terms and Definitions
Requirements
• Clause 4: Context of the Organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operations
• Clause 9: Performance Evaluation
• Clause 10: Improvement
Would you like executives and management more involved with your BC program? Would you like them to really support it with adequate resources?
• Clause 5: LEADERSHIP
• Clause 7.1: SUPPORT – Resources
Would you like to assure that regular testing, training, and updates to BC plans take place in your organization?
• Clause 8.5: OPERATION – Exercising & Testing
• Clause 7.3: SUPPORT – Awareness
• Clause 10.2: IMPROVEMENT – Continual Improvement
Would you like to see BC integrated into your organization's business processes?
• Clause 5.2 b: LEADERSHIP – Management Commitment
Would you like to easily respond to queries from customers and other business partners about your BC program in a way that assures and satisfies them?
• ISO 22301 INTERNATIONAL CERTIFICATION
Would you like your BC program to add demonstrated value to your organization?
• BIDS, PROPOSALS, RFPs
Certification is granted by an accredited certification body following an audit using certified auditors (Veritas, Lloyds, BSI, NQA).
• Surveillance audits in years 2 and 3 audit minor non-conformities and observe changes in the organization
• Re-certification in year 4 (required every 3 years)
It may not make sense for organizations that are heavily regulated or have their own industry standard to seek 22301 certification.
• Financial institutions, health care providers, insurance companies
• Alignment can still provide benefits and add business value
An organization may wish to align to the standard but not seek certification.
• Self audit (Internal Audit), second party audit (customer, vendor, etc.)
First step: Qualified third party Gap Assessment
• Shows where you stand vis-à-vis Certification
• Recommends changes and improvements to your program
• Relatively short process
Because ISO 22301 has been adopted as an ISO international standard, conformity brings a BC program up to a credible and recognizable industry standard.
ISO standards are Management Systems, and as such are about an organization's processes, not about its programs.
A BC program gains many benefits from alignment with 22301:
• management support
• resources
• integration with the organization
• ability to recover
• added business value
• less time responding to inquiries
22301 may not be for everyone:
• Financial institutions, healthcare, insurance
• May choose alignment rather than certification
A qualified Gap Assessment may be your first step:
• Tells you where you stand vis-à-vis conformity
• Relatively short process