
The New Corporate ISO 22301 BC Standard -...

Date post: 08-Feb-2018
Upload: leduong
The New Corporate ISO 22301 BC Standard: What It Takes To Comply. Robert C. Chandler, Ph.D., Director, Nicholson School of Communication
Transcript
Page 1: The New Corporate ISO 22301 BC Standard - …go.everbridge.com/rs/everbridge/images/socialmedia_webinar_ISO... · The New Corporate ISO 22301 BC Standard: What It Takes To Comply

The New Corporate ISO 22301 BC Standard: What It Takes To Comply

Robert C. Chandler, Ph.D.
Director, Nicholson School of Communication


About Everbridge

• The Global Leader in incident notification systems

• Fast-growing global company with more than 1,500 clients in more than 100 countries

• Serve the Global 2000, healthcare systems, state and local government, federal government, military, financial services firms, and universities

• 100% focused on incident notification solutions that merge technology and expertise


Agenda

Part 1: Presentation

• The standards on which ISO 22301 is based

• What this means for your current business continuity communication plan

• How to improve your plan to withstand audit and review

Part 2: Q&A


The New Corporate ISO 22301 BC Standard: What It Takes To Comply

Dr. Robert Chandler
University of Central Florida


Do ISO standards really matter?

• Over a million organizations worldwide are independently certified, making ISO 9001 one of the most widely used management tools in the world today.

• In addition to several stakeholders’ benefits, a number of studies have identified significant financial benefits for organizations certified to ISO.

• Studies also indicate that certified organizations achieved superior return on assets compared to otherwise similar organizations without certification.


BS 25999-2 was the beginning

• In November 2006, the first draft of BS 25999 was published in the British Standards Institution, finally providing a necessary structure to processes, principles and terminology for business continuity.

• The second draft was published in November, 2007.

• Targeted stakeholder assurance of BC plans in place.

• Will be withdrawn when ISO 22301 is finalized


The standard evolves with ISO 22301

• Greater emphasis on setting the objectives, monitoring performance and metrics.

• Clearer expectations on management.

• Requires more careful planning for and preparing the resources needed for ensuring business continuity.

• An international standard appeals to top management of any organization.


The main differences between BS25999-2 and ISO 22301?

• Communication: The requirements for business continuity plans, including response procedures and recovery plans, are much more detailed too - e.g. the communication part

• Monitoring performance: Requirement for BCM/BCMS Metrics, e.g. BIA update frequency, number of plans, number of exercises completed, etc.

• Operational planning and control: Emphasis on operational planning and setting controls for the BCMS


The shift from BCMS to PCMS

• BCMS (Business Continuity Management System) vs PCMS (Preparedness and Continuity Management System)

• An emphasis on preparedness is now integrated in terminology.

• Preparedness includes:
  • Creating policies and actions.
  • Controlling and measuring an organization’s risks.
  • Monitoring and reviewing progress.
  • Implementing continual improvement based on measurement


ISO 22301 anticipated timeline

• The standard, entitled “Societal security - Business continuity management systems – Requirements” is currently on to the Final Draft International Standard (FDIS) stage.

• The draft now needs a two-thirds majority of a yes or no vote (with less than one-third of the total vote being negative) by the TC233 committee for the standard to be published.

• The earliest that the standard will be published is the end of 2011 but 2012 may be more likely.


Let’s highlight a few of the communication aspects of ISO 22301

• Section 8.5.3

• The organization shall establish, implement and maintain procedures for:

c) internal communication between the various levels and functions within the organization;

d) external communications with partner organizations and other stakeholders;

Everbridge Aware
Single-step to send to all of your internal contacts and external partners and constituents


Let’s highlight a few of the communication aspects of ISO 22301

• Section 8.5.3

• The organization shall establish, implement and maintain procedures for:

e) receiving, documenting and responding to communication from other stakeholders;

h) assuring availability of means of communication during a disruptive incident;

Everbridge Aware
Receive 2-way, real-time feedback on notifications. Bullet proof infrastructure with 99.99% availability.


Let’s highlight a few of the communication aspects of ISO 22301

• Section 8.5.3 cont’d

• The organization shall establish, implement and maintain procedures for:

i) facilitating structured communication with emergency responders;

j) assuring the interoperability of multiple responding organizations and personnel;

k) recording of vital information about the incident, actions taken and decisions made; and

Everbridge Aware
Pre-planned structured messages
Communicate across all device types
Robust real-time reporting and results


Let’s highlight a few of the communication aspects of ISO 22301

• Section 8.5.3 cont’d

• The organization shall establish, implement and maintain procedures for:

l) operations of a communications facility.

• The communication and warning system shall be regularly exercised

Everbridge Aware
ENS system is core component of every communication facility. Easy and cost-effective to test regularly.


Let’s highlight a few of the communication aspects of ISO 22301

• Section 8.5.4

• The organization shall nominate incident response personnel with the necessary responsibility, authority and competence to manage an incident.

• The organization shall establish an incident response structure that provides for personnel to:

b) trigger an appropriate response;

c) have processes and procedures for the activation, operation, coordination and communication of the incident response;

Everbridge Aware
Facilitates the response process. Easy to incorporate your communication processes into the system


Let’s highlight a few of the communication aspects of ISO 22301

• Section 8.5.4

• The organization shall nominate incident response personnel with the necessary responsibility, authority and competence to manage an incident.

• The organization shall establish an incident response structure that provides for personnel to:

d) have resources available to support the processes and procedures to manage an incident; and

e) communicate with stakeholders.

Everbridge Aware
Provides the central infrastructure to communicate with stakeholders


Here are communication tips to enhance your compliance with requirements…


Communication priorities to improve your plan and enhance compliance

1. Optimal timing

2. Message content

3. Maintain control

4. Transparency

5. Optimal delivery channels


Reaction time

Factors that affect reaction time include:

• Recognition

• Choice

• Number of stimuli

• Fatigue

• Reasoning

• Remembering

• Imagining

• Learning


Situation awareness

• Situation awareness is “knowing what is going on so you can figure out what to do”*

• To function in a crisis, people need to have answers to:

• What is happening?

• Why is it happening?

• What will happen next?

• What can I do about it?

*Wikipedia


Is your communication plan fortified?

Effective crisis communication includes just the right amount of information, but…

• What constitutes the right amount of information?

• How much information is enough?

• How much is too much?


Pitfalls to avoid in your messaging audit

1. Underloading or overloading messages

Balance ideas, information, and words in the context of a crisis.


Pitfalls to avoid in your messaging audit

2. Not testing messages

Test content, tone, and comprehension with focus groups.


Pitfalls to avoid in your messaging audit

3. Sending mixed messages

Create messages that are accurate, consistent, and reinforce each other.


Pitfalls to avoid in your messaging audit

4. Poorly-timed messages

Avoid too-early or too-late messages. Plan ahead and act quickly to communicate during the short window when people are most receptive.


Pitfalls to avoid in your messaging audit

5. Wrong delivery channels

Account for changes to common communication channels due to quarantine, illness, and other pandemic effects.


Pitfalls to avoid in your messaging audit

6. Mismatched messages

Create and send authoritative, accurate, forthright messages. Do not downplay risks or threats. Correct misinformation swiftly.


Pitfalls to avoid in your messaging audit

7. Failure to understand your audience

Understand and adapt messaging to your audience’s comprehension levels and motivations. Avoid jargon and sophisticated concepts.


Pitfalls to avoid in your messaging audit

8. Lack of transparency

Provide factual, accurate information. Remember that people have a right to know the risks and consequences.


Discussion continues…

• Twitter: @ISO22301

• LinkedIn: http://www.linkedin.com/groups/ISO22301-3931836

• Download the draft: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50038


It’s your choice!

• Your organization can choose how important it is to certify.

• Weigh the impact or advantages/disadvantages of certification on your organization.

• More research is recommended to understand the full implications of ISO 22031 in your situation.


Incident Notification

Marc Ladin
Chief Marketing Officer, Everbridge


Incident notification solutions address common communication challenges

• Communicate quickly, easily, and efficiently with large numbers of people in minutes, not hours, making sure that the lines of communication are open

• Receive feedback from your messages by using polling capabilities

• Ensure two-way communication to get feedback from message receivers

• Reduce miscommunication and control rumors with accurate, consistent messages

• Satisfy regulatory requirements with extensive and complete reporting of communication attempts and two-way acknowledgements from recipients

• Deliver refined, prepared, timed messages to each pre-designated audience group, by scenario


Key evaluation criteria for an incident notification system

• Experience and expertise

• Ease of use

• Ability to reach all contact paths, including voice, email, native SMS (over SMPP and SMTP), IM, and more

• Ease of integration


Contact information

Robert C. Chandler, Ph.D.
[email protected]

Marc Ladin
[email protected]
1.818.230.9700

Communication resources

Upcoming webinars: Business Case Demo (August 25)
www.everbridge.com/webinars

White papers, literature, case studies
www.everbridge.com/resources

Follow us:
blog.everbridge.com
twitter.com/everbridge
facebook.com/everbridgeinc
youtube.com/user/everbridge

Reminder
Everbridge Insights webinars qualify for Continuing Education Activity Points (CEAPs) for DRII certifications. Visit www.drii.org to register your credit.

Item Number (Schedule II): 26.3
Activity Group: A
1 Point for each webinar

