Writing a business continuity plan according to ISO 22301
Presenter: Dejan Kosutic
©2017 27001Academy www.advisera.com/27001academy
Elements of the business continuity plan required by ISO 22301
If you’re starting to develop the BCP…
… make sure you didn’t forget anything
BCP is used in case of a real emergency – if you want it to be useful, make sure you prepare it properly!
Agenda
• BCP in the BCM process
• Business continuity plan elements
• ISO 22301 requirements for BCP
• ISO 22301 requirements for incident response
• Main elements of recovery plans
• Specifics for disaster recovery plans
• Roles in the BCP development
• Biggest challenges with BCP
BCP in the BCM process
[Diagram: the BCM process]
• BCM Policy
• Analysis: Risk assessment, Business impact analysis
• BCM Strategy
• BC Plans
• Testing / Exercising
Business continuity plan elements
[Diagram: structure of the business continuity plan]
• Business continuity plan
  – Incident response plan
  – Recovery plans
  – Disaster recovery plan
• Incident
ISO 22301 requirements for BCP…
Plans must collectively contain:
• defined roles and responsibilities
• process for activating the response
• details to manage immediate consequences
• details on how and with whom to communicate, including media response
• how to continue or recover activities within the RTOs
• process for standing down
…ISO 22301 requirements for BCP
Additionally, each plan must define:
• purpose and scope
• objectives
• internal and external interdependencies and interactions
• resource requirements
• information flow and documentation processes
ISO 22301 requirements for incident response
• define impact thresholds for plan initiation
• assess nature, extent and impact of an incident
• define how to activate appropriate response
• define processes for handling the response
• have available resources
• communication with interested parties
Main elements of recovery plans
• Recovery time objective
• Responsibilities / authorizations
• Key tasks
• Minimum acceptable capacity
• Resources
• Who must be notified
• Contact information – all parties involved
• Recovery steps for critical activity – to be developed by each recovery team
Specifics for disaster recovery plans
• Recovery plans for IT infrastructure
• Usually the shortest RTO
• The same plan template
• Much more detailed for each IT system – appendices
• Each step in recovery is determined by RTO of other critical activities
Roles in the BCP development
• BCM Coordinator develops the plan templates
• BCM Coordinator writes/coordinates the main part of the plan
• BCM Coordinator writes/coordinates Incident response plan
• Department heads develop recovery plans and disaster recovery plans; BCM Coordinator coordinates them
• Final approval by top management
Biggest challenges with the business continuity plans
• Top management involvement and budget
• How big does a BCP need to be? What details/components should it cover?
• How to ensure a BCP can cater to most of the worst-case scenarios
• How can the BCP be automated, and what tools are available?
• Getting the BCP to the staff for education, training and exercising
Conclusion
Business continuity plans require careful preparation
If you skip some of the steps, you’ll produce plans that won’t be usable when you need them
Q & A
Dejan Kosutic
www.advisera.com/27001academy/webinars
Thank you!