ISO 22301: Overview, certification and what to expect from your audit - BSI


ISO 22301: Overview, certification and what to expect from your audit
Suzanne Fribbins, EMEA Product Marketing Manager - Risk
Copyright 2012 BSI. All rights reserved.

Outline
- Overview of ISO 22301
- ISO 22301 – an implementation checklist
- The certification process
- Benefits of ISO 22301 certification
- Transitioning from BS 25999-2 to ISO 22301
- Potential areas of auditor focus
10/09/2012

Introducing ISO 22301
- ISO 22301 Societal Security - Business continuity management system - Requirements.
- Management system standard
- Based on global BCM consensus
- All core business continuity elements in BS 25999-2 are present in ISO 22301

Societal Security and BCM?
- ISO 22301 now comes under a wider societal security remit
- This acknowledges the important role that BCM has to play in protecting society and ensuring our ability to respond to incidents, emergencies and disasters.

Benefits of adopting a systems approach to managing BCM
- Allows organizations to benefit from global BCM best practice, regardless of whether they are planning to certify or not
- Provides a foundation and a common vocabulary for BCM best practice and guidance
- Consensus standards like ISO 22301 represent the input and recommendations of hundreds of BC professionals and industry experts
- Saves you having to reinvent the wheel

Comparing ISO 22301 and BS 25999-2
Includes all core requirements:
- The ‘Plan Do Check Act’ cycle
- Business continuity policy
- Business impact analysis
- Risk assessment and risk treatments
- Exercising
- Business continuity plans and strategy
- Internal audit
- Management review
- Nonconformity and corrective action
- Improvement actions

Key changes and aspects
Notable shifts in emphasis from BS 25999-2:2007:
- First standard written in accordance with Guide 83
- Change in the way an organization is defined
- Clearer expectations on management
- Preventive action has been replaced with “actions to address risks and opportunities” and features earlier
- ISO 22301 puts a much greater emphasis on setting the objectives, monitoring performance and metrics – aligning BC to top management strategic thinking

Key changes and aspects
- ISO 22301 requires more careful planning for and preparing the resources needed for ensuring business continuity
- Communication elements are more demanding, and a responsibility to the wider community is defined
- BIA is similar but with some changes to terminology
- There is a stronger link to the organization's approach to risk
- To reflect the societal security approach some new terminology has been introduced, see ISO 22300

New high level structure
- ISO 22301 is the first management system standard to be developed using Guide 83
- Guide 83 is for standards writers and provides a standardised text suitable for all ISO management system standards
- The intention is to standardise terminology and requirements for fundamental Management System requirements

Structure of ISO 22301:2012

Clause  Description
4.0     Is a component of Plan. It introduces requirements necessary to establish the context of the BCMS as it applies to the organization, as well as needs, requirements, and scope.
5.0     Is a component of Plan. It summarises the requirements specific to top management’s role in the BCMS, and how leadership articulates its expectations to the organization via a policy statement.
6.0     Is a component of Plan. It describes requirements as they relate to establishing strategic objectives and guiding principles for the BCMS as a whole. The content of Clause 6 differs from establishing risk treatment opportunities stemming from risk assessment, as well as business impact analysis (BIA) derived recovery objectives.

Structure of ISO 22301:2012 (continued)

Clause  Description
7.0     Is a component of Plan. It supports BCMS operations as they relate to establishing competence and communication on a recurring/as-needed basis with interested parties, while documenting, controlling, maintaining and retaining required documentation.
8.0     Is a component of Do. It defines BC requirements, determines how to address them and develops the procedures to manage a disruptive incident.
9.0     Is a component of Check. It summarises requirements necessary to measure BCM performance, BCMS compliance with the International Standard and management’s expectations, and seeks feedback from management regarding expectations.
10.0    Is a component of Act. It identifies and acts on BCMS non-conformance through corrective action.

Clause 4: Context of the organization
- Clause 4 relates to the context of the organization, which requires the organization to determine its external and internal issues
- There is now a clear requirement to consider interested parties
- This will determine its business continuity policy and objectives, and how it will consider risk and the effect of risk on its business
- There is also a requirement for a procedure to manage legal and regulatory requirements

Concept of interested parties
- ISO 22301 replaces the term ‘stakeholders’ with that of ‘interested parties’
- The ISO requires broader consideration of interested parties than BS 25999-2
- Closer alignment with organizational objectives for corporate social responsibility

Clause 5: Leadership
- Clause 5 of the standard summarizes the requirements specific to top management’s role in the BCMS
- Top management is given clearer BCM responsibilities
- The ISO outlines specific ways in which management must demonstrate its commitment to the system

Clause 6: Planning
- New section relating to the establishment of strategic objectives and guiding principles for the BCMS as a whole
- When planning the BCM, the context of the organization should be taken into account through the consideration of the risks and opportunities
- The organization's business continuity objectives must be clearly defined, with plans in place to achieve them

Clause 7: Support
Clause 7 details the support required to establish, implement and maintain an effective BCMS, including:
- Resource requirements
- Competence of people involved
- Awareness of and communication with interested parties
- Requirements for document management.

Clause 8: Operation
ISO 22301 requires that organizations plan and control the operation of their BCM requirements. Most importantly this will include:
- A methodology and documented process for conducting a business impact analysis (BIA)
- A systematic methodology and documented process for conducting risk assessments
- A methodology for selecting business continuity strategies which will protect the most important activities of the business and ensure their resumption in the event of disruption.

Clause 8: Operation (continued)
- ISO 22301 places greater emphasis on the procedure required to detect an incident, early communication thereof and the need to regularly monitor the incident
- There is also a requirement to consider how the organization will recover its activities from a temporary state back to “normal” (if appropriate)
- Exercises and tests to demonstrate the effectiveness of BCM arrangements

Clause 9: Performance evaluation
- As with all management system standards there is a need to look back at what has been achieved
- ISO 22301 also requires that this analysis is evaluated and conclusions drawn by the organization
- Greater emphasis on setting of objectives, monitoring performance and metrics
- Most organizations will already produce metrics which can be tailored to BCMS performance

Clause 9: Performance evaluation (continued)
- Internal audits and management review continue to be key methods of reviewing the performance of the BCMS and tools for its continual improvement

Clause 10: Improvement
- Nonconformities of the BCMS have to be dealt with, together with corrective actions to ensure they don’t happen again
- As with all management system standards, continual improvement is a core requirement of the standard

ISO 22301 - an implementation checklist

ISO 22301 – an implementation checklist
1. Obtain management support
2. Treat it as a project
3. BCM policy – define objectives and scope
4. Define roles and responsibilities
5. Implement mandatory procedures
6. Perform BIA and risk assessment
7. Determine the business continuity strategy

ISO 22301 – an implementation checklist (continued)
8. Develop incident management plans and business continuity plans
9. Training and awareness
10. Exercising
11. Maintaining and reviewing the BCMS
12. Internal audit
13. Management review
14. Preventative and corrective actions

Certification to ISO 22301 with BSI

The assessment cycle for ISO 22301

Benefits of certification
Certification offers many advantages, including:
- It challenges your BCM programme and organization to reach a higher level of maturity and preparedness
- Supply chain requirement
- Prequalification for tenders
- Provides a competitive advantage
- Signifies a base level of readiness and a commitment and seriousness about BCM

Transition period
May 2012 – Certification: BS 25999-2 or ISO 22301
  Organizations can choose to certify against either BS 25999-2 or ISO 22301.
November 2012 – Certification: to ISO 22301
  After November 2012, BSI will only be offering certification to ISO 22301, to ensure that BS 25999 certified clients have an adequate amount of time to complete their transition.
1 June 2014 – End of the 2 year transition period
  Organizations will need to complete their transition to the new revision by 1 June 2014. Failure to do so will result in the expiry of their certificate.

How will the transition take place for existing customers?
- Assessment to the new standard will take place during continuing assessment visits (CAVs)
- A date for their transition will be agreed with their Client Manager
- A new certificate will be issued once they have demonstrated compliance with ISO 22301
- Clients can transition ahead of their next CAV for an additional fee

Potential areas of auditor focus

Potential areas of auditor focus
1. Exercising of business continuity procedures
2. Poor scoping – key resources/activities not included
3. BIA only considers inability to deliver products and services, not stakeholders or reputational damage
4. Lack of senior management commitment and culture of ‘continual improvement’
5. Planned requirement to restore to BAU – does not cover all activities

Exercising of business continuity procedures
- Business continuity plans are useless unless you test them
- All elements of business continuity plans should be exercised on a regular basis
- Staff, vendors and stakeholders should be involved in exercises
- Keep exercises simple and realistic
- Team members need to be treated well
- Reports should be prepared post-exercise, and reviewed

Poor scoping - key resources/activities missing

Business Impact Analysis is not comprehensive enough
- BIA needs to be comprehensive enough to meet the organization’s needs while being simple enough for everyone to use
- It should not only consider the organization's inability to provide products and/or services and meet contractual agreements, but also damage to reputation and other stakeholder impacts, such as:
  - breaches of statutory duties or regulatory requirements
  - financial viability
  - deterioration of product or service quality
  - environmental damage

Lack of senior management commitment

Planned requirements to restore to BAU – does not cover all activities
- Section 8.4.5 requires that “the organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.”
- It is important that all prioritized activities are covered

Next steps?
- Buy a copy of the new ISO 22301:2012
- Consider how the changes affect your organization
- Existing customers should speak with their Client Manager to agree timing for assessment to the new standard
- New customers can call BSI and speak with an advisor on +44 (0) 845 080 9000 or visit www.bsigroup.co.uk/ISO22301

How can BSI help you?
- Consider scheduling a BSI gap analysis
- Attend one of our new suite of training courses designed to help your organization with the new revision
- The range includes introduction, transition, implementation and auditor courses
- For more information, call the BSI training team on 0845 086 9000 or visit our website

Additional guidance available
- Webinar – Transitioning from BS 25999-2 to ISO 22301 (available for download at lan/)
- Webinar – Introducing ISO 22301 (available for download 01-detailed/)
- Transition guide (available for download ition-Guide.pdf). This free guide has been designed to help you meet the requirements of the new international standard for business continuity management, ISO 22301.
- Standards, books, BCM Self-assessment Tool, public and in-house training

Questions?

Contact us
Address: BSI, 389 Chiswick High Road, London W4 4AL
Telephone: 44 (0)20 8996 .com

