
Towards the new ISO 22301 (BS 25999) standard on Business Continuity – Scenarios and opportunities
Massimo Cacciotti – Business Services Manager, BSI Group Italia

Agenda
BSI: Introduction
1. Why we need BCM?
2. Benefits of BCM
3. International development of BCM
4. Getting started with BCM
5. Related standards to BCM: ISO/IEC 27000 series

BSI's introduction: certification, training, software
- #1 certification body in the UK, USA and Korea
- World's #1 standards body
- 53 offices located around the world
- No owners/shareholders: all profit is reinvested into the business
- 70,000 clients in 150 countries
- 235m revenue in 2010
- 2,500 staff, 50% non-UK

BSI's introduction: what our customers say about us

Operations in 147 Countries

Global presence: 52 offices worldwide
Worldwide offices: Milano, Padova, London, Washington, Beijing, Mexico City, Singapore, New Delhi, Sao Paulo, Sydney

Our services
- Assurance Services (Assessment and Certification)
- Training
- Governance, Risk and Compliance
- Testing services
- Healthcare Services
- Advisory Services

BSI Training
We offer various types of training, including:
- Implementation training
- Auditor training
- Awareness training
Our delivery options:
- Public training courses
- In-house training courses
- e-learning courses
Customer journey: Awareness training, then Implementation training, then Auditor training
AIEA – BSI agreement

BSI Governance, Risk & Compliance (GRC): Entropy Software
A turn-key solution that provides the management system framework for fully functional, integrated and auditable management systems, including:
- Environmental Management – ISO 14001
- Health & Safety Management – OHSAS 18001
- Quality Management – ISO 9001
- Information Security Management – ISO/IEC 27001
- Supplier Compliance Management (C-TPAT & AEO)
- and other management system standards

Business Continuity Management (BCM): facts and future trends

1. Why we need BCM
Definition: "Business Continuity Management (BCM) is a framework for identifying potential threats to an organization and building organizational capability to respond to such threats, in order to safeguard the interests of key stakeholders, reputation, brand and value-adding activities." (1)
(1) Joint statement: British Standards Institution, Business Continuity Institute, Cabinet Office, Chartered Management Institute

Examples of disruption (BCM risks):
- Natural disasters
- Economic disruption and market turbulence
- Terrorism
- Physical security disruptions
- Infrastructure or IT failures
- Fraud or hacking
- New regulations
Potential consequences:
- Employee safety jeopardized
- Reduced customer confidence
- Loss of image or brand equity
- Decline in revenues
- Decline in market share

Are you prepared for disaster? CMI/BSI UK survey – March 2011
- 84% of managers realize the benefits of BCM planning
- 58% of managers report that their organization has BCM in place (significant year-on-year growth in the SMB sector)
- Only 50% of organizations with BCM test their BC plan once a year or more
- 60% of organizations with BCM provide training to relevant staff
- Only 55% of organizations ensure that their supply chain has BCM plans in place

2. BCM: the benefits and business case
- Expedites recovery after disruption
- Understand overall business exposure
- Prepared to respond should the unexpected occur
- Raises awareness in the organization
- Proxy for good overall management
- Demonstrates to customers, partners and other stakeholders that the organization takes a robust approach to risk
- Reassurance that the business can keep going

Perceived benefits of BCM

Managers’ views on BCM effectiveness

3. International development of BCM
Timeline: PAS 56 (2003) – BS 25999 (2006) – ISO 22301 (2012)
- Started as a PAS (Publicly Available Specification) by BSI (PAS 56)
- Moved to BS 25999 in 2006 and 2007, in two parts, as an "umbrella standard"
- Scheduled to move to ISO in 2012 (ISO 22301)

International usage of BS 25999
BSI:
- BSI translations into French, German and Spanish
- BS 25999 sold by BSI in over 100 countries
Other national standards bodies:
- Adoption of BS 25999 outside the UK (Brazil, Spain, etc.)
- Local translation/distribution (Japan, China, Russia, etc.)
US:
- As part of the PS-Prep program, the US Department of Homeland Security recommended three standards for BCM, including BS 25999.

The new ISO 22301
- The growing success of the BSI-developed BS 25999 has prompted ISO (the International Organization for Standardization) to begin work on publishing an ISO-recognised standard, which is expected to be released in May 2012
- BSI is well placed to assist clients in making a smooth transition to the new ISO standard in 2012 (ISO 22301)

4. Getting started with BCM: recommendations
- Senior managers must take ultimate responsibility for the quality and robustness of their organization's BCM
- Use BCM based on a common framework (such as BS 25999) as part of a wider programme, and train employees
- Develop a clearly defined approach for responding to the media; BCM is "multi-functional", not just IT
- Review which suppliers are critical to your operations and ask whether they have BCM
- Test your BCM through regular exercises

BCM standards
- Code of Practice – best practice, not auditable
- Requirements – "shall" statements, auditable

Management systems
Common components of management systems:
- Policy
- Planning
- Implementation and operation
- Performance assessment
- Improvement
- Management review

Plan – Do – Check – Act (PDCA)
Input: Business Continuity requirements
- Plan: establish the management system
- Do: implement and operate
- Check: monitor and review
- Act: maintain and improve
Output: managed Business Continuity

PLAN: Understanding the organization
- Identify critical activities
- Perform a Business Impact Analysis (BIA)
- Evaluate threats to critical activities
- Determine continuity requirements
- Determine choices

Business Continuity Policy
- Requires top management commitment and approval
- Includes the objectives of business continuity and the scope of the business continuity management system
- Must be communicated
- Must be reviewed
- Should be appropriate to the nature, scale, complexity, geography and criticality of business activities
- Should reflect culture, dependencies and operating environment

PLAN: Determine Business Continuity strategy
- Strategies are arrangements to enable an organization to recover
- Define and document the incident response structure
- Determine how to recover each critical activity
- Manage relationships

DO: Developing and implementing a BCM response
- Incident response structure and crisis management
- Incident management plan
- Business continuity plan

Sequence of events of an incident
Overall recovery objective: back to normal as quickly as possible.
Timeline after the incident:
Incident response (within minutes to hours):
- Staff and visitors accounted for
- Casualties dealt with
- Damage containment/limitation
- Damage assessment
- Invocation of the BCP
Business continuity (within minutes to days):
- Contact staff, customers, suppliers, etc.
- Recovery of critical business processes
- Rebuild lost work-in-progress
Recovery/resumption – back to normal (within weeks to months):
- Damage repair/replacement
- Relocation to a permanent place of work
- Recovery of costs from insurers

CHECK: Exercising, maintaining and reviewing BC arrangements
- Exercise programme
- Exercise arrangements
- Maintaining BC arrangements
- Reviewing BC arrangements

ACT: Embedding BCM in organizational culture
- Ensure BCM becomes part of the core values and effective management of the organization
- BCM education for all employees
- Evaluate the effectiveness of the BCM awareness delivery

SUMMARY
- Disruptions experienced by 8 out of 10 organizations: a real threat
- 8 out of 10 say the benefits and business case are strong for BCM
- Despite this, many organizations are still unprepared for BCM
- BS 25999 is the leading global standard to help implement BCM
- BCM should be reviewed with suppliers
- Media coverage included in the BCM strategy (reputational risk)
- Senior managers must take ultimate responsibility for BCM
- Many tools to assist your organization in BCM

The early adopters of BCM
Sectors: ICT; Finance; Professional Services; Manufacture; Public Services; Minerals, Energy, Utilities; Built Environment; Transport; Healthcare; Food; Aero and Defence; Facilities & Retail
The ICT and Finance sectors are the early adopters of Business Continuity Management Systems.

BSI 25999 certification clients

What is ISO 22301: Societal Security – Preparedness and Continuity Management System – Requirements

What is ISO 22301
Very similar to BS 25999-2. The key differences:
- Monitoring performance: introduces requirements for BCM/BCMS metrics, e.g. BIA update frequency, number of plans, number of exercises completed, etc.
- Operational planning and control: emphasis on operational planning and on setting controls for the BCMS
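The following Python script is an added example, not code from the slides or from BSI. It turns the PLAN steps above (BIA, continuity requirements, recovery strategy per critical activity, critical suppliers) and the CHECK/metrics points of this slide into a record check: it derives each activity's effective recovery time through its dependencies, compares it with the tolerable outage from the BIA, flags stale BIAs, unexercised plans and suppliers without BCM, and computes the BCMS metrics the slide names. The terms MTPD and RTO, the dependency model, the 12-month review interval and every activity record are assumptions or constructed data; the deck itself defines none of them.

```python
"""Added example: check BCMS records against continuity requirements and the
monitoring metrics ISO 22301 asks for. All records below are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Activity:
    """One critical activity (or critical supplier) as captured in the BIA."""
    name: str
    mtpd_hours: int                 # Maximum Tolerable Period of Disruption (assumed BIA output)
    rto_hours: int                  # Recovery Time Objective chosen in the BC strategy
    bia_reviewed: date              # when the BIA for this activity was last reviewed
    last_exercised: Optional[date]  # last exercise of its BC plan; None = never exercised
    depends_on: List[str] = field(default_factory=list)  # upstream activities/suppliers
    is_supplier: bool = False
    supplier_has_bcm: bool = False  # only meaningful when is_supplier is True


def effective_rto(name: str, activities: Dict[str, Activity],
                  _stack: Tuple[str, ...] = ()) -> int:
    """Hypothetical model: an activity is recovered only once its slowest
    dependency is, so the effective RTO is the maximum over the dependency
    tree (dependencies are assumed to recover in parallel)."""
    if name in _stack:
        raise ValueError("dependency cycle through " + name)
    act = activities[name]
    deps = [effective_rto(d, activities, _stack + (name,)) for d in act.depends_on]
    return max([act.rto_hours] + deps)


def review_bcms(activities: Dict[str, Activity], today: date,
                max_age_days: int = 365) -> List[Tuple[str, str]]:
    """Return (activity, finding) pairs for the checks the slides call for:
    the strategy meets the BIA requirement, the BIA is current, plans are
    exercised at least yearly, and critical suppliers have BCM in place."""
    findings: List[Tuple[str, str]] = []
    for act in activities.values():
        eff = effective_rto(act.name, activities)
        if eff > act.mtpd_hours:
            findings.append((act.name, "effective RTO %dh exceeds MTPD %dh" % (eff, act.mtpd_hours)))
        if (today - act.bia_reviewed).days > max_age_days:
            findings.append((act.name, "BIA not reviewed within %d days" % max_age_days))
        if act.is_supplier:
            if not act.supplier_has_bcm:
                findings.append((act.name, "critical supplier has no BCM"))
        elif act.last_exercised is None or (today - act.last_exercised).days > max_age_days:
            findings.append((act.name, "BC plan not exercised within %d days" % max_age_days))
    return findings


def bcms_metrics(activities: Dict[str, Activity], today: date,
                 max_age_days: int = 365) -> Dict[str, int]:
    """The performance metrics the slide lists: number of plans, exercises
    completed in the period, BIAs still current."""
    own = [a for a in activities.values() if not a.is_supplier]
    exercised = sum(1 for a in own
                    if a.last_exercised is not None and (today - a.last_exercised).days <= max_age_days)
    bia_current = sum(1 for a in activities.values() if (today - a.bia_reviewed).days <= max_age_days)
    return {"plans": len(own), "exercised_last_year": exercised,
            "bia_current": bia_current, "activities": len(activities)}


# Constructed sample records (not a real organization); the review date is the
# deck's event date. "payments" inherits the power supplier's 12h RTO via core-banking.
TODAY = date(2012, 5, 24)
SAMPLE: Dict[str, Activity] = {a.name: a for a in [
    Activity("payments", 8, 4, date(2011, 11, 1), date(2011, 12, 15), ["core-banking", "cloud-hosting"]),
    Activity("core-banking", 24, 6, date(2012, 1, 10), date(2012, 2, 1), ["datacentre-power"]),
    Activity("payroll", 72, 48, date(2012, 4, 1), None),
    Activity("datacentre-power", 48, 12, date(2010, 3, 1), None, is_supplier=True, supplier_has_bcm=False),
    Activity("cloud-hosting", 24, 2, date(2012, 3, 1), None, is_supplier=True, supplier_has_bcm=True),
]}

if __name__ == "__main__":
    for name, finding in review_bcms(SAMPLE, TODAY):
        print(name + ": " + finding)
    print(bcms_metrics(SAMPLE, TODAY))
```

The point the dependency walk makes is the one the slides make about suppliers: "payments" has a 4-hour RTO on paper, but because it rests on core banking, which rests on a power supplier with a 12-hour recovery, its effective recovery misses its 8-hour MTPD, and the supplier without BCM is exactly where the gap sits.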

Certified organisations – transition
- Decided by UKAS at the point of publication
- Certified organisations have 12 to 18 months to transition, although it could be up to 3 years
- Part of continuous assessment visits
- An additional visit will be necessary, depending on:
  - the differences between ISO 22301 and BS 25999-2
  - organisation size and BCMS scope

ISO/IEC 27000 series – published
- ISO/IEC 27000 – Overview and vocabulary (2009)
- ISO/IEC 27001 – Information security management systems – Requirements (2005)
- ISO/IEC 27002 – Code of practice for information security management (2005)
- ISO/IEC 27003 – ISMS implementation guidance (2010)
- ISO/IEC 27004 – Information security management – Measurement (2009)
- ISO/IEC 27005 – Information security risk management (2011)
- ISO/IEC 27006 – Guidance to certification bodies (2007)
- ISO/IEC 27007 – Guidelines for ISMS auditing (2011)
- ISO/IEC 27008 – Guidelines for auditors on information security controls (2011)
- ISO/IEC 27010 – Guidance for inter-sector and inter-organizational communications (2012)
- ISO/IEC 27011 – Guidance to telecommunications (2008)
- ISO/IEC 27031 – Guidelines for ICT readiness for business continuity (2011)
- ISO/IEC 27033-1 – Security techniques, network security (2009)

Other 27000 standards in development (expected year)
- ISO/IEC 27013 – Guidelines on the integrated implementation of ISO/IEC 27001 & ISO/IEC 20000-1 (2012)
- ISO/IEC 27014 – Governance of information security (2012)
- ISO/IEC 27015 – Information security management guidelines for financial services (2013)
- ISO/IEC 27016 – Information security management – Organizational economics (2014/15)
- ISO/IEC 27017 – Information security in cloud computing (relevant controls in 27001) (2014)
- ISO/IEC 27018 – Information security in cloud computing (relevant controls in 27001 – DP/Privacy) (2014)
- ISO/IEC 27032 – Guidelines for cyber-security (2012)
- ISO/IEC 27034 – Guidelines for application security (6-part standard) (2012)
- ISO/IEC 27036 – Information security for supplier relationships (4-part standard) (2012/13)
- ISO/IEC 27037 – Guidelines for identification, collection, acquisition and preservation of digital evidence (possibly a 4-part standard) (2013/14)
- ISO/IEC 27038 – Specification for digital redaction (2013)
- ISO/IEC 27039 – Selection, deployment and operations of intrusion detection and prevention systems (2013/14)
- ISO/IEC 27040 – Storage security (2014)

Event, 24 May 2012 – first in Italy
ISO 22301 – Business Continuity conference
When: 24 May 2012, Milan
Where: Camera di Commercio Milano – Via Meravigli 9b – Palazzo TURATI
Time: 9:15 – 17:00
Registration: Viviana Rosa – Marketing & PR Manager, viviana.rosa@bsigroup.com
