BCM Legislations, Regulations, Standards And Good Practice


BCM Legislations, Regulations, Standards and Good Practice
February 2016

INTRODUCTION

The BCI is regularly asked by members and other interested parties about current legislation, regulation and standards that exist nationally and internationally for Business Continuity Management.

It is difficult to provide a definitive list because there are regular changes and amendments at a country level and often inconsistent terminology between countries, sectors and legislators.

The document that follows is the most comprehensive that it was possible to produce based upon information provided to us by our members around the world. Where we have country input we have included it alphabetically. At the start of the document we have listed current and projected international initiatives, particularly those supported by the International Standards Organization (ISO), the European Union (EU) and the Basel Committee on Banking Supervision.

Each entry is categorized into one of four headings:

LEGISLATIONS: Government laws which include aspects of Business Continuity Management by name or are sufficiently similar in nature (Disaster Recovery, Emergency Response, Crisis Management) to be treated as BCM legislation for this purpose. To be included in this category they must be legally enforceable legislation passed by a national, federal, state or provincial government, depending upon the legal structure in each particular country.

REGULATIONS: Mandatory rules or audited guidance documents from official regulatory bodies in sectors such as Financial Services, Telecommunications, Energy, Oil, Gas and Chemicals. Those which could reasonably be construed as having some implications for an organization's BCM provisions are included. General help and guidance documents are included under Good Practice.

STANDARDS: Official standards from national (and international) accredited standards bodies which relate to Business Continuity as a whole or to a specific related subset such as IT Service Continuity. The list also includes standards for different but related topics (like Information Security) when BCM is included only as a part requirement for compliance. "Standards" that are issued by 3rd parties or professional groups will only be included if they are issued by an accredited national standards body or accredited directly by a national accreditation service.

GOOD PRACTICE: Guidelines published as good (or best) practice by various authoritative bodies. These documents may form part of a wider set of advice provided by a professional body of which BCM is only a peripheral activity. Alternatively, they might be issued by a BCM professional body as general guidance either locally or internationally. They will provide no mandated rules but will be well used and accepted as credible advice by BCM professionals.

Countries for which we have no information available under any of the 4 headings will not be included. If any reader has additional information to help us fill in these gaps, then please submit details to Patrick.Alcantara@thebci.org for future amendment of the document. We normally update this at the beginning of each calendar year.

WARNING

The BCI has done its best to check the validity of these details but takes no responsibility for their accuracy and currency at any particular time or in any particular circumstances.

Some of the listed items (particularly under legislation and regulation) are only indirectly related to Business Continuity Management, and should not be interpreted as specifically designed for BCM. However they will contain sections which can be useful to a BCM practitioner, and are consequently included in this reference document.

It should also be noted that in some countries Regulatory Practices and/or ISO Standards might be incorporated into national legislation, thus giving the document additional importance in those specific countries.

BCI Editorial Team
Deborah Higgins MBCI, Head of Learning & Development
Patrick Alcantara DBCI, Senior Research Associate
Gianluca Riglietti, Research Assistant

LEGEND

The following colours are used against various entries to indicate which sectors are affected by the relevant guidance, rule or regulation. We acknowledge the efforts of the Disaster Recovery Journal in coming up with these categories.

Sector categories:
- Government & Public Agencies
- Information Distribution & Communications
- Agriculture, Food Supply & Water
- Industry - General
- Energy (including nuclear)
- Transportation & Shipping
- Public Health & Healthcare
- Banking & Finance

VERSION RECORD

File Reference   Date            Author / amend                          Description   Status
0.1              October 09      Lyndon Bird
0.2              April 2010      Jan Gilbert
0.3              June 2010       Jan Gilbert
0.4              June 2010       Jan Gilbert
0.5              August 2010     Jan Gilbert                             Updated       FINAL DRAFT
0.6              January 2011    Lyndon Bird                             Updated       ISSUE – V1
0.7              January 2012    Lyndon Bird                             Updated       ISSUE – V2
0.8              March 2013      Jan Gilbert                             Updated       ISSUE – V3
0.9              July 2013       Chris Green / Ian L                     Updated       DRAFT
1.0              January 2014    Lyndon Bird                             Authorized    ISSUE – V4
1.1              January 2015    Lyndon Bird                             Authorized    ISSUE – V5
1.2              February 2016   Patrick Alcantara (Updated);            Updated       ISSUE – V6
                                 Deborah Higgins (Authorized)

Contents

INTRODUCTION . i
WARNING . ii
LEGEND . iii
VERSION RECORD . iii
INTERNATIONAL . 1
ARGENTINA . 16
AUSTRALIA . 16
AUSTRIA . 21
BAHAMAS . 22
BARBADOS . 24
BELGIUM . 24
BRAZIL . 26
CANADA . 28
CHINA . 30
DENMARK . 31
FRANCE . 31
GERMANY . 32
HONG KONG . 36
INDIA . 39
INDONESIA . 41
ISRAEL . 41
ITALY . 42
JAPAN . 46
KAZAKHSTAN . 48
KENYA . 49
LATVIA . 49
MALAYSIA . 50
MALTA . 51
NETHERLANDS . 51
NEW ZEALAND . 52
PAKISTAN . 54
PALESTINE . 54
PERU . 55
PHILIPPINES . 55
POLAND . 57
PORTUGAL . 58
RUSSIA (Russian Federation) . 59
RWANDA . 60
SINGAPORE . 61
SOUTH AFRICA . 64
SOUTH KOREA (Republic of Korea) . 66
SRI LANKA . 67
SWEDEN . 68
SWITZERLAND . 74
THAILAND . 74
UAE . 75
UK . 76
USA . 84
Additional Resources . 108

INTERNATIONAL

Each entry below gives its TITLE, CATEGORY, AUTHORITY, SUMMARY and LINK.

TITLE: The European Programme for Critical Infrastructure Protection (EPCIP)
CATEGORY: Legislation
AUTHORITY: European Commission
SUMMARY: The European Programme for Critical Infrastructure Protection (EPCIP) has been laid out in EU Directives by the Commission (e.g. EU COM (2006) 786 final). It has proposed a list of European critical infrastructures (ECIs) based upon inputs by its Member States. Reference Memo-06-477 EN. Each designated ECI will have to have an Operator Security Plan (OSP) covering the identification of important assets, a risk analysis based on major threat scenarios and the vulnerability of each asset, and the identification, selection and prioritization of counter-measures and procedures.
LINK: http://europa.eu/legislation_summaries/justice_freedom_security/fight_against_terrorism/l33260_en.htm

TITLE: Solvency II (2009/138/EC)
CATEGORY: Legislation
AUTHORITY: European Commission
SUMMARY: Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II).
LINK: uri=CELEX:32009L0138&from=EN

TITLE: High Level Principles for Business Continuity
CATEGORY: Regulation
AUTHORITY: Basel Joint Forum: Basel Committee on Banking Supervision; International Organization of Securities Commissions (IOSCO); International Association of Insurance ts, Basel in August 2006
SUMMARY:
1. A comprehensive BCM process with responsibility by the Board of Directors and Senior Management.
2. Integration of risk of significant operational disruptions into BCM.
3. Recovery objectives that take account of their systemic relevance and the resulting risk for the financial system.
4. Definition of internal and external communication measures in the event of major business interruptions.
5. Communication concepts must cover communication with foreign supervisory authorities.
6. Testing of BCPs to evaluate their effectiveness.
7. Institutions are subject to supervision as part of the ongoing monitoring process.
LINK: http://ithandbook.ffiec.gov/media/22111/ex_basel_high_princ_bc_a.pdf

TITLE: Basel II: BASEL capital accord (April 2003) (Currently incorporated in the International Convergence of Capital Measurement and Capital Standards: A Revised Framework)
CATEGORY: Regulation
AUTHORITY: Basel Committee on Banking Supervision
SUMMARY: Addresses operational risk and defines it as "the risk of loss resulting from inadequate or failed internal processes, people & systems, or from external events."
LINK: http://www.bis.org/publ/bcbs107.htm

TITLE: Basel III (Basel 3)
CATEGORY: Regulation
AUTHORITY: Basel Committee on Banking Supervision
SUMMARY: The term is now in common usage anticipating the next revision to the Basel Accords. The Bank for International Settlements (BIS) itself began referring to this new international regulatory framework for banks as "Basel III" in September 2010.
LINK: http://www.bis.org/publ/bcbs201.pdf

TITLE: ISO TC 292
CATEGORY: Standard
AUTHORITY: Technical Committee 292 of the International Standards Organization (ISO)
SUMMARY: TC292 is responsible for a wide range of standards under the general title of Security and Resilience. Work Group 2 concentrates on BCM and Organizational Resilience.
LINK: http://www.iso.org/iso/home/standards_development/list_of_iso_technical_committees/iso_technical_committee.htm?commid=295786

TITLE: BS EN ISO 22300:2014 – Societal Security Terminology
CATEGORY: Standard
AUTHORITY: International Standards Organization (ISO)
SUMMARY: Societal Security – Vocabulary for all 223 series standards including direct BCM standards ISO 22301 and ISO 22313.
LINK: http://www.iso.org/iso/catalogue_detail.htm?csnumber=56199

TITLE: BS EN ISO 22301:2014 – Societal Security – Business Continuity Management Systems – Requirements
CATEGORY: Standard
AUTHORITY: International Standards Organization (ISO)
SUMMARY: Requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.
LINK: http://www.iso.org/iso/catalogue_detail?csnumber=50038

TITLE: BS EN ISO 22311:2014 – Societal Security – Video Surveillance – Export Interoperability
CATEGORY: Standard
AUTHORITY: International Standards Organization (ISO)
SUMMARY: Specifies a common output file format that can be extracted from the video-surveillance contents collection systems (stand-alone machines or large scale systems) by an exchangeable data storage media or through a network to allow end-users to access digital video-surveillance contents and perform their necessary processing.
LINK: http://www.iso.org/iso/catalogue_detail.htm?csnumber=53467

TITLE: ISO/TR 22312:2011 – Societal Security – Technological Capabilities
CATEGORY: Standard
AUTHORITY: International Standards Organization (ISO)
SUMMARY: An enumeration of different existing available technologies which would be relevant to standardize within the field of societal security.
LINK: http://www.iso.org/iso/catalogue_detail?csnumber=56897

TITLE: BS EN ISO 22313:2014 – Societal Security – Business Continuity Management Systems – Guidance
CATEGORY: Standard
AUTHORITY: International Standards Organization (ISO)
SUMMARY: Guidance for establishing incident response and continuity programs. This will support implementation of ISO 22301.
LINK: http://www.iso.org/iso/catalogue_detail?csnumber=50050

TITLE: BS ISO 22315:2014 – Societal Security – Mass Evacuation – Guidelines for Planning
CATEGORY: Standard
AUTHORITY: International Standards Organization (ISO)
SUMMARY: Guidelines for mass evacuation planning in terms of establishing, implementing, monitoring, evaluating, reviewing, and improving preparedness.
LINK: http://www.iso.org/iso/catalogue_detail.htm?csnumber=50052

TITLE: PD ISO/TS 22317:2015 – Societal Security – Business Continuity Management Systems – Guidelines for Business Impact Analysis (BIA)
CATEGORY: Standard
AUTHORITY: International Standards Organization (ISO)
SUMMARY: Guidance for establishing Business Impact Analysis. This will support implementation of ISO 22301.
LINK: http://www.iso.org/iso/catalogue_detail.htm?csnumber=50054

TITLE: PD ISO/TS 22318:2015 – Societal security. Business continuity management systems. Guidelines for supply chain continuity
CATEGORY: Standard
AUTHORITY: International Standards Organization (ISO)

TITLE: ISO 22320:2011 – Societal Security – Emergency Management – Requirements for Incident Response

