View
1.186
Download
7
Tags:
Embed Size (px)
Citation preview
ISO’s Newest Standard – The BIA (ISO 22317)
http://www.thebci.org/index.php/home/us-chapter-home
Introductions
2
Brian Zawada, FBCIPresident, USA Chapter of the BCIProject Team Leader – ISO 22317Director of Consulting, Avalution Consulting
www.thebci.org
Agenda
3
• BCI Overview• ISO 22317
• Background• Relationship to ISO 22301• Relationship to the BCI GPGs• BIA Process Review and Outcomes
• Questions / Discussion
www.thebci.org
BCI Overview
4
• Founded in 1994, a Member-Owned, Not-for-Profit Professional Association of Business Continuity Professionals
• A global membership and certifying organization for business continuity professionals
• Over 8,000 members in more than 120 countries working in an estimated 3,000 organizations in the public and private sectors
• We stand for excellence in the business continuity profession
• Our certified grades provide unequivocal assurance of technical and professional competency
www.thebci.org
• Provide fundamental business continuity skills and specialized business continuity training to develop individual knowledge, skills, and capabilities.
• Provide members with access to peer-based networking opportunities, enabling them to share experiences and knowledge.
• Encourage members to maintain or enhance their professional capabilities throughout their careers by updating their knowledge and skills and maintaining a record of this progress via a Continuing Professional Development program.
• Exploit all learning technologies, including online training, virtual workshops, social media and distance learning, thereby providing access to products and services to all members.
5
What are the BCI’s Objectives?
BCI Overview
www.thebci.org
• Founded in 2008, the USA arm of the BCI
• 900+ members and growing rapidly
• Our chapter’s strategic goal is to grow BCI membership in the USA by communicating and influencing the products and services offered by the BCI, and building new products/services to help USA members better achieve their professional objectives
USA Chapter Board Members:
• Brian Zawada (President)• Stacy Gardner (VP)• Eric Staffin (Treasurer)• Paul Kirvan (Secretary)• Rich Bogle• Ted Brown• John Jackson• Kathleen Lucey• Margaret Millett• Ann Pickren• Belinda Wilson• Doug Weldon• Ginnie Stouffer
6
BCI USA Chapter
www.thebci.org
1. Internationally Respected Certification2. Professional Growth3. Networking4. Content5. “Much More”
7
Why the BCI?
www.thebci.org
8
ISO 22317 – Business continuity management systems – Business impact analysis
www.thebci.org
9
• In January 2014, ISO Technical Committee 223 (now 292) began the process of developing a new “technical specification” on the topic of Business Impact Analysis (BIA)
• The new technical specification is titled ISO 22317 and it is designed to complement ISO 22301, but can also be a “stand alone” standard
• In March 2015, the ISO 22317 project team finalized the technical specification, which will be published in Q2 2015
Background
10
Background
22301
22313
22317
Requirements
Guidance
Technical Specification
The organization shall establish, implement and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services.
The business impact analysis shall include the following:a) identifying activities that support the provision of products and services;b) assessing the impacts over time of not performing these activities;c) Setting priorities timeframes for resuming these activities at a specified
minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and
d) Identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.
ISO 22301 – BIA Content
11www.thebci.org
225 versus 8570
ISO 22301 vs 22317 Content
12www.thebci.org
This Technical Specification provides guidance for an organization to establish, implement, and maintain a formal and documented business impact analysis (BIA) process. This Technical Specification does not prescribe a uniform process for performing a BIA, but will assist an organization to design a BIA process that is appropriate to its needs.
This Technical Specification is applicable to all organizations regardless of type, size, and nature of the organization, whether in the private, public, or not-for-profit sectors. The guidance can be adapted to the needs, objectives, resources, and constraints of the organization.
ISO 22317 Scope Statement
13www.thebci.org
• Scope• Normative references• Terms and definitions• Prerequisites• Performing the BIA
– Product and service prioritization– Process prioritization– Activity prioritization– Analysis and consolidation– Obtain top management endorsement of
results– After the BIA
• BIA Process Monitoring and Review• Annex A – BIA Within 22301• Annex B – Terminology Mapping• Annex C – Information Collecting
Methods• Annex D – Other uses
ISO 22317 Table of Contents
14www.thebci.org
GPG / ISO 22317 Cross-Walk
15www.thebci.org
BCI GPG 2013 ISO 22317Initial BIA Prerequisites (Clause 4)Strategic BIA Product and Service Prioritization (Clause 5.3)Tactical BIA Process Prioritization (Clause 5.4)Operational BIA Activity Prioritization (Clause 5.5)
16
The BIA process analyzes the consequences of a disruptive incident on the organization. The outcome is a statement
of justification of business continuity requirements.
Note: business continuity requirements has the same meaning as continuity and recovery priorities, objectives, and targets
ISO 22317 Preview: BIA Definition
17
• Endorsement or modification of the organization’s BC program scope• Identification of legal, regulatory, and contractual requirements (obligations) and
their effect on business continuity requirements• Evaluation of impacts on the organization over time, which serves as the
justification for business continuity requirements (time and capability)• Identification and confirmation of product/service delivery requirements
following a disruptive incident, which then sets the prioritized timeframes for activities and resources
• Identification of, and establishment of, the relationships between products/services, processes, activities, and resources
• Determination of the resources needed to perform prioritized activities (e.g. facilities; people; equipment; information, communication and technology assets; supplies; and financing)
• Understanding of the dependencies on other activities, supply chains, partners, and other interested parties
• Determination of how up to date the information needs to be
ISO 22317 Preview: BIA Outcomes
18
ISO 22317: BIA Process
Of the ISO 22301 management system processes and requirements, the ISO 22317 project team identified four necessary BIA process prerequisites:
– Context and Scope– Roles– Commitment– Resources
Prerequisites
19www.thebci.org
BIA Value Proposition:
1. ensuring the appropriate and most cost effective strategies are selected by determining the correct business continuity requirements;
2. providing evidence to management that business continuity requirements align with organizational objectives;
3. ensuring the organization meets its legal, contractual, and customer requirements during a disruptive incident;
4. identifying linkages between products and services and process, activities, and resources
• “Management should agree on the priority of products and services following a disruptive incident which may threaten the achievement of their objectives.”
• Outcomes:– Endorsement or modification of the organization’s BC program scope– Identification of legal, regulatory, and contractual requirements (obligations)– Evaluation of impacts over time as it relates to a failure to deliver products/services,
which serves as the justification for business continuity requirements– Confirmation of product and service delivery requirements (that may include time,
quality, quantity, service levels, and capability specifications) following a disruptive incident that then sets the priorities for activities and resources
– Identification of processes (that deliver the products and services)– Nomination of lead personnel to assist in identifying which processes deliver
products and services– Documentation of a list of prioritized products and services (grouped by timeframe
or customer)
Product and Service Prioritization
20www.thebci.org
21
Impact Categories Examples of Impacts
Financial Financial losses due to fines, penalties, lost profits, or diminished market share
Reputational Negative opinion or brand damage
Legal and Regulatory Litigation liability and withdrawal of license to trade
Contractual Breach of contracts or obligations between organizations
Business Objectives Failure to deliver on objectives or take advantage of opportunities
ISO 22317: Impact Category Examples
Process Prioritization
22www.thebci.org
• “A process is a set of interrelated or interacting activities which transform inputs into outputs (ISO 22300); the priority is determined by the priority of the products and services which are its output.“
• Outcomes:– Identification of the relationship between product and services, processes,
and activities– Identification of dependencies on other business processes– Evaluation of impacts over time of a process failure– Priorities of processes– Interdependency analysis of the processes that deliver products and
services to customers– Interdependency analysis of the activities that deliver processes– Documented list of prioritized processes that deliver products and services– Initial documented list of activities that deliver processes
Activity Prioritization
23www.thebci.org
• “Organizations should perform activity level prioritization to obtain a detailed understanding of day-to-day resource requirements, enabling the organization to identify the quantity and timing of resources necessary for recovery and to help confirm impact-related conclusions developed at the process level.“
• Resource-related information includes:– People/skills/roles– Facilities and equipment (including special tools, spare parts, and
consumables)– Records– Financing– Information and communications technologies (including applications, data,
telephony, and networks)– Supplies, supply chains, and partners
Activity Prioritization
24www.thebci.org
• Outcomes:– Confirmation of impacts over time, which serves as justification for
business continuity requirements (time and capability)– Resource needs to perform each prioritized activity– How up to date the information needs to be– Dependencies– Documented list of activities and their prioritized timeframes that
support processes– Documented list of resources and their prioritized timeframes that
enable activities
• Drawing conclusions that lead to business continuity requirements
Analysis and Consolidation
25www.thebci.org
Quantitative Analytic Techniques Qualitative Analytic Techniques
• Interdependency Analysis• Financial Analysis Approaches
• Common Sense and Cross Checks• Stress Testing• Review of Post-Incident Reviews and
Recommendations• Supplier-Input-Process-Output-Customer
(SIPOC)• Fishbone (Ishikawa) Diagrams
• Outcomes:– Confirmation of impacts over time– Review and confirmation of resource dependencies and requirements– Consolidation of resource requirements– Review and confirmation of the interdependencies of processes and
activities, and their relation to the delivery of products and services, that serve as the input to business continuity strategy selection
Analysis and Consolidation
26www.thebci.org
• “The organization should seek management endorsement of results, including product and service, process, activity, and resource prioritization following one or more individual BIAs“
• Outcomes:– The endorsement of the BIA results by top management should be
documented according to established document management practices
– The BIA results can then be passed to the business continuity strategy selection process
Top Management Endorsement
27www.thebci.org
• “Approved business continuity requirements enable the organization to determine and select appropriate business continuity strategies to enable an effective response and recovery from a disruptive incident.“
• Examples include:– Alternate workplace arrangements– Alternate supply chain arrangements– IT recovery options– Alternate sources of people – Alternate sources of equipment – Workarounds and alternate procedures
• Reconsideration…
After the BIA
28www.thebci.org
• Periodic basis…• A review of different components of the BIA process may be
triggered by the following considerations:– Strategic directional change– Product or service change– Regulatory change– Customer and/or contractual change– Operational change, including resources– Structural change– Following a business continuity exercise or disruptive incident
BIA Monitoring and Review
29www.thebci.org
• ISO 22317 offers flexible guidance regarding the performance of a BIA process
• Consistent with ISO 22301 and the GPGs (just with different words at times)
• Enables the identification of business continuity requirements that matter to the organization and its stakeholders
Conclusions
30www.thebci.org
Questions / Discussion
Tel: 703.637.4407 Email: [email protected]
http://www.thebci.org/index.php/home/us-chapter-home LinkedIn: BCI USA – The Business Continuity Institute US Chapter
Twitter: @BCI_US_Chapter