2012/11/18 - Information Assurance | ISACA 2013...

TÜV SÜD PSB Pte Ltd, 18 November 2012
Auditing ISO 22301 - the International Standard for your Business Continuity Management System (BCMS)

Chris Ng, Product Manager, TÜV SÜD PSB Pte Ltd
MITM, ABCP, CISM, CISA, CISSP, CTT, ISO 9000 LA, ISO 27000 LA, ISO 20000 LA, ISO 22301 LA, SS 540 LA, SS 507 LA

www.tuv-sud-psb.com


Agenda
• Corporate and Product Overview
• What is Business Continuity?
• What is BCM?
• What is BCMS & ISO 22301?
• History of the BCM standard
• Why ISO 22301 certification?
• Main components of the ISO 22301 standard (ISO 22301 framework)
• Relationship of ISO 22301 & SS 540
• Relationship of ISO 22301 & BS 25999
• The PDCA Model of ISO 22301
• ISO 22301 certification roadmap
  – Pre-requisites
  – Certification process
• Key success factors
• Conclusion


Corporate Overview


Heritage - Evolution of SISIR and PSB

• 1973: SISIR established as a Statutory Board, a national certification and testing authority
• 1 April 1996: SISIR merged with NPB and remained a Statutory Board
• 1 April 2001: Corporatised as an entity under PSB Holding
• 24 March 2006: Acquired by TÜV SÜD, becoming part of the international TÜV SÜD Group
• 1 April 2007: Renamed TÜV SÜD PSB
• A regional player offering certification services, with branch offices in Indonesia and China


Corporate Overview - TÜV SÜD
• Global headquarters in Munich, Germany
• Leading one-stop global solution provider for product quality and safety testing & inspection, engineering support, management system certification and training solutions
• Founded 140 years ago in Mannheim, Germany
• Today over 12,800 employees in over 600 locations worldwide
• Regional headquarters: Asia Pacific: Singapore; America: Danvers (Massachusetts)

Auditing Services


International Presence
• Asia: Headquarters TÜV SÜD Asia Pacific Pte. Ltd., Singapore
• Americas: Headquarters TÜV SÜD America Inc., Peabody, MA
• Europe: Headquarters TÜV SÜD AG, Munich, Germany

Europe / Africa: Austria, Belgium, Czech Republic, Denmark, France, Germany, Hungary, Italy, Netherlands, Poland, Romania, Russia, Serbia, Slovakia, Slovenia, South Africa, Spain, Switzerland, Turkey, UK
Americas: Argentina, Brazil, Canada, Chile, Mexico, USA
Asia-Pacific: Bangladesh, China, Hong Kong, India, Indonesia, Japan, Korea, Malaysia, Philippines, Qatar, Singapore, Sri Lanka, Taiwan, Thailand, UAE, Vietnam

Industry
• Industry Service: Construction engineering, Environmental technology, Systems engineering, Steam and pressure technology
• Product Service: Electrical safety testing, Environmental simulation, EMC, Mechanical safety testing

Mobility / People
• Mobility: TÜV SÜD Automotive, TÜV SÜD Rail
• People: Quality management certification, Environmental management certification, Safety management certification, Food safety


One-stop solutions in TÜV SÜD PSB
Aerospace, Automotive, Chemicals, Construction, Food, Healthcare, IT, Consumer products, Energy, Rail, Telecomms, Softlines, and more …

Product Portfolio


Auditing solutions service portfolio
• Quality: ISO 9001, ISO/TS 16949, ISO 13485, ESD 20:20, TL 9000, AS 9100
• IT: Information Security (ISO 27000), IT Service (ISO 20000), Business Continuity & Disaster Recovery (BC/DR, SS 507), Business Continuity Management (SS 540, BS 25999 & ISO 22301)
• Environmental, Health & Safety: ISO 14001, OHSAS 18001, QC 080000, Safety & Health Management System (SHMS), Safe Management of Hazardous Substances (SMHS), Carbon Footprint Certification, ISO 14064, PAS 2050, ISO 50001, CDM validation and verification of carbon dioxide (CO2) emissions
• Social compliance: SA8000
• Food safety: ISO 22000, British Retail Consortium (BRC), Hazard Analysis and Critical Control Points (HACCP), Good Manufacturing Practice (GMP)
• Specific industry: Quality Management for Bunker Supply Chain (QMBS), Quality Maritime Education and Training (QMET), CaseTrust, Good Distribution Practice for Medical Devices (GDPMDS), FSC (Forest Stewardship Council)
• Product Inspection: Product Listing (PLS), Ready Mixed Concrete Certification, Pre-shipment Inspection (PSI), Factory/Agency Inspection, Source Inspection, Suppliers’ Audit


Auditing – Certification Marks

ISO 9001, ISO 14001, ISO 27001, QMBS, QMET, ISO 20000, ISO 22000, ISO 22301, HACCP, QC 080000, OHSAS 18001, BCM, BC/DR, ESD, GDPMDS, ISO 14064, SS 506, ISO/TS 16949, ISO 13485, SA8000, EMAS, EfbV, AZWV, SCC, PAS 1037, SCP, BS 8800, ENV, Service Quality


Our Customers

Our Key Strategic Clients & Partners: MNCs, Govt, Local


Certified Clients (all schemes): Statutory Boards & GLCs
Certified Clients (all schemes): MNCs
ISO 27001 Certified Clients, by sector: Semiconductor, Banking, Government / Health, Electronics / Entertainment, IT / Security related, Telecommunication, Manufacturing, Printing, Education

SS 540 Certified Clients
Certified BCM companies are made up of Government-linked entities, MNCs and SMEs.

Why TUV SUD PSB?

• Market leader in certification industries within ASEAN
• Largest group of IT-related certified clients
• Certification Body with the largest team of IT and other scheme auditors in ASEAN
• All IT auditors are
  – armed with many years of industrial experience
  – exposed to various IT-related schemes
• Quality of audits

• Seminars participated: invited as guest speaker for several IT-related seminars in Singapore
  – AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1 - Information Security Management System Foundation – 23 Apr 2010
  – Information Systems Audit and Control Association (ISACA) – ISO 27001 Dinner talks – 19 Aug 2010
  – AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #8 - SS 540 - The Singapore Standard for Business Continuity Management (BCM) and its relationship with the ISO 27001 (ISMS) standard – 18 Feb 2011

  – AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1 - Information Security Management System Foundation – 5 Apr 2012
  – AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1 (Re-run) - Information Security Management System Foundation – 11 May 2012


ISO 22301 : 2012 BCM


Murphy’s Law

“If anything can go wrong, it will !!”


Threats & Disasters are Real!
• September 11, 2001 attacks: terrorist threats are real
  – 19 al-Qaeda terrorists hijacked four commercial passenger jet airliners.
  – The hijackers intentionally crashed two of the airliners into the Twin Towers of the World Trade Center in New York City.
  – Nearly 3,000 victims and the 19 hijackers died in the attacks.


• Severe acute respiratory syndrome (SARS) outbreak in 2003
  – The outbreak began in February 2003 when a young woman who had been infected while holidaying abroad returned to Singapore.
  – She set off a series of transmission events in Singapore that spread the SARS virus to 238 people, 33 of whom died.
  – Organization functions were jeopardized.


• H1N1 in Singapore in 2009
  – First H1N1 case reported in May 2009, when an SMU student contracted the virus while on a study trip to New York
  – Extremely contagious and spread like wildfire
  – 3 waves of imported cases into Singapore: the first from the US, the second from Australia, the third from fellow ASEAN countries, including the Philippines and Thailand
  – MOH revised the Influenza A (H1N1) alert status from Yellow to Green in July 2009
  – Company operations were affected!


What is Business Continuity?

• Capability of an organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident (the ISO 22301 definition)
• Defined as the processes, procedures, decisions and activities that ensure an organization can continue to function through an operational interruption
• In other words, it is about making proactive and reactive plans to help your organization avoid crises and disasters and to be able to return quickly to 'business as usual' should they occur


Business Continuity Management System (BCMS)
• Provides a systematic approach to ensuring business continuity
• Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve business continuity
• Encompasses organizational structure, employees, policies, planning activities, procedures, processes and resources
• Includes all the good business continuity practices


What is ISO 22301 : 2012 (BCMS)?

The ISO 22301 standard
• The formal standard against which organizations may seek independent certification of their Business Continuity Management System (BCMS)
• Provides a common basis for:
  – developing an organizational business continuity framework and standards, and adopting good and effective business continuity management practice
  – providing confidence in inter-organizational dealings


History of ISO 22301 : 2012 (BCM)


History of BCM Standard

• Singapore BCM Standard
  – SPRING’s standard on ‘Requirements for BCM’ was developed in consultation with consultants, employer groups, practitioners and organizations
  – Test-piloted with 10 organizations and launched in 2003
  – Objective: to provide a general framework and consistent process for BCM adoption and implementation
  – Non-prescriptive, applicable to all organizations regardless of size or industry sector

  – On 22 Sept 2005, the Technical Reference TR 19:2005 was launched to supersede the earlier document; the idea was to develop TR 19 into a national standard that aims to be an internationally recognized standard
  – TR 19 was later reviewed and published in 2008 as the current Singapore Standard SS 540:2008

  – Excerpt from Prof S Jayakumar, Deputy Prime Minister and Coordinating Minister for National Security, at “The National Security Dialogue with the Business Community”, 21 May 2008:
    “….The Government will continue to take the lead to encourage companies already supplying Government with essential services to be certified in TR19, or equivalent standards. Eventually, we may even make it mandatory for firms supplying essential or important services to the government to obtain TR19 or equivalent standards. I want to emphasise that in this exercise, we would be consulting the business community closely.”

• International and other BCM standards
  – At the end of 2007, BSI published BS 25999-2:2007, “Specification for Business Continuity Management", which formally specifies a set of requirements for implementing, operating and improving a BCM System (BCMS)
  – On 15 May 2012, ISO published the International Standard ISO 22301:2012, "Societal security -- Business continuity management systems -- Requirements"


Why ISO 22301(BCM)?

Why ISO 22301 certification? Benefits & Drivers
• Satisfying customers’ requirements
  – Requirements from customers to possess a Business Continuity Management system
• Provision of assurance in business continuity
  – Certification provides assurance to clients that the organization has a robust and reliable Business Continuity Management system

• Demonstration of commitment
  – Certification serves as independent evidence of the effort put into enabling the organization to provide continuity of business at all levels
  – Demonstrates the due diligence of its administrators
• Showing of compliance
  – Certification demonstrates to competent authorities that the organization has identified and addresses the legal and regulatory requirements applicable to its business continuity

• Enhancing risk management
  – Leads to a better knowledge of business processes and information systems, their weaknesses and how to protect them, thereby protecting shareholder value
  – Ensures more dependable availability of resources

• Increasing credibility and confidence
  – Partners, shareholders and customers are reassured when they see the importance the organization affords to providing continuity of business
  – Certification can help set a company apart from its competitors in the marketplace

• Helping to reduce loss
  – Helps to minimize losses related to incidents, disruptions and disasters that have a business impact on the organization’s operations
  – Protects against potential threats
• Improving business continuity awareness
  – Improves employee awareness of business continuity issues and their responsibilities within the organization
  – Prepares employees for business disruptions
  – Promotes knowledge sharing and teamwork among employees


Application of ISO 22301(BCM)

• Which organizations can go for ISO 22301 certification?
  – Any organization that needs to build its resilience and its capability to respond effectively to disruptions, emergencies and disasters affecting the continuity of its business
• Organizations certified include those in:
  – Finance, banking and insurance
  – Telecommunications, utilities
  – Contact centres
  – Retail sector
  – Manufacturing sector
  – Various service industries
  – Transportation sector
  – Government bodies


BCM Framework

ISO 22301 Framework (diagram): Clauses 4-7 (Plan), Clause 8 (Do), Clause 9 (Check), Clause 10 (Act)

The ISO 22301 Standard


ISO 22301 Framework
• ISO 22301 is organized into the following 7 key clauses, which form the framework of the BCMS:
  – Clause 4: Context of the organization (Plan)
  – Clause 5: Leadership (Plan)
  – Clause 6: Planning (Plan)
  – Clause 7: Support (Plan)
  – Clause 8: Operation (Do)
  – Clause 9: Performance evaluation (Check)
  – Clause 10: Improvement (Act)

ISO 22301 Clause 4: Context of the organization (Plan) – Summary
  – 4.1 Understanding of the organization and its context
  – 4.2 Understanding of the needs and expectations of interested parties
  – 4.3 Determining the scope of the business continuity management system
• This clause looks at the events or activities that may have an impact on the implementation of the BCMS
• It also looks into the needs of the relevant interested parties (including legal and regulatory requirements)
• It requires the organization to define the scope of its BCMS, taking its business requirements into consideration

ISO 22301 Clause 5: Leadership (Plan) – Summary
  – 5.1 Leadership and commitment
  – 5.2 Management commitment
  – 5.3 Policy
  – 5.4 Organizational roles, responsibilities and authorities
• This clause looks at top management’s commitment to the BCMS
• Management needs, among other things, to define clear BCM roles and responsibilities, endorse essential documents such as the BCM policy, and ensure clear communication to all relevant parties within the organization
• Management also needs to ensure that Management Review and Internal Audit are conducted

ISO 22301 Clause 6: Planning (Plan) – Summary
  – 6.1 Actions to address risks and opportunities
  – 6.2 Business continuity objectives and plans to achieve them
• This clause looks at the need for a robust risk management methodology and framework to identify and address risk
• It also highlights the need to establish measurable BCM objectives

ISO 22301 Clause 7: Support (Plan) – Summary
  – 7.1 Resources
  – 7.2 Competence
  – 7.3 Awareness
  – 7.4 Communication
  – 7.5 Documented information
• This clause looks at the need to identify and manage BCM resources and the training needs for BCMS implementation
• It also requires a communication process and a control system for documented information

ISO 22301 Clause 8: Operation (Do) – Summary
  – 8.1 Operational planning and control
  – 8.2 Business impact analysis (BIA) and risk assessment (RA)
  – 8.3 Business continuity strategy
  – 8.4 Establish and implement business continuity procedures
  – 8.5 Exercising and testing
• This clause looks at the processes and procedures needed to support BCMS implementation
• It focuses on the BIA, the RA and the resulting BC strategy
• It outlines the importance of establishing procedures that cater for communication, responding to incidents, and the ability to recover and resume during a disaster
• It specifies the content requirements of a Business Continuity Plan (BCP)
• It highlights the need to exercise and test the BCP

ISO 22301 Clause 9: Performance evaluation (Check) – Summary
  – 9.1 Monitoring, measurement, analysis and evaluation
  – 9.2 Internal audit
  – 9.3 Management review
• This clause specifies the monitoring and measurement requirements (in terms of metrics and targets) for the effectiveness of the BCMS implementation
• It also covers the need to conduct “Internal Audit” and “Management Review” as part of the monitoring and measurement requirements

ISO 22301 Clause 10: Improvement (Act) – Summary
  – 10.1 Nonconformity and corrective action
  – 10.2 Continual improvement
• This clause spells out the need to address all nonconformities detected during the implementation of the BCMS
• It also emphasizes the need for continual improvement


Relationship of ISO 22301 with other BCMStandards

ISO 22301 Standards
• Relationship of ISO 22301 with other BCM standards
  – Australian/New Zealand Standard - AS/NZS 5050
  – British Standards Institution (BSI) - BS 25999, Parts 1 & 2
  – Canadian Standard - CSA Z1600
  – National Institute of Standards and Technology - NIST SP 800-34
  – Singapore Standard - SS 540:2008
  – Etc.


Relationship of ISO 22301 with SS 540

ISO 22301 Standard
• Relationship to SS 540:2008 (BCM Standard) (mapping diagram): ISO 22301 clauses - Terms & definitions (C3), Context of the organization (C4), Leadership (C5), Planning (C6), Support (C7), Operation (C8), Performance evaluation (C9), Improvement (C10) - mapped against SS 540

• High-level relationship of ISO 22301 with SS 540:2008
  – ISO 22301 has a total of 55 definitions (SS 540 has 41)
    • 44 ISO 22301 definitions are new relative to SS 540
    • 2 definitions use the same term as SS 540 but with a different meaning
  – ISO 22301 is more closely aligned with ISO 9001 and BS 25999 than SS 540 is
  – Not all clauses in SS 540 can be mapped directly to ISO 22301
  – ISO 22301 elaborates in more detail on the following:
    • Management commitment (Clause 5)
    • Business continuity plan and procedures (Clause 8)
    • Documented information (Clause 7)
    • Continual improvement (Clause 10)


Relationship of ISO 22301 with BS 25999

ISO 22301 Standard
• Relationship to BS 25999 (BCM Standard) (mapping diagram): ISO 22301 clauses - Terms & definitions (C3), Context of the organization (C4), Leadership (C5), Planning (C6), Support (C7), Operation (C8), Performance evaluation (C9), Improvement (C10) - mapped against BS 25999

• High-level relationship of ISO 22301 with BS 25999
  – ISO 22301 has a total of 55 definitions (BS 25999 has 40)
    • 33 ISO 22301 definitions are new relative to BS 25999
    • 22 definitions use the same term as BS 25999, some with a different meaning
  – ISO 22301 is more closely aligned with ISO 9001 and with BS 25999
  – Not all clauses in BS 25999 can be mapped directly to ISO 22301
  – ISO 22301 elaborates in more detail on the following:
    • Management commitment (Clause 5)
    • Business continuity plan and procedures (Clause 8)
    • Documented information (Clause 7)
    • Communication and continual improvement (Clauses 7 & 10)


The PDCA Model of ISO 22301 Standard

Continual Improvement: Plan-Do-Check-Act (PDCA model, Clauses 4-10)

Input: requirements and expectations of business continuity by stakeholders and interested parties

Plan (Clauses 4-7)
1. Establish BCM framework, scope, policy, objectives, processes, procedures, RA, BIA, training, etc.
2. Establish MBCO (Minimum Business Continuity Objective), MTPD (Maximum Tolerable Period of Disruption), RTO (Recovery Time Objective), RPO (Recovery Point Objective), etc.

Do (Clause 8)
1. Implement what was planned; communicate and operate the BCM policy, BC plan, processes and procedures
2. Manage resources and documentation, and implement training programs

Check (Clause 9)
1. Monitor and review the BCMS
2. Management review
3. BCMS audit

Act (Clause 10)
1. BCMS continual improvement
2. Preventive and corrective action

Output: a managed Business Continuity Management System


The Certification Roadmap

ISO 22301 Certification Roadmap (2 phases)

Phase 1: Pre-Certification Phase
1. Gap analysis
   - Obtaining the ISO 22301 standard
   - List of identified gaps
   - Cost and schedule estimation
2. Setting up the BCM framework
   - Scope, policy, BCM framework, processes and procedures
   - Perform risk analysis and review, BIA, strategy, BC plan, tests and exercises, etc.
3. Implementation
   - Training and communication
   - Implementation of BCM policy, processes, procedures, etc.
4. Documentation
   - BCM policy, procedures, work instructions, etc.


Pre-requisites for ISO 22301 certification

• Pre-requisites
  – Develop the BCM Manual
    • Establish the BCM scope
    • Establish BCM policies, objectives, processes and procedures
  – Perform Risk Assessment and review
    • Description of the risk assessment methodology
    • Risk assessment report
    • Risk treatment plan
  – Perform Business Impact Analysis (BIA)
    • Establish MTPD, RTO, RPO, etc.

  – Selection of recovery strategy
    • Alternate site
    • Reciprocal arrangement
    • Rebuild from disaster, etc.
  – Reviewed and approved by Management / Steering Committee
  – Perform Internal Audit
    • Internal audit procedure
    • Audit criteria
    • Audit scope
    • Audit frequency
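The BIA figures (MTPD, RTO, RPO) and the recovery strategy chosen for each activity are reviewed together at the Stage 2 assessment, and the common nonconformity is that they do not agree with each other. The following Python is an illustration added for this page, not code from the deck, from TÜV SÜD or from the standard: it runs the consistency checks an auditor asks about over a small BIA register. The `Activity` fields, the `check_bia` function and the activities and hour figures in `SAMPLE_REGISTER` are assumptions constructed for the example. It goes slightly beyond the slides in also checking dependency ordering (an activity cannot have a shorter RTO than a resource it depends on), which the BIA records as dependencies.

```python
"""Consistency checks over a BIA register and the recovery strategies chosen for it.

Illustrative code added for this page; it is not part of the deck or of ISO 22301.
All time figures are in hours. The sample register below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Activity:
    name: str
    mtpd_h: float                 # Maximum Tolerable Period of Disruption
    rto_h: float                  # Recovery Time Objective
    rpo_h: float                  # Recovery Point Objective (tolerable data loss)
    strategy: str                 # alternate site / reciprocal arrangement / rebuild
    achievable_rto_h: float       # recovery time the chosen strategy can actually deliver
    backup_interval_h: Optional[float] = None   # None: activity holds no data to restore
    depends_on: List[str] = field(default_factory=list)  # upstream activities/resources


def check_bia(activities: List[Activity]) -> Dict[str, List[str]]:
    """Return {activity name: [finding, ...]} for every activity whose BIA figures,
    chosen strategy or dependencies are mutually inconsistent."""
    by_name = {a.name: a for a in activities}
    findings: Dict[str, List[str]] = {}

    for a in activities:
        issues: List[str] = []
        # The activity must be recovered before the disruption becomes intolerable.
        if a.rto_h > a.mtpd_h:
            issues.append(f"RTO {a.rto_h}h exceeds MTPD {a.mtpd_h}h")
        # The strategy must be able to meet the RTO, not merely be 'selected'.
        if a.achievable_rto_h > a.rto_h:
            issues.append(
                f"strategy '{a.strategy}' delivers {a.achievable_rto_h}h, RTO is {a.rto_h}h")
        # Worst-case data loss is one backup interval; it must fit inside the RPO.
        if a.backup_interval_h is not None and a.backup_interval_h > a.rpo_h:
            issues.append(f"backup interval {a.backup_interval_h}h exceeds RPO {a.rpo_h}h")
        # An activity cannot be back sooner than something it depends on.
        for dep in a.depends_on:
            upstream = by_name.get(dep)
            if upstream is None:
                issues.append(f"depends on '{dep}', which has no BIA entry")
            elif upstream.rto_h > a.rto_h:
                issues.append(
                    f"RTO {a.rto_h}h is shorter than dependency '{dep}' RTO {upstream.rto_h}h")
        if issues:
            findings[a.name] = issues
    return findings


# Constructed sample register (hypothetical activities and figures).
SAMPLE_REGISTER = [
    Activity("Core network", mtpd_h=8, rto_h=4, rpo_h=0, strategy="alternate site",
             achievable_rto_h=2),
    Activity("Payment processing", mtpd_h=4, rto_h=2, rpo_h=0.25, strategy="alternate site",
             achievable_rto_h=1, backup_interval_h=0.1, depends_on=["Core network"]),
    Activity("Payroll", mtpd_h=72, rto_h=96, rpo_h=24, strategy="rebuild from disaster",
             achievable_rto_h=120, backup_interval_h=24, depends_on=["Core network"]),
    Activity("Customer portal", mtpd_h=24, rto_h=12, rpo_h=1, strategy="reciprocal arrangement",
             achievable_rto_h=8, backup_interval_h=6,
             depends_on=["Core network", "Identity service"]),
]


if __name__ == "__main__":
    for name, issues in check_bia(SAMPLE_REGISTER).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

On the constructed register only "Core network" passes: payroll's RTO sits beyond its MTPD and its rebuild strategy cannot meet even that RTO, the customer portal's backup schedule cannot honour its RPO and it depends on a service the BIA never assessed, and payment processing promises a 2-hour recovery on top of a network that takes 4 hours to restore. Each of these is exactly the kind of gap the Stage 1 document review or Stage 2 assessment would raise as a nonconformity.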

  – Continual improvement
    • Corrective actions procedure
    • Preventive actions procedure
  – Conduct Management Review
  – Establish control of documents/records procedures
    • Control of documents procedure
    • Control of records procedure

ISO 22301 Certification Roadmap (con’t)

Phase 2: Certification Phase
5. Application for ISO 22301 certification
6. Document (Manual) assessment (Stage 1)
7. Preliminary assessment (Stage 1)
   - Records demonstrating BCMS implementation
8. Certification assessment (Stage 2)
   - Assessment report and Corrective Actions (CA)
9. Awarding of certificate


ISO 22301 Certification Process

1. Application
2. Documentation Assessment (Stage 1)
3. Preliminary Assessment (Stage 1)
4. Certification Assessment (Stage 2)
5. Award of Certificate (valid for 3 yrs)
6. Post-Award Routine Surveillance
7. Renewal of Certificate (on the 3rd yr)


Key Success Factors


Successful ISO 22301 implementation

• Key Success Factors:
  – Management Commitment
  – Cross-functional forum / committee
  – Understanding stakeholders’ business requirements in relation to Business Continuity
  – Effective Risk Management Process


Successful ISO 22301 implementation (con’t)

• Key Success Factors:
  – Training & Awareness
  – Proactive & Continual Improvement
    • Internal audit & management review
    • Identify and act on security / business continuity weaknesses
    • Learn from tests & exercises and establish relevant preventive action


Common FAQs


Common FAQs

• Q1: How much does a certification audit cost, and how long does it take to complete?
  – The cost and the time taken depend on the following factors:
    • Scope of services
    • Staff strength in supporting the services
    • Number of remote sites (if any)
    • Complexity of logistics arrangement
    • Complexity of organization and processes
    • Nature & sensitivity of businesses
    • Language barrier (requires a local interpreter if English is not the medium used for the audit)


Common FAQs (con’t)

• Q2: How many months of data must I accumulate before applying for certification?
  – Typically, a minimum of 3 months of data and/or implementation records will be required in order for a meaningful audit to be carried out.


Common FAQs (con’t)

• Q3: What are the different kinds of assessment findings?
  Stage 1 Certification:
  – Area of Concern (AOC)
    • Represents a non-conformance in the implementation of the ISMS/BCMS requirements. The organization will be given one month to resolve any AOC issues.


Common FAQs (con’t)

• Q3: What are the different kinds of assessment findings? (con’t)
  Stage 2 Certification / Continuing / Renewal:
  – Category 1 (Major finding)
    • Represents a breakdown in the QMS/ISMS/BCMS/ITSM framework. The organization will be given 3 months to resolve any CAT 1 issues.
  – Category 2 (Minor finding)
    • Represents some deficiency in the implementation of QMS/ISMS/BCMS/ITSM requirements. The organization will be given 1 month to resolve any CAT 2 issues.


Common FAQs (con’t)

• Q3: What are the different kinds of assessment findings? (con’t)
  – AFI (Area for Improvement)
    • Represents an area that needs to be enhanced before it develops into a CAT 1 or CAT 2 problem
  – Positive (Positive Aspects)
    • Represents an implementation that can be used as a role model for other departments or organizations


Conclusion

• Conclusion
  – ISO 22301 is the certifiable standard for the Business Continuity Management System (BCMS) of an organization
  – Perform a detailed readiness check or gap analysis before applying for ISO 22301 certification
  – Understand the Key Success Factors in ISO 22301 certification


Thank you for your patience and attention!

(for more information, you can email Chris Ng at: [email protected])

www.tuv-sud-psb.sg