TÜV SÜD PSB Pte Ltd, 18 November 2012
Auditing ISO 22301 – the International Standard for your Business Continuity Management System (BCMS)
Chris Ng, Product Manager, TÜV SÜD PSB Pte Ltd
MITM, ABCP, CISM, CISA, CISSP, CTT, ISO 9000 LA, ISO 27000 LA, ISO 20000 LA, ISO 22301 LA, SS 540 LA, SS 507 LA
www.tuv-sud-psb.com
Agenda
• Corporate and Product Overview
• What is Business continuity?
• What is BCM?
• What is BCMS & ISO 22301?
• History of the BCM standard
• Why ISO 22301 certification?
• Main components of ISO 22301 standard (ISO 22301 framework)
• Relationships of ISO 22301 & SS 540
• Relationships of ISO 22301 & BS 25999
• The PDCA Model of ISO 22301
• ISO 22301 certification roadmap
  – Pre-requisites
  – Certification process
• Key success factors
• Conclusion
Corporate Overview
Heritage - Evolution of SISIR and PSB
• SISIR was established as a Statutory Board in 1973
• A national certification and testing authority
• SISIR merged with NPB and remained as a Stat board on 1 April 1996
• Corporatized as an entity under PSB Holding on 1 April 2001
• Acquired by TÜV SÜD on 24 March 2006
• Renamed as TÜV SÜD PSB on 1 April 2007
• Part of an international TÜV SÜD Group
• A regional player offering certification services with branch offices in Indonesia and China
Corporate Overview - TÜV SÜD
• Global headquarters in Munich, Germany
• Leading one-stop global solution provider for product quality and safety testing & inspections, engineering support, management system certification and training solutions
• Founded 140 years ago in Mannheim, Germany
• Today over 12,800 employees located in over 600 locations worldwide
• Regional Headquarters: Asia Pacific: Singapore; America: Danvers (Massachusetts)
Auditing Services
International Presence
• ASIA: Headquarters TÜV SÜD Asia Pacific Pte. Ltd., Singapore
• AMERICAS: Headquarters TÜV SÜD America Inc., Peabody, MA
• EUROPE: Headquarters TÜV SÜD AG, Munich, Germany
EUROPE / AFRICA: Austria, Belgium, Czech Republic, Denmark, France, Germany, Hungary, Italy, Netherlands, Poland, Romania, Russia, Serbia, Slovakia, Slovenia, South Africa, Spain, Switzerland, Turkey, UK
AMERICAS: Argentina, Brazil, Canada, Chile, Mexico, USA
ASIA-PACIFIC: Bangladesh, China, Hong Kong, India, Indonesia, Japan, Korea, Malaysia, Philippines, Qatar, Singapore, Sri Lanka, Taiwan, Thailand, UAE, Vietnam
INDUSTRY
• Industry Service: Construction engineering; Environmental technology; Systems engineering; Steam and pressure technology
• Product Service: Electrical safety testing; Environmental simulation; EMC; Mechanical safety testing
MOBILITY / PEOPLE
• Mobility: TÜV SÜD Automotive; TÜV SÜD Rail
• People: Quality management certification; Environmental management certification; Safety management certification; Food safety
One-stop solutions in TÜV SÜD PSB: Aerospace, Automotive, Chemicals, Construction, Food, Healthcare, IT, Consumer products, Energy, Rail, Telecomms, Softlines, and more …
Product Portfolio
Auditing solutions service portfolio
• Quality: ISO 9001, ISO/TS 16949, ISO 13485, ESD 20:20, TL 9000, AS 9100
• IT: Information Security (ISO 27000), IT Service (ISO 20000), Business Continuity & Disaster Recovery (BC/DR, SS 507), Business Continuity Management (SS 540, BS 25999 & ISO 22301)
• Environmental Health & Safety: ISO 14001, OHSAS 18001, QC 080000, Safety & Health Management System (SHMS), Safe Management of Hazardous Substances (SMHS), Carbon Footprint Certification
• ISO 14064, PAS 2050, ISO 50001
• Food safety: ISO 22000, British Retail Consortium (BRC), Hazard Analysis and Critical Control Points (HACCP), Good Manufacturing Practice (GMP)
• Specific industry: Quality Management for Bunker Supply Chain (QMBS), Quality Maritime Education and Training (QMET), CaseTrust, Good Distribution Practice for Medical Devices (GDPMDS), FSC (Forestry Stewardship Council)
• Product Inspection: Product Listing (PLS), Ready Mixed Concrete Certification, Pre-shipment Inspection (PSI), Factory/Agency Inspection, Source Inspection, Suppliers’ Audit
• Social compliance: SA8000
• CDM: Validation, verification of carbon dioxide (CO2) emissions
Auditing – Certification Marks
ISO 9001, ISO 14001, ISO 27001, QMBS, QMET, ISO 20000, ISO 22000, ISO 22301, HACCP, QC 080000, OHSAS 18001, BCM, BC/DR, ESD, GDPMDS, ISO 14064, SS 506, ISO/TS 16949, ISO 13485, SA8000, EMAS, EfbV, AZWV, SCC, PAS 1037, SCP, BS 8800, ENV, Service Quality
Our Customers
Our Key Strategic Clients & Partners: MNCs, Govt, Local
CERTIFIED Clients (all schemes): Statutory Boards & GLCs
CERTIFIED Clients (all schemes): MNCs
ISO 27001 CERTIFIED Clients, by sector:
Semiconductor
Banking
Government / Health
Electronics/Entertainment
IT/Security Related
Telecommunication
Manufacturing
Printing
Education
SS 540 CERTIFIED Clients
Certified BCM companies are made up of Government-linked entities, MNCs, and SMEs.
Why TUV SUD PSB?
• Market leader in certification industries within ASEAN
• Has the largest group of IT related certified clients
• Certification Body with the largest team of IT and other scheme Auditors in ASEAN
• All IT auditors are
  – armed with many years of industrial experience
  – exposed to various IT related schemes
• Quality of audits
Why TUV SUD PSB?
• Seminars Participated
  – Invited as guest speaker for several IT related seminars in Singapore
    • AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1 - Information Security Management System Foundation – 23 Apr 2010
    • Information Systems Audit and Control Association (ISACA) – ISO 27001 Dinner talks – 19 Aug 2010
    • AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #8 - SS540 - The Singapore Standard for Business Continuity Management (BCM) and its relationship with the ISO 27001 (ISMS) standard – 18 Feb 11
  – Invited as guest speaker for several ISO 27001 related seminars in Singapore
    • AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1 - Information Security Management System Foundation – 5 Apr 2012
    • AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1 (Re-run) - Information Security Management System Foundation – 11 May 2012
ISO 22301 : 2012 BCM
Murphy’s Law: “If anything can go wrong, it will!”
Threats & Disasters are Real!
• September 11 2001 disaster
  – Terrorist threats are real!
  – 19 al-Qaeda terrorists hijacked four commercial passenger jet airliners.
  – The hijackers intentionally crashed two of the airliners into the Twin Towers of the World Trade Center in New York City.
  – >3,000 victims and the 19 hijackers died in the attacks!
• Severe acute respiratory syndrome (SARS) outbreak in 2003
  – The outbreak began in February 2003 when a young woman who had been infected while holidaying abroad returned to Singapore.
  – She set off a series of transmission events here that spread the SARS virus to >238 people, 33 of whom died.
  – Organization functions are jeopardized
• H1N1 in Singapore in 2009
  – First H1N1 case reported in May 2009 when an SMU student contracted the virus while on a study trip to New York
  – Extremely contagious and spread like wildfire
  – 3 waves of exported cases to Singapore:
    • The first wave came from the US.
    • The second wave came from Australia.
    • The third wave came from fellow ASEAN countries, including the Philippines and Thailand.
  – MOH revised the Influenza A (H1N1) flu alert status from Yellow to Green in July 2009
  – Company operations are affected!
What is Business Continuity?
• Capability of an organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident
• Defined as the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption.
• In other words, it is about making proactive and reactive plans to help your organization avoid crises and disasters and to be able to quickly return to 'business as usual' should they occur
Business Continuity Management Systems (BCMS)
• provides a systematic approach to ensure business continuity
• part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve business continuity
• encompasses organizational structure, employees, policies, planning activities, procedures, processes and resources
• includes all the good business continuity practices
What is ISO 22301 : 2012 (BCMS)?
The ISO 22301 standard
• the formal standard against which organizations may seek independent certification of their Business Continuity Management Systems (BCMS)
• provides a common base for:
  – developing an organizational business continuity framework and standards and adopting good & effective business continuity management practice
  – providing confidence in inter-organizational dealings
History of ISO 22301 : 2012 (BCM)
History of BCM Standard
• Singapore BCM Standard
  – SPRING’s standard on ‘Requirements for BCM’ was developed in consultation with consultants, employer groups, practitioners & organizations
    • test piloted with 10 organizations & launched in 2003
    • objective is to provide a general framework and consistent process in BCM adoption & implementation
    • non-prescriptive, applicable to all organizations regardless of size or industry sector
• Singapore BCM Standard (con’t)
  – On 22 Sept 05, the Technical Reference TR19:2005 was launched to supersede the earlier document
    • The idea was to develop TR 19 into a national standard, with the aim of becoming an internationally recognized standard
  – TR19 was later reviewed in 2008 and published as the current Singapore Standard SS 540:2008
• Singapore BCM Standard (con’t)
  – Excerpt from Prof S Jayakumar, Deputy Prime Minister and Coordinating Minister for National Security, at “The National Security Dialogue with the Business Community”, 21 May 2008:
  – “….The Government will continue to take the lead to encourage companies already supplying Government with essential services to be certified in TR19, or equivalent standards. Eventually, we may even make it mandatory for firms supplying essential or important services to the government to obtain TR19 or equivalent standards. I want to emphasise that in this exercise, we would be consulting the business community closely.”
• International & Other BCM Standards
  – At the end of 2007, BSI published BS 25999-2:2007 “Specification for Business Continuity Management", which formally specifies a set of requirements for implementing, operating and improving a BCM System (BCMS).
  – On 15 May 2012, ISO published the International Standard ISO 22301:2012, "Societal security -- Business continuity management systems -- Requirements"
Why ISO 22301 (BCM)?
Why ISO 22301 certification? (Benefits & Drivers)
• Satisfying Customers’ Requirements
  – Requirements from customers to possess a Business Continuity Management system
• Provision of Assurance in Business Continuity
  – Certification provides assurance to clients that the organization has a robust and reliable Business Continuity Management system
• Demonstration of Commitment:
  – Certification serves as a guarantee of the effort put into ensuring the organization provides continuity of business at all levels
  – Demonstrates the due diligence of its administrators.
• Showing of Compliance:
  – Certification demonstrates to competent authorities that the organization observes all applicable laws and regulations in Business Continuity.
• Enhancing Risk Management:
  – Leads to better knowledge of business processes and information systems, their weaknesses and how to protect them, thereby protecting shareholder value
  – Ensures more dependable availability of resources.
• Increasing credibility and confidence
  – Partners, shareholders and customers are reassured when they see the importance afforded by the organization to providing continuity of business.
  – Certification can help set a company apart from its competitors in the marketplace.
• Helping to reduce loss
  – Helps to minimize losses related to incidents, disruptions & disasters that have a business impact on an organization’s operations
  – Protects against potential threats
• Improving business continuity awareness
  – Improves employee awareness of business continuity issues and their responsibilities within the organization
  – Prepares employees for business disruptions
  – Promotes knowledge sharing and teamwork among employees
Application of ISO 22301 (BCM)
• Which organizations can go for ISO 22301 certification?
  – Any organization that requires the building of its resiliency and capability to effectively respond to disruption, emergency and disaster affecting the continuity of its businesses.
• Certify organizations in:
  – Finance, banking and insurance
  – Telecommunications, utilities
  – Contact Centre
  – Retail sectors
  – Manufacturing sector
  – Various service industries
  – Transportation sector
  – Government bodies
BCM Framework
ISO 22301 Framework
• ISO 22301 is organized into the following 7 key clauses, which form the framework of the BCMS:
  – Clause 4: Context of the organization (Plan)
  – Clause 5: Leadership (Plan)
  – Clause 6: Planning (Plan)
  – Clause 7: Support (Plan)
  – Clause 8: Operation (Do)
  – Clause 9: Performance evaluation (Check)
  – Clause 10: Improvement (Act)
ISO 22301 Clause 4 (Context of the organization) (Plan): Summary
• 4.1 Understanding of the organization and its context
• 4.2 Understanding of the needs and expectations of interested parties
• 4.3 Determining the scope of the business continuity management system
• This section basically looks at the events or activities that may have an impact on the implementation of the BCMS
• In addition, it also looks into the needs of the relevant interested parties (including legal and regulatory requirements)
• It also requires the organization to define the scope of its BCMS, taking into consideration the business requirements
ISO 22301 Clause 5 (Leadership) (Plan): Summary
• 5.1 Leadership & Commitment
• 5.2 Management Commitment
• 5.3 Policy
• 5.4 Organizational roles, responsibilities and authorities
• This section looks at “top management commitment” in the BCMS
• Management needs to, among other things, define clear BCM roles & responsibilities, endorse essential documents (e.g. the BCM policy) and ensure clear communication to all relevant parties within the organization
• Management will also need to ensure that Management Review and Internal Audit are conducted
ISO 22301 Clause 6 (Planning) (Plan): Summary
• 6.1 Actions to address risks and opportunities
• 6.2 Business continuity objectives and plans to achieve them
• This section looks at the need to have a robust Risk Management Methodology and Framework to identify and address risk
• It also highlights the need to establish measurable BCM objectives
ISO 22301 Clause 7 (Support) (Plan): Summary
• 7.1 Resources
• 7.2 Competence
• 7.3 Awareness
• 7.4 Communication
• 7.5 Documented information
• This section looks at the need to identify & manage BCM resources and the relevant training needs for BCMS implementation
• It also establishes the need to have a communication and documentation control system
ISO 22301 Clause 8 (Operation) (Do): Summary
• 8.1 Operational planning and control
• 8.2 Business impact analysis (BIA) and risk assessment (RA)
• 8.3 Business Continuity Strategy
• This section looks at the relevant processes and procedures needed to support BCMS implementation
• It also focuses on the areas of BIA, RA and the relevant BC strategy
• It outlines the importance of establishing procedures that cater for communication, responding to incidents & the ability to recover & resume during a disaster
• It specifies the content requirements of a Business Continuity Plan (BCP)
• It highlights the need to test the BCP
ISO 22301 Clause 9 (Performance Evaluation) (Check): Summary
• 9.1 Monitoring, measurement, analysis and evaluation
• 9.2 Internal Audit
• 9.3 Management Review
• This section specifies the monitoring & measurement requirements (in terms of metrics & targets) for the effectiveness of the implementation of the BCMS
• It also looks at the need to conduct “Internal Audit” & “Management Review” as part of the monitoring & measurement requirements
ISO 22301 Clause 10 (Improvement) (Act): Summary
• 10.1 Nonconformity and corrective action
• 10.2 Continual improvement
• This section spells out the need to address all non-conformities detected during the implementation of the BCMS
• It also emphasizes the need to perform continual improvement
Relationship of ISO 22301 with other BCM Standards
• Australian/New Zealand Standard - AS/NZS 5050
• British Standards Institute (BSI) - BS 25999, Parts 1 & 2
• Canadian Standard - CSA Z1600
• National Institute of Standards and Technology - NIST SP 800-34
• Singapore Standards: SS 540:2008
• Etc.
Relationship of ISO 22301 with SS 540
• Relationship to SS 540:2008 (BCM Standard): ISO 22301 clauses mapped against SS 540
  – Terms & Definitions (C3)
  – Context of the organization (C4)
  – Leadership (C5)
  – Planning (C6)
  – Support (C7)
  – Operation (C8)
  – Performance Evaluation (C9)
  – Improvement (C10)
• High Level Relationship of ISO 22301 with SS 540:2008
  – ISO 22301 has a total of 55 definitions (41 with SS 540)
    • 44 Definitions are new to SS 540
    • 2 Definitions are the same as SS 540, but with different meaning
  – ISO 22301 is more aligned with the ISO 9001 & BS 25999 standards as compared to SS 540
  – Not all clauses in SS 540 can be mapped directly to ISO 22301
  – ISO 22301 has more detailed elaboration on the following:
    • Management Commitment (Clause 5)
    • Business Continuity Plan & Procedures (Clause 8)
    • Documented Information (Clause 7)
    • Continuous Improvement (Clause 10)
Relationship of ISO 22301 with BS 25999
• Relationship to BS 25999 (BCM Standard): ISO 22301 clauses mapped against BS 25999
  – Terms & Definitions (C3)
  – Context of the organization (C4)
  – Leadership (C5)
  – Planning (C6)
  – Support (C7)
  – Operation (C8)
  – Performance Evaluation (C9)
  – Improvement (C10)
• High Level Relationship of ISO 22301 with BS 25999
  – ISO 22301 has a total of 55 definitions (40 with BS 25999)
    • 33 Definitions are new to BS 25999
    • 22 Definitions are the same as BS 25999, but some with different meaning
  – ISO 22301 is more aligned with the ISO 9001 and BS 25999 standards
  – Not all clauses in BS 25999 can be mapped directly to ISO 22301
  – ISO 22301 has more detailed elaboration on the following:
    • Management Commitment (Clause 5)
    • Business Continuity Plan & Procedures (Clause 8)
    • Documented Information (Clause 7)
    • Communication and Continuous Improvement (Clauses 7 & 10)
The PDCA Model of ISO 22301 Standard
Continual Improvement: Plan-Do-Check-Act (PDCA Model, Clauses 4 - 10)
Input: Requirements and expectations of business continuity by stakeholders and interested parties
• Plan
  1. Establish BCM framework, scope, policy, objectives, processes, procedures, RA, BIA, training, etc.
  2. Establish MBCO, MTPD, RTO, RPO, etc.
• Do
  1. Implement those in plan, communicate & operate the BCM policy, BC Plan, processes & procedures
  2. Manage resources, documentation & implement training programs
• Check
  1. Monitor & Review BCMS
  2. Mgt Review
  3. BCMS audit
• Act
  1. BCMS continuous improvement
  2. Preventive & Corrective Action
Output: Managed Business Continuity Management System
The Certification Roadmap
ISO 22301 Certification Road map (2 phases)
Phase 1: Pre-Certification Phase
1. Gap analysis
   - Getting the ISO 22301 standard
   - List of identified gaps
   - Cost and schedule estimation
2. Setting up BCM framework
   - Scope, policy, BCM framework, processes & procedures
   - Perform Risk analysis & review, BIA, Strategy, BC plan, Tests & exercises, etc.
3. Implementation
   - Training and communication
   - Implementation of BCM policy, processes, procedures, etc.
4. Documentation
   - BCM policy, procedures, work instructions, etc.
Pre-requisites for ISO 22301 certification
• Develop the BCM Manual
  – Establish the BCM Scope
  – Establish BCM Policies, Objectives, Processes & Procedures
• Perform Risk Assessment & Review
  – Description of Risk Assessment Methodology
  – Risk assessment report
  – Risk Treatment Plan
• Perform Business Impact Analysis (BIA)
  – Establish MTPD, RTO, RPO, etc.
• Selection of Recovery Strategy
  – Alternate site
  – Reciprocal Arrangement
  – Rebuild from disaster, etc.
• Reviewed & approved by Management/Steering Committee
• Perform Internal Audit
  – Internal Audit Procedure
  – Audit Criteria
  – Audit Scope
  – Audit Frequency
• Continual Improvement
  – Corrective Actions Procedure
  – Preventive Actions Procedure
• Conduct Management Review
• Establish Control of documents/records procedures
  – Control of Document Procedure
  – Control of Records Procedure
ISO 22301 Certification Road map (con’t)
Phase 2: Certification Phase
5. Application for ISO 22301 certification
6. Document (Manual) assessment (Stage 1)
7. Preliminary assessment (Stage 1)
   - Records demonstrating ISMS / BCM implementation
8. Certification assessment (Stage 2)
   - Assessment report and Corrective Actions (CA)
9. Awarding of certificate

ISO 22301 Certification Process
1. Application
2. Documentation Assessment (Stage 1)
3. Preliminary Assessment (Stage 1)
4. Certification Assessment (Stage 2)
5. Award of Certificate (valid for 3 yrs)
6. Post-Award Routine Surveillance
7. Renewal of Certificate (on the 3rd yr)
Key Success Factors
Successful ISO 22301 implementation
• Key Success Factors:
  – Management Commitment
  – Cross-functional forum / committee
  – Understanding Stakeholders’ business requirements in relation to Business Continuity
  – Effective Risk Management Process
  – Training & Awareness
  – Proactive & Continual Improvement
    • Internal audit & management review
    • Identify and act on Security / Business Continuity weaknesses
    • Learn from tests & exercises and establish relevant Prevention Action
Common FAQs
• Q1: How much does a certification audit cost and how long does it take to complete?
  – The cost and the time taken depend on the following factors:
    • Scope of services
    • Staff strength in supporting the services
    • Number of remote sites (if any)
    • Complexity of logistics arrangement
    • Complexity of organization and processes
    • Nature & sensitivity of businesses
    • Language Barrier (requires a local interpreter if English is not the medium used for the audit)
• Q2: How many months of data must I accumulate before applying for certification?
  – Typically, a minimum of 3 months of data and/or implementation records will be required in order for a meaningful audit to be carried out.
• Q3: What are the different kinds of assessment findings?
  – Stage 1 Certification:
    • Area of Concern (AOC): represents a non-conformance in the implementation of the ISMS/BCMS requirements. The organization will be given one month to resolve any AOC issues
  – Stage 2 Certification / Continuing / Renewal:
    • Category 1 (Major finding): represents a breakdown in the QMS/ISMS/BCMS/ITSM framework. The organization will be given 3 months to resolve any CAT 1 issues
    • Category 2 (Minor finding): represents some deficiency in the implementation of QMS/ISMS/BCMS/ITSM requirements. The organization will be given 1 month to resolve any CAT 2 issues
    • AFI (Area for Improvement): represents an area that needs to be enhanced before it develops into a CAT 1 or CAT 2 problem
    • Positive (Positive Aspects): represents an implementation that can be used as a role model for other departments or organizations
Conclusion
• ISO 22301 is the certifiable standard for the Business Continuity Management System (BCMS) of an organization
• Need to perform a detailed readiness check or gap analysis before applying for ISO 22301 certification
• Understand the Key Success Factors in ISO 22301 certification

Thank you for your patience and attention!
(for more information, you can email Chris Ng at: [email protected])
www.tuv-sud-psb.sg