© 2011
Managing Business Continuity with BS25999 – Beyond Technologies
Dr. Almerindo Graziano, CEO, [email protected]
About Silensec
Services
• IT Governance
– Approved BSI Associate Consultants
• Penetration Testing
• Security Training
• E-fraud and Cybercrime Services
• Computer Forensics
Offices
Sheffield (UK)
Bucharest (Romania)
Nairobi (Kenya)
Business Continuity
Strategic and tactical capability of the organization to plan for and respond to
incidents and business disruptions in order to continue business operations at an
acceptable predefined level
BCM and Incident Management
BCM is NOT Disaster Recovery
• Disaster Recovery is an integral part of a Business Continuity plan
– REACTIVE process focused on restoring the organization to business as usual after a disaster occurs
• Business Continuity is PROACTIVE
– its focus is to avoid or mitigate the impact of a risk
BCMS
• A Business Continuity Management System (BCMS) is the set of processes, people and controls aimed at guaranteeing the continuity of a business in case of a disaster
BS25999-2
• Business continuity management – Part 2: Specification (Nov 2007)
• Specifies requirements for:
– planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining and improving a documented BCMS within the context of managing an organization’s overall business risks
It can be used for assessment and certification
BS25999-1
• Business continuity management – Part 1: Code of practice (Dec 2006)
• Provides guidance on the implementation of the standard
It cannot be used for assessment and certification
BS25999-2 management clauses
3 Planning the business continuity management system
4 Implementing and operating the BCMS
5 Monitoring and reviewing the BCMS
6 Maintaining and improving the BCMS
BS25999-2 Implementation – Clause 3: Planning the business continuity management system
3.1 General
3.2 Establishing and managing the BCMS
  3.2.1 Scope and objectives of the BCMS
  3.2.2 BCM Policy
  3.2.3 Provision of resources
  3.2.4 Competency of BCM personnel
3.3 Embedding BCM in the organization’s culture
3.4 BCMS documentation and records
  3.4.1 General
  3.4.2 Control of BCMS records
  3.4.3 Control of BCMS documentation
BS25999-2 Implementation – Clause 4: Implementing and operating the BCMS
4.1 Understanding the organization
  4.1.1 Business impact analysis
  4.1.2 Risk assessment
  4.1.3 Determining choices
4.2 Determining business continuity strategy
4.3 Developing and implementing a BCM response
  4.3.1 General
  4.3.2 Incident response structure
  4.3.3 Business continuity plans and incident management plans
4.4 Exercising, maintaining and reviewing BCM arrangements
  4.4.1 General
  4.4.2 BCM exercising
  4.4.3 Maintaining and reviewing BCM arrangements
4.1 Understanding the Organization
Identify Stakeholders: Whom do we want to satisfy? What are they interested in?
Identify Key Products & Services: What are the required activities, assets and resources?
4.1.1 Business Impact Analysis (BIA): What is the impact of disruption to those activities? What are the critical activities?
4.1.2 Risk Assessment: What are the risks to those activities (especially to the critical ones)?
4.1.3 Determine Choices: What are the chosen risk treatments? (Output)
BS25999-2 Implementation – Clause 5: Monitoring and reviewing the BCMS
5.1 Internal audit
5.2 Management review of the BCMS
  5.2.1 General
  5.2.2 Review input
  5.2.3 Review output
BS25999-2 Implementation – Clause 6: Maintaining and improving the BCMS
6.1 Preventive and corrective actions
  6.1.1 General
  6.1.2 Preventive action
  6.1.3 Corrective action
6.2 Continual improvement
BCM Documentation
• Scope and objectives of the BCMS and procedures
• BCM policy
• Provision of resources
• Competency of BCM personnel and associated training records
• Business impact analysis
• Risk assessment
• Business continuity strategy
• Incident response structure
• Business continuity plans and incident management plans
• BCM exercising
• Maintenance and review of BCM arrangements
• Internal audit
• Management review of the BCMS
• Preventive and corrective actions
• Continual improvement
(BS25999-2 Clause 3.4.1)
ISO/IEC 27001:2005 controls for BCP
• Annex A – Control Objective A.14
– Business Continuity Management Process
– Business Continuity and Risk Assessment
– Developing and Implementing Continuity Plans
– Business Continuity Planning Framework
– Testing, Maintaining and Reassessing Business Continuity Plans
• ISO/IEC 27031 Information technology - Security techniques - Guidelines for information and communications technology readiness for business continuity (FDIS – Final Draft International Standard)
Benefits of BS25999 Certification
• Most highly recognized BCM standard
– Competitive advantage, image, improved client confidence
• Ensure effective and efficient use of business continuity technologies
• Compliance with legal, regulatory, contractual requirements
BS/ISO Guidelines
• BS 25777:2008, Information and communications technology continuity management - Code of practice ($)
• BS ISO/IEC 24762:2008, Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services ($)
• ISO/PAS 22399:2007 – Guideline for incident preparedness and operational continuity management ($)
BCM Related Standards and Guidelines (1)
• Australian Standards/New Zealand Standards
– AS/NZS 5050: Business Continuity – Managing disruption-related risk (Jun 2010) ($)
– HB 221:2004 – Business Continuity Management Handbook ($)
• Part One: What is Business Continuity Management
• Part Two: The BCM Manual
– HB 292-2006 – A practitioner’s guide to business continuity management
– HB 293-2006 – Executive guide to business continuity management
BCM Related Standards and Guidelines (2)
• North America
– National Fire Protection Association (NFPA) 1600:2007 Standard on Disaster/Emergency Management and Business Continuity Programs
– American Society for Industrial Security ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems
• Singapore
– SS540:2008 – Singapore Standard for Business continuity management (BCM) ($)