
Page 1: 27ian2011   silensec

© 2011

Managing Business Continuity with BS25999 – Beyond Technologies

Dr. Almerindo Graziano, CEO, Silensec, [email protected]

Page 2: About Silensec

Services

• IT Governance
– Approved BSI Associate Consultants
• Penetration Testing
• Security Training
• E-fraud and Cybercrime Services
• Computer Forensics

Page 3: Offices

• Sheffield (UK)
• Bucharest (Romania)
• Nairobi (Kenya)

Page 4: Business Continuity

Strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.

Page 5: BCM and Incident Management

Page 6: BCM is NOT Disaster Recovery

• Disaster Recovery is an integral part of a Business Continuity plan
– REACTIVE process focused on restoring the organization to business as usual after a disaster occurs
• Business Continuity is PROACTIVE
– its focus is to avoid or mitigate the impact of a risk

Page 7: BCMS

• A Business Continuity Management System (BCMS) is the set of processes, people and controls aimed at guaranteeing the continuity of a business in case of a disaster

Page 8: BS25999-2

• Business continuity management – Part 2: Specification (Nov 2007)
• Specifies requirements for:
– planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining and improving a documented BCMS within the context of managing an organization’s overall business risks

It can be used for assessment and certification

Page 9: BS25999-1

• Business continuity management – Part 1: Code of practice (Dec 2006)
• Provides guidance on the implementation of the standard

It cannot be used for assessment and certification

Page 10: BS25999-2 management clauses

3 Planning the business continuity management system
4 Implementing and operating the BCMS
5 Monitoring and reviewing the BCMS
6 Maintaining and improving the BCMS

Page 11: BS25999-2 Implementation – Clause 3

3 Planning the business continuity management system
3.1 General
3.2 Establishing and managing the BCMS
  3.2.1 Scope and objectives of the BCMS
  3.2.2 BCM policy
  3.2.3 Provision of resources
  3.2.4 Competency of BCM personnel
3.3 Embedding BCM in the organization’s culture
3.4 BCMS documentation and records
  3.4.1 General
  3.4.2 Control of BCMS records
  3.4.3 Control of BCMS documentation

Page 12: BS25999-2 Implementation – Clause 4

4 Implementing and operating the BCMS
4.1 Understanding the organization
  4.1.1 Business impact analysis
  4.1.2 Risk assessment
  4.1.3 Determining choices
4.2 Determining business continuity strategy
4.3 Developing and implementing a BCM response
  4.3.1 General
  4.3.2 Incident response structure
  4.3.3 Business continuity plans and incident management plans
4.4 Exercising, maintaining and reviewing BCM arrangements
  4.4.1 General
  4.4.2 BCM exercising
  4.4.3 Maintaining and reviewing BCM arrangements

Page 13: 4.1 Understanding the Organization

• Identify Stakeholders – Whom do we want to satisfy? What are they interested in?
• Identify Key Products & Services – What are the required activities, assets and resources?
• Business Impact Analysis (BIA) (4.1.1) – What is the impact of disruption to those activities? What are the critical activities?
• Risk Assessment (4.1.2) – What are the risks to those activities (especially to the critical ones)?
• Determine Choices (4.1.3) – What are the chosen risk treatments?
• Output

Page 14: BS25999-2 Implementation – Clause 5

5 Monitoring and reviewing the BCMS
5.1 Internal audit
5.2 Management review of the BCMS
  5.2.1 General
  5.2.2 Review input
  5.2.3 Review output

Page 15: BS25999-2 Implementation – Clause 6

6 Maintaining and improving the BCMS
6.1 Preventive and corrective actions
  6.1.1 General
  6.1.2 Preventive action
  6.1.3 Corrective action
6.2 Continual improvement

Page 16: BCM Documentation

• Scope and objectives of the BCMS and procedures
• BCM policy
• Provision of resources
• Competency of BCM personnel and associated training records
• Business impact analysis
• Risk assessment
• Business continuity strategy
• Incident response structure
• Business continuity plans and incident management plans
• BCM exercising
• Maintenance and review of BCM arrangements
• Internal audit
• Management review of the BCMS
• Preventive and corrective actions
• Continual improvement

(BS25999-2 Clause 3.4.1)

Page 17: ISO/IEC 27001:2005 controls for BCP

• Annex A – Control Objective A.14
– Business Continuity Management Process
– Business Continuity and Risk Assessment
– Developing and Implementing Continuity Plans
– Business Continuity Planning Framework
– Testing, Maintaining and Reassessing Business Continuity Plans
• ISO/IEC 27031 Information technology - Security techniques - Guidelines for information and communications technology readiness for business continuity (FDIS – Final Draft International Standard)

Page 18: Benefits of BS25999 Certification

• Most highly recognized BCM standard
– Competitive advantage, image, improved client confidence
• Ensure effective and efficient use of business continuity technologies
• Compliance with legal, regulatory, contractual requirements

Page 19: BS/ISO Guidelines

• BS 25777:2008, Information and communications technology continuity management - Code of practice ($)
• BS ISO/IEC 24762:2008, Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services ($)
• ISO/PAS 22399:2007 – Guideline for incident preparedness and operational continuity management ($)

Page 20: BCM Related Standards and Guidelines (1)

• Australia Standards/New Zealand Standards
– AS/NZS 5050: Business continuity – Managing disruption-related risk (Jun 2010) ($)
– HB 221:2004 – Business Continuity Management Handbook ($)
  • Part One: What is Business Continuity Management
  • Part Two: The BCM Manual
– HB 292-2006 – A practitioner’s guide to business continuity management
– HB 293-2006 – Executive guide to business continuity management

Page 21: BCM Related Standards and Guidelines (2)

• North America
– National Fire Protection Association (NFPA) 1600:2007 Standard on Disaster/Emergency Management and Business Continuity Programs
– American Society for Industrial Security (ASIS) SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems
• Singapore
– SS540:2008 – Singapore Standard for Business continuity management (BCM) ($)