How to transition to ISO 22301

. . . the new business continuity standard

Phil Willoughby

ICT Technical Service Manager

LRQA Limited



ISO 22301 and BS 25999

Comparison

Societal security

Download LRQA’s presentation support pack

• www.lrqa.co.uk/bsiconference

• Pack includes:

• Copy of the presentation slides

• Online copy of the Needhams case study

• Links to LRQA Training Courses

Agenda

• Overview

• Detailed review

• Section 4 – understanding

• Section 5 – leadership

• Section 6 – planning

• Section 7 – support

• Section 8 – operation

• Section 9 – performance

• Section 10 – improvement.

Structural changes

• Name change – Societal security – contributing to a resilient society

• The new format is more consistent with other ISO management system standards (e.g. ISO 9001, ISO 14001), but retains the existing BC lifecycle

• 105 ‘Shall’s’ compared with the 56 of BS 25999

• Some simplification, clarification or re-wording and some new requirements.

PDCA comparison

[Bar chart: count of requirements (0 to 50) for each PDCA phase – Plan, Do, Check, Act – comparing BS25999 with ISO22301]

Change Categorisation

• New requirements

• Enhanced requirements

• Clarification

• Alignment to other Management system standards

• Word changes not really affecting requirements.

Important terminology changes

Gone

• Key

• Critical

• MTPoD

• Preventive action

New

• Prioritized

• Establishing timeframe and recovery levels.

New Requirements Summary

• Management Commitment

• Business Continuity Objectives

• Legal and regulatory requirements

• Resource Planning

• 3rd Party Management

• Measures and Effectiveness

• Formalisation of external and internal issues relevant to BCMS outcomes.

Enhanced requirements

5.2 Management commitment

5.3 Policy requirements

6.2 Business Continuity Objectives

7.1 Resources

7.2 Communications.

Section 4 - Understanding the organisation and its context

• Focuses on external and internal issues relevant to its purpose and that affect its ability to achieve the expected outcomes of its BCMS

• Increased documentation likely to be required, e.g. supply chain information

• Documented procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements . . . related to the continuity of its operations, products and services, as well as the interests of relevant interested parties.

Section 4 - Understanding the organisation and its context (continued…)

• These requirements are taken into account in establishing, implementing and maintaining its BCMS

• This information must be documented, updated and communicated to affected employees and other interested parties when requirements change

• Define, document and explain any exclusions.

Section 5 - Leadership

• Top management demonstrate Leadership

• Compatibility of BCMS to company strategic direction

• Integration, achievement of outcomes

• Policy enhancements include:

• Provide the framework for setting business continuity objectives,

• Be communicated within the organization to all persons working for or on behalf of the organization within the scope of the BCMS

This clarifies existing requirements and aligns them to the normal management system expectations (e.g. roles, responsibility & authority definition, resource determination and review).

Section 6 - Planning

6.1 Actions to address risks and opportunities

• Replaces preventive action clause (6.1.2)

• Improvement (6.2)

This risk assessment is aimed at corporate level risks (for which a BCMS is effective mitigation) rather than operational risks that might trigger a BCMS response.

Section 6 - Planning (continued…)

6.2 Business Continuity Objectives

Requirements for objectives clarified

• Link to policy

• Consider acceptable minimum level of products and services

• Be measurable

• Take into account applicable requirements, and

• Be monitored and updated as appropriate

The plans to achieve these objectives must be defined.

Section 7 - Support

New section covering

• Resource requirements

• Competence & awareness

• Communication

• Document and record control

7.1 Resource requirements

• Clarifies the types of resources required to be considered

• All resources under the organisation’s control to be identified together with associated competences

• Resource requirements for the continuity strategies should be identified and could include:

o People, information and data, buildings, work environment and associated utilities, facilities, equipment and consumables, information and communication technology (ICT) systems, transportation, finance, and partners and suppliers.

7.2 Competence / 7.3 Awareness

Competence requirements clarified

• Includes full time and contract staff with BCMS roles and responsibilities – “under organisation’s control”

• Removed reference to training needs analysis

• Changed records to appropriate documentation.

7.4 Communication

• Essentially now need to define What, When and Whom

• Procedure(s) for

o Internal communications

o External communications with customers, partner entities, local community, media and IP’s

o Processing communication from interested parties,

o Ensuring communications availability during a disruptive incident,

o Communications with appropriate authorities and interoperability of multiple responding organizations

o Operating and testing of communications capabilities.

7.5 Document Control

• In line with other management systems standards

• No longer a list of the required documents

• Records are a special type of document

• Need a process for . . rather than a procedure

• Format is required information (e.g. language, software version, graphics) and media (e.g. paper, electronic)

Section 8 - Operational planning and control

• Determine and manage processes needed to address BCMS risks and opportunities

• Control planned changes

• Take action on unintended effects

• Control processes that are contracted-out or outsourced.

Section 8 - Operational planning and control (continued…)

For this purpose “management control” of a process consists of:

• Knowledge and control of inputs

• Knowledge, use and interpretation of outputs

• Definition, measurement and monitoring of related metrics

• Definition, measurement and review of process improvements

• SLA or contract in place

o Defines service expectations

o Defines procedures to follow

• Regular reports or service reviews.

Section 8.2 Business Impact and Risk Assessment

• Requires overview process linking BIA and RA

• More detail on risk assessment and impact on BC objectives

• Change of emphasis from incident response to business continuity strategy with associated need for resource planning

• Further detail on response procedures, in particular need for effective communication and preservation of life.

8.2.2 Business Impact Analysis

Less prescriptive than 25999:

• No MTPoD, No critical activities, No RTO

• All activities are recovered but to a prioritised timeframe and a specified level taking into account the implications of missing the target timescale.

• There is a general requirement to keep the information from the BIA and RA confidential

• Contracted out work must be controlled rather than determined.

8.2.2 Business Impact Analysis (continued…)

Still requires a documented process that:

• a) Establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident

• b) Takes into account legal and other requirements to which the organization subscribes,

• c) Includes systematic analysis, prioritization of risk treatments, and their related costs,

• d) Defines the required output from the business impact analysis and risk assessment, and

8.2.3 Risk Assessment

• No significant changes but substantial rewording

• ‘prioritized’ activities indicates a BIA is completed before the risk assessment

• Requirement now to treat identified risks using 3 types of proactive measures rather than identified treatments for all critical activities.

8.3 Business continuity strategy

• Largely the same requirements to determine strategies to recover prioritized activities based on outputs from BIA and RA

• Strategy includes approving prioritized activities and time frames for the resumption

• Strategy includes conducting evaluations of the business continuity capabilities of suppliers.

8.4.2 Incident Response

Largely the same as now but:

• Using life safety as the first priority to decide whether to communicate externally.

8.4.4 Business Continuity Plans

• Largely the same requirements, with a few items removed and some additions

• All plans should be re-evaluated against the new requirements

• Each plan shall define:

o Purpose and scope,

o Objectives,

o Activation criteria and procedures,

o Implementation procedures,

o Roles, responsibilities, and authorities,

o Communication requirements and procedures,

o Internal and external interdependencies and interactions,

o Resource requirements, and

o Information flow and documentation processes.

8.4.5 Recovery

• The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident

• Recovery commences once prioritised activities have resumed

• ISO 22313 suggests the procedure should include:

o Options for restoring and returning

o Resources and infrastructure – covering operation and recovery

o Operational split (recovery and primary sites)

o Restoring damaged facilities and salvage equipment

o Emergency funding and procurement, claims against insurance

o Lost documentation

o Communication and due diligence requirements.

8.5 Exercise and Test

• Testing is explicitly mentioned

• Consistent with Policy AND Objectives

• Reviewed against aims and objectives

• Based on scenarios

• The communication and warning procedures shall be regularly exercised.

Section 9 - Performance evaluation

• What needs to be monitored or measured

• Methods to use

• When it needs to be done

• When analysis needs to be done

• Action on adverse trends

• Periodic review of legal and regulatory requirements.

9.2 Internal Audit

• No significant additions except

• Alignment with other Management system standards

• Procedure covers scope, frequency

• Clear separation of Audit from review.

9.3 Management Review

Gone

• Results of education & training programmes

• Level of residual risk and acceptance as input

• Feedback from interested parties

• ‘When significant changes occur’

New

• Trends, audits and measures

• Changes required to policy and objectives

• Updates to BIA, RA and BCPs

• Security requirements rather than resilience

• Changes to contractual requirements.

Section 10 - Improvement

• Clarification on handling nonconformity

• React to address the instance

• Identify cause and correct

• No procedural requirements

• Preventive action is now part of risk assessment and planning.

Experiences of Transition Assessments

An independent provider of risk management and business continuity consultancy, planning and training services.

The Conversion Process

• Conducted an internal audit of our old BCMS against the new ISO, thereby identifying potential non-conformities

• Re-ordered our BCMS so that it followed the ISO chapter headings, making it easier for the external certifying body to audit the system.

Changes to the BCMS

• Reflect enhanced top management role

• Ensured that the BCMS stated the links between business continuity and the business as a whole, with demonstrable evidence of how it is incorporated into the business processes

• To better demonstrate the accountability of 3rd party suppliers, independent audits of critical outsourced dependencies incorporated into Monitoring and Measurement.

Challenges

• The thought of an auditor arriving can leave some members of an organisation a little apprehensive.

Challenges

• Being able to prove to an auditor that the business continuity plan can achieve

• “Recovery of its activities to a predetermined level, based on management approved recovery objectives.”

• Specific plans are required for any RTOs for critical activities that are time sensitive.

Summary

• The changes from BS 25999 to ISO 22301 are not a great leap into the unknown; rather, it is a process of evolving the BCMS

• The initial internal audit is crucial to critically analyse the changes required to ensure our BCMS conformed to ISO 22301.

• UKAS requirements on Certification Bodies (CBs) drive the maximum period to transition

• CBs must transition by 30 May 2014

• CB transition visits can start from 1 November 2012

• No new client certificates or renewals to BS 25999 in 2014

• For how long does your BS 25999 certificate remain valid?

• 30 May 2015 at the latest, but is governed by other rules . . .

• Client transition should be at the first surveillance or renewal after CB transition.

What to expect from LRQA . . .

Transition Plans

How long would the transition audit take?

• Up to 1 day depending on approach

What is the approach to the transition audit?

• Can take place at a surveillance visit

• Driven by a checklist pre-completed by the organisation with supporting information

• Additional time will be required if the checklist is completed following ‘exploration’ by the assessor

• Any deficiencies will be reported as findings in the usual way. As long as these are minimal and a corrective action plan has been agreed, the assessor will recommend approval to the ISO/IEC 22301 standard.

What to expect from LRQA . . .

Transition Plans

What happens if you are part way through your initial assessment against BS 25999?

• Subject to normal assessment limitations, the limit is 31 December 2013

• Switching standards between Stage 1 and 2 is not recommended and will require some additional time to check the new requirements have been met.

What to expect from LRQA . . .

Transition Plans

Experiences of Transition Assessments

• In the intervening period between now and when LRQA are assessed by UKAS to gain accreditation

• LRQA will offer transition assessments AND initial assessment to ISO 22301

• These will not initially be accredited, but subject to UKAS assessment will be granted accredited status.

Download LRQA’s presentation support pack

• www.lrqa.co.uk/bsiconference

• Pack includes:

• Copy of the presentation slides

• Online copy of the Needhams case study

• Links to LRQA Training Courses.

Lloyd’s Register and LRQA are trading names of Lloyd’s Register Group Limited and its subsidiaries.

For further information visit www.lr.org/entities

For more information, please contact:

Phil Willoughby

ICT Technical Service Manager

Lloyd’s Register Quality Assurance Limited

Hiramford, Middlemarch Office Village

Siskin Drive, Coventry CV3 4FJ, United Kingdom

T +44 (0)24 7688 2292

E [email protected] www.lrqa.co.uk

Thank you very much for your time today