ISO 22301 and ISO 22313 Update Preparing for an Audit Using ISO 22301 Briefing on the BCI Prepared for ACP Greater Boston Chapter by The Business Continuity.


1 ISO 22301 and ISO 22313 Update: Preparing for an Audit Using ISO 22301; Briefing on the BCI
Prepared for ACP Greater Boston Chapter by The Business Continuity Institute USA Chapter
Presenter: Paul Kirvan, CISA, FBCI
January 8, 2014

2 Agenda
Update on ISO 22301 and ISO 22313
ISO 22301: The Potential Impact on BCM Professionals
Tips on Preparing for an Audit Using ISO 22301
Briefing on the BCI

3 Update on ISO 22301 and ISO 22313

4 What is ISO 22301?
A “Requirements” document for a Business Continuity Management System (BCMS)
Set up, operate and continuously improve a “BCMS”
A resource to drive performance
Designed as an audit tool

5 Background: ISO Workgroup #4 Standards – Preparedness and Continuity
ISO 22301 – Societal security – Business continuity management systems – Requirements. Status: approved and published in 2012
ISO 22313 – Societal security – Business continuity management systems – Guidance

6 Key Concept: Plan-Do-Check-Act
Model for a business continuity management system (BCMS). End result is (hopefully) a BCMS.

7 Key Concept: Plan-Do-Check-Act (Activity – Explanation)
Plan – Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity in order to deliver results that align with the organization’s overall policies and objectives
Do – Implement and operate the business continuity policy, controls, processes and procedures
Check – Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement
Act – Maintain and improve the BCMS by taking corrective action, based on the results of management review and reappraising the scope of the BCMS and business continuity policy and objectives

8 ISO 22301 Structure (Table of Contents)
Introduction:
Section 1: Scope
Section 2: Normative References
Section 3: Terms and Definitions
Requirements:
Section 4: Context of the Organization
Section 5: Leadership
Section 6: Planning
Section 7: Support
Section 8: Operations
Section 9: Performance Evaluation
Section 10: Improvement

9 ISO 22301 Structure (Section – Activities Addressed)
1 (Scope), 2 (Normative References), 3 (Terms) – Scope of the standard, reference level, terminology
4. Context of Organization – How the organization works, risk criteria, interested parties, defining scope of the BCMS
5. Leadership – Management commitment and support, policies, roles and responsibilities
6. Planning – Planning goals and objectives
7. Support – Staffing, training and awareness, document control, communications
8. Operations – BIA, RA, BC strategies, resources, incident response, BC procedures, emergency notification, exercising, maintenance
9. Performance Evaluation – Monitoring, measurement, auditing
10. Improvement – Non-conformity, corrective action, improvement

10 ISO 22301 and Plan-Do-Check-Act (Activity – Explanation – Section)
Plan – Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity in order to deliver results that align with the organization’s overall policies and objectives – Sections 4, 5, 6, 7
Do – Implement and operate the business continuity policy, controls, processes and procedures – Section 8
Check – Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement – Section 9
Act – Maintain and improve the BCMS by taking corrective action, based on the results of management review and reappraising the scope of the BCMS and business continuity policy and objectives – Section 10

11 What ISO 22301 Isn’t …
A “How-To” guide (ISO 22313:2012 and other non-ISO developed materials address the “how-to”)
All about certification
Industry-specific
All things to everyone (a perfect fit)
Jargon-packed

12 What is ISO 22313?

13 What is ISO 22313?
Important companion to ISO 22301; provides the “how” to ISO 22301’s “what”
Approved in 2012
Useful for understanding the business continuity management system (BCMS) concept
Helpful in understanding key components of a business continuity program and the associated planning process
Use both for maximum understanding and value

14 ISO 22301 / 22313 Value
Management and customers respect ISO standards
A form of benchmarking (agreement on minimum expectations)
Common language / simplicity of concept descriptions
Drives engagement through continuous improvement

15 Things You Need to Know
What is a management system?
Scope and objectives of the system
How risks are addressed
How does the standard impact your current BC operations?
What is needed to achieve compliance with the standard?
Is it necessary to achieve compliance with the standard?
How may I obtain a set of the standards?

16 What is a Management System?
Here’s what ISO says about a “management system”:
“Set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives”
“It can address a single discipline or several disciplines”
“System elements include the organization’s structure, roles and responsibilities, planning, operations, etc.”
“The scope of a management system can range from the entire organization to specific functions / parts of it”

17 What is a Business Continuity Management System?
According to the standard:
“… Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity”
“The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes and resources”

18 What is a Business Continuity Management System?
“BCMS emphasizes the importance of:
“Understanding the organization’s needs and the necessity for establishing business continuity management policy and objectives,
“Implementing and operating controls and measures for managing an organization’s overall capability to manage disruptive incidents,
“Monitoring and reviewing the performance and effectiveness of the BCMS, and
“Continual improvement based on objective measurement”

19 What is a Business Continuity Management System?
“A BCMS has the following key components:
“Policy
“People with defined responsibilities
“Management processes relating to policy, planning, implementation and operation, performance assessment, management review, and improvement
“Documentation providing auditable evidence
“Any business continuity management processes relevant to the organization”

20 What is a Business Continuity Management System?
So, in reality, a BCMS:
Is a term that can be used to describe how you currently address the administrative, planning and operational activities for BC in your organization
Has specific components and activities
Can help identify how your current BC program can be enhanced
Is an important audit control

21 Ways to Prepare
Learn more about management systems and determine if this approach is appropriate for you and your organization
Identify an executive sponsor in your organization, possibly a steering committee (“top management”)
Identify your “interested parties”, e.g., internal and external supporters and stakeholders
Begin to identify an appropriate program scope and objectives
Even if your BC program is well-established, refer to the standards for ways to improve your program

22 ISO 22301: The Potential Impact on BCM Professionals

23 For Individual Professionals
The profession now has its own ISO standards:
Not in the back seat of another standard (e.g., ISO 27001, 14000, 20000)
In addition to existing standards (e.g., NFPA 1600, FFIEC BC Handbook, ASIS SPC.1)
Truly international standards
Finally, a globally recognized foundation for the profession
An important development in the profession’s history – take advantage of it!

24 For Individual Professionals (cont.)
A new level-set for learning, thinking, and individual practices
Emergence of a common vocabulary
Comprehensive set of good practices (back to their roots in the BCI Good Practice Guidelines (GPG))
Standards are key to how we should operate as practitioners
Moving toward a more mature profession …

25 For Employers/Clients
Employers and clients need to know about these standards and their importance
Regardless of what action occurs next (awareness, alignment, compliance), this key development in the evolution of the profession needs to be known and understood by key stakeholders
It is our responsibility as professionals to manage the message to these and other stakeholders!

26 Other Key Stakeholders
As advocates for the profession, we must manage the knowledge and importance of these standards to other key stakeholder groups:
Customers (depending on your company/practice)
Regulators (even if no more than an FYI)
Suppliers (impact on supply chain policies/processes)
Internal peers
Industry peers
Auditors

27 Summing Up Your Role
Lead the discussion – regardless of the outcome, your perceived role as a professional will be enhanced by managing the message
Be the expert – whether you are an advocate of the standards or not, know the pros and cons for your environment/organization
Use the opportunity:
To enhance your role and image in your organization
To advance your own professionalism
To enhance the profession where you can

28 Discussion
What do you think?
What is the likelihood of your organization adopting ISO or any standard?
What is your game plan going forward?

29 Tips on Preparing for an Audit of Your BC Program Using ISO 22301

30 Why Audit?
Use generally accepted auditing practices to independently determine if your BCM program activities are:
Consistent with good practice
Compliant with company policies
Aligned with company budget guidelines
Compliant with other corporate controls

31 Types of Audits
First party (internal audit)
Second party (external audit an organization performs on a supplier of goods and services)
Third party (fully independent external audit)

32 Preparing for an Audit
Current copies of:
All relevant business continuity and disaster recovery documentation, including BC/DR plans, policies and procedures
Assessments, business impact analyses, risk assessments
Incident response plans, emergency plans
Defined roles and responsibilities for emergency teams as well as employees
Exercise programs
Technology DR test documents

33 Preparing for an Audit
Current copies of:
Documents describing previous disasters and responses
Internal and external communications activities including emergency notification
Training program materials
Awareness program materials
Activity maintenance schedules
Previous management reviews and audits
Documents demonstrating continuous improvement activities

34 Preparing for an Audit
Documented evidence that demonstrates:
Your program is built around the Plan-Do-Check-Act model
Your BC program is referred to (preferably) as a business continuity management system or BCMS
Your program and its activities align (as closely as possible) with the structure of ISO 22301:2012
You have scheduled and conducted BC plan exercises, technology DR tests, scheduled and conducted BIAs, RAs, assessments, reviews, plan updates, updates to BC strategies, updates to contact lists and updates to emergency procedures

35 Preparing for an Audit
Documented evidence that demonstrates:
You perform all or most of the activities defined by ISO for a BCMS, specifically the policies, processes and procedures that facilitate your BC program
You have senior management commitment and support for the program, including a senior management sponsor and/or champion, a steering committee, a budget, a business plan, staff, and are considered a separate department or a sub-group of a larger department

36 Preparing for an Audit
Documented evidence that demonstrates:
Business continuity is embedded in your organization as a strategic activity for the business, and that BC activities are part of product development, IT operations, product manufacturing, supply chain activities and other key business functions
Your emergency team members have received training and participate in regular emergency drills and exercises to ensure they are ready to respond in an emergency

37 Preparing the Auditors
Not many auditors know ISO 22301 … what can you do?
Determine if the auditors are familiar with the standard
Consider recommending that the auditors get trained on ISO 22301; courses are available
If you are doing a first-party audit, it may be beneficial to provide background materials on BC activities for your auditors so they can prepare accordingly

38 What Else Can You Do?
Before the audit, here are some additional activities:
Study ISO 22301 and ISO 22313 carefully; identify gaps in your current program activities that you can address/fix before the audit
Consider taking a seminar or course in preparing for an ISO audit
Discuss pre-audit and audit activities with other BC colleagues who have been audited

39 What Else Can You Do?
Before the audit, here are some additional activities:
Post audit-related questions on LinkedIn or other business-focused social media sites
Conduct research on audit preparation activities using search engines
Document everything that demonstrates that you are in compliance with the standard

40 You Passed the Audit … Now What?
You can self-certify your compliance with the standard (inexpensive)
You can have a third-party organization certify you as being compliant with the standard … example: British Standards Institution (expensive)
You can do nothing … just be ready for the next audit!

41 Briefing on the Business Continuity Institute

42 Promoting the Art and Science of Business Continuity Management Worldwide
The BCI is more than just certification – membership in the BCI means you are part of the most widely accepted global BCM professional organization and the largest global network of BCM professionals
Membership-based, not-for-profit global professional association of business continuity professionals founded in 1994 in the UK
First USA members joined in 1994
Over 8,000 members in 100+ countries

43 Promoting the Art and Science of Business Continuity Management Worldwide
Information and services include: Continuity Magazine, The Good Practice Guidelines, forums, liaison with local professional groups, workshops and reports, conferences, awards programs
Chapters: Asia, Africa, Australia, Canada, Japan, Nordic Region, Switzerland and United States
Support for members in achieving their professional goals and objectives
Membership grades provide assurance of technical and professional competency

44 Membership Information: http://www.thebci.org/index.php/membership
General Information
Membership Information
Training and Education
The Good Practice Guidelines
Knowledge Bank

45 Promoting the Art and Science of Business Continuity Management Worldwide
The BCI seeks to promote and facilitate the adoption of good business continuity practice worldwide by:
Setting professional standards in business continuity management (BCM)
Undertaking industry research
Driving thought leadership in BCM by partnering with academic institutions, research firms, social media and publishers
Facilitating the sharing of best practices
Training and certifying professionals
Raising the value of the profession
Developing the business case for BCM

46 The BCI’s Objectives
Provide fundamental business continuity skills and specialized business continuity training to develop individual knowledge, skills, and capabilities
Provide members with access to peer-based networking opportunities, helping them share experiences and knowledge
Encourage members to maintain or enhance their professional capabilities throughout their careers by updating their knowledge and skills and maintaining a record of this progress via a Continuing Professional Development (CPD) program
Exploit all learning technologies, including online training, virtual workshops, social media and distance learning, thus providing access to products and services for all members

47 Why Join the BCI?
Internationally recognized and respected credentials
Professional growth and career enhancement
Local and global networking
Extensive and diverse content
Conferences, forums, workshops and awards programs
Professional training seminars, webinars and others
Social media resources

48 Why Join the BCI? – Certification
A global certification brand aligned to industry standards and best practices
Benefits to you and your organization:
Credibility (recognition of skills and achievements)
Career opportunities
Compensation aligned with skills and knowledge

49 The Value of Certification
Recognition / peer status
Desirable hiring credential for that new job
Demonstration of commitment and skills to advance with your current employer
Continuous access to BCI knowledge base
Your demonstrated knowledge in industry-accepted best practice and methodologies

50 Why Join the BCI? – Professional Growth
Training: Instructor-Led Training, Custom Training, BC Live Online, E-Learning
Seminars/webinars on current issues
Mentoring Program
Monthly Newsletter (USA Chapter Newsletter, too)

51 Why Join the BCI? – Professional Growth
The BCI Good Practice Guidelines Training Course (3- or 5-day)
The BCI BCM Audit Course
The BCI BIA Training Course
The BCI Supply Chain Continuity Course
The BCI Crisis & Incident Management Course
The BCI Writing Business Continuity Plans Course
PLUS: New education opportunities with academic institutions in the US

52 Why Join the BCI? – Networking
Largest global network of BCM professionals
Partnerships with DRJ and CI
Global Conferences
USA Conferences and Association Participation
Partnership with ACP and other professional groups (e.g., ISSA, IAEM, ISACA)
Partnership with other BCI chapters, forums and area representatives
BC Awareness Week
BCI Consultant Directory
The BCI Awards

53 Why Join the BCI? – Networking

54 Why Join the BCI? – Content
The Good Practice Guidelines
Continuity magazine
BCI e-Newsletter
BCI website
BCI USA Chapter website and newsletter
Special reports
Conferences
Forums and workshops

55 Why Join the BCI? – Content
Webinars
Research studies and surveys
Benchmarking
White papers
Standards development and policymaking
Job listings and postings
Support for academic education

56 BCI Membership Grades
FBCI – Minimum 10 years experience; 3+ years as an MBCI; plus significant documented leadership contributions to the BCI and the profession
MBCI – 3 years experience in each of the six skill areas + CBCI Examination pass with merit
AMBCI – 1 year experience in each of the six skill areas + CBCI Examination pass
CBCI – BCI Certification Examination

57 BCI Alternate Route to Membership (BCI Grade – Credentials Accepted – Experience Required – Special Requirements)
FBCI – Only via MBCI with 3+ years BCI membership – 6+ years experience – No direct entry
MBCI – CBCI, pass with merit – 3+ years as evidenced in full scored assessment form plus résumé plus 2 references
MBCI – MBCP or CBCP, held for 5+ years – Either credential must have been held continuously for 5+ years plus application form, résumé, 2 refs – % of applications will be audited
MBCP or CBCP, held for <5 years
AMBCI – CBCI, MBCP, CBCP or ABCP – 1+ years, self certified, plus résumé and 2 references

58 BCI Membership Fees (may vary based on exchange rate)
CBCI – Certificate of the BCI: Price $600 for 2-hour exam and 1-year membership; Renewal $120
AMBCI – Associate Member of the BCI: Annual $192
MBCI – Member of the BCI: Annual $208
FBCI – Fellow of the BCI: Annual $264

59 The BCI USA Chapter

60 The BCI USA Chapter
Founded in 2008, the BCI USA Chapter is headquartered in Daytona Beach, FL and has almost 1,000 members
2013 USA Chapter Board (Board of Directors, Executive Committee): Ted Brown, MBCI; Stacey Gardner, MBCI; Paul Kirvan, FBCI; Kathleen Lucey, FBCI; Margaret Millett, MBCI; Ann Pickren, MBCI; Eric Staffin, FBCI; Doug Weldon, FBCI; Brian Zawada, MBCI

61 The BCI USA Chapter
The new Membership Council is chartered to grow US membership and extend the BCI’s visibility and reach
Standing committees include Finance and Audit, PR & Industry Liaison, Education, Program, Public Sector Liaison and Information Services

62 Strategic goals
Grow BCI membership in the USA
Encourage existing members to continue their membership
Influence the development of BCI products and services to meet the needs of USA members
Build new products/services to help USA members achieve their professional objectives

63 Thank you!
Paul Kirvan, FBCI, CISA
Chapter Secretary, The BCI USA Chapter
Vice Chair, BCI Global Membership Council
Approved BCI Instructor
FBCI Assessor
