Presentation is loading. Please wait.

Presentation is loading. Please wait.

BUSINESS CONTINUITY MANAGEMENT THROUGH STANDARDS AND BEST PRACTICES Jasmina Trajkovski, CISA, CISM.

Published byReginald Danson Modified over 9 years ago

Similar presentations

Presentation on theme: "BUSINESS CONTINUITY MANAGEMENT THROUGH STANDARDS AND BEST PRACTICES Jasmina Trajkovski, CISA, CISM."— Presentation transcript:

1 BUSINESS CONTINUITY MANAGEMENT THROUGH STANDARDS AND BEST PRACTICES Jasmina Trajkovski, CISA, CISM

2 What is BCM?  holistic management process  identifies potential impacts  framework for resilience and response capability  safeguard interests of key stakeholders or more simply…

3  Not just a paper plan, it also requires organisation, planning, assessment, training, rehearsal and more. A process that establishes a secure and resilient business environment capable of mounting an immediate and effective response to a major incident.

4 Objective of business continuity management Time Level of business Critical recovery point Fully tested effective BCM No BCM – ‘lucky’ escape No BCM – likely outcome

5 Impact of Downtime Lost Revenue Know the downtime costs (per hour, day, two days...) Number of employees impacted (x hours out * hourly rate) Damaged Reputation Customers Suppliers Financial markets Banks Business partners Financial Performance Revenue recognition Cash flow Lost discounts (A/P) Payment guarantees Credit rating Stock price Other Expenses Temporary employees, equipment rental, overtime costs, extra shipping costs, travel expenses... Direct loss Compensatory payments Lost future revenue Billing losses Investment losses Lost Productivity

6 Availability Measurement – Levels of ‘9s’ Availability % Uptime% DowntimeDowntime per YearDowntime per Week 98%2%7.3 days3hrs 22 min 99%1%3.65 days1 hr 41 min 99.8%0.2%17 hrs 31 min20 min 10 sec 99.9%0.1%8 hrs 45 min10 min 5 sec 99.99%0.01%52.5 min1 min 99.999%0.001%5.25 min6 sec 99.9999%0.0001%31.5 sec0.6 sec

7 Impact Scenarios 7  Loss or denial of physical space  Your work area has been destroyed and/or become inaccessible  Access to space, but loss of technology  Your area is intact, but without data/power/water/etc.  Both

8 Impact Categories 8  Financial  The cost to recover all functions + loss of revenue  Example: BP oil spill cost billions to clean + lost billions in product  Operational  The ability to physically execute a critical business function

9 Impact Categories 9  Legal/Regulatory  The ability to be fined, sued, or shut down  Customer  The ability to retain customer base when operating in Emergency Mode  Reputation  The ability to retain customer base when the story gets out

10 The business continuity plan Emergency response plan Activity Crisis management/ communication plan Business recovery plan Time objective A A successful outcome

11 What is wrong with current plans  Outdated or gathering dust on the shelves  ‰ Reads like a policy vs. a process to restore  ‰ Recovery team is not aware of plan contents or been trained  ‰ Only addresses restoring IT systems  ‰ Lacks an effective plan to:  restore connectivity between locations  manage communications to customers, local media, employees  ‰ Never been tested  ‰ A large single document  ‰ Saved only on the network  ‰ Does not address security incidents  ‰ Too much focus on catastrophic disasters or natural disasters  ‰ Does not address availability of critical vendors  ‰ One plan fits all disruptions

12 Some survey results 2014  One-third of respondents experienced outages reported stated that critical applications were lost for hours and sometimes multiple days.  Even more alarming was that one in four respondents said they had lost most, if not all of their datacenter for hours and in some cases days.  Nearly one in four respondents never tested their DR plans, and one-third of those surveyed tests their plans only once or twice a year. When companies do test, more than 65% do not pass their own DR tests  http://drbenchmark.org/ http://drbenchmark.org/

13

14 BUT….. WHERE DO THE STANDARDS COME IN THE PICTURE?

15

16 Difference in objective / purpose  What has to be done  Agreed / accepted by a representative number of countries  Applicable to all types of organizations  What works well  How an activity can be done  A compilation of practices from various types of organizations StandardsBest practices

17 Standards….  ISO 22301:2012, "Societal security -- Business continuity management systems --- Requirements“  BS 25999-2:2007, “Specification for Business Continuity Management” - replaced by ISO 22301:2012.  NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs.  ASIS/BSI BCM.01:2010 published Dec 2010  ANSI/ASIS SPC.1-2009 Organizational Resilience.

18 Best practices….  Business continuity institute – Good practice guidelines  Disaster recovery institute – reference materials  BS 25777, “Information and communications technology continuity management. Code of practice” – replaced with ISO27031: 2011, “Guidelines for information and communication technology readiness for business continuity”  ISO27002:2013, “Code of practice for information security controls”  ISO 22313:2012, "Societal security -- Business continuity management systems – Guidance“  ISO/IEC 27031:2011, "Information security - Security techniques — Guidelines for information and communication technology [ICT] readiness for business continuity“  BS 25999-1:2006, “Business Continuity Management. Code of Practice” – replaced by ISO22313:2012  HB 292-2006: A practitioners guide to business continuity management  HB 293-2006: Executive guide to business continuity management  And many more….

19 ISO22301 Elements

20 ISO22301 clauses

21 Standards provides requirements for  Determining the context of the organization  List of legal, regulatory and other requirements  Scope of the BCMS (Business Continuity Management System) and explanation of exclusions  Business continuity policy and Business continuity objectives  Competences of personnel  Communication with interested parties  Process for business impact analysis and risk assessment  Business continuity procedures  Incident response procedures  Procedures for restoring and returning business from temporary measures  PDCA cycle

22 BCI Good Practice Guidelines  Policy and program management  Embedding business continuity  Analysis  Design  Implementation  Validation Management practicesTechnical practices

23 Best practices

24 Final words Do not just make the plan…. ….. Test to see if it works …. If it provides the required continuity …. And if the right people know how to use it.

25 JASMINA TRAJKOVSKI, CISA, CISM jasmina.trajkovski@tpconsulting.com.mk

Download ppt "BUSINESS CONTINUITY MANAGEMENT THROUGH STANDARDS AND BEST PRACTICES Jasmina Trajkovski, CISA, CISM."

Similar presentations

Museum Presentation Intermuseum Conservation Association.

Museum Presentation Intermuseum Conservation Association.
Business Continuity Training & Awareness by Sulia Toutai (ANZ)

Business Continuity Training & Awareness by Sulia Toutai (ANZ)
Business Continuity and Disaster Recovery Planning.

Business Continuity and Disaster Recovery Planning.
A briefing about your BCM Programme.  Why BCM  Benefits of BCM  Programme Objectives  Methodology  Tasks & Deliverables Programme Overview.

A briefing about your BCM Programme.  Why BCM  Benefits of BCM  Programme Objectives  Methodology  Tasks & Deliverables Programme Overview.
CIOassist Technologies Your CIO on Demand… Business Continuity Planning Our Offering CIOassist Technologies (www.cioassist.in)www.cioassist.in

CIOassist Technologies Your CIO on Demand… Business Continuity Planning Our Offering CIOassist Technologies (
Module – 9 Introduction to Business continuity

Module – 9 Introduction to Business continuity
Business Continuity Section 3(chapter 8) BC:ISMDR:BEIT:VIII:chap8:Madhu N PIIT1.

Business Continuity Section 3(chapter 8) BC:ISMDR:BEIT:VIII:chap8:Madhu N PIIT1.
Your Role in the New Normal Increased knowledge and active participation in disaster preparedness and recovery prepare you for the New Normal Baton Rouge,

Your Role in the New Normal Increased knowledge and active participation in disaster preparedness and recovery prepare you for the New Normal Baton Rouge,
Managed Funds Association’s Sound Practices for Hedge Fund Managers 2009 Edition.

Managed Funds Association’s Sound Practices for Hedge Fund Managers 2009 Edition.
Introduction to Business Continuity Planning An Introduction to the Business Continuity Planning Process Including Developing your Process and the Plans.

Introduction to Business Continuity Planning An Introduction to the Business Continuity Planning Process Including Developing your Process and the Plans.
© 2009 EMC Corporation. All rights reserved. Introduction to Business Continuity Module 3.1.

© 2009 EMC Corporation. All rights reserved. Introduction to Business Continuity Module 3.1.
September 14, 2010 Measuring/Monitoring for Perfect Ground Transportation Services AGTA Meeting – San Antonio 10:45 AM Michael J. Corby, CISSP, CCP, PMP.

September 14, 2010 Measuring/Monitoring for Perfect Ground Transportation Services AGTA Meeting – San Antonio 10:45 AM Michael J. Corby, CISSP, CCP, PMP.
Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)

Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
BCP/DRP Consultancy Project- An approach

BCP/DRP Consultancy Project- An approach
Business Continuity Planning Jeremy Stacy. Objectives Understand the steps in Business Continuity Planning Understand the terminology used in Business.

Business Continuity Planning Jeremy Stacy. Objectives Understand the steps in Business Continuity Planning Understand the terminology used in Business.
Security Controls – What Works

Security Controls – What Works
Implementing BCM Lynda McMullan CBCI Business Continuity Manager.

Implementing BCM Lynda McMullan CBCI Business Continuity Manager.
TEL382 Greene Chapter 11. 10/27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.

TEL382 Greene Chapter /27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.
Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.

Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.
Business Continuity The Basics Emergency Planning and Business Continuity Team.

Business Continuity The Basics Emergency Planning and Business Continuity Team.

Similar presentations

Ads by Google