ISO/TS 22317: How to Use ISO s Newest BC Standard to Develop Real BC Requirements

Transcription

1 ISO/TS 22317: How to Use ISO s Newest BC Standard to Develop Real BC Requirements Jacqueline Rupert Managing Consultant Avalution Consulting

2 Agenda ISO/TS Background Overview BIA Outcomes Process Keys to Success Conclusions and Questions

3 Background Since 2013, ISO technical committee 292 (security and resilience) has been working on developing a business impact analysis standard Lead by the US Delegation Brian Zawada and Jacqueline Rupert Participants from over a dozen countries

4 Background In September 2015, ISO published its newest business continuity standard: ISO/TS 22317: 2015 Societal security Business continuity management systems Guidelines for business impact analysis (BIA)

5 Overview The new technical specification is designed to complement ISO 22301, but also be a stand alone standard Note: This standard is not auditable; instead it provides guidance on how to effectively implement or mature a BIA process

6 Overview ISO sought to re-define ISO s business impact analysis definition, outcomes, and process to be more clear and straight-forward The BIA process analyzes the consequences of a disruptive incident on the organization. The outcome is a statement of justification of business continuity requirements. Note: business continuity requirements has the same meaning as continuity and recovery priorities, objectives, and targets

7 BIA Outcomes Endorsement or modification of the organization s BC program scope Identification of legal, regulatory, and contractual requirements (obligations) and their effect on business continuity requirements Evaluation of impacts on the organization over time, which serves as the justification for business continuity requirements (time and capability) Identification and confirmation of product/service delivery requirements following a disruptive incident, which then sets the prioritized timeframes for activities and resources Identification of, and establishment of, the relationships between products/services, processes, activities, and resources Determination of the resources needed to perform prioritized activities (e.g. facilities; people; equipment; information, communication and technology assets; supplies; and financing) Understanding of the dependencies on other activities, supply chains, partners, and other interested parties Determination of how up to date the information needs to be

8 BIA Process

9 BIA Process Impact Categories Financial Reputational Legal and Regulatory Contractual Business Objectives Examples of Impacts Financial losses due to fines, penalties, lost profits, or diminished market share Negative opinion or brand damage Litigation liability and withdrawal of license to trade Breach of contracts or obligations between organizations Failure to deliver on objectives or take advantage of opportunities

10 Keys to Success Prerequisites identifies prerequisites for organizations to consider implementing before the BIA process These boil down to what management system (ISO 22301) activities are needed to be successful, including: Context and scope Roles and responsibilities Leadership commitment Resource allocation

11 Keys to Success BIA Process Levels breaks down the BIA process into three levels: Product and service prioritization (section 5.3) Process prioritization (section 5.4) Activity prioritization (includes resources and interdependencies) (section 5.5) Complex organizations should use all three levels, but less complex organizations may choose to combine one or two of the levels These levels ensure results are consistent from topdown and bottom-up

12 Keys to Success Section 5 Structure The three levels are explained in Section 5 (Performing the Business Impact Analysis) and broken down by the following: Introduction (Overview) Inputs Outcomes Methods for how to conduct each level are: Explained in Section 5.6 (Analysis and Consolidation) Detailed in Annex C (BIA Information Collecting Methods) Information on how to obtain top management endorsement is in Section 5.7

13 Keys to Success After the BIA Section 5.8 (Business Continuity Strategy Selection) outlines how to use BIA results to select appropriate business continuity strategies Section 6 (BIA Process Monitoring and Review) outlines when the BIA process should be refreshed, including: Frequency considerations Organizational change considerations

14 Conclusions Provides a new, enhanced BIA definition that is more clear with less jargon Offers a BIA value proposition for organizations struggling to gain buy-in Identifies the prerequisites that the organization should have in place before starting the BIA Outlines a detailed process for how to effectively perform the BIA Proposes the outcomes of the BIA (including outcomes of each step of the BIA) Provides options for different information collecting methods, along with a pros and cons analysis of each method Describes other uses for which organizations may choose to use the BIA

15 Questions? Thank you!

16 Contact Information Jacqueline Rupert Managing Consultant, Avalution Consulting avalution.com bccatalyst.com