BUSINESS CONTINUITY MANAGEMENT SYSTEM A COMPLETE GUIDE TO IMPLEMENTING ISO 22301

Transcription

1 BUSINESS CONTINUITY MANAGEMENT SYSTEM A COMPLETE GUIDE TO IMPLEMENTING ISO WEI NING ZECHARIAH WONG & JIANPING SHI

2 Business Continuity Management System

3

4 Business Continuity Management System A Complete Guide to Implementing ISO Wei Ning Zechariah Wong Jianping Shi

5 Publisher s note Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and authors cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the editor, the publisher or any of the authors. First published in Great Britain and the United States in 2015 by Kogan Page Limited Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licences issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned addresses: 2nd Floor, 45 Gee Street 1518 Walnut Street, Suite /23 Ansari Road London EC1V 3RS Philadelphia PA Daryaganj United Kingdom USA New Delhi India Wei Ning Zechariah Wong and Jianping Shi, 2015 The right of Wei Ning Zechariah Wong and Jianping Shi to be identified as the authors of this work has been asserted by them in accordance with the Copyright, Designs and Patents Act ISBN E-ISBN British Library Cataloguing-in-Publication Data A CIP record for this book is available from the British Library. Library of Congress Cataloging-in-Publication Data Wong, Wei Ning Zechariah. Business continuity management system : a complete guide to implementing iso / Wei Ning Zechariah Wong, Jianping Shi. pages cm ISBN (paperback) ISBN (ebk) 1. Crisis management. 2. Emergency management Planning. 3. Data protection. 4. Computer networks Security measures. I. Shi, Jianping. II. Title. HD49.W dc Typeset by Amnet Print production managed by Jellyfish Printed and bound by CPI Group (UK) Ltd, Croydon, CR0 4YY

6 In memory of my beloved father JS

7

8 CONTENTS Abbreviations xi List of tables xiii List of figures xv Introduction 1 01 Fundamentals of business continuity management 5 Background 5 What is business continuity management? 6 The principles of business continuity management 7 Application of business continuity management in corporate setting 9 Business continuity management lifecycle 12 Summary 24 References 25 Further reading Business continuity management system 27 Background 27 What is a management system? 28 Levels of application 29 ISO business continuity management system 30 Key components of business continuity management system 32 The Plan-Do-Check-Act (PDCA) paradigm 36 Business continuity management system lifecycle 38 Summary 44 Further reading 45

9 viii Contents 03 Context of the organization 47 Background 47 Understanding the organizational context 48 Basic concepts: The organization and its environment 48 Organizational context analysis 49 Corporate analysis 50 Threat and resilience assessment 52 Stakeholder and regulatory analysis 53 Organizational BCMS scoping 59 Outsourced functions and services 66 Summary 67 Further reading Leadership 69 Background 69 Management commitment 70 Business continuity champion 73 Business continuity policy 75 Summary 84 References 85 Further reading Planning 87 Background 87 Approaches to corporate resilience 88 Management approach 88 Process-centric approach 90 Business continuity objectives 93 Business continuity objective development 94 BCMS project management 99 Summary 105 Further reading Support 107 Background 107 Resource allocation 108

10 Contents ix Practices of BCM professionals 109 The professional practices 109 Skills of BCM professionals 110 Performance appraisal 112 Business continuity awareness and training programme 116 Principles of communication 128 BCMS documentation management 131 Principles of documentation management 133 Summary 137 References 139 Further reading Operation 141 Background 141 Understanding the organization 142 Characteristics of business impact analysis 143 Characteristics of risk assessment 164 Strategy selection and development 174 Establish business continuity capability 183 Incident management structure 184 Exercise business continuity capability 196 Summary 215 Further reading Performance evaluation 219 Background 219 BCMS performance assessment 220 BCMS evaluation criteria 220 Approaches to performance evaluation 222 Management review 242 Summary 244 Further reading Improvement 247 Background 247 BCMS control system 248

11 x Contents Continual improvement 256 Summary 261 Further reading Conclusion 263 Application of BCMS 263 Management challenges 266 Concluding remarks 270 References 273 Index 275

12 ABBREVIATIONS Best practice organization (BPO) Business-as-usual (BAU) Business Continuity Institute (BCI) Business continuity management (BCM) Business continuity management system (BCMS) Business continuity plan (BCP) Business continuity resource requirements analysis (BCRRA) Business impact analysis (BIA) Continuous professional development (CPD) Crisis management plan (CMP) Critical success factor (CSF) Disaster Recovery Institute International (DRII) Enterprise risk management (ERM) Function restoration plan (FSP) Incident command centre (ICC) Incident management plan (IMP) Incident management structure (IMS) Information security (IS) Information technology disaster recovery (ITDR) Key performance indicator (KPI) Level of business continuity (LBC) Management of business continuity (MBC) Maximum tolerable period of disruption (MTPD) Plan-Do-Check-Act (PDCA) Political, economic, social and technological (PEST) Process recovery plan (PRP) Recovery point objective (RPO) Recovery time objective (RTO) Responsible, accountable, consulted and informed (RACI) Risk assessment (RA)

13 xii Abbreviations Specific, measurable, achievable, realistic and time-bound (SMART) Statement of applicability (SoA) Strengths, weaknesses, opportunities and threats (SWOT) Training needs analysis (TNA) Uninterrupted power system (UPS)

14 LIST OF TABLES TABLE 2.1 Three levels of management system application 30 TABLE 2.2 PDCA phases and BCMS components 39 TABLE 3.1 Components of organizational context analysis 49 TABLE 3.2 Stakeholder matrix table 57 TABLE 3.3 Techniques and tools for undertaking organizational context analysis 60 TABLE 5.1 Business continuity objectives and their attributes of measurement 97 TABLE 6.1 Professional practices of Disaster Recovery Institute and Business Continuity Institute 110 TABLE 6.2 Sources and methods of information collection 119 TABLE 6.3 Methods of delivery for awareness and training activities 127 TABLE 6.4 Version number prior to revision 134 TABLE 6.5 Version number after major revision 134 TABLE 7.1 Concepts of business impact analysis 145 TABLE 7.2 Suggested principles in designing questions 152 TABLE 7.3 Key areas to be covered by business impact analysis 153 TABLE 7.4 Information checklist for business impact analysis workshop 154 TABLE 7.5 Strengths and weaknesses of information collection methods for BIA 156 TABLE 7.6 Types of impacts 159 TABLE 7.7 Impact rating table 160 TABLE 7.8 Criticality ranking table 161 TABLE 7.9 Staged recovery table 162 TABLE 7.10 Concepts of risk assessment 165

15 xiv List of Tables TABLE 7.11 Comparison between qualitative and quantitative approaches 167 TABLE 7.12 Examples of natural and man-made risks 169 TABLE 7.13 Sources of information for risk identification 170 TABLE 7.14 General considerations of key resources 180 TABLE 7.15 Characteristics of incident management structure 187 TABLE 7.16 Key items of IMP and points of consideration 193 TABLE 7.17 Key characteristics of exercises 202 TABLE 7.18 Participation of individual roles in different levels of exercise 208 TABLE 8.1 Benchmarking scoring table 227 TABLE 8.2 Basic steps and methods of performing a gap analysis 232 TABLE 8.3 Gap analysis scoring checklist 233 TABLE 8.4 Audit elements and their explanation 240 TABLE 9.1 Core concepts of effective continual improvement 257 TABLE 9.2 Methods and processes of improvement in BCMS 259 TABLE 10.1 Strategies for BCMS implementation 268

16 LIST OF FIGURES FIGURE 1.1 Business continuity management lifecycle 24 FIGURE 2.1 BCMS (with the PDCA paradigm) and BCM lifecycle 43 FIGURE 3.1 Interaction between internal and external systems 49 FIGURE 3.2 BCMS conversion of internal and external influences into corporate advantages 59 FIGURE 3.3 Relationships and interactions between functions 64 FIGURE 4.1 Policy development framework 76 FIGURE 4.2 Business continuity oversight structure 78 FIGURE 5.1 Business continuity management structure 101 FIGURE 6.1 Relationship between management skills and professional practices 113 FIGURE 6.2 Lifecycle of business continuity awareness and training programme 117 FIGURE 6.3 Gap analysis of business continuity awareness and training needs 121 FIGURE 6.4 Simplistic external and internal communication structure 132 FIGURE 7.1 Risk probability/impact chart and four options of resilience programmes 171 FIGURE 7.2 Incident management structure 185 FIGURE 7.3 Plan development process 197 FIGURE 7.4 Five levels of exercise 199 FIGURE 7.5 Key stages of exercise programme 209 FIGURE 8.1 BCMS benchmarking process 223

17 xvi List of Figures FIGURE 8.2 Diagrammatic presentation of BCMS performance 229 FIGURE 8.3 BCMS gap analysis model 231 FIGURE 8.4 Gap analysis graph 235 FIGURE 8.5 BCMS audit programme and process 239 FIGURE 8.6 Components of management review 245

18 Introduction Business continuity management (BCM) continues to grow in terms of the importance and value to organizational activities. This is evident by the publication of the International Standard for BCM: ISO (Societal Security Business Continuity Management Systems Requirements), which demonstrates the recognition of the subject in enabling corporate success and optimizing service availability. In addition, today s BCM population is made up of new entrants in the fields of management consulting, information assurance, risk and insurance, compliance and quality, and, surprisingly, arts and history, which will definitely bring a kaleidoscope of novel thoughts to the profession. This diversity perhaps can be viewed as an indicator of a popular discipline in the 21st century. Since its publication in 2012, ISO has been the touchstone in the development and management of an effective business continuity management system (BCMS). Though the requirements are accompanied by the guidance, ISO 22313, which provides useful explanation of the principles of the requirements, it does not provide all the necessary information on how the key processes are established. Following the advent of the International Standard, many books have attempted to provide guidance on the implementation of the BCMS. However, most literature are either brief in content or do not provide the pertinent details to the readers. There still exists a deficiency of a handbook that addresses the whole lifecycle of the BCMS. This book endeavours to address that gap, by providing in detail real case examples and approaches based on the authors experiences. It is intended to be helpful to both new and seasoned business continuity practitioners who are responsible for the BCMS in their organizations. It describes the underlying concepts of the key activities of the BCMS and how each stage of the management system

19 2 Business Continuity Management System relates to one another. It explains the different issues that must be addressed at all stages throughout the lifecycle of the BCMS. A broad range of connected issues are introduced to enable business continuity practitioners to enhance their knowledge as well as to address the organizational challenges. A key strength of this book is that it provides proven techniques and suggests how they may be adapted to meet the individual s requirements and context. In particular, it proposes easy-to-use assessment methodologies to evaluate the organization s BCMS performance (Chapter 8) and explains how an effective BCMS control system is established (Chapter 9). This book is structured based on ISO It comprises 10 chapters. Chapter 1 provides the readers the perspective of business continuity in the corporate setting. It presents an overview of the BCM lifecycle, which allows seasoned practitioners to revisit the key processes and introduces new entrants to the subject. Chapter 2 concentrates on the principles of the BCMS and its underlying approach Plan-Do-Check-Act (PDCA). The chapter offers a review into the essential components of the BCMS. This would be particularly useful for organizations that are seeking to develop a systemic and effective BCM. Chapters 3 to 9 encapsulate the seven main clauses of ISO 22301, namely, Context of the Organization, Leadership, Planning, Support, Operation, Performance Evaluation and Improvement; they collectively form the all-encompassing approach of planning, implementing, managing and continually improving the BCMS. The final chapter, Chapter 10, identifies the organizational barriers that can hamper the effective implementation of the BCMS and offers a series of strategies to overcome those management challenges. A unique feature of this book is that it offers the readers the choice of reading the book in its entirety (for those wishing to understand the planning and establishment of a BCMS), whilst also allowing them to choose particular components of the BCMS a quick overview of the chapter is provided to enable them to pick the topics that are of greatest interest to them. In addition, a checklist is included at the end of each chapter to highlight the key activities or items that should be in place in order to establish an effective BCMS. It is the authors hope that the readers of this book can take away what is most relevant to them; the intention is to complement their

20 Introduction 3 own experiences so that they can derive appropriate solutions. It is particularly aimed at equipping business continuity practitioners with the knowledge, skills and ammunition to position BCM into a value-added activity of strategic importance within their organizations. This would have achieved our objective. As such, a lengthy introduction would not be necessary. Business continuity in the 21st century is here to stay. This book is intended to act as a catalyst to accelerate progress on the journey from business continuity management to business continuity management system, both by enhancing the BCM competence of the individual readers and by contributing to the development of a shared knowledge for implementing ISO in organizations.