How to transition to ISO 22301... One year on
Rob Acker, Business Continuity Lead Assessor, LRQA Ltd
Agenda
Structure of ISO 22301
Detailed review, a walk-through:
Section 4 understanding
Section 5 leadership
Section 6 planning
Section 7 support
Section 8 operation
Section 9 performance
Section 10 improvement
Transition
How LRQA can help
ISO 22301 and BS 25999: comparison
Societal security
Greater emphasis on business need and context
Policy, the vertical: direction, commitment, plan, controls, objectives, KPIs, measurement, acting on results
System framework, the horizontal: effective, efficient control of recovery
(Diagram: PDCA cycle, Plan, Do, Check, Act)
PDCA - BCM cycle
Plan: Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity in order to deliver results that align with the organization's overall policies and objectives.
Do: Implement and operate the business continuity policy, controls, processes and procedures.
Check: Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.
Act: Maintain and improve the BCMS by taking corrective action, based on the results of management review and reappraising the scope of the BCMS and business continuity policy and objectives.
Count of requirements
Structural changes:
Name change: "Societal security", contributing to a resilient society
The new format is more consistent with other ISO management system standards (e.g. ISO 9001, ISO 14001), but retains the existing BC lifecycle
105 "shalls" compared with the 56 of BS 25999
PDCA comparison: some simplification, clarification or re-wording, and some new requirements.
(Bar chart: number of requirements per PDCA phase, Plan / Do / Check / Act, BS 25999 vs ISO 22301)
New requirements: summary
Formalisation of external and internal issues relevant to BCMS outcomes
Management commitment
Business continuity objectives
Legal and regulatory requirements
Resource planning
3rd party management
Measures and effectiveness
Enhanced requirements
5.2 Management commitment
5.3 Policy requirements
6.2 Business continuity objectives
7.1 Resources
7.2 Communications
Section 5 - Leadership
Top management demonstrate leadership:
Compatibility of the BCMS with the company's strategic direction
Integration, achievement of outcomes
Policy enhancements include:
Provide the framework for setting business continuity objectives
Be communicated within the organization to all persons working for or on behalf of the organization within the scope of the BCMS
This clarifies existing requirements and aligns them with other management system expectations (e.g. definition of roles, responsibility and authority; resource determination and review).
Section 6 - Planning
Business continuity objectives: SMART but practical, linking the analysis of issues and opportunities to operations and results
Actions to address risks and opportunities: this risk assessment is aimed at corporate-level risks (for which a BCMS is effective mitigation) rather than operational risks that might trigger a BCMS response.
Section 7 - Support
Competence and awareness
Communication
Documents and records
Section 7 - Resource requirements
Clarifies the types of resources required to be considered
All resources under the organisation's control to be identified, together with associated competences
7.4 Communication
Essentially now need to define what, when and whom
Needs to be tested
Section 8 - Operation
Business impact analysis and risk assessment
Business continuity strategy
Incident response
Business recovery and continuity
8.4.4 Business continuity plans
Resources, information and records
Purpose and scope
Objectives
Internal and external interdependencies and interactions
Plan activation criteria and procedures
Communication requirements and procedures
Roles, responsibilities and authorities
8.5 Exercise and test
Testing is explicitly mentioned
Consistent with policy and objectives
Reviewed against aims and objectives
Based on scenarios
The communication and warning procedures shall be regularly exercised.
Section 9 - Performance evaluation
Determine what needs to be monitored or measured: the when, what and how
Methods to use
When it needs to be done
When analysis needs to be done
Action on adverse trends
Periodic review of legal and regulatory requirements
9.3 Management review
Gone:
Results of education and training programmes
Level of residual risk and acceptance as input
Feedback from interested parties
When significant changes occur
New:
Trends, audits and measures
Changes required to policy and objectives
Updates to BIA, RA and BCPs
Security requirements rather than resilience
Changes to contractual requirements
The conversion process
Conducted an internal audit of our old BCMS against the new ISO, thereby identifying potential non-conformities
Re-ordered our BCMS so that it followed the ISO chapter headings, making it easier for the external certifying body to audit the system
Changes to the BCMS
To reflect the enhanced top management role: ensured that the BCMS stated the links between business continuity and the business as a whole, with demonstrable evidence of how it is incorporated into the business processes (strategic direction and operational control)
Review of the process in terms of upstream (supply chain) and downstream (impact on clients)
To better demonstrate the accountability of 3rd party suppliers: independent audits of critical outsourced dependencies incorporated into the monitoring and measurement process
Changes to the BCMS (continued)
Improved alignment with day-to-day running of the business
Review and utilisation of ISO 31000 principles in managing operational risks
Improved iteration of risk assessment
Developed simple but effective risk controls
Carried out simulation exercise
Improved proactive, preventive controls throughout operations
Challenges
Being able to prove to an auditor that the business continuity plan can achieve recovery of its activities to a predetermined level, based on management-approved recovery objectives
Specific plans are required for any RTOs for critical activities that are time sensitive
Summary
The changes from BS 25999 to ISO 22301 are not a great leap into the unknown; rather, it is a process of evolving the BCMS
The initial internal audit is crucial to critically analyse the changes required to ensure our BCMS conformed to ISO 22301
What to expect from LRQA... Transition plans
UKAS requirements on the Certification Body (CB) drive the maximum period to transition
CBs must transition by 30 May 2014
No new client certificates or renewals to BS 25999 in 2014
For how long does your BS 25999 certificate remain valid? 30 May 2015 at the latest, but governed by other rules...
Client transition should be at the first surveillance or renewal after CB transition
What to expect from LRQA... Transition plans
How long would the transition audit take? Up to 1 day, depending on approach
What is the approach to the transition audit?
Can take place at a surveillance visit
Driven by a checklist pre-completed by the organisation, with supporting information
Additional time will be required if the checklist is completed following exploration by the assessor
Any deficiencies will be reported as findings in the usual way. As long as these are minimal and a corrective action plan has been agreed, the assessor will recommend approval to the ISO/IEC 22301 standard.
What to expect from LRQA... Transition plans
What happens if you are part way through your initial assessment against BS 25999?
Subject to normal assessment limitations, the limit is 31 December 2013 (BS 25999 expires 1 June 2014)
Switching standards between Stage 1 and Stage 2 is not recommended and will require some additional time to check that the new requirements have been met
Any questions? Come and see us on Stand 23. Thank you!
Rob Acker, Lead Assessor
Lloyd's Register Quality Assurance Limited
Hiramford, Middlemarch Office Village, Siskin Drive, Coventry, CV3 4FJ, United Kingdom
T +44 (0)24 7688 2343
E rob.acker@lrqa.com
W www.lrqa.co.uk
Lloyd's Register Quality Assurance Limited (LRQA) is a subsidiary of Lloyd's Register Group Limited.