How to transition to ISO 22301... One year on. Rob Acker, Business Continuity Lead Assessor, LRQA Ltd


Agenda
- Structure of ISO 22301
- Detailed review, a walk-through:
  Section 4 Understanding
  Section 5 Leadership
  Section 6 Planning
  Section 7 Support
  Section 8 Operation
  Section 9 Performance
  Section 10 Improvement
- Transition
- How LRQA can help

ISO 22301 and BS 25999 Comparison. Societal security

Greater emphasis on business need and context.
[Diagram: Policy, the vertical (direction): commitment; plan, controls, objectives, KPIs; measure; acting on results. System framework, the horizontal: effective, efficient control of recovery. The Plan, Do, Check and Act steps are shown between the two axes.]

PDCA - BCM cycle
- Plan: Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity in order to deliver results that align with the organization's overall policies and objectives.
- Do: Implement and operate the business continuity policy, controls, processes and procedures.
- Check: Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.
- Act: Maintain and improve the BCMS by taking corrective action, based on the results of management review and reappraising the scope of the BCMS and the business continuity policy and objectives.

Structural changes
- Name change: Societal security, contributing to a resilient society
- The new format is more consistent with other ISO management system standards (e.g. ISO 9001, ISO 14001), but retains the existing BC lifecycle
- Count of requirements: 105 "shall"s compared with the 56 of BS 25999
- PDCA comparison: some simplification, clarification or re-wording, and some new requirements
[Chart: number of "shall" requirements per PDCA phase (Plan, Do, Check, Act), BS 25999 versus ISO 22301]

New Requirements Summary
- Formalisation of external and internal issues relevant to BCMS outcomes
- Management commitment
- Business continuity objectives
- Legal and regulatory requirements
- Resource planning
- 3rd party management
- Measures and effectiveness

Enhanced requirements
- 5.2 Management commitment
- 5.3 Policy requirements
- 6.2 Business continuity objectives
- 7.1 Resources
- 7.2 Communications

Section 5 - Leadership
- Top management demonstrate leadership: compatibility of the BCMS with the company's strategic direction; integration; achievement of outcomes
- Policy enhancements include: provide the framework for setting business continuity objectives; be communicated within the organization to all persons working for or on behalf of the organization within the scope of the BCMS
- This clarifies existing requirements and aligns them with other management system expectations (e.g. definition of roles, responsibility and authority; resource determination and review).

Section 6 - Planning
- Business continuity objectives: SMART but practical, linking the analysis of issues and opportunities to operations and results
- Actions to address risks and opportunities: this risk assessment is aimed at corporate-level risks (for which a BCMS is effective mitigation) rather than the operational risks that might trigger a BCMS response.

Section 7 - Support
- Competence and awareness
- Communication
- Documents and records

Section 7 - Resource requirements
- Clarifies the types of resources required to be considered
- All resources under the organisation's control are to be identified, together with the associated competences

7.4 Communication
- Essentially, you now need to define what is communicated, when, and to whom
- Communication needs to be tested

Section 8 - Operation
- Business impact analysis and risk assessment
- Business continuity strategy
- Incident response
- Business recovery and continuity

8.4.4 Business Continuity Plans
- Resources, information and records
- Purpose and scope
- Objectives
- Internal and external interdependencies and interactions
- Plan activation criteria and procedures
- Communication requirements and procedures
- Roles, responsibilities and authorities

8.5 Exercise and Test
- Testing is explicitly mentioned
- Consistent with policy AND objectives
- Reviewed against aims and objectives
- Based on scenarios
- The communication and warning procedures shall be regularly exercised

Section 9 - Performance evaluation
- Determine what needs to be monitored or measured: the whens, whats and hows
- Methods to use
- When it needs to be done
- When analysis needs to be done
- Action on adverse trends
- Periodic review of legal and regulatory requirements

9.3 Management Review
Gone:
- Results of education and training programmes
- Level of residual risk and acceptance as input
- Feedback from interested parties
- When significant changes occur
New:
- Trends, audits and measures
- Changes required to policy and objectives
- Updates to BIA, RA and BCPs
- Security requirements rather than resilience
- Changes to contractual requirements

The Conversion Process
- Conducted an internal audit of our old BCMS against the new ISO 22301 standard, thereby identifying potential non-conformities
- Re-ordered our BCMS so that it followed the ISO chapter headings, making it easier for the external certifying body to audit the system

Changes to the BCMS
- To reflect the enhanced top management role: ensured that the BCMS stated the links between business continuity and the business as a whole, with demonstrable evidence of how it is incorporated into the business processes (strategic direction and operational control)
- Review of the process in terms of upstream (supply chain) and downstream (impact on clients)
- To better demonstrate the accountability of 3rd party suppliers: independent audits of critical outsourced dependencies incorporated into the monitoring and measurement process

Changes to the BCMS (continued)
- Improved alignment with the day-to-day running of the business
- Review and utilisation of ISO 31000 principles in managing operational risks
- Improved iteration of the risk assessment
- Developed simple but effective risk controls
- Carried out a simulation exercise
- Improved proactive, preventive controls throughout operations

Challenges
- Being able to prove to an auditor that the business continuity plan can achieve recovery of its activities to a predetermined level, based on management-approved recovery objectives
- Specific plans are required for any RTOs for critical activities that are time sensitive

Summary
- The changes from BS 25999 to ISO 22301 are not a great leap into the unknown; rather, they are a process of evolving the BCMS
- The initial internal audit is crucial for critically analysing the changes required to ensure our BCMS conformed to ISO 22301

What to expect from LRQA... Transition Plans
- UKAS requirements on Certification Bodies (CBs) drive the maximum period to transition
- CBs must transition by 30 May 2014
- No new client certificates or renewals to BS 25999 in 2014
- For how long does your BS 25999 certificate remain valid? 30 May 2015 at the latest, but this is governed by other rules...
- Client transition should be at the first surveillance or renewal after CB transition

What to expect from LRQA... Transition Plans
- How long would the transition audit take? Up to 1 day, depending on approach
- What is the approach to the transition audit?
  Can take place at a surveillance visit
  Driven by a checklist pre-completed by the organisation, with supporting information
  Additional time will be required if the checklist is completed following exploration by the assessor
  Any deficiencies will be reported as findings in the usual way. As long as these are minimal and a corrective action plan has been agreed, the assessor will recommend approval to the ISO/IEC 22301 standard.

What to expect from LRQA... Transition Plans
- What happens if you are part way through your initial assessment against BS 25999?
  Subject to normal assessment limitations, the limit is 31 December 2013 (BS 25999 expires 1 June 2014)
  Switching standards between Stage 1 and Stage 2 is not recommended and will require some additional time to check that the new requirements have been met

Any questions? Come and see us on Stand 23. Thank you!
Rob Acker, Lead Assessor
Lloyd's Register Quality Assurance Limited
Hiramford, Middlemarch Office Village, Siskin Drive, Coventry, CV3 4FJ, United Kingdom
T +44 (0)24 7688 2343
E rob.acker@lrqa.com
W www.lrqa.co.uk
Lloyd's Register Quality Assurance Limited (LRQA) is a subsidiary of Lloyd's Register Group Limited.