Societal security Business continuity management systems Guidance

Similar documents
INTERNATIONAL STANDARD

Asset management Management systems Requirements

This document is a preview generated by EVS

Technical Specification

Asset management Overview, principles and terminology

Information technology Security techniques Information security management systems Requirements

AS/NZS ISO 9000:2000 Quality management systems Fundamentals and vocabulary

AS/NZS ISO 9004:2011 Managing for the sustained success of an organization A quality management approach

AS/NZS ISO 9001:2016. Quality management systems Requirements AS/NZS ISO 9001:2016. Australian/New Zealand Standard. Superseding AS/NZS ISO 9001:2008

ISO INTERNATIONAL STANDARD. Risk management Principles and guidelines. This is a free 6 page sample. Access the full version online.

Australian/New Zealand Standard

This document is a preview generated by EVS

INTERNATIONAL STANDARD

ISO INTERNATIONAL STANDARD. Clinical investigation of medical devices for human subjects Good clinical practice

AS/NZS ISO 30301:2012

ISO/IEC Information technology Service management Part 1: Service management system requirements

This is a free 15 page sample. Access the full version online. HB 90.1:2012 The Small Business Handbook Guide to ISO 9001:2008

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management systems Requirements

ISO/IEC INTERNATIONAL STANDARD. Information technology Service management Part 1: Service management system requirements

Information technology Security techniques Information security management systems Requirements

Waters Examination for Legionella spp. including Legionella pneumophila

Quality management systems Requirements

Sýnishorn ISO INTERNATIONAL STANDARD. Quality management Guidelines on people involvement and competence

ISO/IEC INTERNATIONAL STANDARD. Information technology Service management Part 2: Guidance on the application of service management systems

This document is a preview generated by EVS

ISO INTERNATIONAL STANDARD. Event sustainability management systems Requirements with guidance for use

Australian/New Zealand Standard

This document is a preview generated by EVS

AS/NZS ISO 9004:2011. Managing for the sustained success of an organization A quality management approach AS/NZS ISO 9004:2011

AS/NZS ISO 19158:2013

Australian Standard. Guidelines for the selection of quality management system consultants and use of their services AS ISO ISO 10019:2005

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management systems Requirements

This document is a preview generated by EVS

ISO INTERNATIONAL STANDARD. Quality management Guidelines for training. Management de la qualité Lignes directrices pour la formation

ISO INTERNATIONAL STANDARD. Quality management systems Guidelines for configuration management

This document is a preview generated by EVS

AS AS Australian Standard. Fire safety audits. This is a free 7 page sample. Access the full version online.

ISO INTERNATIONAL STANDARD. Energy management systems Requirements with guidance for use

ISO/TR TECHNICAL REPORT. Medical devices Quality management systems Guidance on the application of ISO 13485:2003

Environmental management systems Requirements with guidance for use

Quality management systems Requirements

Quality management Quality of an organization Guidance to achieve sustained success

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management systems Requirements

ISO/IEC Information technology Security techniques Information security management systems Requirements

Provläsningsexemplar / Preview. Third edition

Australian/New Zealand Standard

Information technology Guidelines for the application of ISO 9001:2008 to IT service management and its integration with ISO/IEC :2011

ISO INTERNATIONAL STANDARD. Buildings and constructed assets Service life planning Part 3: Performance audits and reviews

HB Executive Guide to Business Continuity Management. This is a free 6 page sample. Access the full version online.

ISO Freight containers RFID cargo shipment tag system

AS/NZS 10002:2014. Australian/New Zealand Standard. Guidelines for complaint management in organizations AS/NZS 10002:2014

This document is a preview generated by EVS

Quality Manual. ISO 9001:2008 Standard. Issue No - 3. April

ISO/TS TECHNICAL SPECIFICATION

ISO INTERNATIONAL STANDARD. Specification for security management systems for the supply chain

ISO INTERNATIONAL STANDARD. Welding coordination Tasks and responsibilities. Coordination en soudage Tâches et responsabilités

ISO INTERNATIONAL STANDARD

Human resource management Workforce planning

ISO INTERNATIONAL STANDARD

Guidelines for auditing management systems

Controlled environments

ISO 3034 INTERNATIONAL STANDARD. Corrugated fibreboard Determination of single sheet thickness

This is a preview - click here to buy the full publication GUIDE 67. Conformity assessment Fundamentals of product certification. First edition 2004

Handbook. Arrangements for the recognition and acceptance of conformity assessment results. HB ISO/IEC Guide 68:2002 HB 18.

ISO INTERNATIONAL STANDARD

SA/SNZ HB 89:2013. Australian/New Zealand Handbook. Risk management Guidelines on risk assessment techniques. Superseding HB SA/SNZ HB 89:2013

This document is a preview generated by EVS

INTERNATIONAL STANDARD

INTERNATIONAL STANDARD

ISO INTERNATIONAL STANDARD. Random sampling and randomization procedures. Modes opératoires d'échantillonnage et de répartition aléatoires

Conformity assessment Requirements for bodies providing audit and certification of management systems. Part 2:

Sýnishorn ISO 9004 INTERNATIONAL STANDARD. Managing for the sustained success of an organization A quality management approach

This document is a preview generated by EVS

Medical devices Quality management systems Requirements for regulatory purposes

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management Measurement

Australian/New Zealand Standard

ISO INTERNATIONAL STANDARD. Plastics Guidelines for the recovery and recycling of plastics waste

ISO/TS TECHNICAL SPECIFICATION

Steel and steel products Inspection documents

Grout for prestressing tendons Part 3: Test methods

ISO Information and documentation Management systems for records Fundamentals and vocabulary

INTERNATIONAL STANDARD

INTERNATIONAL STANDARD

ISO/IEC TR TECHNICAL REPORT. Information technology Process assessment Part 7: Assessment of organizational maturity

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management systems Requirements

Sýnishorn. Medical devices Quality management systems Requirements for regulatory purposes

Australian/New Zealand Standard

ISO/TR TECHNICAL REPORT. Information and documentation Records management Part 2: Guidelines

Australian Standard. Sampling procedures for inspection by attributes

This document is a preview generated by EVS

INTERNATIONAL STANDARD

ISO 4986 INTERNATIONAL STANDARD. Steel castings Magnetic particle inspection. Pièces moulées en acier Contrôle par magnétoscopie

ISO INTERNATIONAL STANDARD. Buildings and constructed assets Service life planning Part 1: General principles

AS/NZS :2016. High-strength steel fastener assemblies for structural engineering Bolts, nuts and washers AS/NZS :2016

ISO INTERNATIONAL STANDARD. Space systems Oxygen safety Part 6: Facility planning and implementation

This document is a preview generated by EVS

ISO/IEC INTERNATIONAL STANDARD. Information technology Radio frequency identification for item management RFID Emblem

AS/NZS 8016:2013. Australian/New Zealand Standard. Governance of IT enabled projects. Superseding AS/NZS 8016(Int):2010 AS/NZS 8016:2013

Australian Standard. Atmospheric corrosivity zones in Australia AS AS

ISO INTERNATIONAL STANDARD. Quality management Guidelines for training. Management de la qualité Lignes directrices pour la formation

Transcription:

ISO 22313:2012 AS ISO 22313:2017 Societal security Business continuity management systems Guidance

This Australian Standard was prepared by Committee MB-025, Security and Resilience. It was approved on behalf of the Council of Standards Australia on 31 July 2017. This Standard was published on 29 August 2017. The following are represented on Committee MB-025: Australasian Council of Security Professionals Australian Security Industry Association Business Continuity Institute Australasia Commissioner for Privacy and Data Protection Engineers Australia International Commission of Jurists Australia Risk and Insurance Management Society of Australasia Security Professionals Registry Australasia Transport Accident Commission This Standard was issued in draft form for comment as DR AS ISO 22313:2017. Keeping Standards up-to-date Ensure you have the latest versions of our publications and keep up-to-date about Amendments, Rulings, Withdrawals, and new projects by visiting: www.standards.org.au www.saiglobal.com (sales and distribution) ISBN 978 1 76035 866 2

ISO 22313:2012 Australian Standard Societal security Business continuity management systems Guidance First published as AS ISO 22313:2017. COPYRIGHT ISO 2017 All rights reserved Standards Australia Limited 2017 All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher, unless otherwise permitted under the Copyright Act 1968 (Cth). Published by SAI Global Limited under licence from Standards Australia Limited, GPO Box 476, Sydney, NSW 2001, Australia.

ii Preface This Standard was prepared by the Standards Australia Committee MB-025, Security and Resilience. The objective of this Standard is to provide guidance based on effective international practice for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system that enables organizations to prepare for, respond to and recover from disruptive incidents when they arise. This Standard is identical with, and has been reproduced from, ISO 22313:2012, Societal security Business continuity management systems Guidance. As this document has been reproduced from an International Standard, the following applies: (a) Source text this International Standard should read this Australian Standard. (b) A full point substitutes for a coma when referring to a decimal marker. Australian or Australian/New Zealand Standards that are identical adoptions of international normative references may be used interchangeably. Refer to the online catalogue for information on specific Standards. The terms normative and informative are used in Standards to define the application of the appendices or annexes to which they apply. A normative appendix or annex is an integral part of a Standard, whereas an informative appendix or annex is only for information and guidance. Standards Australia Limited 2017

iii AS ISO 22313:2017 Contents Preface...ii Foreword...v Introduction...vi 1 Scope...1 2 Normative references...1 3 Terms and definitions...1 4 Context of the organization...1 4.1 Understanding of the organization and its context... 1 4.2 Understanding the needs and expectations of interested parties... 2 4.2.1 General... 2 4.2.2 Legal and regulatory requirements... 3 4.3 Determining the scope of the management system... 4 4.3.1 General... 4 4.3.2 Scope of the BCMS... 4 4.4 Business continuity management system... 4 5 Leadership...4 5.1 Leadership and commitment... 4 5.2 Management commitment... 5 5.3 Policy... 5 5.4 Organizational roles, responsibilities and authorities... 6 6 Planning...7 6.1 Actions to address risks and opportunities... 7 6.2 Business continuity objectives and plans to achieve them... 7 7 Support...7 7.1 Resources... 7 7.1.1 General... 7 7.1.2 BCMS resources... 8 7.1.3 Incident response personnel... 8 7.2 Competence... 8 7.3 Awareness...10 7.4 Communication...11 7.5 Documented information...12 7.5.1 General...12 7.5.2 Create and update...13 7.5.3 Control of documented information...13 8 Operation...14 8.1 Operational planning and control...14 8.1.1 Elements of BCM...15 8.1.2 Managing the BCM environment...16 8.1.3 Maintaining business continuity...16 8.1.4 Measuring effectiveness...17 8.1.5 Outcomes...17 8.2 Business impact analysis and risk assessment...17 8.2.1 General...17 8.2.2 Business impact analysis...18 8.2.3 Risk assessment...20 8.3 Business continuity strategy...21 8.3.1 Determination and selection...21 8.3.2 Establishing resource requirements...23 8.3.3 Protection and mitigation...28 8.4 Establish and implement business continuity procedures...28

iv 8.4.1 General...28 8.4.2 Incident response structure...28 8.4.3 Warning and communication...29 8.4.4 Business continuity plans...31 8.4.5 Recovery...37 8.5 Exercising and testing...38 8.5.1 General...38 8.5.2 Exercise programme...38 8.5.3 Exercising business continuity plans...39 9 Performance evaluation...40 9.1 Monitoring, measurement, analysis and evaluation...40 9.1.1 General...40 9.1.2 Evaluation of business continuity procedures...41 9.2 Internal audit...43 9.3 Management review...43 10 Improvement...44 10.1 Nonconformity and corrective action...44 10.2 Continual improvement...45 Bibliography...46

v AS ISO 22313:2017 Foreword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO 22313 was prepared by Technical Committee ISO/TC 223, Societal security. For the purposes of research, users are encouraged to share their views on ISO 22313:2012 and their priorities for changes to future editions of the document. Click on the link below to take part in the online survey: http://www.surveymonkey.com/s/22313 Standards Australia Limited 2017

vi Introduction General This International Standard provides guidance, where appropriate, on the requirements specified in ISO 22301:2012 and provides recommendations ( should ) and permissions ( may ) in relation to them. It is not the intention of this International Standard to provide general guidance on all aspects of business continuity. This International Standard includes the same headings as ISO 22301 but does not repeat the requirements for business continuity management systems and its related terms and definitions. Organizations wishing to be informed of these must therefore refer to ISO 22301 and ISO 22300. To provide further clarification and explanation of key points, this International Standard includes a number of figures. All such figures are for illustrative purposes only and the related text in the body of this International Standard takes precedence. A business continuity management system (BCMS) emphasizes the importance of: understanding the organization s needs and the necessity for establishing business continuity policy and objectives; implementing and operating controls and measures for managing an organization s overall capability to manage disruptive incidents; monitoring and reviewing the performance and effectiveness of the BCMS; and continual improvement based on objective measurement. A BCMS, like any other management system, includes the following key components: a) a policy; b) people with defined responsibilities; c) management processes relating to: 1) policy; 2) planning; 3) implementation and operation; 4) performance assessment; 5) management review; and 6) improvement. d) a set of documentation providing auditable evidence; and e) any BCMS processes relevant to the organization. Business continuity is generally specific to an organization, however, its implementation can have far reaching implications on the wider community and other third parties. An organization is likely to have external organizations that it depends upon and there will be others that depend on it. Effective business continuity therefore contributes to a more resilient society. The Plan-Do-Check-Act cycle This International Standard applies the Plan-Do-Check-Act (PDCA) cycle to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organization s BCMS. Standards Australia Limited 2017

vii AS ISO 22313:2017 Figure 1 illustrates how the BCMS takes interested parties' requirements as inputs for business continuity management (BCM) and, through the required actions and processes, produces business continuity outcomes (i.e. managed business continuity) that meet those requirements. Plan (Establish) Do (Implement and operate) Check (Monitor and review) Act (Maintain and improve) Figure 1 PDCA model applied to BCMS processes Table 1 Explanation of PDCA model Establish business continuity policy, objectives, controls, processes and procedures relevant to improving business continuity in order to deliver results that align with the organization s overall policies and objectives. Implement and operate the business continuity policy, controls, processes and procedures. Monitor and review performance against business continuity objectives and policy, report the results to management for review, and determine and authorize actions for remediation and improvement. Maintain and improve the BCMS by taking corrective actions, based on the results of management review and re-appraising the scope of the BCMS and business continuity policy and objectives. Standards Australia Limited 2017

This is a free preview. Purchase the entire publication at the link below: AS ISO 22313:2017 - PDF his is a free 9 page sample. Access the full version online. Looking for additional Standards? Visit SAI Global Infostore Learn about LexConnect, All Jurisdictions, Standards referenced in Australian legislation Need to speak with a Customer Service Representative - Contact Us

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback