Monday, May 20, 2013

Clause 6 : Planning

When planning the BCMS, the context of the organization should be taken into account by considering its risks and opportunities.

This section requires the organization to address the threats that could prevent the BCMS from being successfully established, implemented and maintained. It is about understanding the internal culture and the external environment in which the organization operates, and the likely barriers that will prevent the BCMS from being effective.

It relates back to Clause 4.1, Understanding of the organization and its context, and Clause 4.2, Understanding the needs and expectations of interested parties.

This is a new section relating to the establishment of strategic objectives and guiding principles for the BCMS as a whole.

Business continuity objectives and plans to achieve them:

S.M.A.R.T. Objectives

Specifics of S.M.A.R.T. Objectives:

  • Specific – concrete, detailed, and well defined.
  • Measurable – numbers, quantity, and comparisons.
  • Attainable – achievable and actionable.
  • Realistic – considers resources, and can be achieved.
  • Time bound – a defined timeline in which activities are to be achieved.

 

In order to ensure that these objectives will be achieved, the organization should determine:

  • who will be responsible;
  • what will be done and when it will be completed;
  • how the results will be evaluated.

 

Reference to ISO 22313
 

Tuesday, April 30, 2013

Clause 5 : Leadership

Leadership

To implement the BCMS, it is very important that all levels of management demonstrate leadership in their capacity to fulfil the business continuity policy and objectives in support of top management. This may be demonstrated through motivation, engagement and empowerment.

Management commitment

Top management should demonstrate, and provide evidence of, its commitment to the development and implementation of the BCMS and to continually improving its effectiveness, by:

  • Checking that the BCMS is compatible with the strategic direction of the organization.
  • Complying with applicable legal requirements and any other requirements.
  • Creating the business continuity policy and objectives according to the organization's purpose.
  • Nominating a person or team with the authority and competencies to be responsible for the system.
  • Checking with the BCMS team that the necessary resources are available.
  • Communicating the BCMS policy and objectives to the organization.
  • Reviewing the internal audits of the BCMS and the audit reports.
  • Carrying out effective management reviews and following up their outcomes.
  • Directing and supporting continual improvement.

Some ways of doing the above are:

  • Steering committee meetings.
  • Contributing to exercising and testing.


Policy:

  • Top management should ensure that the policy is appropriate to the organization's purpose and objectives.
  • The policy provides the basis for setting BCM objectives.
  • It contains commitments to meeting legal and regulatory requirements and to continual improvement of the BCMS.
  • The policy should be made available to interested parties after management approval, and should be maintained periodically and whenever significant changes to internal or external factors occur.
  • The scope, as well as any exclusions, should be clearly defined in the policy.
  • The policy should identify its owner and the responsible person or team.
  • It should comply with the standard and with other policies.

 

Organizational roles, responsibilities and authorities

A member of top management should have overall responsibility for the BCMS.

Top management should nominate a representative with defined roles, responsibilities and authority for:

  • Ensuring that the business continuity programme is established, implemented and maintained in accordance with the business continuity policy;
  • Reporting on the performance of the business continuity programme to top management for review and as the basis for improvement;
  • Promoting awareness of the programme throughout the organization; and
  • Ensuring the effectiveness of procedures developed for incident response, but not necessarily their implementation during an incident.

When implementing the BCMS, it is very important to know that all roles, responsibilities and authorities in the BCMS should be defined, documented and subject to audit.

 

Reference to ISO 22313

Tuesday, April 23, 2013

Interested parties

Interested party definition:

Person or group of people that holds a view that may affect the organization.

When establishing the BCM, the organization needs to be aware of not only ‘those groups without whose support the organization would cease to exist’, the Stanford Research Institute’s definition of stakeholders, but additionally those who have an interest in the organization, such as the media, the public nearby, competitors and so on. Furthermore a stakeholder may have defined requirements that must be taken into account, whereas an interested party in most situations is not able to specify requirements or impose obligations.



There are two types of interested parties:

  1. Interested parties outside the organization.
  2. Interested parties inside the organization.

Reference: ISO 22313:2012

Sunday, April 21, 2013

Clause 4 : Context of the organization


4 - Context of the organization:

- This clause introduces the requirements necessary to establish the context of the BCMS as it applies to the organization, as well as its needs, requirements and scope.
- ISO 22301 requires an organization to 'determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the expected outcomes of its BCMS'. Understanding the organization and how it sits within its environment is an essential step in ensuring that any BCMS and BCM solutions developed are fit for purpose and relevant to the organization and its interested parties.

1st step:

- Understanding of the organization and its context by determining the external and internal factors that are relevant to establishing, implementing and maintaining the organization's BCMS.

External factors examples:

- Interested parties outside the organization.
- Political, legal and regulatory environment.
- Supply chain commitments and relationships.
- Economic, cultural and technological factors.

Internal factors examples:

- Interested parties within the organization.
- Activities and resources.
- Policies, objectives and culture.

2nd step:

- Identify all the needs and requirements of interested parties.
- Determine the action needed in relation to interested parties.
- Document legal and regulatory requirements.

 

3rd step:

- Clearly define the scope of the BCMS, appropriate to the size, nature and complexity of the organization.
- The scope should identify the key products and services that support the organization's objectives.
- Make sure that the scope covers all activities, locations, resources, suppliers and outsourcing partners.
- If part of an organization is excluded from the scope of its BCMS, the organization should document the exclusion and the reason for it.

 

ISO 22301:2012 and BS 25999-2:2007 Comparison


When news of an ISO standard for BCM emerged, business continuity managers expressed concern that they might have to radically rework their BCM procedures and processes once ISO 22301 was introduced. BS 25999-2 had been, and continues to be, used by many organizations across the world as the basis of their BCM procedures and processes. The good news is that BS 25999-2 has provided the main foundation of the new ISO standard. There are some important additions and a few elements that have been omitted. The additions have added greater depth and clarity while the omissions do not detract from the overall good BCM practices and principles.

 

The new standard is entitled ‘Societal security – Business continuity management systems – Requirements.’ This is one of a suite of standards being developed by ISO/TC 223 designed to achieve greater societal security. Societal security can be defined as providing protection of society from, and the ability to respond to, incidents, emergencies and disasters caused by intentional and unintentional human acts, natural hazards, and technical failures.

 

The way in which ISO 22301 can be used is detailed in Clause 1, Scope. It states that the standard is applicable to all types and sizes of organizations that wish to:

  • Establish, implement, maintain and improve a BCMS.
  • Ensure conformity with the stated business continuity policy.
  • Demonstrate conformity to others.
  • Seek certification/registration of its BCMS by an accredited third-party certification body.
  • Make a self-determination and self-declaration of conformity with this International Standard [ISO 22301:2012].
 
The standard can also be used by an organization to assess its suppliers’ ability to meet continuity needs and obligations.