CORE Approach Note - ISO 22301
ISO 22301 Approach Note © Continuity and Resilience
Approach Note – ISO 22301 Implementation
Daman Dev Sood, CIO & Head – Sustainability Practice, Continuity and Resilience

Continuity and Resilience (CORE) is a boutique consulting firm engaged in Consulting, Training, Assessment and Certification in various management fields with prime focus on Business Continuity Management (BCM).

This approach note is targeted at organisations in the following three categories:
• Those who have not started their BCM journey yet
• Those who want to implement a solid BCMS based on ISO 22301
• Those who want to migrate their existing BCMS (based on BS 25999 or any other standard) to ISO 22301 based global good practices

Such organisations may be in any country, of any size and complexity, and from any industry sector.

ISO 22301:2012
By name, ISO 22301 is called Societal Security – Business Continuity Management Systems – Requirements. ISO 22301 was released on 15th May this year. This is an auditable and certifiable standard. Figure 1 shows how this has evolved from BS 25999 and other standards.

Figure 1: Evolution of ISO 22301
The importance of ISO 22301 lies in the fact that it’s more than BCM – it’s about Societal Security. The fact is that:
• Organisations today do not operate in a vacuum
• They operate within the context of society
• Delivery of their products and services has ramifications far beyond their four walls

ISO 22300 is a suite of related standards, and ISO 22301 is one of those. The next closest is ISO 22313 – The Guidance, which is expected to be out by the end of this year.

Purpose of ISO 22301
This international standard for business continuity management specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.

Figure 2 shows how the PDCA cycle has been implemented in ISO 22301.

Figure 2: PDCA cycle in ISO 22301
BS 25999 v/s ISO 22301
Figure 3 shows a quick (not comprehensive) comparison of the two standards.

Figure 3: BS 25999 v/s ISO 22301

The fact that ISO 22301 has evolved through BS 25999 and other standards and usage of over 5 years has been exploited by CORE in our approach to ISO 22301 Implementation.

Approach 1: for those who have not started their BCM journey yet
This is a fresh journey with four clear steps as depicted in Figure 4.

Figure 4: First implementation of BCMS
(Figure steps: Understand; Prepare (basic trainings); Implement; Establish (advanced trainings, audits, management reviews); Improve)
Basic trainings here will include BCM Concepts, Conducting BIA and RA etc. Advanced trainings here will include Internal Auditing of the BCMS. There will not be focus on any particular standard.

Approach 2: for those who want to implement a solid BCMS based on ISO 22301
It is assumed that such organisations have some elements of Business Continuity/ Disaster Recovery/ Crisis Management in place. Figure 5 depicts the five-step approach to such implementations.

Figure 5: Enhancing existing arrangements via ISO 22301
(Figure steps: Understand; Assess the Gaps; Prepare (basic trainings); Implement; Establish (advanced trainings, audits, management reviews); Improve)
The first step will be to assess the gaps with respect to existing arrangements and ISO 22301 requirements. Basic trainings will include Fundamentals of ISO 22301 (assuming BCM concepts are already well understood). Implementation is expected to be smoother – just bridging the gaps identified in the first step. Advanced trainings will revolve around ISO 22301, e.g. auditing ISO 22301, BCM Specialist on ISO 22301 etc.

Once an organisation achieves this, it may like to have the next step of certification to ISO 22301. Figure 6 shows the benefits of certification to a standard.

Figure 6: Benefits of certification to a standard
CORE has the capabilities of helping organisations in this aspect also – our services include identification and recommendation of a certifying agency, pre/mock audits, practice interviews and practice MR reviews etc.

Approach 3: for those who want to migrate their existing BCMS (based on BS 25999 or any other standard) to ISO 22301 based global good practices
CORE has developed a fairly deep and smooth process for this migration challenge, as shown in Figure 7.

Figure 7: Migration to ISO 22301
(Figure steps: Gap assessment; Bridging the gaps; Updation of templates; Updation of training material; Training; Internal Audit; Exercise; Management review)

CORE recommends a few additional trainings like CBCI certification, Lead Implementer of ISO 22301 and Lead Auditor of ISO 22301 etc. Our services in the field of hand-holding for certification (benefits elaborated earlier) will be available to organisations in this category also.
CORE's full basket of ISO 22301 suite of products is shown in Figure 8.

Figure 8: CORE’s ISO 22301 Suite of Products
(Figure contents: Fundamentals (1 day); Crash Course on Migration (1 day); Internal Auditor (2 days); BCM Specialist (3 days); Lead Auditor (3 days); Lead Implementer (5 days))

About the author: Daman is CIO & Head – Sustainability Practice at Continuity and Resilience. He holds over 27 years of global experience as a practitioner, trainer and consultant. Earlier, he worked with Xansa/Steria as Global BC Manager and with TCS in various roles and capacities. A member of BCI (MBCI), Daman was the BC Manager of The Year Award India winner in 2009 and BC Industry Personality of The Year Award finalist in 2011. He works closely with the BCI in various working groups. Daman has spoken at over 300 conferences across the globe. He is a Technical Expert and Assessor with BSI. Daman is an ISO 22301 Expert.

For any of your requirements in the field of BCMS implementation, or ISO 22301 implementation, or migration to ISO 22301, please write to us at [email protected]