John Zeppos - BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard


Page 1: John Zeppos - BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard

John Zeppos, OTE Group Business Continuity Management Deputy Director, August 2012

Page 2: How has Business Continuity Management Developed?

1970s

USA: natural disasters

UK: Irish terrorist attacks resulted in the "Disaster Recovery" approach in the UK to deal with the aftermath of an event

1980s

BCM professionals recognised the need to understand the impact to the business, hence BIA, Risk Assessment etc.

1990s

Holistic approach intended to reduce risks and resulting impacts

US standard NFPA 1600, a recommended approach for Disaster Management based on natural, human or technological disasters

2000s

Standards start to be developed:

o 2003/2004: PAS56 (UK), never developed into a full standard

o NFPA 1600 (USA) became programme-based

o BS25999 Code of Practice & Specification (2006/7): organisations able to be independently certified

o Management System approach aligned with existing Management Systems

o Lifecycle to ensure that the business is protected, not "Disaster and then Recover"

Current situation

BS25999 formed the key input to ISO22301

ISO22301 standard published May 2012

2 John Zeppos / BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard / 31.08.2012 @ Davos

Page 3: Timeline slide (2003, 2006/2007, 2012)

Page 4: Why should one decide to undertake certification?

BS25999 / ISO22301 is the most appropriate standard, covering both Continuity and Crisis Management

They are based on a Management System approach fully aligned with ISO9001 and ISO27001

They provide independent proof that one's BCMS is fit for purpose

Senior Management gains confidence that the approach they are being asked to underwrite is appropriate

A certificate could significantly reduce insurance costs

Certification Programme

Initial pre-assessment by qualified independent auditors (gap analysis)

Certification project internal kick-off meeting with all relevant functions

Stage 1 Assessment: finalise scope and agree timing

Stage 2 Assessment: Certification Audit

1 month later: certificate can be officially issued

BCMS Certification


Page 5: ISO22301:2012

ISO22301 published in the week beginning 15 May 2012

BS25999-2 will be withdrawn in November 2012

No new applications for certification after 22nd October 2012

Scope extensions for existing certifications supported to end October 2013

After 1st November 2012 all visits based on ISO 22301

Existing certificates remain valid until the end of the transitional period (30th May 2014)

No new certificates or renewals after 31st December 2013

UKAS transition timeline:

1st May 2012: UKAS transition project under way, with internal actions, document preparation, internal training etc.

31st October 2012: No new applications accepted for accreditation to BS 25999-2

1st November 2012: Transition assessments begin as part of the normal surveillance cycle

31st October 2013: No new BS 25999-2 scope extensions accepted by UKAS

31st December 2013: No new BS 25999-2 certificates to be issued by CABs (Conformity Assessment Bodies)

30th May 2014: All CABs to have transitioned to ISO 22301; all CAB clients to have transitioned within one year of accreditation to ISO 22301.


Page 6: ISO TC 223

ISO TC 223 is the Technical Committee responsible for ISO22301

TC 223 deals with all matters regarding Societal Security

o provision of International Standards to enhance all actors' capacity in society to handle all phases before, during and after disruptive events

45 countries are participating members

All standards from this committee are prefixed "Societal Security" and numbered 223xx

Other standards being developed include:

o Mass evacuation

o Emergency Management Command and Control


Page 7: Contributors

Page 8: ISO22301:2012 Source documents included

o BS25999-2

o NFPA 1600

o ASIS OR (Organizational Resilience) standard

o Singapore standards

o ISO27031

o ISO Guide 73

o ISO/PAS22399

So ISO 22301 is not simply an international version of BS25999-2:2007

ISO is moving towards standardization of management system headings and text

o In development as ISO 22301 was being written

o Agreed now and published as ISO Guide 83

o Rules on how to apply this were not always clear, so had to be changed

Hence our interpretation may differ in detail from others like ISO 27001; all management system standards will follow Guide 83's standardized headings and text

Integration of management systems will be easier


Page 9: ISO22301:2012

ISO 22301 is the requirements document

ISO 22313 is the guidance document that accompanies ISO22301

o It was originally planned to publish these together, but in practice 22301 has run ahead of the guidance

o It is aligned to 22301, unlike BS25999-1 (the guidance), which was clearly not aligned to BS25999-2 (the specification)

ISO 22313 should be published early next year

o Currently at DIS (Draft International Standard) stage


Page 10: Contact

John Zeppos [email protected] +30 697 9666844

Twitter : @jzeppos http://www.linkedin.com/in/johnzeppos
