All Hazards Risk Management Systems - Disaster Recovery Journal

ASIS INTERNATIONAL

Business Continuity Management Systems: Requirements with Guidance for Use ASIS/BSI BCM.01-2010

AMERICAN NATIONAL STANDARD

1625 Prince Street, Alexandria, Virginia 22314-2818 USA +1.703.519.6200 Fax: +1.703.519.6299 www.asisonline.org

12110 Sunset Hills Road, Suite 200 Reston, Virginia 20190-5902 USA 1.800.862.4977 Fax: +1.703.437.9001 www.bsiamerica.com

ASIS International (ASIS) is the preeminent organization for security professionals, with more than 37,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, governmental entities, and the general public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry’s number one magazine, Security Management, ASIS leads the way for advanced and improved security performance. For more information, visit www.asisonline.org.

BSI Group is a global independent business services organization that develops standards-based solutions to improve management practices and promote innovation. BSI can help businesses, governments and other organizations around the world to raise quality and performance in a sustainable and socially responsible way. From its origins as the world’s first National Standards Body, BSI Group draws upon over 100 years’ experience, working with 66,000 organizations in 147 countries from its 50 offices. To learn more, please visit www.bsigroup.com.

ASIS/BSI BCM.01-2010

an American National Standard

BUSINESS CONTINUITY MANAGEMENT SYSTEMS: REQUIREMENTS WITH GUIDANCE FOR USE

A management systems approach for preparedness and business/operational continuity management

Approved November 2, 2010
American National Standards Institute, Inc.

ASIS International and British Standards Institution (BSI)

Abstract

Based on the BS 25999 Business continuity management (Part 1 and Part 2), this Standard specifies requirements for a business continuity management system (BCMS) to enable an organization to identify, develop, and implement policies, objectives, capabilities, processes, and programs—taking into account legal and other requirements to which the organization subscribes—to address disruptive events that might impact the organization and its stakeholders. This Standard specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining, and improving a documented BCMS within the context of managing an organization’s risks.


NOTICE AND DISCLAIMER

The information in this publication was considered technically sound by the consensus of those who engaged in the development and approval of the document at the time of its creation. Consensus does not necessarily mean that there is unanimous agreement among the participants in the development of this document. ASIS International and BSI standards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this publication. While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications. ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or anyone else. ASIS and BSI do not accept or undertake a duty to any third party because it does not have the authority to enforce compliance with its standards or guidelines. It assumes no duty of care to the general public, because its works are not obligatory and because it does not monitor the use of them. ASIS and BSI disclaim liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this document.
ASIS and BSI disclaim and make no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in this document will fulfill any person’s or entity’s particular purposes or needs. ASIS and BSI do not undertake to guarantee the performance of any individual manufacturer or seller’s products or services by virtue of this standard or guide. In publishing and making this document available, ASIS and BSI are not undertaking to render professional or other services for or on behalf of any person or entity, nor are ASIS and BSI undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for additional views or information not covered by this publication. ASIS and BSI have no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS and British Standards have no control over which of its standards, if any, may be adopted by governmental regulatory agencies, or over any activity or conduct that purports to conform to its standards. ASIS and British Standards do not list, certify, test, inspect, or approve any practices, products, materials, designs, or installations for compliance with its standards. It merely publishes standards to be used as guidelines that third parties may or may not choose to adopt, modify or reject. Any certification or other statement of compliance with any information in this document shall not be attributable to ASIS and British Standards and is solely the responsibility of the certifier or maker of the statement. 
This publication does not purport to include all the necessary provisions of a contract. Compliance with a British Standard cannot confer immunity from legal obligations. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright owner.

Copyright © 2010 ASIS International and British Standards Institution ISBN: 978-1-934904-07-7



FOREWORD

The information contained in this Foreword is not part of this American National Standard (ANS) and has not been processed in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary for conformance to the Standard.

ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having distinct compatibility or performance advantages.

ASIS International and BSI collaborated in the development of the Business Continuity Management Systems: Requirements with Guidance for Use Standard. This management systems standard provides generic auditable criteria and informative guidance on business continuity management.

About ASIS

ASIS International (ASIS) is the preeminent organization for security professionals, with more than 37,000 members worldwide. ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities, and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry’s No. 1 magazine – Security Management – ASIS leads the way for advanced and improved security performance.

The work of preparing standards and guidelines is carried out through the ASIS International Standards and Guidelines Committees, and governed by the ASIS Commission on Standards and Guidelines. The Mission of the ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of standards and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge, experience, and expertise of ASIS membership, security professionals, and the global security industry.

About BSI

BSI is the UK’s National Standards Body, recognized globally for its independence, integrity, and innovation in the production of standards and information products that promote and share best practices. BSI works with businesses, consumers, and government to represent UK interests and to make sure that British, European, and international standards are useful, relevant, and authoritative. BSI Group is a global independent business services organization that inspires confidence and delivers assurance to customers with standards-based solutions. Originating as the world’s first national standards body, the Group has over 2,300 staff operating in over 120 countries through more than 50 global offices.

Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street, Alexandria, VA 22314-2818, USA.



Commission Members

Jason L. Brown, Thales Australia
Steven K. Bucklin, Glenbrook Security Services, Inc.
John C. Cholewa III, CPP, Mentor Associates, LLC
Cynthia P. Conlon, CPP, Conlon Consulting Corporation
Michael A. Crane, CPP, IPC International Corporation
William J. Daly, Control Risks Security Consulting
Eugene F. Ferraro, CPP, PCI, CFE, Business Controls Inc.
F. Mark Geraci, CPP, Purdue Pharma L.P., Chair
Robert W. Jones, Socrates Ltd, Inc.
Michael E. Knoke, CPP, Express Scripts, Inc., Vice Chair
John F. Mallon, CPP, Mallon & Associates, LLC
Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
John E. Turey, CPP, ITT Corporation
Roger D. Warwick, CPP, Pyramid International

At the time it approved this document, the BCM Standards Committee, which is responsible for the development of this Standard, had the following members:

Committee Members

Committee Co-Chairman: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative, ASIS International
Committee Co-Chairman: Kevin S. Brear, J.P. Morgan Chase
Committee Secretariat: Sue Carioti, ASIS International
Committee Secretariat: David Adamson, British Standards Institution

David Adamson, British Standards Institution
Marene Allison, Johnson & Johnson
Edgard Ansola, Mutua Asepeyo
Paul H. Aube, CPP, Institut Grasset
Dave Austin, Operational Resilience Limited
Don Aviv, CPP, PCI, PSP, Interfor Inc.
William D. Badertscher, CPP, Georgetown University
Pradeep Bajaj, PRISMA
Thomas Bannister, Metropolitan Police Service
David Benish, Strategic BCP
Alan Berman, DRI International
Lyndon Bird, The Business Continuity Institute
Dennis R. Blass, CPP, PSP, Secumetrics LLC
John Boal, CPP, PCI, University of Akron
Mark Borchers, CPP, Germanna Community College
Thomas Bozek, Bozek Consulting, LLC
Kevin S. Brear, J.P. Morgan Chase
Patrick Brennan, BCMexperts
Larry Brown, First Citizens Bank
Frederick A. Budde, Ph.D., PCI, U.S. Department of Homeland Security, Federal Air Marshal Service
Doyle J. Burke, CPP, DAKO Group
Donald Byrne, North River Solutions
Thomas Carroll, Computer Sciences Corporation
Doug Cassell, Mutual of Enumclaw Insurance

Sharon Caudle, Ph.D., The Bush School of Government and Public Service
Chee Seng Chan, Becton Dickinson Critical Care Systems Pte Ltd
Ian Charters, Continuity Systems Ltd
Telva Chase, Regence Group
Ian Clark, East Neuk Consultants Ltd
Justin Clarke, Gobanza, Inc.
Mike Claver, State Farm Insurance Companies
William Coffey, American Society of Safety Engineers
Andrew Collins, Baylor Health Care System
Malcolm Cornish, RMI (UK) Limited
Robert J. Coullahan, CEM, CPP, CBCP, Readiness Resource Group
Georges Cowan, Business Continu-IT Partners
Kevin Cunningham, UBS
Merlyn Demaine, Imperial College NHS Trust
Indrajit Dimyati, Business Continuity Planning Asia Pte Ltd
Brian Dixon, Moody International
Lisa DuBrock, The Radian Group, LLC
Robert Duncan, Consultant
Edward Eaton, Warner Gudlaugsson LLC
Henry Ee, Business Continuity Planning Asia Pte Ltd
Jorge Escalera, Risk Mexico
Greig Fennell, Sprint
Patti Fitzgerald, Disaster Recovery Journal
Windom Fitzgerald, Pendulum
Walter Fountain, CPP, Schneider National, Inc.
Christopher Frampton, SRCN Limited
Barry Freedman, FCS Consulting Services
Peter French, CPP, SSR Personnel
Robin Gaddum, IBM
Paul Genzburg, Soros Fund Management/Open Society Institute
Robert Giffin, Avalution Consulting
Stephen Giordano, HCA Inc.
Matthew Gneuhs, Cincinnati Children's Hospital Medical Center
Julia Graham, DLA Piper UK LLP
Briane Grey, U.S. Drug Enforcement Administration
Wayne Harrop, Centre for Disaster Management: Coventry University
Ronald Hauri, Northwestern University
John Hele, British Standards Institution
Michael Hill, Nokia
Andrea Hollman, United Space Alliance, LLC
Simon Honey, Mitsubishi UFJ Securities International plc.
Roger Housner, WPS Insurance Corporation
C.J. Howard, Deere & Company
Terri Howard, FEI Behavioral Health
David Huynh, Ross Stores, Inc.
Brian Kaye, Control Risks Group
David Kaye, Risk Reality
Michael Keating, Doulos Business Consulting
James Kennedy, Recovery-Solutions
Penelope Killow, HFC Bank (HSBC Group)
Steven King, CPP, U.S. Department of Homeland Security, Office of Infrastructure Protection
Paul Kirvan, Paul Kirvan Associates
Donald E. Knox, CPP, Caterpillar Inc.

Richard Kobylar, Capgemini
John Kunert, First Restoration
Michael Kuras, American Imaging Management, Inc.
Bill Lang, VCPI
Lince Lawrence, Allianz Cornhill Information Services
Grant Lecky, Citizenship and Immigration Canada
James J. Leflar Jr., CPP, CBCP, Johns Hopkins Bloomberg School of Public Health
Hugh Leighton, Aon Global Risk Consulting
Victoria Leighton, Avanade, Inc.
Eric Levine, Wellpoint
Wayne Lewis, Global Consulting
Judy Little, TSYS
William Lloyd, City National Bank
David Lloyd, The Business Continuity Institute
James Lukaszewski, The Lukaszewski Group Inc.
Bruce Lundeen, AT&T
Tracy Male, Bristol-Myers Squibb
Bill Marotz, Schneider National, Inc.
Andrew Mason, PricewaterhouseCoopers LLP
Diana McClure, Institute for Business & Home Safety
Richard McGlave, Continuity² Ltd
Jim McMahon, CPP, Align Technology
Mohamed Fadhel Meddeb, Efla Consultants Engineers
Cynthia Miller, Abbott
Murray Mills, CPP, New Zealand Ministry of Health
Susan Mitchell, Wilmer Cutler Pickering Hale and Dorr LLP
Goh Moh Heng, BCM Institute
Lawrence Mondschein, Consultant
Ashley Moore, Federal Emergency Management Agency, U.S. Department of Homeland Security
Dennis Morgan, CPP, International Consortium for Organizational Resilience
Richard Moulton, AlliedBarton
James Murphy, North Carolina Department of Health and Human Services
James Murray, Blue Cross and Blue Shield of Florida
Doug Nelson, Business Continuity Solutions
James Nelson, International Consortium for Organizational Resilience
Alan M. Nutes, CPP, Consultant
Kevin O'Donnell, UBS
Augustine O. Okereke, CPP, Statoil Nigeria Ltd
Philip Oppenheim, International Continuity Oversight Board
Mary Parrish, University of North Carolina at Chapel Hill
John A. Petruzzi Jr., CPP, Andrews International
Abigail Pollard, Blake Emergency Services
Jeanne Powell, IBM
Ren Powers, City National Bank
Werner Preining, CPP, Interpool Security Ltd
Russell Price, Continuity Forum
Daniel Puente Pérez, Sociedad de Prevención Asepeyo
Heidi Raffanello, KTM Strategies
Joseph Rector, CPP, PCI, PSP, United States Air Force
George Richards, CPP, Edinboro University of Pennsylvania
Robert Roberts, Federal Home Loan Bank of Atlanta
Jean Rowe, Verisign Inc.
Craig Rydalch, American Imaging Management, Inc.

Marilyn Saiewitz, Bristol-Myers Squibb
Angie Santiago, Contingency Planning Association of the Carolinas
Steve Schulze, WPS Insurance Corporation
Robert Sena, CPP, King’s College
Chris Servia, University Health Systems of Eastern Carolina
John Sharp, Kiln House Associates Ltd
Daniel Shellenberger, Kinder Morgan
Robert Sherwood, North American Security Products Organization
Jeffrey Slotnick, CPP, PSP, Setracon Inc.
Lisa Smallwood, Comprehensive Emergency Management Professionals LLC
Thomas Smith, Comcast
Wolf Smith-Butz, Computer Sciences Corporation
Kurt Sohn, Capgemini
Ian Speirs, North Yorkshire County Council
Sam Stahl, EMC
Jim Stephens, The Royal Bank of Scotland
Stuart Sterling, HM Government (UK) Civil Contingencies Secretariat, Cabinet Office
Richard Taylor, Abu Dhabi Accountability Authority
Darryl Thibault, CPP, Pexis Corporation
Mike Thomson, Association of Contingency Planners
Raymond Trombley, Bank of Hawaii
Dave Tyson, CPP, Pacific Gas and Electric
Eric Van Balen, McKesson Corp.
Ray Van Hook, CPP, The School of The Art Institute
Suzanne Warner Hart, Delaware Department of Transportation
Lee Webster, Society for Human Resource Management
Douglas Weldon, Thomson Reuters
Renee Wentworth, Union First Market Bankshares
Carl Wertman, Mantech SRS Technologies
Robert Whitcher, BSI Management Systems America Inc.
Dan Wilder, Danalie Partners
Frederick Wilson, CBCP, Consulting
Amanda Witt, Booz Allen Hamilton
Zechariah Wei Ning Wong, Atkins
Mark Wright, Brookfield Properties
Tim Wright, Institute of Internal Auditors
Richard Wright, Wright Security, Inc.
Roberta Yang, The Yang Group
Lisa Zammit, Bank of England
Brian Zawada, Avalution Consulting

Working Group Members

Working Group Co-Chairman: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative, ASIS International
Working Group Co-Chairman: Kevin S. Brear, J.P. Morgan Chase

David Adamson, British Standards Institution
Pradeep Bajaj, PRISMA
Dennis R. Blass, CPP, PSP, Secumetrics LLC
Mark Borchers, CPP, Germanna Community College
Thomas Bozek, Bozek Consulting, LLC

Kevin S. Brear, J.P. Morgan Chase
Patrick Brennan, BCMexperts
Donald Byrne, North River Solutions
Chee Seng Chan, Becton Dickinson Critical Care Systems Pte Ltd
Ian Charters, Continuity Systems Ltd
Lisa DuBrock, The Radian Group, LLC
Edward Eaton, Warner Gudlaugsson LLC
John Hele, British Standards Institution
Brian Kaye, Control Risks Group
Michael Keating, Doulos Business Consulting
Penelope Killow, HFC Bank (HSBC Group)
Paul Kirvan, Paul Kirvan Associates
Donald E. Knox, CPP, Caterpillar Inc.
Richard Kobylar, Capgemini
Bill Lang, VCPI
Lince Lawrence, Allianz Cornhill Information Services
Mohamed Fadhel Meddeb, Efla Consultants Engineers
James Murphy, North Carolina Department of Health and Human Services
Doug Nelson, Business Continuity Solutions
James Nelson, International Consortium for Organizational Resilience
Alan M. Nutes, Consultant
Philip Oppenheim, International Continuity Oversight Board
Russell Price, Continuity Forum
Robert Roberts, Federal Home Loan Bank of Atlanta
Jean Rowe, Verisign Inc.
Angie Santiago, Contingency Planning Association of the Carolinas
Lisa Smallwood, Comprehensive Emergency Management Professionals LLC
Thomas Smith, Comcast
Kurt Sohn, Capgemini
Ian Speirs, North Yorkshire County Council
Stuart Sterling, HM Government (UK) Civil Contingencies Secretariat, Cabinet Office
Mike Thomson, Association of Contingency Planners
Suzanne Warner Hart, Delaware Department of Transportation
Renee Wentworth, Union First Market Bankshares
Dan Wilder, Danalie Partners
Zechariah Wei Ning Wong, Atkins
Brian Zawada, Avalution Consulting



TABLE OF CONTENTS

TABLE OF CONTENTS ..... ix
TABLE OF FIGURES ..... x
TABLE OF TABLES ..... xi
0 INTRODUCTION ..... xiii
0.1 GENERAL ..... xiii
0.2 PLAN-DO-CHECK-ACT (PDCA) CYCLE ..... xv
1 SCOPE OF STANDARD ..... 1
2 NORMATIVE REFERENCES ..... 2
2.1 GENERAL REFERENCE ..... 2
3 TERMS AND DEFINITIONS ..... 2
4 BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) REQUIREMENTS ..... 2
4.1 GENERAL REQUIREMENTS ..... 2
4.2 ESTABLISHING THE CONTEXT ..... 4
4.2.1 Scope of the BCMS ..... 4
4.2.2 Legal and Other Requirements ..... 4
4.3 POLICY AND MANAGEMENT COMMITMENT ..... 4
4.3.1 Policy ..... 5
4.3.2 Management Commitment ..... 5
4.4 PLANNING ..... 6
4.4.1 Business Impact Analysis and Risk Assessment ..... 6
4.4.1.1 Business Impact Analysis (BIA) ..... 6
4.4.1.2 Risk Assessment ..... 7
4.4.2 Business Continuity Objectives and Targets ..... 7
4.4.3 Business Continuity Strategies ..... 7
4.5 IMPLEMENTATION AND OPERATION ..... 8
4.5.1 Resources ..... 8
4.5.2 Roles, Responsibility, and Authority ..... 8
4.5.3 Competence, Training, and Awareness ..... 9
4.5.4 Documentation ..... 10
4.5.5 Control of Documents ..... 10
4.5.6 Developing and Implementing a Business Continuity Response ..... 10
4.5.6.1 Response Structure ..... 11
4.5.6.2 Business Continuity Plans ..... 11
4.5.7 Communication and Consultation ..... 12
4.6 CHECKING AND CORRECTIVE ACTION ..... 12
4.6.1 Monitoring and Measurement ..... 13
4.6.2 Evaluation of Conformance and System Performance ..... 13
4.6.2.1 Evaluation of Conformance ..... 13
4.6.2.2 Exercises and Testing ..... 13
4.6.3 Non-conformity, Corrective Action, and Preventive Action ..... 14
4.6.4 Control of Records ..... 14
4.6.5 Internal Audits ..... 15
4.7 MANAGEMENT REVIEW ..... 15
4.7.1 General ..... 15
4.7.2 Review Input ..... 15
4.7.3 Review Output ..... 16
4.7.4 Opportunities for Improvement ..... 16
A GUIDANCE ON THE USE OF THE STANDARD ..... 17
A.0 INTRODUCTION ..... 17
A.4.1 GENERAL REQUIREMENTS ..... 17
A.4.2 ESTABLISHING THE CONTEXT ..... 18
A.4.2.1 Scope of the BCMS ..... 19
A.4.2.2 Legal and Other Requirements ..... 19
A.4.3 POLICY AND MANAGEMENT COMMITMENT ..... 20
A.4.4 PLANNING ..... 21
A.4.4.1 Business Impact Analysis and Risk Assessment ..... 21
A.4.4.2 Business Continuity Objectives and Targets ..... 27
A.4.4.3 Business Continuity Strategies ..... 27
A.4.5 IMPLEMENTATION AND OPERATION ..... 30
A.4.5.1 Resources ..... 30
A.4.5.2 Roles, Responsibility, and Authority ..... 31
A.4.5.3 Competence, Training, and Awareness ..... 33
A.4.5.4 Documentation ..... 34
A.4.5.5 Control of Documents ..... 35
A.4.5.6 Developing and Implementing a Business Continuity Response ..... 35
A.4.5.7 Communication and Consultation ..... 37
A.4.6 CHECKING AND CORRECTIVE ACTION ..... 39
A.4.6.1 Monitoring and Measurement ..... 39
A.4.6.2 Evaluation of Compliance and System Performance ..... 40
A.4.6.3 Non-conformity, Corrective Action and Preventive Action ..... 41
A.4.6.3.1 General ..... 41
A.4.6.3.2 Corrective Action ..... 42
A.4.6.3.3 Preventive Action ..... 42
A.4.6.4 Control of Records ..... 43
A.4.6.5 Internal Audits ..... 44
A.4.7 MANAGEMENT REVIEW ..... 44
B COMPATIBILITY WITH OTHER MANAGEMENT SYSTEMS AND THE DHS PS-PREP STANDARDS ..... 47
C TERMINOLOGY CONVENTIONS ..... 51
D GLOSSARY ..... 52
E BIBLIOGRAPHY ..... 60
E.1 ASIS INTERNATIONAL PUBLICATIONS ..... 60
E.2 BRITISH STANDARDS INSTITUTE PUBLICATIONS ..... 60
E.3 ISO STANDARDS PUBLICATIONS ..... 60
E.4 NATIONAL STANDARDS PUBLICATIONS ..... 60
E.5 OTHER REFERENCED PUBLICATIONS ..... 61

TABLE OF FIGURES
FIGURE 1: PDCA CYCLE APPLIED TO BCMS PROCESSES .... xv
FIGURE 2: BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) FRAMEWORK .... 3


TABLE OF TABLES
TABLE 1: CORRESPONDENCE BETWEEN THIS STANDARD OF BEST PRACTICES, BS 25999-1:2006, ISO 9001:2000, ISO 14001:2004, AND ISO 27001:2005 .... 47
TABLE 2: VERBAL FORMS FOR THE EXPRESSION OF PROVISIONS .... 51


0 INTRODUCTION

0.1 General

A business continuity management system (BCMS) is an organization-wide process that establishes a fit-for-purpose, strategic, and operational framework that upon implementation by the organization’s leadership:

• Improves an organization’s ability to withstand disruptive events that may jeopardize the achievement of its purpose, mission, and strategic objectives.
• Delivers a demonstrable capability to manage a disruption and protect stakeholder interests.
• Provides a structured and rehearsed method of restoring an organization’s productive ability within a planned timeframe after a disruption.
• Enables an organization to return to its normal state more quickly and safely than would otherwise be possible.
• Supports maintenance and continuous improvement of the organization’s BCMS.
• Promotes the safety and security of internal and external stakeholders.

An actively engaged top management team that directs and embraces a BCMS enables an organization to create and maintain an effective and efficient business continuity program (processes, strategies, and solutions). The BCMS enables the organization to systematically address its stakeholder business continuity needs.

This Standard may be used by private, public, not-for-profit, and voluntary organizations, regardless of their size, scope, or complexity. The Standard accommodates diverse jurisdictional, geographical, cultural, operational, and social environments. The success of a BCMS depends on the active engagement, endorsement, and commitment of organizational leadership to the BCMS.

A BCMS enables an organization to develop a business continuity management policy, establish objectives and processes to achieve the policy commitments, and take action as needed for continual improvement of business continuity performance. A management system is a dynamic and iterative process; therefore, many of the requirements in this Standard may be addressed concurrently or revisited at any time.

A BCMS has the following base components:
a) A policy providing a framework for management’s business continuity objectives and expectations;
b) A definition of roles, responsibilities, and resources;
c) A description of the required management processes relating to:
   i. Policy;
   ii. Strategic planning;
   iii. Business continuity planning and procedural implementation and operation;
   iv. Performance assessment;
   v. Management review; and
   vi. Continual improvement.

d) A set of documentation providing auditable evidence demonstrating process implementation and repeatability.

The adoption and implementation of a range of business continuity management techniques in a systematic manner can contribute to optimal outcomes for all stakeholders and affected parties. However, adoption of this Standard will not by itself guarantee optimal preparedness, continuity, and response outcomes. In order to achieve its objectives, the BCMS should incorporate the best available practices, techniques, and technologies, where appropriate and where economically viable. The cost-effectiveness of such practices, techniques, and technologies should be taken fully into account.

This Standard does not establish absolute requirements for preparedness, response, continuity, or recovery performance beyond commitments in the organization’s policy to:
a) Comply with applicable legal requirements and with other requirements to which the organization subscribes;
b) Support risk minimization and mitigation; and
c) Promote continual improvement.

The main body of this Standard contains only those generic criteria that may be objectively audited. Guidance on supporting BCM techniques is contained in the annexes of this document. This Standard, like other management standards, is not intended to be used to create non-tariff trade barriers or to increase or change an organization’s legal obligations. Indeed, conformance with a standard does not in itself confer immunity from legal obligations.

Verification of an organization's conformance to this Standard may be performed through an external or internal auditing process. Verification may be by a first-, second-, or third-party mechanism. Verification does not require third-party certification.
This Standard does not include requirements specific to other management systems such as those for quality, occupational health and safety, or financial risk management—though its elements can be aligned or integrated with those of other management systems. It is possible for an organization to adapt its existing management system(s) in order to establish a BCMS that conforms to the criteria of this Standard. It should be understood, however, that the application of various elements of the management system might differ depending on the intended purpose and the stakeholder involved.

The level of detail and complexity of the BCMS, the extent of documentation, and the resources devoted to it will be dependent on a number of factors—such as the scope of the system; the size of an organization; and the nature of its activities, products, and services. This may be the case in particular for small and medium-sized enterprises.

0.2 Plan-Do-Check-Act (PDCA) cycle

The management systems approach encourages organizations to analyze organizational and stakeholder requirements and define processes that contribute to success. This Standard applies the “Plan-Do-Check-Act” (PDCA) cycle to establishing, implementing, operating, monitoring, exercising, maintaining, and improving the effectiveness of an organization’s BCMS.

Use of the PDCA model ensures a degree of consistency with other management systems standards, such as ISO 9001:2008 (Quality Management Systems), ISO 14001:2004 (Environmental Management Systems), ISO/IEC 27001:2005 (Information Security Management Systems), ISO 28000 (Security in the Supply Chain) and ISO/IEC 20000:2005 (IT Service Management), thereby supporting consistent and integrated implementation and operation with related management systems. A suitably designed management system can thus satisfy the requirements of all these standards (see Annex B). Organizations that have adopted an ISO approach to management systems may be able to use their existing management system as a foundation for the business continuity management system.

Figure 1 illustrates how a BCMS takes as inputs the business continuity requirements and expectations of the interested parties and, through the necessary actions and processes, produces business continuity outcomes (i.e., managed business continuity) that meet those requirements and expectations.

NOTE: In practice, a PDCA cycle is applied to each stage of the BCMS process in an iterative approach.

Figure 1: PDCA cycle applied to BCMS processes
[Figure: the business continuity requirements and expectations of interested parties enter the cycle Establish → Implement and operate → Monitor and review → Maintain and improve, under continual improvement of the business continuity management system, and produce managed business continuity for the interested parties.]

Plan (establish the management system): Establish management system policy, objectives, processes, and procedures relevant to managing business continuity risks and improving response and recovery processes that deliver results in accordance with the organization’s strategic needs.

Do (implement and operate the management system): Implement and operate the management system policy, controls, processes, and procedures.

Check (monitor and review the management system): Monitor, assess, measure, and review performance against management system policy, objectives, and practical experience; report the results to management for review; and determine and authorize actions for remediation and improvement.

Act (maintain and improve the management system): Take corrective and preventive actions, based on the results of the internal management system audit and management review, re-appraising the scope of the BCMS and business continuity policy and objectives to achieve continual improvement of the management system.

Conformance with this Standard can be verified by the auditing process described in ISO 19011:2002 that is compatible and consistent with the methodology used for ISO 9001:2008, ISO 14001:2004, ISO 28000:2007, and/or ISO/IEC 27001:2005, and the PDCA Model.


AMERICAN NATIONAL STANDARD ASIS/BSI BCM.01-2010
an American National Standard – Business Continuity Management Systems: Requirements with Guidance for Use

1 SCOPE OF STANDARD

This Standard specifies requirements for a business continuity management system (BCMS) to enable an organization to identify, develop, and implement policies, objectives, capabilities, processes, and programs—taking into account legal and other requirements to which the organization subscribes or is governed by—to address disruptive events that might impact the organization and its stakeholders. This Standard specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining, and improving a documented BCMS within the context of managing an organization’s risks.

The requirements specified in this Standard are generic and intended to be applicable to all organizations (or parts thereof), regardless of type, size, and nature of the organizational mission. The scope of these requirements depends on the organization’s operating environment and complexity. This Standard seeks to offer a flexible management systems approach to address and minimize the consequences associated with disruptive events. This Standard addresses all aspects of the organization deemed essential to meeting commitments (as agreed to by top management), consistent with the scope of the BCMS. The Standard does not itself state specific performance criteria.

The intent of this Standard is to position an organization to design a BCMS that is appropriate to its needs. These needs are shaped by customer and other stakeholder, regulatory, and operational requirements; the products and services; the processes employed; the size and structure of the organization; and jurisdictional and geographic areas of operation.

This Standard is applicable to any organization that chooses to:
a) Establish, implement, maintain, and improve a BCMS.
b) Assure itself of its conformity with its stated business continuity management policy.
c) Demonstrate conformity with this Standard by:
   i. Making a self-determination and self-declaration.
   ii. Seeking confirmation of its conformance by parties having an interest in the organization (such as customers and supply chain partners).
   iii. Seeking confirmation of its self-declaration by a party external to the organization.
   iv. Seeking certification/registration of its BCMS by an external organization.


Annex A provides informative guidance on management system planning, implementation, testing, maintenance, and improvement of a business continuity program.

2 NORMATIVE REFERENCES

The following standards contain provisions which, through reference in this text, constitute provisions of this American National Standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this American National Standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below.

2.1 General Reference

ISO Guide 73:2002, Risk management – Vocabulary – Guidelines for use in standards. [1]

3 TERMS AND DEFINITIONS

An extensive Glossary of terms appears in Annex D.

NOTE: The reader is encouraged to read through the terms and definitions prior to reading the body of the document.

4 BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) REQUIREMENTS

4.1 General Requirements

The organization shall establish, implement, operate, monitor, review, maintain, and improve a documented BCMS within the context of the organization’s overall operational activities and the risks it faces. Figure 2 outlines the process specified by this Standard.

[1] This document is available from the International Organization for Standardization. <http://www.iso.ch/iso/en/prods-services/ISOstore/store.html>


Figure 2: Business Continuity Management System (BCMS) Framework
[Figure: a Continual Improvement cycle linking 4.2 Establishing the Context (Define Scope of the BCMS; Legal and Other Requirements); 4.3 Policy & Management Commitment (Policy; Management Commitment); 4.4 Planning (BIA & Risk Assessment; Business Continuity Objectives & Targets; Business Continuity Strategies); 4.5 Implementation & Operation (Resources; Roles, Responsibility and Authorities; Competence, Training, Awareness; Documentation; Control of Documents; Developing and Implementing a BCM Response; Response Structure; Business Continuity Plans and Procedures; Communication and Consultation); 4.6 Checking & Corrective Action (Monitoring & Measurement; Evaluation of Conformance & System Performance; Exercises & Testing; Nonconformity, Corrective, & Preventive Action; Control of Records; Internal Audits); and 4.7 Management Review (Review Input; Review Output; Opportunities for Improvement).]

The BCMS shall ensure that:
a) Processes and strategies appropriately provide for the safety and security of all stakeholders.
b) Business continuity management objectives are clearly stated, understood, and communicated to stakeholders.
c) Top management defines and communicates the organization’s strategic goals and objectives for inclusion in the BCMS.
d) Resources are allocated to meet the goals and objectives of the program.
e) Those with BCMS management roles and responsibilities are competent to perform their tasks.
f) There is a continual assessment of the BCMS elements.


4.2 Establishing the Context

4.2.1 Scope of the BCMS

The organization shall define and document the scope of the BCMS considering its internal and external context. The organization shall:
a) Establish the organizational boundaries to be included in the BCMS, being the whole organization or one or more of its internal entities.
b) Establish BCMS requirements, considering the organization’s mission, goals, internal and external obligations (including those related to stakeholders), and legal responsibilities.
c) Identify products and services and all related activities within the scope of the BCMS.
d) Take into account internal and external stakeholders’ needs and interests.
e) Define the scope of the BCMS in terms of – and appropriate to – the size, nature, and complexity of the organization.

When defining the scope, the organization shall document any exclusions, where such exclusions do not affect the organization’s ability and/or responsibility to provide continuity of business and operations that meet the BCMS requirements (determined by impact analysis or risk assessment and applicable legal, regulatory, and contractual requirements).

4.2.2 Legal and Other Requirements

The organization shall establish, document, and maintain a procedure(s) to:
a) Identify and assess legal, regulatory, contractual, and any other relevant requirements to which the organization subscribes or is governed by related to the continuity of its operations, products and services, and stakeholder interests.
b) Assess the impacts of non-conformance.
c) Determine how these requirements apply to the organization’s risks and their potential impacts.

The organization shall ensure that these applicable legal and other requirements to which the organization subscribes or is governed by are taken into account in establishing, implementing, and maintaining its BCMS. The organization shall keep the information required herein up-to-date.

4.3 Policy and Management Commitment

Top management shall establish, document, provide resources, and demonstrate commitment to a business continuity management policy within the defined scope of the BCMS.


4.3.1 Policy

Top management shall define the business continuity management policy in terms of the characteristics of the organization, its location(s) and operating environment, its stakeholders, obligations, and assets. The policy shall include or make reference to:
a) Alignment with the organization’s mission, strategic objectives, and risk management approach as it pertains to the BCMS and BCM program;
b) Commitment to proactively manage the impact of disruptive events;
c) A framework for setting objectives, direction, and principles for action;
d) Legal, regulatory, and contractual requirements;
e) The scope of the business continuity management system, including limitations and exclusions;
f) A commitment to leadership oversight; and
g) Continual improvement.

The policy shall be:
a) Approved by top management;
b) Communicated to all persons working for or on behalf of the organization deemed within the scope of the BCMS;
c) Available to stakeholders as approved by management; and
d) Reviewed at defined intervals and when significant changes occur.

4.3.2 Management Commitment

Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by:
a) Establishing a BCM policy;
b) Ensuring that BCMS objectives and plans are established;
c) Establishing roles, responsibilities, and competencies for BCM;
d) Appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the management system;
e) Communicating and promoting awareness within the organization of the importance of meeting BCMS objectives and conforming to BCM policy, its responsibilities under the law, and the need for continual improvement;
f) Providing sufficient resources to establish, implement, operate, monitor, review, maintain, and continually improve the BCMS;
g) Defining the criteria for accepting risks and the acceptable levels of risk;
h) Actively engaging in exercises and testing;
i) Ensuring that internal BCMS audits are conducted;
j) Conducting management reviews of the BCMS; and
k) Demonstrating its commitment to continual improvement.

4.4 Planning

4.4.1 Business Impact Analysis and Risk Assessment

The organization shall establish, implement, and maintain a formal and documented evaluation process to systematically analyze risk and impacts, and establish business continuity objectives consistent with the scope and policy of the BCMS. The organization shall:
a) Evaluate the impact of disruptive events within its internal and external context;
b) Define and establish business continuity and recovery objectives and priorities;
c) Evaluate the direct and indirect benefits and costs of options to reduce risk;
d) Identify programs required to ensure achievement of its objectives prior to, during, and following a disruption;
e) Assess risks and impacts following the changes within the organization's environment caused by internal or external factors; and
f) Document and keep this information updated, secured (as appropriate), and readily available for authorized use.

4.4.1.1 Business Impact Analysis (BIA)

The organization shall establish, implement, and maintain a formal documented process and methodology for conducting a business impact analysis (BIA). The organization’s BIA shall assess and prioritize organizational activities, and the resources required to deliver its products and services (including interdependencies and time and/or event-driven variations), by:
a) Identifying the potential impacts over time of disruptions resulting from uncontrolled, non-specific events on the organization’s activities and resources;
b) Identifying legal, regulatory, and contractual requirements for the organization’s activities and resources;
c) Based on the impacts, estimating the maximum allowable downtime for each product, service, and activity; and
d) Setting recovery time objectives for resuming, at a specified acceptable level, the organization’s activities and resources, taking into consideration the time within which the impacts of not resuming them would become unacceptable.
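The BIA steps above (impact over time, a legal deadline, maximum allowable downtime, recovery time objectives, and interdependencies between activities and the resources they need) carried through as an added worked example; it is not part of the Standard, and the activity names, 0–5 impact scale, 25% headroom and dependency graph are constructed assumptions.

```python
"""Worked business impact analysis (BIA) calculation.

Added example, not part of ASIS/BSI BCM.01-2010. Activity names, impact
scores, the 0-5 scale, the headroom factor and the dependency graph are all
constructed for illustration.

Method: impact is estimated at successive points in time after a disruption;
the maximum allowable downtime (MAD) is the first time at which the impact
would become unacceptable, capped by any legal/regulatory deadline; the
recovery time objective (RTO) is set with headroom below the MAD; and a
resource that other activities depend on inherits the tightest RTO among them.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UNACCEPTABLE = 4      # impact score (0-5, constructed) at which impact is unacceptable
SAFETY_MARGIN = 0.25  # fraction of the MAD kept as headroom when deriving the RTO


@dataclass
class Activity:
    name: str
    # (hours since disruption, impact score) pairs; constructed values that a
    # real BIA would gather from process owners.
    impact_over_time: List[Tuple[int, int]]
    legal_deadline_hours: Optional[int] = None   # e.g. a statutory filing window
    depends_on: List[str] = field(default_factory=list)


def maximum_allowable_downtime(activity: Activity, threshold: int = UNACCEPTABLE):
    """Hours until impact first reaches the threshold, or None if it never does
    within the assessed window. A legal deadline caps the result."""
    mad = None
    for hours, impact in sorted(activity.impact_over_time):
        if impact >= threshold:
            mad = hours
            break
    deadline = activity.legal_deadline_hours
    if deadline is not None:
        mad = deadline if mad is None else min(mad, deadline)
    return mad


def recovery_time_objective(mad: Optional[int], margin: float = SAFETY_MARGIN):
    """RTO strictly below the MAD so that a recovery overrun does not breach it."""
    if mad is None:
        return None
    return max(1, int(mad * (1 - margin)))


def run_bia(activities: List[Activity]) -> Dict[str, dict]:
    """Return {name: {'mad': hours, 'rto': hours}} with dependency-adjusted RTOs."""
    results = {}
    for a in activities:
        mad = maximum_allowable_downtime(a)
        results[a.name] = {"mad": mad, "rto": recovery_time_objective(mad)}
    # Interdependency: a resource must be back before every activity that needs
    # it, so its RTO is pulled down to the tightest dependent RTO. Loop until
    # stable so that chains of dependencies propagate; RTOs only ever decrease.
    changed = True
    while changed:
        changed = False
        for a in activities:
            own = results[a.name]["rto"]
            if own is None:
                continue
            for dep in a.depends_on:
                if dep not in results:
                    raise ValueError(f"{a.name} depends on unassessed resource {dep}")
                if results[dep]["rto"] is None or results[dep]["rto"] > own:
                    results[dep]["rto"] = own
                    changed = True
    return results


def priority_order(results: Dict[str, dict]) -> List[str]:
    """Recovery priority: shortest RTO first; activities with no RTO last."""
    return sorted(results, key=lambda n: (results[n]["rto"] is None, results[n]["rto"] or 0))


def rto_violations(results: Dict[str, dict]) -> List[str]:
    """Names whose RTO exceeds their MAD: an inconsistent BIA that must be corrected."""
    return [n for n, r in results.items() if r["mad"] is not None and r["rto"] > r["mad"]]


# Constructed sample data. The ERP platform alone would tolerate 72 h, but order
# processing needs it back within 18 h, so the dependency tightens its RTO.
SAMPLE_ACTIVITIES = [
    Activity("Customer order processing", [(4, 2), (8, 3), (24, 4), (72, 5)],
             depends_on=["ERP platform"]),
    Activity("Payroll", [(24, 1), (72, 2), (168, 4)], legal_deadline_hours=120),
    Activity("ERP platform", [(8, 1), (24, 3), (72, 4)]),
    Activity("Internal newsletter", [(168, 1), (720, 2)]),
]

if __name__ == "__main__":
    bia = run_bia(SAMPLE_ACTIVITIES)
    for name in priority_order(bia):
        print(f"{name:28s} MAD={bia[name]['mad']}  RTO={bia[name]['rto']}")
    print("RTO > MAD violations:", rto_violations(bia))
```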


4.4.1.2 Risk Assessment

The organization shall establish, implement, and maintain a formal documented risk assessment process to systematically identify, analyze, and evaluate the risk of disruptive events to the organization. The organization shall:
a) Identify risks (and their sources) that may lead to unacceptable levels of disruption to the activities needed to achieve the organization’s objectives associated with activities, processes, facilities, people, systems, information, resources, assets (tangible and intangible), and partner and supplier relationships;
b) Systematically analyze risk;
c) Evaluate which risks require treatment; and
d) Identify treatments commensurate with business continuity and recovery objectives, resource availability, related costs, and stakeholder expectations.

4.4.2 Business Continuity Objectives and Targets

The organization shall establish and maintain documented business continuity objectives consistent with the business continuity expectations for organizational activities, dependency relationships outside the organization (such as suppliers), and stakeholder requirements. Business continuity objectives and targets shall be measurable qualitatively and/or quantitatively, and consistent with the BCM policy.

When establishing and reviewing its objectives and targets, an organization shall consider the legal, regulatory, and contractual requirements; the significant risks and impacts; risk tolerance; resource options; financial, operational, contractual, and organizational requirements; and the views of stakeholders.

4.4.3 Business Continuity Strategies

The organization shall establish and maintain strategies for achieving its business continuity objectives and targets to prevent, prepare for, mitigate, respond to, and recover from disruptive incidents. Such strategies shall include:
a) A designation of responsibility and resources for achieving objectives and targets at relevant activities and levels of the organization; and
b) A means and timeframe by which the strategies are to be achieved.

The organization shall:
a) Define a fit-for-purpose, predefined, and documented response structure that will promote a safe and secure workplace, and an effective response and recovery effort following a disruptive event. The response structure shall address appropriate relationships and liaison with local authorities and assure the availability of necessary communications with internal and external stakeholders regardless of the operating environment.
b) Determine how it will recover each activity and resource based on its business continuity and recovery objectives.
c) Determine arrangements needed with suppliers and outsource partners to ensure the timely delivery of their products and services.
d) Determine how it will manage relationships with its stakeholders and external parties involved in the recovery effort, including coordination with public authorities.

4.5 Implementation and Operation

4.5.1 Resources

Management shall ensure the availability of resources essential for the implementation and maintenance of the business continuity management system and the business continuity strategies (see 4.4.3). Resources include facilities, human resources, equipment, infrastructure and other services, technology, information, intelligence, and financial resources. The organization shall determine and provide the resources needed to:
a) Establish, implement, operate, monitor, review, maintain, and continually improve the BCMS and its business continuity strategies;
b) Assess and participate in agreements related to interdependencies and mutual aid, if applicable; and
c) Maintain adequate proactive and reactive capacity.

The organization shall develop and document financial, logistical and administrative procedures to support the business continuity strategies before, during, and after an incident. Procedures shall be:
a) Established to ensure that fiscal decisions can be expedited; and
b) In accordance with established authority levels, governance, and accounting principles.

4.5.2 Roles, Responsibility, and Authority

Roles, responsibilities, and authorities shall be defined, documented, and communicated to facilitate effective business continuity management. The organization’s top management shall assume the following responsibilities or shall:
a) Designate a management representative(s) with appropriate authority and accountability for the BCMS, irrespective of other responsibilities, who will ensure that the business continuity management system is established, communicated, implemented, and maintained in accordance with the policy requirements, and report on the performance of the business continuity management system to top management for review and as the basis for improvement;
b) Ensure all management, staff, and other stakeholders (internal and external) are aware of, and accountable for supporting, the BCMS;
c) Identify personnel with the authority to invoke business continuity plans and procedures based on triggers and escalation criteria, as well as to terminate response and recovery operations following the conclusion of the event; and
d) Identify appropriate business continuity management teams with appropriate authority and responsibility to oversee and execute response and recovery efforts as documented in the BCMS plan(s).

4.5.3 Competence, Training, and Awareness

The organization shall ensure that any person(s) assigned business continuity responsibilities under the BCMS framework is (are) competent to perform the required tasks by:
a) Determining the necessary competencies for such persons;
b) Conducting a training needs analysis on personnel being assigned business continuity management roles and responsibilities;
c) Providing training based on the competency requirements;
d) Ensuring that the necessary competence has been achieved and maintained; and
e) Maintaining associated records of education, training, skills, experience, and qualifications.

The organization shall establish, implement, and maintain awareness, competence, and training procedures to ensure persons working for it or on its behalf are aware of:
a) Applicable strategies and procedures specific to business continuity, including mitigation, response, communication, recovery, and resumption;
b) The importance of conformity with the business continuity management policy and with the requirements of the BCMS;
c) Their roles and responsibilities in achieving conformity with the requirements of the business continuity management system;
d) The significant risks, and actual or potential impacts, associated with their work; and
e) The benefits of improved personal performance.

The organization shall promote awareness to build a culture that ensures business continuity becomes part of its core values and governance, and makes its stakeholders aware of its BCM policy and their roles in any plans. The organization shall evaluate the efficacy of business continuity awareness, competence, and training procedures and retain associated records.


4.5.4 Documentation

BCMS documentation shall include:
a) A description of the purpose and scope of the BCMS;
b) The BCM policy, objectives, targets, and measures;
c) A description of the main elements of the BCMS and their interaction; and
d) Documents, including records, required by this Standard; or determined by the organization to be necessary to ensure the effective planning, operation, and maintenance of processes that relate to its identified risks and their impacts and the business continuity plans.

BCMS documentation shall be reviewed and updated on a regular basis; however, significant organizational or process changes should be addressed promptly.

4.5.5 Control of Documents

Records are a special type of document and shall be maintained in accordance with the requirements given in 4.6.4. The organization shall establish, implement, and maintain a procedure(s) to ensure:
a) Documents are approved for adequacy prior to being marked as a final, approved copy;
b) Documents are reviewed and updated with each significant change impacting the validity of the document and re-approved;
c) Summaries of document change and the current revision status of each document are identified;
d) Relevant versions of applicable documents are available at points of use;
e) Documents of external origin are identified and their distribution controlled;
f) Unintended use of obsolete documents is prevented and that such documents are marked as such, if they are to be retained for any purpose;
g) Documents remain legible, readily identifiable, and retrievable;
h) Provisions for document identification, storage, protection, and retrieval;
i) Only authorized personnel have access to documents, in order to protect individuals’ sensitive personal data and to adhere to legal and jurisdictional requirements; and
j) Documents are tamper-resistant; securely backed-up; and protected from damage, deterioration, or loss.

4.5.6 Developing and Implementing a Business Continuity Response

The organization shall establish, implement, and maintain business continuity plans and procedures to manage a disruptive event and continue its activities based on recovery objectives identified in the business impact analysis. The organization shall document plans and procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive event. The plans and procedures shall be:
a) Establishing the appropriate internal and external communications protocol;
b) Specific regarding the immediate steps that should be taken during a disruption;
c) Flexible to respond to unanticipated threat scenarios and changing internal and external conditions;
d) Focused on the impact of events that could potentially disrupt operations;
e) Developed based on stated assumptions and an analysis of interdependencies; and
f) Effective in minimizing consequences through implementation of appropriate mitigation strategies.

4.5.6.1 Response Structure

The organization shall establish, document, and implement procedures and a management structure to prepare for, mitigate, and respond to a disruptive event using personnel with the necessary authority, experience, and competence. The response structure shall:
a) Identify impact thresholds that justify initiation of formal response;
b) Assess the nature and extent of a disruptive event or the potential impact;
c) Initiate an appropriate business continuity response;
d) Have plans, processes, and procedures for the activation, operation, coordination, and communication of the response;
e) Have resources available to support the plans, processes, and procedures to manage a disruptive event or work to minimize impact before realized; and
f) Communicate with stakeholders and authorities, as well as the media.

4.5.6.2 Business Continuity Plans

The organization shall establish documented plans that detail how the organization will manage a disruptive event and how it will recover or maintain its activities to a predetermined level, based on management-approved recovery objectives. Each plan shall define:
a) Purpose and scope;
b) Objectives, targets and metrics;
c) Activation criteria and procedures;
d) Implementation procedures;
e) Roles, responsibilities, and authorities;
f) Communication requirements and procedures;
g) Internal and external interdependencies and interactions;
h) Resource requirements; and
i) Information flow and documentation processes.

The organization shall periodically test, review, and (where necessary) revise its business continuity plans—in particular, after the occurrence of the disruptive event and its associated post-event review.

4.5.7 Communication and Consultation

The organization shall establish, implement, and maintain procedure(s) for:
a) Internal communication amongst stakeholders and employees within the organization;
b) External communication with customers, partner entities, local community, and other stakeholders – including the media;
c) Receiving, documenting, and responding to communication from internal and external stakeholders;
d) Taking into advisement external and/or internal threat advisory system in planning and operational use;
e) Alerting stakeholders potentially impacted by an actual or impending disruptive event;
f) Ensuring availability of the means of communication during a disruptive event;
g) Facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate; and
h) Operating and testing of communications capabilities intended for use during disruption of normal communications.

4.6 Checking and Corrective Action

The organization shall evaluate the BCMS—including the efficacy of business continuity strategies, capabilities, and plans—through periodic assessments, testing/exercises, post-event analyses, other lessons learned, and performance evaluations. Significant findings should be reflected in strategies and plans as soon as practical. The organization shall keep records of the results of the periodic evaluations.


4.6.1 Monitoring and Measurement

The organization shall establish and maintain procedures to monitor and measure the management system performance on a periodic basis. The procedure(s) shall document the information associated with BCMS performance monitoring, including applicable operational controls and other means of ensuring conformity with the organization's BCMS objectives.

The organization shall establish and maintain procedure(s) for maintaining and reviewing business continuity strategies and plans. It shall:
a) At defined intervals, review BCMS documentation to ensure continuing suitability, adequacy, and effectiveness; and
b) Ensure its business continuity capability and appropriateness is reviewed at planned intervals and when significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

4.6.2 Evaluation of Conformance and System Performance

The organization shall ensure that the business continuity policy, objectives, strategies, and plans meet the organization’s strategic requirements. This evaluation of business continuity conformance and performance will ensure the BCMS remains aligned to and provides the organization with the means to be prepared for a process or service disruption, thus allowing the organization to meet its legal, regulatory, and contractual requirements and minimizing the impact to stakeholders.

4.6.2.1 Evaluation of Conformance

The organization shall establish and maintain procedure(s) for periodically evaluating conformance with applicable legal, regulatory, and contractual requirements to which the organization subscribes in order to meet the organization’s commitment to conformance. The organization shall keep records of the results of the periodic evaluations.

4.6.2.2 Exercises and Testing

The organization shall ensure that its BCMS – specifically its business continuity plans, teams, and resources – are validated by exercise and review and are kept current. The organization shall:
a) Establish a program, approved by top management, to ensure exercises are carried out at planned intervals and as significant changes occur due to internal and external factors;
b) Develop exercises that are consistent with the scope of the BCMS;
c) Define the objectives and targets of every exercise;
d) Plan exercises to prevent a disruptive event occurring as a direct result of the exercise;
e) Exercise its business continuity plans, teams, and facilities to ensure that they meet organizational requirements;
f) Carry out a range of different exercises that taken together validate the whole of its business continuity arrangements;
g) Carry out a post-exercise review that will assess the achievement of the objectives and targets of the exercise, lessons learned, and opportunities for improvement; and
h) Submit to top management a written report of the exercise, outcomes, and feedback, including recommended corrective and preventative actions.

4.6.3 Non-conformity, Corrective Action, and Preventive Action

The organization shall improve its BCMS through the identification of non-conformities and application of preventive and corrective actions. Changes arising from preventive and corrective actions shall be reflected in appropriate BCMS documentation.

The organization shall take action to eliminate the cause of non-conformities associated with the implementation and operation of the BCMS to prevent their occurrence as well as take action to prevent potential non-conformities from occurring. These actions include:
a) Identification and correction of each actual non-conformity, together with the mitigation of their business impact;
b) Investigation and elimination of the cause of each actual non-conformity, in order to prevent recurrence;
c) Determination of actions to eliminate the causes of potential non-conformities to prevent their occurrence;
d) Any action taken to identify, correct, mitigate, prevent, or eliminate the causes or effects of each actual and potential non-conformity appropriate to the magnitude of problems and the business impact encountered;
e) The organization shall document non-conformities identified, as well as corrective and preventative actions taken; and
f) A review of corrective and preventative actions taken and implemented within the context of the BCM policy and risk and impact assessment.

4.6.4 Control of Records

The organization shall establish and maintain records to demonstrate conformity to the requirements of its BCMS and the results achieved.

The organization shall establish, implement, and maintain a procedure(s) to protect the integrity of records including access to, identification, storage, protection, retrieval, retention, and disposal of records. Records shall be and remain legible, identifiable, and traceable.

4.6.5 Internal Audits

The organization shall plan and conduct internal audits of the BCMS periodically such that the:
a) Audit programs shall be planned, established, implemented, and maintained by the organization, taking into account the business impact analysis, risk assessment, control and mitigation measures, plan documentation, exercises, management involvement, and the results of previous audits;
b) Audits shall determine whether the BCMS:
   i. Conforms to planned arrangements, including the requirements of this Standard;
   ii. Has been properly implemented and is maintained; and
   iii. Is effective in meeting the organization’s business continuity policy and objectives;
c) Information on the results of audits shall be provided to top management in order to drive BCMS improvement; and
d) Audit procedure(s) shall be established, implemented, and maintained that address:
   i. Responsibilities, competencies, and requirements for planning and conducting audits, reporting results, and retaining associated records;
   ii. Determination of audit criteria, scope, frequency, and methods; and
   iii. Selection of auditors and conduct of audits so as to ensure objectivity and the impartiality of the audit process.

4.7 Management Review

4.7.1 General

Top management shall review the organization’s BCMS at planned intervals and when significant changes occur to ensure its continuing suitability, adequacy, and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the BCMS, including policy, objectives, and targets. Results of management reviews shall be documented.

4.7.2 Review Input

The input to a management review shall include:
a) Follow-up actions from previous management reviews;
b) Results of BCMS audits and reviews;
c) Results of education and awareness training programs;
d) Any internal or external changes that could affect the BCMS;
e) Communication with stakeholders;
f) Techniques, products, or procedures that could be used in the organization to improve BCMS performance and effectiveness;
g) Emerging good practice and guidance;
h) Status of preventive and corrective actions;
i) Level of residual risk and acceptable risk;
j) Vulnerabilities and threats not adequately addressed in previous risk assessments;
k) Results and lessons learned from exercises, tests, and incidents;
l) Current resource allocation to treat risks as needed to meet the organization’s BCM policy and objectives; and
m) Recommendations for improvement.

4.7.3 Review Output

The output from a management review shall include any decisions and actions related to:
a) Varying the scope of the BCMS;
b) Improving the effectiveness of the BCMS;
c) Modifying business continuity strategies and plans, as necessary, to respond to internal or external events that could impact the BCMS, including changes to:
   i. Business requirements;
   ii. Statutory, regulatory, and contractual requirements;
   iii. Levels of risk and/or levels of risk acceptance;
   iv. Resource needs; and
   v. Funding and budget requirements.

4.7.4 Opportunities for Improvement

The organization shall continually improve the effectiveness of the BCMS through the review of the business continuity policy and objectives, audit results, analysis of monitored exercises and events, preventive and corrective actions, and management review.

Annex A (informative)

A GUIDANCE ON THE USE OF THE STANDARD

A.0 Introduction

Natural disasters, environmental accidents, technology mishaps, and man-made crises have historically demonstrated that disruptive incidents will happen, impacting the public and private sectors alike. The challenge to organizations goes beyond most emergency response plans or disaster management activities previously deployed. Organizations should engage in a comprehensive and systematic process to manage the continuity of operations. It is no longer enough to draft a response plan that anticipates disasters or emergency scenarios. Today’s threats require the creation of an on-going, dynamic, and interactive management process that serves to assure the continuation of an organization’s core activities before, during, and after a major disruptive incident.

This Standard provides:
a) Organizations of all sizes and types (private, not-for-profit, and public sectors) with the elements needed to achieve and demonstrate proactive risk reduction and business continuity;
b) A framework to aid organizations in successfully managing a disruptive incident by developing a strategy and action plan to safeguard its interests and those of its stakeholders; and
c) A holistic management process to help avoid and minimize the suspension of service and operations and having procedures to allow a return to normal services and operations as rapidly as possible.

It is good practice for an organization to protect its physical, virtual, and human assets. The success of the management system depends on the commitment at all levels and activities in the organization, especially the organization’s top management. Decision makers should be prepared to budget and secure the necessary resources to support the BCMS. It is necessary that an appropriate structure be implemented to effectively deal with prevention, mitigation, and management.
Regardless of the organization – for profit, not for profit, faith-based, nongovernmental – its leadership has a duty to stakeholders to plan for its continued operation.

A.4.1 General Requirements

The additional text given in this annex is strictly information and is provided to assist the understanding of requirements contained in Section 4 of this Standard. While this information addresses and is consistent with the requirements of Section 4, it is not intended to add to, subtract from, or in any way modify those requirements.

The implementation of a BCMS specified by this Standard is intended to result in improved business continuity integrated with the organization’s other policies and plans such as privacy, security, and safety. Therefore, this Standard is based on the premise that the organization should periodically review and evaluate its BCMS to identify opportunities for improvement and their implementation. The organization should determine the rate, extent, and timescale of this continual improvement process in the context of economic and other circumstances. Improvements in its business continuity management system are intended to result in further improvements in business performance.

This Standard requires an organization and its management to:
a) Define and document the scope of the BCMS considering its internal and external context;
b) Take into account applicable legal and other requirements when establishing the BCMS;
c) Demonstrate continuing commitment to business continuity management policy;
d) Maintain a formal process to analyze priorities, impacts, and risks, and establish business continuity objectives consistent with the scope and policy of the BCMS;
e) Ensure the availability of resources (including financial and empowered, competent human resources) to implement and maintain the business continuity management system, and a system of BCMS records including a management structure, plans, and procedures to maintain business continuity during and after disruptive incidents; and
f) Evaluate the efficacy of the BCMS, business continuity strategies, capabilities, and plans.

A.4.2 Establishing the Context

The organization establishes the context of its BCMS by identifying and understanding the internal and external influences and environment in which it operates. By establishing the context, an organization can define the scope of its BCMS and design a fit-for-purpose framework for business continuity management. This should assure that the organization meets the objectives, needs and concerns of internal and external stakeholders.

When initiating a BCMS, the organization should conduct an analysis or review to help establish the context of its operations and determine the boundaries of its scope. For example, when conducting the analysis or review, the organization should consider:
• Assets, activities, products, and services;
• Risks associated with normal, abnormal, and emergency situations (actual and potential);
• Applicable legal and other requirements;
• Supply chain, contractual, community, and mutual aid agreements;
• Interdependencies and supporting infrastructure;
• Previous disruptions, accidents, incident reports, and exercise reports;
• Audit reports;
• Government advisories; and
• Political and social operating environment.

A.4.2.1 Scope of the BCMS

An organization has the freedom to define the boundaries for implementing its BCMS. It may choose to implement the BCMS across the entire organization, specific operating units, discrete geographic locations, or clearly defined supply chain flows. These scoping boundaries reflect top management objectives for the BCMS, and the size, nature, and complexity of the organization and its activities. Once top management defines the BCMS scope, all assets, activities, products, and services within that scope become elements of concern within the BCMS.

Outsourced activities and supply chain remain the organization’s responsibility and should be within the BCMS. If an outsourced product, service, activity, or part of the organization’s supply chain remains under the organization’s risk accountability and management control, then top management should place it within the scope of the BCMS. The organization should make appropriate agreements and take appropriate measures to assure effective BCM agreements are in place with its suppliers and outsource partners.

The organization should justify all exclusions from the scope of the BCMS using risk assessment and impact analysis in the justification. Exclusions may include the inability of an organization to provide the continuity of its business and operations, or meet its legal and other requirements and obligations. The scope should ensure the integrity and continuity of operations. The credibility of the BCMS depends on the choice of organizational boundaries defined in the scope. The level of detail and complexity of the BCMS, the extent of documentation required, and resources committed to the BCMS should guide the BCMS scope statement. When the organization implements the Standard for a specific operating unit, then the organization may use applicable policies, plans, and procedures developed by other parts of the organization to satisfy the requirements of this Standard.

A.4.2.2 Legal and Other Requirements

The organization should identify and understand legal, regulatory, and contractual requirements that affect its business continuity intentions. These may include national, international, state, local, legal, and regulatory requirements. Identifying and understanding these requirements should help to ensure legal compliance, prevent litigation, minimize liability, improve the organization’s image, and meet its obligations to society. Examples of other requirements to which the organization may subscribe include, if applicable:
• Business and other contractual obligations;
• Agreements with public authorities, community groups, or non-governmental organizations;
• Agreements with customers;
• Non-regulatory guidelines;
• Voluntary principles or codes of practice;
• Product or service stewardship commitments (e.g., warranties);
• Requirements of trade associations;
• Public commitments of the organization or its parent organization;
• Non-binding protocols;
• Healthcare requirements;
• Financial obligations;
• Social responsibility and environmental commitments; and
• Identity information and privacy requirements.

Legal obligations vary by jurisdiction and geographic location, by the type and nature of operations, and by the location, type, and nature of the organization’s customers. Therefore, it is important that the organization be aware of its obligations within the context of its operating environment. The organization should identify all relevant statutory, regulatory, contractual, and other requirements and communicate this information to appropriate stakeholders. The organization should evaluate which requirements apply and where they apply, and identify who should receive this information. The organization should explicitly define, document, and keep current its approach to accessing and addressing these requirements. Similarly, the organization should define and document specific business continuity methods and controls as well as individual responsibilities to meet these requirements.

A.4.3 Policy and Management Commitment

The BCMS management policy is the driver for implementing and improving an organization’s business continuity management system so that it can address and potentially improve its ability to continue business operations during and after disruptive incidents. The BCMS policy should therefore reflect the commitment of top management to:
a) Define the scope of the BCMS in terms of its organizational boundaries, products, and services; stakeholder needs and interests; and supply chain – as well as any limitations and exclusions;
b) Comply with legal, regulatory, and contractual requirements;
c) Align the BCMS with the organization’s mission, strategic objectives, and risk management approach;
d) Proactively manage the impact of disruptive events;
e) Provide active, engaged leadership oversight; and
f) Promote continual improvement.

The BCMS management policy should be sufficiently clear to interested internal and external parties. Top management reviews, revises, and endorses the policy periodically to reflect changing conditions and information. The scope of the policy should be clearly identifiable and reflect the unique nature, scale, and impact of the BCMS on the organization’s activities, products, and services.

The BCMS management policy should be communicated and made available to all persons who work for or on behalf of the organization and others such as customers, investors, stockholders, the supply chain, and concerned public and/or community agencies. Communication to external parties can be in alternative forms to the policy statement itself – such as rules, directives, and procedures – and may therefore only include pertinent sections of the policy.

One or more qualified persons should be appointed and empowered to implement, test or exercise, and maintain the BCMS. Top management should conduct its own periodic reviews and audits of the overall BCMS.

Top management should demonstrate its commitment to the BCMS. It can do so by showing that it champions the BCMS; provides sufficient resources for the BCMS; and takes responsibility for creating, maintaining, testing, and implementing a comprehensive BCMS throughout the Plan, Do, Check, and Act (PDCA) cycle. These steps illustrate the priority of the BCMS to top management and signal that commitment to management and staff throughout the organization. Equally essential is that top management engage a “top down” approach to the BCMS to convey management accountability at all levels, as part of the organization’s overall governance, for effective and efficient BCM plan development, maintenance and testing.

A.4.4 Planning

A.4.4.1 Business Impact Analysis and Risk Assessment

The BIA and risk assessment provide the foundation for establishing the business continuity objectives, targets, programs, and plans. The appropriate order of conducting BIA and risk assessment depends on the approach the organization employs.

All organizations face a certain amount of uncertainty in achieving their objectives for product and service delivery. The level of acceptance is set by top management, as stated in the BCM policy. The BIA and risk assessment then provide the analytical basis for determining the appropriate risk treatment strategies to reduce the risk to within the designated level of risk acceptance.

Many methodologies exist for BIA and risk assessment. The organization should establish, implement, and maintain a formal methodology that is documented and repeatable. Assumptions, scope, evaluation criteria, and results should be clearly defined and reviewed by top management.

The BIA and risk assessment are inclusive processes taking into account the input of internal and external stakeholders. The risk and impact identification, analysis, and evaluation processes are framed within the operating environment of the organization; therefore, they should take into account:
• Internal context such as governance, organizational roles, structures, policies, processes, culture and strategies, resources capabilities and knowledge, and overall risk management strategy;
• External context such as social, environmental, geographic, political, cultural, competitive, business, financial, supply chain, interdependencies, and community; and
• Legal and other requirements.

To achieve results that accurately reflect the risk profile of the organization, data for the BIA and risk assessment should be gathered by a competently trained team. The sampling techniques for the collection of administrative, financial, technical, and physical data should be selected to assure representative samples. The BIA and risk assessment are not exact sciences; therefore, assumptions and reliability of information should be documented. All operational units of the organization within scope of the BCMS should be directly consulted during the data gathering process. Results of the BIA and risk assessment should be reported and reviewed by top management in order to establish the BCM objectives, targets, and strategies.

The organization should define the scope of the BIA and risk assessment based on:
• BCMS scope (products, services, and organizational activities);
• Customer expectations and obligations;
• Legal, regulatory, and contractual requirements;
• Risk appetite;
• Interdependencies and supply chain obligations;
• Infrastructure requirements; and
• Data/information recovery requirements.

A.4.4.1.1 Business Impact Analysis (BIA)

A.4.4.1.1.1 Process

The organization should conduct a documented BIA within the scope of its BCMS to prioritize the recovery of product, services, activities, and resources after a disruptive event. The BIA is an important part of the business continuity planning process that helps an organization identify how impacts would increase over time if its operations were disrupted. The purpose of the BIA is to:
• Identify and determine priority of business activities and the impact of a disruption;
• Estimate the maximum acceptable downtime that the organization can tolerate while still maintaining viability – enabling it to establish recovery time objectives;
• Evaluate resource requirements, activity, and external interdependencies to resume operations within the recovery timescales identified; and
• Provide the parameters for the selection of appropriate BCM strategies that can satisfy the required recovery timescales identified.

The organization should document the scope of the BIA, based on the scope of the BCMS. It should select and define the approach and methodology based on BIA objectives and management expectations, as well as the information management needs to make decisions. Typical BIA activities include:
• Confirm scope of BIA with top management;
• Identify sources of information;
• Decide on methods for data collection;
• Perform data gathering through interviews, questionnaires, or documentation;
• Analyze impact, time, and interrelationship information;
• Present recommendations and justification to management for evaluation; and
• Prepare information for use in BCM strategy development.

A.4.4.1.1.2 Assessment

If the delivery of products and services to customers is disrupted, the impacts to the organization will grow over time to a point where its viability is threatened and its survival is unlikely. Top management should establish the maximum period of time that a failure to deliver each product and service can be tolerated. This may be achieved by reviewing:
• Anticipated customer response;
• Contracts and service level agreements; and
• Regulatory requirements.

All business activities should be identified and their role and timescale in delivering products and services identified. Interdependencies, both internal and external, should be reviewed to establish activity priorities. The information gathering process may include:
• Organizational charts and structure;
• Process flow charts and observation of daily work flow;
• Interviews with department and division heads; and
• Identification of significant interrelationships internally and externally.

A.4.4.1.1.3 Impacts

This acceptable (tolerable) disruption period and the time to restore operations to normal should be based on:
• Safety implications;
• Probable financial, operational, and reputational impairment;
• Legal, regulatory, and contractual requirements;
• Stakeholder expectations and societal impacts;
• Environmental damage; and
• Long-term strategic imperatives.

The cause of the disruption is not a consideration – the disruption to supply could result from the non-availability of any of the organization’s internal resources or external services. When assessing impacts, the organization may consider how the disruption to supply of its products and services or interruption to any of its activities could result in:
a) Human cost: Potential physical and psychological harm to employees, customers, or other stakeholders.
b) Financial considerations: Lost or deferred sales/business, loss of market share, lawsuits, regulatory fines/penalties, equipment and property replacement, overtime pay, and stock devaluation.
c) Reputational impairment: Damaged reputation with customers and potential customers, diminished standing in the community, and negative press.
d) Community/societal impacts: Indirect impacts on the regional economy, reduction in the regional net economy, and losses to the tax base of local jurisdictions.
e) Environmental impacts: Degradation to the quality of the environment.

These parameters are then utilized to assist the organization in setting recovery time objectives.

A.4.4.1.1.4 Maximum Allowable Disruption and Recovery Time Objective
The maximum allowable time (or maximum tolerable period of disruption) identifies the point at which the organization’s viability is threatened if the delivery of each product and service is not resumed. Top management can then set a recovery time objective for each product and service within this maximum time, based on their assessment of the increasing impacts over time. Once these times for delivery are established, the organization should assign recovery time objectives to each organizational activity that contributes—directly or indirectly—to the delivery of the product or service based on:
• The role and timescale of each activity that supports the delivery of products and services;
• Management’s guidance regarding disruption tolerance for each activity;
• Current and future-state strategic imperatives;
• The interdependencies between activities and with external suppliers; and
• The currency of the information required to undertake each activity.

Recovery time objectives are used to prioritize recovery efforts and the use of recovery resources. Recovery point objectives are used to determine an appropriate back-up strategy for information. These terms are applicable to all disciplines and are not exclusive to information technology and data, and can be applied to other capabilities.
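The assignment described in A.4.4.1.1.4 (product RTO within MTPD, then activity RTOs derived from the activities’ roles, timescales and interdependencies) can be worked through mechanically. The following is an added example, not code or text from ASIS/BSI BCM.01-2010; it assumes each activity is described by a "lead" (hours it needs to resume once its upstream activities are available) and a "needs" list, and every product, activity name and figure in it is constructed sample data.

```python
"""Derive activity-level recovery time objectives (RTOs) from product-level
targets, as described in A.4.4.1.1.4, and order recovery accordingly.

Added example, not text or code from ASIS/BSI BCM.01-2010. Assumptions:
every product has a maximum tolerable period of disruption (MTPD) and a
management-set RTO that must fall within it; each activity has a "lead"
(hours it needs to come back once the activities it depends on are
available) and a "needs" list of upstream activities. All names and
numbers below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample data: two products and the activities behind them.
SAMPLE_PRODUCTS = {
    "online_orders":    {"mtpd": 48, "rto": 24, "needs": ["web_storefront", "payment"]},
    "customer_support": {"mtpd": 72, "rto": 48, "needs": ["call_centre"]},
}
SAMPLE_ACTIVITIES = {
    "web_storefront": {"lead": 4, "needs": ["product_db", "identity"]},
    "payment":        {"lead": 2, "needs": ["identity"]},
    "call_centre":    {"lead": 8, "needs": ["identity", "telephony"]},
    "product_db":     {"lead": 6, "needs": ["storage"]},
    "identity":       {"lead": 3, "needs": ["storage"]},
    "telephony":      {"lead": 4, "needs": []},
    "storage":        {"lead": 8, "needs": []},
}


def assign_activity_rtos(products, activities):
    """Return {activity: rto_hours}.

    An activity must be back no later than the earliest deadline of anything
    that depends on it: a product's RTO directly, or a dependent activity's
    RTO minus that activity's own lead time. Raises ValueError when a product
    RTO exceeds its MTPD, on a circular dependency, on an unknown activity,
    or when a derived RTO cannot be met given the activity's lead time.
    """
    for name, prod in products.items():
        if prod["rto"] > prod["mtpd"]:
            raise ValueError(f"{name}: RTO {prod['rto']}h exceeds MTPD {prod['mtpd']}h")

    # Reverse the dependency graph: activity -> things that depend on it.
    dependents = defaultdict(list)
    for pname, prod in products.items():
        for act in prod["needs"]:
            if act not in activities:
                raise ValueError(f"{pname} needs unknown activity {act}")
            dependents[act].append(("product", pname))
    for aname, act in activities.items():
        for upstream in act["needs"]:
            if upstream not in activities:
                raise ValueError(f"{aname} needs unknown activity {upstream}")
            dependents[upstream].append(("activity", aname))

    rto, visiting = {}, set()

    def deadline(aname):
        if aname in rto:
            return rto[aname]
        if aname in visiting:
            raise ValueError(f"circular dependency involving {aname}")
        visiting.add(aname)
        candidates = []
        for kind, dname in dependents[aname]:
            if kind == "product":
                candidates.append(products[dname]["rto"])
            else:  # a dependent activity needs its own lead time after we resume
                candidates.append(deadline(dname) - activities[dname]["lead"])
        visiting.discard(aname)
        if not candidates:
            raise ValueError(f"{aname} supports no product or activity")
        latest = min(candidates)
        if latest <= 0 or latest < activities[aname]["lead"]:
            raise ValueError(f"{aname}: derived RTO {latest}h is not achievable")
        rto[aname] = latest
        return latest

    for aname in activities:
        deadline(aname)
    return rto


def recovery_priority(rto):
    """Order activities for recovery: tightest RTO first, then by name."""
    return sorted(rto.items(), key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    derived = assign_activity_rtos(SAMPLE_PRODUCTS, SAMPLE_ACTIVITIES)
    for activity, hours in recovery_priority(derived):
        print(f"{activity:15s} RTO {hours:3d}h")
```

In the sample data the shared "storage" activity ends up with the tightest RTO (14h) even though no product names it directly, which is the interdependency effect the clause describes.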

A.4.4.1.1.5 Resources
The resource requirements of each activity should be quantified. This is usually undertaken at the same time as the BIA. These resources may include:
• Staff numbers (special skills or qualifications may be required);
• Technology and systems;
• Access to information;
• Accommodation; and
• External supplies.

The setting and quantification of recovery time objectives enables a timetable of resource recovery to be prepared. This may take into account the requirement to provide extra resources to clear backlogs or cope with anticipated extra demands following an incident.

A.4.4.1.1.6 Output
The BIA report presented to top management should clearly identify the priority of activities, significant interdependencies, and contain a summary of the BIA methodology used. It should quantify the activities for each product and service:
• Recovery time objectives and associated justification, to include:
  o Initial resumption – and capacity; and
  o Return to its defined operational capability.
For each activity (in addition):
• Identification of recovery resource requirements; and
• Recovery point objectives for information required – and associated justification.

A thorough BIA is essential for an organization to develop a suitable business continuity strategy and effective business continuity plan. Therefore, an organization’s BIA team should possess necessary knowledge and skills to conduct all BIA activities.

A.4.4.1.2 Risk Assessment
An organization should undertake a documented risk assessment in order to understand the level of risk associated with the organization’s activities, resources, obligations, and processes. The risk assessment should take an accounting of the organization’s underlying resources such as people, premises, technology, information, supplies, and stakeholders. The organization should understand the threats to these resources, the vulnerabilities of each resource, and the impact that would arise if a threat became an incident and caused a business disruption. Each organization should:
a) Choose which risk assessment method to use – but it is important that the method is suitable and appropriate to address all of the organization’s requirements. A suitable and appropriate risk assessment method should consider risks related to the organization’s activities, products, and services as well as their potential for direct or indirect impact on the organization’s operations, people, property, assets, compensation, image and reputation, profit, credit, and/or environment.
b) Use a documented quantitative or qualitative methodology to estimate the likelihood of the identified potential risks and the significance of the impacts if a disruptive incident should occur.
c) Consider its dependencies on others and others’ dependencies on the organization – including infrastructure and supply chain dependencies and obligations.
d) Evaluate the consequences of legal and other obligations that govern the organization’s activities.
e) Consider risks associated with stakeholders, contractors, suppliers, and other affected parties.
f) Analyze information on risks, and select those risks that may result in significant disruption to prioritized operations and/or those risks whose consequences are hard to determine in terms of significance.
g) Analyze and evaluate alternative risk treatments and the extent to which each risk treatment reduces risk.
h) Evaluate risks and impacts it can control and influence.
In all circumstances, top management – and, secondly, the organization – determines the degree of control it chooses to exercise as well as its strategies for risk acceptance, avoidance, management, minimization, tolerance, transfer, and/or treatment.

A.4.4.2 Business Continuity Objectives and Targets
Objectives and targets are established to meet the goals and commitments of the organization’s business continuity policy. By setting the business continuity objectives and targets, the organization can translate the policy into the action plans it describes in the business continuity strategies. The objectives and targets should be specific and measurable in order to track progress and ascertain how the BCMS is performing in improving overall organizational preparedness. Business continuity “objectives” are overriding considerations such as the rapid restoration of business operations. Business continuity “targets” are specific metrics for restoration of operations. Objectives and targets should be appropriate for the organization, based on the risk assessment and BIA. The objectives and targets should reflect what the organization does, how well it is performing, and what it wants to achieve. Appropriate levels of management should define the objectives and targets. Objectives and targets should be periodically reviewed and revised. When the objectives and targets are set, the organization should consider establishing measurable business continuity performance indicators. These indicators can be used as the basis for a business continuity performance evaluation system and can provide information on the business continuity management system and specific mitigation, response, and recovery strategies. In establishing its objectives and targets, the organization should consider factors including:
• Policy commitments;
• Alignment with strategic objectives;
• Outcomes of the business impact analysis and risk assessment;
• Risk tolerance;
• Legal and other requirements;
• Internal and external context;
• Performance criteria;
• Infrastructure requirements and interdependencies;
• Interests of stakeholders and supply chain partners;
• Technology options;
• Financial, operational, and other organizational considerations; and
• Actions, resources, and timescales needed to achieve objectives.

A.4.4.3 Business Continuity Strategies
The business continuity strategies are documented approaches to achieve the organization’s objectives and targets. Strategies should be coordinated or integrated with other organizational plans, strategies, and budgets. To ensure their success, the business continuity management strategies should define:
a) Responsibilities for achieving goals (who will do it?);
b) Means and resources for achieving goals (how to do it?); and
c) Timeframe for achieving those goals (when will it be done?).
The strategies may be subdivided to address specific elements of the organization’s operations. The organization may use several action plans as long as the key responsibilities, tactical steps, resource needs, and schedules are adequately defined in each of the documented plans. The strategies should include – where appropriate and practical – consideration of all stages of an organization’s activities related to planning, design, construction, commissioning, operation, retrofitting, production, marketing, outsourcing, and decommissioning. Strategy development may be undertaken for current activities and new activities, products, and/or services. Prevention, preparedness, and mitigation strategies should give priority to the safe removal of people and property at risk. Additional topics include:
a) Relocation, retrofitting, and provision of protective systems or equipment;
b) Information, data, document, and cyber security;
c) Establishment of threat or hazard warning and communication procedures; and
d) Redundancy or duplication of systems, essential personnel, equipment, information, operations, or materials – including those from partner organizations.
The organization should plan for incident response and recovery, taking into account the priority of activities, contractual obligations, employee and neighboring community necessities, operational continuity, and environmental remediation. Organizations have different approaches to managing crises. Regardless of the approach, there are three generic and interrelated management response steps that require pre-emptive planning and implementation in case of a disruptive incident:
1) Emergency response: The initial response to a disruptive incident usually involves the protection of people and property from immediate harm. An initial reaction by management may form part of the organization’s first response.
2) Continuity: Processes, controls, and resources are made available to ensure that the organization continues to meet its BCM objectives.
3) Recovery: Processes, resources, and capabilities of the organization are re-established to meet ongoing operational requirements. This may often include the introduction of significant organizational improvements, even to the extent of refocusing strategic or operational objectives.
Strategies should be dynamic and modified when:
• Outcomes of the risk assessment and impact analysis change;
• Objectives and targets are modified or added;
• Relevant legal requirements are introduced or changed;
• Substantial progress in achieving the objectives and targets has been made (or has not been made); or
• Products, services, processes, or facilities change or other issues arise.

Determining business continuity strategy enables the organization to evaluate a range of options. The organization may choose an appropriate response for each activity, such that it can continue to deliver activities at an acceptable level of operations and within an acceptable timeframe during and following a disruption. Strategic options should be considered for the resumption of activity. The most appropriate strategy or strategies should depend on a range of factors such as:
a) The results of the organization’s BIA and risk assessment;
b) The costs of implementing a strategy or strategies; and
c) The consequences of inaction.
Strategies might be required for the following organizational resources:
a) Staff;
b) Premises;
c) Technology;
d) Information;
e) Supplies;
f) Stakeholders; and
g) Supporting infrastructure.
In each case, the organization should minimize the likelihood of implementing a business continuity solution that might be affected by the same incident that causes the business disruption. Top management should approve documented strategies to confirm that the determination of continuity strategies has been properly undertaken, that they have addressed the likely causes and effects of disruption, and that the chosen strategies are appropriate to meet the organization’s objectives within the organization’s risk appetite. The strategies should also consider the organization’s relationships, interdependencies, and obligations with external stakeholders. These stakeholders include customers, suppliers, and outsource partners – as well as first responders, public authorities, and others in the community. The organization should establish and maintain strategies that protect and preserve the integrity of its supply chain and the delivery of products and services, including arrangements needed with customers, suppliers, outsourcing partners, and other stakeholders. In addition, interactions and coordination with first responders, public authorities, and others in the community should be determined and included in strategy development. These strategic arrangements with external stakeholders should support the achievement of business continuity objectives and be clearly defined and documented.
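The strategy-selection factors above (BIA result, cost, and the requirement that a solution not be affected by the same incident as the disruption) can be checked together. The following is an added example, not code or text from ASIS/BSI BCM.01-2010; the failure-domain attribute names, the primary resource, the candidate strategies and their costs and recovery times are all constructed sample data, and the "tolerated" set stands in for an explicit management decision to accept a shared domain.

```python
"""Screen candidate recovery strategies for common-mode failure with the
primary resource they replace (A.4.4.3), then pick the cheapest one that
meets the required RTO.

Added example, not text or code from ASIS/BSI BCM.01-2010. Assumes each
resource and strategy is described by the same failure-domain attributes,
plus a cost and a recovery time for strategies. All values are constructed.
"""

# Attributes along which a single incident could take out both primary and fallback.
FAILURE_DOMAINS = ("site", "region", "power_grid", "network_provider", "supplier")

# Constructed sample data: a primary data centre and four candidate strategies.
SAMPLE_PRIMARY = {
    "site": "dc-london-1", "region": "uk-south", "power_grid": "grid-south",
    "network_provider": "isp-x", "supplier": "colo-a",
}
SAMPLE_STRATEGIES = {
    "warm_site_same_campus": {
        "site": "dc-london-2", "region": "uk-south", "power_grid": "grid-south",
        "network_provider": "isp-x", "supplier": "colo-a",
        "recovery_hours": 4, "cost": 120},
    "second_city_colo": {
        "site": "dc-manchester-1", "region": "uk-north", "power_grid": "grid-north",
        "network_provider": "isp-x", "supplier": "colo-a",
        "recovery_hours": 12, "cost": 60},
    "cloud_region_cold": {
        "site": "cloud-eu-west-1", "region": "ireland", "power_grid": "grid-ie",
        "network_provider": "isp-y", "supplier": "cloud-b",
        "recovery_hours": 36, "cost": 30},
    "cloud_region_hot": {
        "site": "cloud-eu-west-1", "region": "ireland", "power_grid": "grid-ie",
        "network_provider": "isp-y", "supplier": "cloud-b",
        "recovery_hours": 8, "cost": 150},
}


def shared_failure_domains(primary, strategy):
    """Failure domains on which the strategy matches the primary (empty = independent)."""
    return tuple(d for d in FAILURE_DOMAINS
                 if d in primary and d in strategy and primary[d] == strategy[d])


def evaluate_strategies(primary, strategies):
    """Map each strategy name to the failure domains it shares with the primary."""
    return {name: shared_failure_domains(primary, attrs)
            for name, attrs in strategies.items()}


def choose_strategy(primary, strategies, required_rto, tolerated=()):
    """Cheapest strategy that recovers within required_rto hours and shares no
    failure domain with the primary other than those management has chosen to
    tolerate. Returns the strategy name, or None when nothing qualifies."""
    eligible = []
    for name, attrs in strategies.items():
        if attrs["recovery_hours"] > required_rto:
            continue  # cannot meet the BIA-derived objective
        shared = shared_failure_domains(primary, attrs)
        if any(d not in tolerated for d in shared):
            continue  # same incident could take out primary and fallback
        eligible.append((attrs["cost"], name))
    return min(eligible)[1] if eligible else None


if __name__ == "__main__":
    for name, shared in evaluate_strategies(SAMPLE_PRIMARY, SAMPLE_STRATEGIES).items():
        print(f"{name:22s} shares: {', '.join(shared) or 'nothing'}")
    print("24h, no tolerance :", choose_strategy(SAMPLE_PRIMARY, SAMPLE_STRATEGIES, 24))
    print("24h, tolerate ISP :", choose_strategy(SAMPLE_PRIMARY, SAMPLE_STRATEGIES, 24,
                                                  tolerated={"network_provider", "supplier"}))
```

With the sample data the cheap cold cloud option is independent but too slow, the warm site on the same campus is fast but shares four domains, so the hot cloud region is selected; explicitly tolerating a shared ISP and colocation supplier changes the answer to the second-city site, which is the kind of trade-off the standard expects top management to approve.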

A.4.5 Implementation and Operation
A.4.5.1 Resources
An organization should provide resources, capabilities, structures, and support mechanisms necessary to:
a) Achieve its business continuity policy, objectives, and targets;
b) Meet the changing requirements of the organization;
c) Communicate on business continuity management system matters, internally and externally; and
d) Provide for the ongoing operation and continual improvement of the business continuity management system to improve the organization’s business continuity performance.
Top management plays a key role by providing resources needed to implement the BCMS. The management of an organization should determine and make available appropriate resources to establish, implement, maintain, and improve the BCMS. These resources should be provided in a timely and efficient manner. When identifying the resources needed to establish, implement, and maintain the BCMS, an organization should consider:
• People and people-related resources (which may include):
  o The time necessary to perform BCMS requirements
  o Transportation logistics
  o Emergency expenses
  o Emergency Operations Centers
  o Infrastructure
  o Applications
  o Security
  o Welfare needs
• Facilities:
  o Recovery locations
• Technology:
  o Technology Services
• Methods to manage and control documentation and records
• Communications
• Information (which may include):
  o Policies
  o Work instructions
  o Financial (e.g., payroll) details
  o Supplier and stakeholder details
  o Other services documents (e.g., contracts and service level agreements)
  o Standard operating procedures
  o Internal and external contact information
  o Customer account records
  o Legal documents (e.g., contracts, insurance policies, title deeds, etc.)
• Supplies

Resources and their allocation should be reviewed periodically, and in conjunction with the management review, to ensure their adequacy. In evaluating adequacy of resources, consideration should be given to planned changes and/or new facilities, projects, or operations.

A.4.5.2 Roles, Responsibility, and Authority
A.4.5.2.1 BCMS
The successful implementation of a BCMS calls for a commitment from all persons working for the organization or on its behalf. The roles, responsibilities, and authorities of individuals should be clearly defined to ensure implementation of the BCMS, prevent misunderstandings (particularly during an incident), and avoid duplication and/or missed tasks. To demonstrate its commitment, top management should establish and communicate the organization’s BCMS policy and ensure the necessary resources for the implementation of the BCMS. Therefore, top management should designate (a) specific management representative(s) with defined responsibilities and authority for implementing the BCMS, who:
a) Champions the BCMS;
b) Ensures that the BCMS is established and implemented;
c) Reports on BCMS performance over time; and
d) Works with others to modify the BCMS as needed.
Many organizations nominate a program sponsor who is supported by a cross-functional team of executive managers with the authority to commit the organization to action. In large or more complex organizations, there may be more than one designated sponsor. In small or medium-sized enterprises, one individual may undertake these responsibilities.

A.4.5.2.2 BCM
Roles, responsibilities, and authorities should also be defined, documented, and communicated for coordination with external stakeholders. This should include interactions with contractors, partners, suppliers, public authorities, and financial institutions. The organization should define and communicate the responsibilities and authorities of all persons engaged in business continuity management regardless of their other roles in the organization. The resources provided by top management should enable the fulfillment of the roles and responsibilities assigned. The roles, responsibilities, and authorities should be reviewed when a change in the operational context of the organization occurs.

A.4.5.2.3 Team Structure
An organization should have a crisis (or incident) management team to lead incident/event response. The team should be comprised of such functions as human resources, information technology, facilities, security, legal, communications/media relations, operational activities, and other business support activities. Senior management or its representatives should provide overall team direction. Organizations should consider the attributes found in the NIMS incident command system or equivalent (see E.5). Allocate as many response and recovery teams as needed to support the organization’s crisis management team. These requirements should consider such factors as organization size and type, number of employees, location, industry/sector, and culture. Response and recovery teams should develop plans to address various aspects of potential disruptive events – such as escalation and activation, damage assessment, payroll, human resources (benefits), administrative support, process recovery, information technology recovery, and site restoration. Response and recovery plans should follow a consistent format and only include content needed during the disruptive event. Business continuity planning process information and supporting detail may be documented elsewhere in separate documents (e.g., in Standard Operating Procedures) in order to streamline plan documentation. Individuals should be recruited for membership on response and recovery teams based upon their skills, experience, and level of commitment.

A.4.5.2.4 Administrative and Financial Structures
It is necessary that the organization put in place appropriate administrative and financial structures to effectively deal with response and recovery efforts during a disruptive incident. A management structure, authorities, and responsibility delegation for decision-making – including spending limitations and responsibility for implementation – should be clearly defined.


A.4.5.3 Competence, Training, and Awareness
The organization should identify the awareness, knowledge, understanding, and skills needed by every person – and their alternate(s) – with the responsibility and authority to perform response and recovery tasks. The organization should establish training and awareness programs for internal and external stakeholders who may be affected by a disruptive incident. The organization should require that contractors working on its behalf are able to demonstrate that their employees have the requisite competence and/or appropriate training. Management should determine the level of experience, competence, and training necessary to ensure the capability of personnel having documented responsibility for carrying out specialized BCMS management activities. A training and awareness program may include:
• A consultation process with staff throughout the organization concerning the implementation of the BCM program;
• Discussion of BCM in the organization’s newsletters, briefings, induction program, or journals (including new employee orientation);
• Inclusion of BCM on relevant web pages or intranets;
• Online training modules housed in the organization’s learning management system;
• Learning from internal and external incidents through after action reports;
• BCM as an item at management team meetings;
• Exercising continuity plans at an alternative location (e.g., a recovery site);
• Visits to any designated alternative location (e.g., a recovery site);
• Conferences and classroom training; and
• First aid and other hands-on training.
All personnel should receive training to perform their individual BCMS-related responsibilities. They should receive briefs on the key components of the BCMS, as well as the response and recovery plans that affect them directly. Such training could include procedures for mitigation measures, evacuation, shelter-in-place, check-in processes to account for employees, arrangements at alternate worksites, and the handling of media inquiries by the company. Response and recovery teams should receive education and training about their responsibilities and duties, including interactions with first responders and other internal and external stakeholders. Team members should be trained at regular intervals (at least annually), and new members should be trained when they join the organization. These teams should also receive training on prevention of incidents that may escalate into crises. The organization should include relevant external stakeholders and resources in their competence, awareness, and training programs. The organization should identify and assess any differences between the competence needed to perform a business continuity activity and that possessed by the individual required to perform the activity. This difference can be rectified through additional education, training, or skills development programs, which may include the following steps:
• Identification of competence and training needs;
• Design and development of a training plan to address defined competence and training needs;
• Selection of suitable methods and materials;
• Verification of conformity with BCMS training requirements;
• Training of target groups;
• Documentation and monitoring of training received;
• Evaluation of training received against defined training needs and requirements; and
• Improvement of the training program, as needed.

A.4.5.4 Documentation
The level of detail of the documentation should be sufficient to describe the BCMS and how the parts work together. The documentation should also provide direction on where to obtain more detailed information on the operation of specific parts of the BCMS. This documentation may be integrated with documentation of other management systems implemented by the organization. It does not have to be in the form of a manual. The extent of the BCMS documentation can differ from one organization to another due to:
a) The size and type of organization and its activities, products or services;
b) The complexity of processes and their interactions; and
c) The competence of personnel.
Examples of documents include:
a) Policy, objectives, and targets;
b) Information on significant risks and impacts;
c) Procedures;
d) Process information;
e) Organizational charts;
f) Internal and external standards;
g) Site response, mitigation, emergency, and crisis plans; and
h) Records.
Any decision to document (a) procedure(s) should be based on issues such as:
a) The consequences, including those to human and physical assets and the environment, of not doing so;
b) The need to demonstrate compliance with legal and other requirements to which the organization subscribes;
c) The need to ensure that the activity is undertaken consistently;
d) The advantages of doing so, which can include:
  a) Easier implementation through communication and training;
  b) Easier maintenance and revision;
  c) Less risk of ambiguity and deviations; and
  d) Demonstrability and visibility.
e) The requirements of this Standard.
Documents originally created for purposes other than the BCMS may be used as part of this management system, and (if so used) should be referenced in the system.

A.4.5.5 Control of Documents The intent of 4.4.5 is to ensure that organizations create and maintain documents in a manner sufficient to implement the BCMS. However, the primary focus of organizations should be on the effective implementation of the BCMS and not on a complex document control system. Organizations should ensure the integrity of the documents by ensuring they are tamperproof; securely backed-up; accessible only to authorized personnel; and protected from damage, deterioration, or loss.

A.4.5.6 Developing and Implementing a Business Continuity Response
Business continuity plans and procedures provide the basis for everyone in the organization to be well informed about how the organization and those who have specific BCMS roles and responsibilities should be expected to respond to a disruptive incident. Business continuity response should ensure life safety, protect assets, and assess the impact of the disruption. BCM activities enable the organization to utilize the available resources to manage the impact of the disruption to operations and reputation. The plans and procedures should include necessary arrangements to ensure human safety and support, continuity of activities, and management of a disruptive event. Business continuity response plans and procedures should:
a) Describe the purpose, scope, and assumptions of the plans (including interdependencies);
b) Describe specific delegations of authority to the appropriate level, and adequate resource staging;
c) Describe communications protocols for:
  1. Roles, responsibilities, and authorities of first responders;
  2. Primary and backup communications technologies; and
  3. The scope of assessments (including field and local assessments) needed to effectively manage the impact of the disruption.
d) Be specific as to which team should immediately perform what tasks, and the resources required to carry out its responsibilities during a disruption; and
e) Optimize the benefits of the response implementation to the appropriate mitigation strategies.

A.4.5.6.1 Response Structure
The response structure should include provisions/threshold criteria to activate response plans, and identify who has the authority to do the activation. The response structure provides for:
a) A determination of the nature and extent of the disruptive incident to establish the scope of the response required, and define actions that might be necessary based on impact and/or potential impact;
b) A response to protect people, assets, and stakeholders’ interests;
c) Communication with stakeholders and authorities, as well as the media, using pre-established message templates; and
d) Coordination with initial responders, first responders, and government agencies.
In some organizations, certain divisions, departments, and activities are better situated to address specific aspects of incident response, continuity, and recovery. These organizations may use a tiered approach, establishing multiple teams to focus on specific aspects of managing the disruptive incident (e.g., communications and media response team). The teams should coordinate their activities to assure a seamless response, and be appropriate to the size and nature of the organization. The response structure should avoid vesting authority for the mobilization of a response in a single individual.

A.4.5.6.2 Business Continuity Plans
The organization should establish documented plans that detail how the organization should manage a disruptive event and how it should recover or maintain its activities to a predetermined level, based on management-approved recovery objectives. Each plan should define:
a) Purpose and scope;
b) Objectives and measures of success;
c) Activation criteria and procedures;
d) Implementation procedures;
e) Roles, responsibilities, and authorities;
f) Communication requirements and procedures;
g) Internal and external interdependencies and interactions;
h) Resource requirements; and
i) Information flow, documentation, and record keeping processes.
The organization should periodically test, review, and (where necessary) revise its business continuity plans—in particular, after the occurrence of the disruptive event and its associated post-event review.

A.4.5.7 Communication and Consultation
Arrangements should be made for communication and consultation internally and externally during normal and abnormal conditions. Effective communication is one of the most important ingredients in managing a disruptive incident. Commonly termed crisis communications planning, internal and external stakeholders (or the public) should be identified in order to convey alerts, warnings, and disruptive event and organizational response information. To provide the best communications and suitable messages for various groups, it may be appropriate to segment the audiences. In this way, messages may be tailored and released to specific groups such as employees, stockholders, the local community, or the media. The communication and consultation procedures and processes should consider:
• Internal communication between the various levels and activities of the organization and with partner entities;
• Receiving, documenting, and responding to relevant communications from external stakeholders (including supply chain partners);
• Proactive planning of communications with external stakeholders (including the media);
• Preemptive communication of response plans to applicable stakeholders, facilitating communication and assuring stakeholders that proper planning is in place;
• Facilitating structured communication with emergency responders; and
• Availability of the communication channels during a disruptive situation.

Organizations should also identify and establish relationships with public sector agencies, organizations, and officials responsible for intelligence, warnings, prevention, response, and recovery related to potential disruptions. Organizations should implement a procedure for receiving, documenting, and responding to relevant communications from stakeholders and interested parties. This procedure can include a dialogue with interested parties and consideration of their relevant concerns. In some circumstances, responses to concerns of interested parties may include relevant information about the risks and impacts associated with the organization’s activities and operations. These procedures should also address necessary communications with public authorities regarding emergency planning and other relevant issues.

The organization should formally plan its crisis communications strategy, taking into account the decisions made specific to relevant target groups, the appropriate messages and subjects, and the choice of means. When considering communication about hazards, threats, risks, impacts, and control procedures, organizations should take into consideration the views and information needs of all stakeholders. The organization should establish procedures to communicate and consult with internal and external stakeholders specific to its hazards, threats, risks, impacts, and control procedures. These procedures could change depending on several factors, such as the specific stakeholder group, the type of information to be communicated, the type of disruptive event and its consequences, the availability of methods of communication, and the individual circumstances of the organization. Methods for external communication can include:
• News or press releases;
• Media;
• Financial reports;
• Newsletters;
• Websites;
• Phone calls, emails, and text messages (manually delivered and/or via automated emergency notification systems);
• Phone calls;
• Voice mails; and
• Community meetings.

The organization should conduct preplanning of communication for a disruptive incident. Draft message templates, scripts, and statements can be crafted in advance for threats identified in the risk assessment, for distribution to one or more stakeholder groups identified in the BIA. Procedures to ensure that communications can be distributed on short notice should also be established. The organization should designate and publicize the name of a primary spokesperson (with back-ups identified) who should manage/disseminate crisis communications to the media and others. These individuals should receive training in media relations in preparation for a crisis, and on an ongoing basis. All information should be funneled through a single team to assure the consistency of messages. Top management should stress that all organization personnel should be informed quickly regarding where to refer calls from the media and that only authorized company spokespeople may speak to the media. In some situations, an appropriately trained site spokesperson may also be necessary. The organization’s media response strategy and relevant procedures should be documented in the crisis/incident management plan, or a separate crisis communications plan. The plan should include the following key information:
• A crisis communications strategy overview.
• The organization’s preferred interface with the media.
• A guideline or template for the drafting or updating of a statement to be provided to the media at the earliest practical opportunity following the disruptive incident.
• The most appropriate contact information for trained, competent spokespeople nominated and authorized to release information to the media if the primary spokesperson is unavailable.
• The preferred venue or the identification of an alternative suitable venue to support liaison with the media, and other stakeholder groups.
In some cases, it may be appropriate to:
• Provide supporting detail in a separate document, including holding statement content.
• Establish an appropriate number of competent, trained people to answer inquiries from the press regardless of the method the press chooses to make the inquiry (e.g., telephone, e-mail, text message, and Internet social media forums).
• Prepare in advance background material about the organization and its operations (this information should be pre-approved for release at an appropriate management level).
Response and recovery plan documentation should contain current contact details for relevant internal and external agencies, as well as for organizations and providers that might be required to support the organization.

A.4.6 Checking and Corrective Action

A.4.6.1 Monitoring and Measurement

The BCMS should provide for the analysis of data collected from monitoring and measurement to identify patterns and obtain information. Knowledge gained from this information can be used to implement corrective and preventive action. Metrics should be established to monitor and measure the effectiveness of the BCMS and identify areas for improvements to enhance preparedness. Metrics assure that the organization’s policy, objectives, and targets are achieved, as well as elucidate areas for improvement. Checking involves measurement, monitoring, and evaluation of the organization’s business continuity performance. The organization should have a systematic approach for measuring and monitoring its business continuity performance on a regular basis. In order to measure and monitor the organization’s business continuity performance, a set of performance indicators should be developed to measure both the management system and its outcomes. Measurements can be either quantitative or qualitative. Performance indicators can be management, operational, or economic indicators. Indicators should provide useful information to identify both successes and areas requiring correction or improvement.

A.4.6.2 Evaluation of Compliance and System Performance

A.4.6.2.1 Evaluation of Compliance

The organization should be able to demonstrate that it has evaluated compliance with the legal requirements. The organization should be able to demonstrate that it has evaluated compliance with the identified other requirements to which it has subscribed.

A.4.6.2.2 Exercises and Testing

Exercises are activities designed to examine the staff’s ability to effectively respond, recover, and continue to perform assigned business activities when faced with specific disruptive scenarios. The organization should use exercises and the documented results of exercises to ensure the effectiveness and readiness of the BCMS – specifically, its business continuity plans, team readiness, and facilities – to perform and validate its business continuity function. Benefits of exercising and testing include: a) Validation of planning scope, assumptions, and strategies; b) Capacity testing (e.g., the capacity of a call-in or call-out phone system); c) Increased efficiency and reduced time necessary for accomplishment of a process (e.g., using repeated drills to shorten response times); and d) Awareness and knowledge for internal and external stakeholders about the BCMS and their roles. The organization may experience changes internally and externally, thus it should conduct exercises taking into account such changes to:
• Primary or alternate facilities;
• Organization restructure;
• Assigned staff;
• Partnering relationships;
• Support systems;
• Scope of the operations; and/or
• Recovery objectives.

Exercising ensures that technology resources function as planned and that staff members are adequately trained in their use and operation. Exercising can keep response teams and employees effective in their duties, clarify their roles, and identify areas for improvement in the BCMS, its plans, and its procedures. A commitment to exercising lends credibility and authority to the BCMS.

The organization should design exercise scenarios to evaluate the continuity plans. An exercise schedule and timeline for periodically exercising the plan and its components should be established. Exercising and testing should be realistic, evaluate the capabilities and capacities of BCM, and assure the protection of people and assets involved. The scope and detail of the exercises should mature based on the organization’s experience, resources, and capabilities. Early tests may include checklists, simple exercises, and small components of the BCMS. Examples of increasing maturity of exercises include:
• Orientation: Introductory, overview or education session.
• Table top: Practical or simulated exercise presented in a narrative format.
• Functional: Walk-through or specialized exercise simulating a scenario as realistically as possible in a controlled environment.
• Full scale: Live or real-life exercise simulating a real-time, real-life scenario.

There are several roles that exercise participants may fill. All participants should understand their roles in the exercise. The exercise should involve all organizational participants defined by the scope of the exercise; where appropriate, external stakeholders may be included. As part of the exercise, a review should be scheduled with all participants to discuss issues and lessons learned. This information should be documented, and updates should be made to the plan as required. Lessons learned from exercises and tests, as well as actual incidents experienced, should be built into future exercises and test planning for the BCMS. Design of exercises and tests should be evaluated and modified as necessary. They should be dynamic, taking into account changes to the BCMS, personnel turnover, actual incidents, and results from previous exercises.

A.4.6.3 Non-conformity, Corrective Action, and Preventive Action

A.4.6.3.1 General

The organization should establish effective procedures to ensure that non-fulfillment of a requirement, planning approach, incidents, near misses, and weaknesses associated with the BCMS (its plans and procedures) are identified and communicated in a timely manner to prevent further occurrence of the situation, as well as to identify and address root causes. The procedures should enable ongoing detection, analysis, and elimination of actual and potential causes of nonconformities. An investigation should be conducted of the root cause(s) of any identified nonconformity in order to develop a corrective action plan for immediately addressing the problem to mitigate any consequences, make changes needed to correct the situation and to restore normal operations, and take steps to prevent the problem from recurring by eliminating cause(s). The nature and timing of actions should be appropriate to the scale and nature of the nonconformity and its potential consequences. A potential problem may be identified, but no actual nonconformity exists. In this case, a preventive action should be taken using a similar approach. Potential problems can be extrapolated from corrective actions for actual nonconformities, identified during the internal BCMS audit process, analysis of industry trends and events, or identified during exercise and testing. Identification of potential nonconformities can also be made part of routine responsibilities of persons aware of the importance of noting and communicating potential or actual problems. Establishing procedures for addressing actual and potential nonconformities and for taking corrective and preventive actions on an ongoing basis helps to ensure reliability and effectiveness of the BCMS. The procedures should define responsibilities, authority, and steps to be taken in planning and carrying out corrective and preventive action. Top management should ensure that corrective and preventive actions have been implemented and that there is systematic follow-up to evaluate their effectiveness. Corrective and preventive actions that result in changes to the BCMS should be reflected in the documentation, as well as trigger a revisit of the risk assessment and impact analysis related to the changes to the system to evaluate the effect on plans, procedures, and training needs. Changes should be communicated to all who need to know.

A.4.6.3.2 Corrective Action The organization should take action to eliminate the cause of nonconformities associated with the implementation and operation of the BCMS to prevent their recurrence. The documented procedures for corrective action should define requirements for: a) Identifying any nonconformities; b) Determining the causes of nonconformities; c) Evaluating the need for actions to ensure that nonconformities do not recur; d) Determining and implementing the corrective action needed; e) Recording the results of action taken; and f) Reviewing the corrective action taken and the results of that action.

A.4.6.3.3 Preventive Action

The organization should take action to prevent potential nonconformities from occurring. Preventive actions taken should be appropriate to the potential impact of nonconformities. The documented procedure for preventive action should define requirements for: a) Identifying potential nonconformities and their causes; b) Determining and implementing preventive action needed; c) Recording results of action taken; d) Reviewing preventive action taken; e) Identifying changed risks and ensuring that attention is focused on significantly changed risks; f) Ensuring that all those who need to know are informed of the non-conformity and preventive action put in place; and g) The priority of preventive actions based on results of business impact analyses and risk assessments.

A.4.6.4 Control of Records

Management system records can include, among others: a) Compliance records; b) Training records; c) Process monitoring records; d) Inspection, maintenance, and calibration records; e) Pertinent contractor and supplier records; f) Incident reports; g) Records of incident and emergency preparedness tests; h) Audit results; i) Management review results; j) External communications decision; k) Records of applicable legal requirements; l) Records of significant risk and impacts; m) Records of management systems meetings; n) Security, preparedness, response, continuity, and recovery performance information; o) Legal compliance records; p) Communications with stakeholders and interested parties; and q) Results of testing/exercises. Proper account should be taken of confidential information. Organizations should ensure the integrity of records by rendering them tamperproof; securely backed-up; accessible only to authorized personnel; and protected from damage, deterioration, or loss. The organization should consult with the appropriate legal authority within their organization to determine the appropriate period of time the documents should be retained and establish, implement, and maintain the processes to effectively do so.

NOTE: Records are not the sole source of evidence to demonstrate conformity to this Standard.

A.4.6.5 Internal Audits

It is essential to conduct internal audits of the BCMS to ensure that the BCMS is achieving its objectives, that it conforms to its planned arrangements, that it has been properly implemented and maintained, and to identify opportunities for improvement. Internal audits of the BCMS should be conducted at planned intervals to determine and provide information to top management on appropriateness and effectiveness of the BCMS, as well as to provide a basis for setting objectives for continual improvement of BCMS performance. The organization should establish an audit program (see ISO 19011 for guidance) to direct the planning and conduct of audits, and identify the audits needed to meet the program objectives. The program should be based on the nature of the organization’s activities, in terms of its risk assessment and impact analysis, the results of past audits, and other relevant factors. An internal audit program should be based on the full scope of the BCMS; however, each audit need not cover the entire system at once. Audits may be divided into smaller parts, so long as the audit program ensures that all organizational units, activities and system elements, and the full scope of the BCMS are audited in the audit program within the auditing period designated by the organization. The results of an internal BCMS audit can be provided in the form of a report and used to correct or prevent specific nonconformities and provide input to the conduct of the management review. Internal audits of the BCMS can be performed by personnel from within the organization or by external persons selected by the organization, working on its behalf. In either case, the persons conducting the audit should be competent and in a position to do so impartially and objectively. In smaller organizations, auditor independence can be demonstrated by an auditor being free from responsibility for the activity being audited.

A.4.7 Management Review

Management review provides top management with the opportunity to evaluate the continuing suitability, adequacy, and effectiveness of the BCMS. The management review should cover the scope of the BCMS, although not all elements of the BCMS need to be reviewed at once, and the review process may take place over a period of time. The management review will enable top management to address the need for changes to key BCMS elements, including:
• Policy;
• Resource allocations;
• Risk acceptance;
• Objectives and targets; and
• Business continuity strategies.

Review of the implementation and outcomes of the BCMS by top management should be regularly scheduled and evaluated. While ongoing system review is advisable, formal review should be structured, appropriately documented and scheduled on a suitable basis. Persons who are involved in implementing the BCMS and allocating its resources should be involved in the management review. In addition to the regularly scheduled management system reviews, the following factors can trigger a review and should otherwise be examined once a review is scheduled: a) Risk assessment and BIA: The BC management system should be reviewed every time a risk assessment and BIA are completed for the organization. The results of the risk assessment and BIA can be used to determine whether the BC management system continues to adequately address the risks facing the organization. b) Sector/industry trends: Major sector/industry initiatives should initiate a BC management system review. General trends and best practices in the sector/industry and in business/operational continuity planning techniques can be used for benchmarking purposes. c) Regulatory requirements: New regulatory requirements may require a review of the BC management system. d) Event experience: A review should be performed following a response to a disruptive incident, whether the response or recovery plan was activated or not. If the plan was activated, the review should take into account the history of the plan itself, how it worked, why it was activated, etc. If the plan was not activated, the review should examine why not and whether this was an appropriate decision. e) Test and exercise results: Based on test and exercise results, the BC management system should be modified as necessary. Continual improvement and BC management system maintenance should reflect changes in the risks, activities, and operation of the organization that will affect the BC management system.

The following are examples of procedures, systems, or processes that may affect the plan: a) Policy changes; b) Hazards and threat changes; c) Changes to the organization and its business processes; d) Changes in assumptions in risk assessment and BIA; e) Personnel changes (employees and contractors) and their contact information; f) Supplier and supply chain changes; g) Process and technology changes; h) Systems and application software changes; i) Lessons learned from exercising and testing; j) Lessons learned from external organizations’ disruptive events; k) Issues discovered during actual invocation of the plan; l) Changes to external environment (new businesses in area, new roads or changes to existing traffic patterns, etc.); and m) Other items noted during review of the plan and identified during the risk assessment and impact analysis.


Annex B (informative)

B COMPATIBILITY WITH OTHER MANAGEMENT SYSTEMS AND THE DHS PS-PREP STANDARDS

This Standard is aligned with ISO 9001:2008, ISO 14001:2004, ISO/IEC 27001:2005, and ISO 28000:2007 in order to support consistent and integrated implementation and operation with related management standards. One suitably designed management system can support the requirements of all these standards.

Table 1: Correspondence between this Business Continuity Management System Standard and ISO Management System Standards and the standards in the U.S. Department of Homeland Security PS-Prep Program [2]

Columns of Table 1: ASIS/BSI BCM.01-2010; ISO Standards (ISO 9001:2008, ISO 14001:2004, ISO 27001:2005, ISO 28000-2007); US-DHS PS-Prep Standards (ANSI/ASIS SPC.1-2009, BS 25999-2:2007, NFPA 1600:2010). Each block below is one row of the table, keyed by the ASIS/BSI BCM.01-2010 clause in that row.

Row: Introduction
ASIS/BSI BCM.01-2010: Introduction; 0.1 General; 0.2 Plan-Do-Check-Act Cycle
ISO 9001:2008: 0 Introduction; 0.1 General; 0.2 Process approach; 0.3 Relationship with ISO 9004; 0.4 Compatibility with other management systems
ISO 14001:2004: 0 Introduction
ISO 27001:2005: 0 Introduction; 0.1 General; 0.2 Process approach; 0.3 Compatibility with other management systems
ISO 28000-2007: Introduction
ANSI/ASIS SPC.1-2009: 0 Introduction; 0.1 General; 0.2 Process approach
BS 25999-2:2007: Introduction
NFPA 1600:2010: (none listed)

Row: 1 Scope of Standard
ASIS/BSI BCM.01-2010: 1 Scope of Standard
ISO 9001:2008: 1 Scope; 1.1 General; 1.2 Application
ISO 14001:2004: 1 Scope
ISO 27001:2005: 1 Scope; 1.1 General; 1.2 Application
ISO 28000-2007: 1 Scope
ANSI/ASIS SPC.1-2009: 1 Scope
BS 25999-2:2007: 1 Scope
NFPA 1600:2010: 1 Administration; 1.1 Scope; 1.2 Purpose; 1.3 Application

Row: 2 Normative reference
ASIS/BSI BCM.01-2010: 2 Normative reference
ISO 9001:2008: 2 Normative reference
ISO 14001:2004: 2 Normative reference
ISO 27001:2005: 2 Normative references
ISO 28000-2007: 2 Normative references
ANSI/ASIS SPC.1-2009: 2 Normative references
BS 25999-2:2007: (none listed)
NFPA 1600:2010: 2 Referenced Publications

Row: 3 Terms and definitions
ASIS/BSI BCM.01-2010: 3 Terms and definitions
ISO 9001:2008: 3 Terms and definitions
ISO 14001:2004: 3 Terms and definitions
ISO 27001:2005: 3 Terms and definitions
ISO 28000-2007: 3 Terms and definitions
ANSI/ASIS SPC.1-2009: 3 Terms and definitions
BS 25999-2:2007: 2 Terms and definitions
NFPA 1600:2010: 3 Definitions

[2] U.S. Department of Homeland Security Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep) information is available at <http://www.fema.gov/privatesector/preparedness>.

Row: 4 Business continuity management system requirements
ASIS/BSI BCM.01-2010: 4 Business continuity management system requirements; 4.1 General Requirements; 4.2 Establishing the context; 4.3 Policy and management commitment
ISO 9001:2008: 4 Quality management system; 4.1 General requirements; 5 Management responsibility; 5.1 Management commitment; 5.2 Customer focus; 5.3 Quality policy; 5.4 Planning; 5.5 Responsibility, authority and communication
ISO 14001:2004: 4 Environmental management system requirements; 4.1 General requirements; 4.2 Environmental policy
ISO 27001:2005: 4 Information security management system (ISMS); 4.1 General requirements; 4.2 Establishing and managing the ISMS; 4.2.1 Establish the ISMS; 4.2.2 Implement and operate the ISMS; 4.2.3 Monitor and review the ISMS; 4.2.4 Maintain and improve the ISMS; 5 Management responsibility; 5.1 Management commitment
ISO 28000-2007: 4 Security management system elements; 4.1 General requirements; 4.2 Security management policy
ANSI/ASIS SPC.1-2009: 4 Organizational resilience (OR) management system requirements; 4.1 General requirements; 4.1.1 Scope of OR management system; 4.2 Organizational resilience (OR) management policy; 4.2.1 Policy statement; 4.2.2 Management commitment
BS 25999-2:2007: 3 Planning the business continuity management system; 3.1 General; 3.2 Establishing and managing the BCMS; 3.2.1 Scope and objectives of BCMS; 3.2.2 BCM policy; 3.2.3 Provision of resources; 3.2.4 Competency of BCM personnel
NFPA 1600:2010: 4. Program Management; 4.1 Leadership and commitment; 4.2 Program coordinator; 4.3 Program committee; 4.4 Program administration; 4.5 Laws and authorities; 4.6 Performance objectives; 4.7 Finance and administration; 4.8 Records management

Row: 4.4 Planning
ASIS/BSI BCM.01-2010: 4.4 Planning; 4.4.1 Business impact analysis and risk assessment; 4.4.1.1 Business impact analysis; 4.4.1.2 Risk assessment; 4.4.2 Business continuity objectives and targets; 4.4.3 Business continuity strategies
ISO 9001:2008: 7 Product realization; 7.1 Planning of product realization; 7.2 Customer-related processes; 7.2.1 Determination of requirements related to the product; 7.2.2 Review of requirements related to the product
ISO 14001:2004: 4.3 Planning; 4.3.1 Environmental aspects; 4.3.2 Legal and other requirements; 4.3.3 Objectives, targets and program(s)
ISO 27001:2005: 4.2 Establishing and managing the ISMS; 4.2.1 Establish the ISMS; 4.2.2 Implement and operate the ISMS
ISO 28000-2007: 4.3 Security risk assessment and planning; 4.3.1 Security risk assessment; 4.3.2 Legal, statutory and other security regulatory requirements; 4.3.3 Security management objectives; 4.3.4 Security management targets; 4.3.5 Security management programmes
ANSI/ASIS SPC.1-2009: 4.3 Planning; 4.3.1 Risk assessment and impact analysis; 4.3.2 Legal and other requirements; 4.3.3 Objectives, targets, and program(s)
BS 25999-2:2007: 4 Implementation and operation of the BCMS; 4.1 Understanding the organization; 4.1.1 Business impact analysis; 4.1.2 Risk assessment; 4.1.3 Determining choices; Determining business continuity strategy
NFPA 1600:2010: 5. Planning; 5.1 Planning process; 5.2 Common plan requirements; 5.3 Planning and design; 5.4 Risk assessment; 5.5 Business impact analysis; 5.6 Prevention; 5.7 Mitigation

Row: 4.5 Implementation and operation
ASIS/BSI BCM.01-2010: 4.5 Implementation and operation; 4.5.1 Resources; 4.5.2 Roles, responsibility and authority; 4.5.3 Competence, training and awareness; 4.5.4 Documentation; 4.5.5 Control of documents; 4.5.6 Developing and implementing a business continuity response; 4.5.6.1 Response structure; 4.5.6.2 Business continuity plans; 4.5.7 Communication and notification
ISO 9001:2008: 6 Resource management; 6.1 Provision of resources; 6.2 Human resources; 6.2.2 Competence, training and awareness; 6.3 Infrastructure; 6.4 Work environment; 7.2.3 Customer communication; 4.2 Documentation requirements; 4.2.1 General; 4.2.2 Quality manual; 4.2.3 Control of documents; 7.3 Design and development; 7.4 Purchasing; 7.5 Product and service provision
ISO 14001:2004: 4.4 Implementation and operation; 4.4.1 Resources, roles, responsibility and authority; 4.4.2 Competence, training and awareness; 4.4.3 Communication; 4.4.4 Documentation; 4.4.5 Control of documents; 4.4.6 Operational control; 4.4.7 Emergency preparedness and response
ISO 27001:2005: 4.3 Documentation requirements; 4.3.1 General; 4.3.2 Control of documents; 5.2 Resource management; 5.2.1 Provision of resources; 5.2.2 Training, awareness and competence
ISO 28000-2007: 4.4 Implementation and operation; 4.4.1 Structure, authority and responsibilities for security management; 4.4.2 Competence, training and awareness; 4.4.3 Communication; 4.4.4 Documentation; 4.4.5 Document and data control; 4.4.6 Operational control; 4.4.7 Emergency preparedness, response and security recovery
ANSI/ASIS SPC.1-2009: 4.4 Implementation and operation; 4.4.1 Resources, roles, responsibility, and authority; 4.4.2 Competence, training, and awareness; 4.4.3 Communication and warning; 4.4.4 Documentation; 4.4.5 Control of documents; 4.4.6 Operational control; 4.4.7 Incident prevention, preparedness, and response
BS 25999-2:2007: 4.3 Developing and implementing a BCM response; 4.3.1 General; 4.3.2 Incident response structure; 4.3.3 Business continuity plans and incident management plans; 3.2.4 Competency of BCM personnel; 3.3 Embedding BCM in the organization’s culture; 3.4 BCMS documentation and records; 3.4.2 Control of BCMS records; 3.4.3 Control of BCMS documentation
NFPA 1600:2010: 6. Implementation; 6.1 Resource management; 6.2 Mutual aid / assistance; 6.3 Communications and warning; 6.4 Operational procedures; 6.5 Emergency response; 6.6 Employee assistance and support; 6.7 Business continuity and recovery; 6.8 Crisis communication and public information; 6.9 Incident management; 6.10 Emergency operations centers (EOCs); 6.11 Training and education

Row: 4.6 Checking and corrective action
ASIS/BSI BCM.01-2010: 4.6 Checking and corrective action; 4.6.1 Monitoring and measurement; 4.6.2 Evaluation of conformance and system performance; 4.6.2.1 Evaluation of conformance; 4.6.2.2 Exercises and testing; 4.6.3 Nonconformity, corrective action and preventive action; 4.6.4 Control of records; 4.6.5 Internal audits
ISO 9001:2008: 8 Measurement, monitoring and improvement; 8.1 General; 8.2 Monitoring and measurement; 8.2.2 Internal audit; 8.2.3 Monitoring and measurement of processes; 8.2.4 Monitoring and measurement of product; 8.3 Control of nonconforming product; 8.5.3 Corrective actions; 8.5.3 Preventive actions; 4.2.4 Control of records; 8.4 Analysis of data
ISO 14001:2004: 4.5 Checking; 4.5.1 Monitoring and measurement; 4.5.2 Evaluation of compliance; 4.5.3 Nonconformity, corrective action and preventive action; 4.5.4 Control of records; 4.5.5 Internal audits
ISO 27001:2005: 4.2.3 Monitor and review the ISMS; 8.2 Corrective action; 8.3 Preventive action; 4.3.3 Control of records; 6 Internal ISMS audits
ISO 28000-2007: 4.5 Checking and corrective action; 4.5.1 Security performance measurement and monitoring; 4.5.2 System evaluation; 4.5.3 Security-related failures, incidents, nonconformances and corrective and preventive action; 4.5.4 Control of records; 4.5.5 Audit
ANSI/ASIS SPC.1-2009: 4.5 Checking (evaluation); 4.5.1 Monitoring and measurement; 4.5.2 Evaluation of compliance and system performance; 4.5.2.1 Evaluation of compliance; 4.5.2.2 Exercises and testing; 4.5.3 Nonconformity, corrective action, and preventive action; 4.5.4 Control of records; 4.5.5 Internal audits
BS 25999-2:2007: 4.4 Exercising, maintaining and reviewing BCM arrangements; 4.4.1 General; 4.4.2 BCM exercising; 4.4.3 Maintaining and reviewing BCM arrangements; 5 Monitoring and reviewing BCMS; 5.1 Internal audit; 6 Maintaining and improving the BCMS; 6.1 Preventive and corrective actions
NFPA 1600:2010: 7. Testing and Exercises; 7.1 Entity evaluation; 7.2 Exercise evaluation; 7.3 Methodology; 7.4 Frequency; 7.5 Exercise design

Row: 4.7 Management review
ASIS/BSI BCM.01-2010: 4.7 Management review; 4.7.1 General; 4.7.2 Review input; 4.7.3 Review output; 4.7.4 Opportunities for improvement
ISO 9001:2008: 5.6 Management review; 8.5 Improvement; 8.5.1 Continual improvement
ISO 14001:2004: 4.6 Management review
ISO 27001:2005: 7 Management review of the ISMS; 7.1 General; 7.2 Review input; 7.3 Review output; 4.2.4 Maintain and improve; 8 ISMS improvement; 8.1 Continual improvement of the ISMS
ISO 28000-2007: 4.6 Management review and continual improvement
ANSI/ASIS SPC.1-2009: 4.6 Management review; 4.6.1 General; 4.6.2 Review input; 4.6.3 Review output; 4.6.4 Maintenance; 4.6.5 Continual improvement
BS 25999-2:2007: 5.2 Management review of the BCMS; 5.2.1 General; 5.2.2 Review Input; 5.2.3 Review output; 6.2 Continual improvement
NFPA 1600:2010: 8. Program Improvement; 8.1 Program reviews; 8.2 Corrective action

Row: Annexes
ASIS/BSI BCM.01-2010: Annex A Guidance on the use of this Standard; Annex B Compatibility with other management system standards and PS-Prep standards; C Terminology convention; D Glossary; E Bibliography
ISO 9001:2008: Annex A Correspondence between ISO 9001:2000 and ISO 14001:2004; Annex B Changes between ISO 9001:2000 and ISO 9001:2008
ISO 14001:2004: Annex A Guidance on the use of this International Standard; Annex B Correspondence between ISO 14001:2004 and ISO 9001:2000
ISO 27001:2005: Annex A Control objectives and controls; Annex B OECD principles and this International Standard; Annex C Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard
ISO 28000-2007: (none listed)
ANSI/ASIS SPC.1-2009: Annex A Guidance on the use of the standard; Annex B Compatibility with other management systems; Annex C Terminology conventions; Annex D Glossary; Annex E Qualifications; Annex F Bibliography
BS 25999-2:2007: Annex A Correspondence with BS EN ISO 9001:2000, BS EN ISO 14001:2004, BS ISO/IEC 27001:2005
NFPA 1600:2010: Annex A Explanatory material; Annex B Program development resources; Annex C Self assessment for conformity with NFPA 1600, 2010 edition; Annex D Management system guidelines; Annex E Informational references

Row: Type of standard
ASIS/BSI BCM.01-2010: Management System Standard
ISO 9001:2008: Management System Standard
ISO 14001:2004: Management System Standard
ISO 27001:2005: Management System Standard
ISO 28000-2007: Management System Standard
ANSI/ASIS SPC.1-2009: Management System Standard
BS 25999-2:2007: Management System Standard
NFPA 1600:2010: Program Management Standard


Annex C (informative)

C TERMINOLOGY CONVENTIONS

The terminology conventions in Table 2 are in accordance with ISO/IEC Directives Part 2: Rules for the structure and drafting of International Standards, Annex H, Verbal forms for the expression of provisions, 2004.

Table 2: Verbal forms for the expression of provisions (verbal form, followed by its usage according to ISO/IEC Directives Part 2: Rules for the structure and drafting of International Standards)

shall – Auditable requirements of a document – “used to indicate requirements strictly to be followed in order to conform to the document and from which no deviation is permitted.”

should – Recommendations – “used to indicate that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is deprecated but not prohibited.”

may – Permission – “used to indicate a course of action permissible within the limits of the document.”

can – Possibility and capability – “used for statements of possibility and capability, whether material, physical, or causal.”


Annex D (normative)

D GLOSSARY For the purposes of this standard, the following terms and definitions apply:

D.1

Term

Definition

activity

process or set of processes undertaken by an organization (or on its behalf) that produces or supports one or more products or services. NOTE: Examples of such processes include accounting, call center, information services, manufacturing, distribution, and other services.

D.2

asset

anything that has value to the organization. [ISO/IEC 133351:2004]

D.3

audit

systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. [ISO 9000:2005] NOTE 1: Internal audits—sometimes called first-party audits—are conducted by, or on behalf of, the organization itself for management review and other internal purposes, and may form the basis for an organization’s declaration of conformity. In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited. NOTE 2: External audits include those generally termed second- and third-party audits. Second-party audits are conducted by parties having an interest in the organization, such as customers, or by other persons on their behalf. Third-party audits are conducted by external, independent auditing organizations, such as those providing certification/registration of conformity to a standard. NOTE 3: When two or more management systems are audited together, this is termed a combined audit. NOTE 4: When two or more auditing organizations cooperate to audit a single auditee, this is termed a joint audit.

D.4 auditor

person with competence to conduct an audit. [ISO 9001:2000]

D.5 business continuity

strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. [BSI 25999-2:2007] NOTE: Business continuity involves designing, implementing, and maintaining strategies to ensure the availability of business processes, personnel, equipment, suppliers, and technology assets in accordance with management approved objectives.


D.6 business continuity management (BCM)

holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats—if realized—might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities. [BSI 25999-2:2007] NOTE: Business continuity management involves managing the recovery or continuation of business activities in the event of a business disruption, and management of the overall program through training, exercises, and reviews to ensure the business continuity plan(s) stays current and up-to-date.

D.7 business continuity management system (BCMS)

that part of the overall management system that establishes, implements, operates, monitors, reviews, maintains, and improves business continuity. [BSI 25999-2:2007] NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes, and resources.

D.8 business continuity plan (BCP)

documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefined level. [BSI 25999-2:2007]

D.9 conformity

fulfillment of a requirement.

D.10 consequence

outcome of an event. [ISO/IEC Guide 73] NOTE 1: There can be more than one consequence from one event. NOTE 2: Consequences can range from positive to negative. NOTE 3: Consequences can be expressed qualitatively or quantitatively.

D.11 continual improvement

recurring process of enhancing the business continuity management system in order to achieve improvements in overall business continuity management performance consistent with the organization’s business continuity management policy. NOTE: The process need not take place in all areas of activity simultaneously.

D.12 corrective action

action to eliminate the cause of a detected non-conformity (3.6.2) or other undesirable situation. [ISO 9000:2005] NOTE 1: There can be more than one cause for a non-conformity. NOTE 2: Corrective action is taken to prevent recurrence whereas preventive action is taken to prevent occurrence.

D.13 crisis management team (CMT)

a group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision-makers trained in incident management and prepared to respond to any situation. NOTE: Members of the CMT should be knowledgeable of the business, authorized to identify a disruptive situation, communicate appropriately, and deploy the necessary resources (human and physical) to control the disruptive event to assure the safety and security of human and physical assets.

D.14 disruption

an event that interrupts normal business, activities, operations, or processes, whether anticipated (e.g., hurricane, political unrest) or unanticipated (e.g., a blackout, terror attack, technology failure, or earthquake). NOTE: A disruption can be caused by either positive or negative factors that will disrupt normal activities, operations, or processes.

D.15 document

information and its supporting medium. [ISO 9000:2005] NOTE: The medium can be paper, magnetic, electronic or optical computer disc, photography, or master sample, or a combination thereof.

D.16 downtime

period of time when something is not in operation. NOTE: The allowable period of downtime is determined by the organization’s obligations (e.g., customer and regulatory requirements).

D.17 event

occurrence or change of a particular set of circumstances. [ISO/IEC Guide 73] NOTE 1: The nature, likelihood, and consequence of an event cannot be fully knowable. NOTE 2: An event can be one or more occurrences, and can have several causes. NOTE 3: Likelihood associated with the event can be determined. NOTE 4: An event can consist of a non-occurrence of one or more circumstances. NOTE 5: An event with a consequence is sometimes referred to as “incident”.

D.18 exercise

planned rehearsal of a possible incident designed to evaluate an organization’s capability to manage that incident and to provide an opportunity to improve the organization’s future responses and enhance the relevant competences of those involved.

D.19 facility (infrastructure)

plant, machinery, equipment, property, buildings, vehicles, information systems, transportation facilities, and other items of infrastructure or plant and related systems that have a distinct and quantifiable function or service.

D.20 first responder

a member of an emergency service who is first on the scene at a disruptive incident. NOTE 1: Emergency services include any public or private service that deals with disruptions, such as the initial responding law enforcement officers, other public safety officials, emergency medical personnel, rescuers and/or other emergency response service providers.

D.21 impact

evaluated consequence of a particular outcome. [ISO/PAS 22399:2007]

D.22 impact analysis

process of analyzing all operational activities and the effect that an operational interruption might have upon them. NOTE: Impact analysis includes Business Impact Analysis—the identification of business assets, activities, processes, and resources as well as an evaluation of the potential damage or loss that may be caused to the organization resulting from a disruption (or a change in the business or operating environment). Impact analysis identifies:
1) how the loss or damage will manifest itself;
2) the degree of potential escalation of damage or loss with time following an incident;
3) the minimum services and resources (human, physical, and financial) needed to enable business processes to continue to operate at a minimum acceptable level; and
4) the timeframe and extent within which the activities and services of the organization should be recovered.

D.23 incident

event that has the capacity to lead to human, intangible, or physical loss or a disruption of an organization’s operations, services, or activities – which, if not managed, can escalate into an emergency, crisis, or disaster.

D.24 integrity

the property of safeguarding the accuracy and completeness of assets. [ISO/IEC 13335-1:2004]

D.25 internal audit

systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the management system audit criteria set by the organization are fulfilled. [ISO 14001:2004] NOTE: In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited.

D.26 loss

negative consequence. [BSI 25999-2:2007]

D.27 management system

system to establish policy and objectives and to achieve those objectives. [ISO 9000:2005] NOTE: A management system of an organization can include different management systems, such as a business continuity management system, quality management system, a financial management system, and/or an environmental management system.

D.28 mitigation

limitation of any negative consequence of a particular incident. [ISO/PAS 22399:2007]

D.29 non-conformity

non-fulfillment of a requirement. [ISO 9000:2005]


D.30 objective

overall goal, consistent with the policy that an organization sets itself to achieve. [ISO 14001:2004]

D.31 organization

group of people and facilities with an arrangement of responsibilities, authorities, and relationships (e.g., company, corporation, firm, enterprise, institution, charity, sole trader, association, or parts or combination thereof). [ISO 9000:2005] NOTE 1: The arrangement is generally orderly. NOTE 2: An organization can be public, private, faith-based, or not-for-profit.

D.32 policy

overall intentions and direction of an organization as formally expressed by top management. [ISO 9000:2005] NOTE 1: Generally, the business continuity policy is consistent with the overall policy of the organization and provides a framework for the setting of business continuity objectives. NOTE 2: Business continuity management principles presented in this Standard can form a basis for the establishment of a business continuity policy.

D.33 preparedness (readiness)

activities, programs, and systems developed and implemented prior to an incident that may be used to support and enhance mitigation of, response to, and recovery from disruptions.

D.34 prevention

measures that enable an organization to avoid, preclude, or limit the impact of a disruption. [ISO/PAS 22399:2007]

D.35 preventive action

action to eliminate the cause of a potential non-conformity (see 3.6.2) or other undesirable potential situation. [ISO 9000:2005] NOTE 1: There can be more than one cause for a potential non-conformity. NOTE 2: Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.

D.36 procedure

specified way to carry out an activity. [ISO 9000:2005] NOTE: Procedures can be documented or not.

D.37 process

set of interrelated or interacting activities which transforms inputs into outputs. [ISO 9000:2005] NOTE 1: Inputs to a process are generally outputs of other processes. NOTE 2: Processes in an organization are generally planned and carried out under controlled conditions to add value.

D.38 product

result of a process. [ISO 9000:2005] NOTE 1: There are four generic product categories, as follows:
• Services;
• Software;
• Hardware; and
• Processed materials.
Many products comprise elements belonging to different generic product categories. Whether the product is then called service, software, hardware, or processed material depends on the dominant element. NOTE 2: Service is the result of at least one activity necessarily performed at the interface between the supplier and customer and is generally intangible. Provision of a service can involve, for example, the following:
• An activity performed on a customer-supplied tangible product;
• An activity performed on a customer-supplied intangible product;
• The delivery of an intangible product; or
• The creation of ambience for the customer.

D.39 recovery time objective

period of time after which it is planned to recover each activity and its resources to an acceptable capability after a disruptive event. This may be a simple resumption of full service or a phased return over a period.

D.40 recovery point objective

point in time to which data, or the capacity of a process, can be restored in a known, valid, and integral state. This should be less than the maximum amount of loss tolerance and may be defined in hours or days.
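The two objectives above (D.39 recovery time objective and D.40 recovery point objective) are usually verified against the evidence an exercise or a real incident produces: how long the activity was down, and how old the newest usable backup was when the disruption struck. The following is an added example, not code from the standard or from ASIS/BSI; every activity name, time value and objective in it is constructed for illustration. It also derives the longest backup interval that keeps worst-case data loss inside the RPO, under the stated assumption that the restore point is the backup's start time.

```python
# Added example: checking recovery evidence against RTO (D.39) and RPO (D.40).
# All names, sample activities, times and objectives below are constructed for
# illustration; they are not taken from the standard.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class RecoveryObjective:
    activity: str
    rto: timedelta  # time within which the activity must be back at acceptable capability
    rpo: timedelta  # maximum tolerable age of the restore point (data loss window)


@dataclass(frozen=True)
class RecoveryEvidence:
    activity: str
    backups_completed: Tuple[datetime, ...]  # completion times of known-good backups
    incident_at: datetime
    restored_at: datetime  # when the activity was back at the agreed level


def data_loss_window(backups_completed, incident_at) -> Optional[timedelta]:
    """Age of the newest known-good backup at the moment of the incident.

    Backups completed after the incident cannot serve as restore points for it.
    Returns None when no usable backup exists, which is itself a finding.
    """
    prior = [t for t in backups_completed if t <= incident_at]
    if not prior:
        return None
    return incident_at - max(prior)


def evaluate(objective: RecoveryObjective, evidence: RecoveryEvidence) -> dict:
    """Compare what happened (or what an exercise produced) with the objectives."""
    outage = evidence.restored_at - evidence.incident_at
    loss = data_loss_window(evidence.backups_completed, evidence.incident_at)
    return {
        "activity": objective.activity,
        "outage": outage,
        "rto_met": outage <= objective.rto,
        "data_loss": loss,
        "rpo_met": loss is not None and loss <= objective.rpo,
    }


def non_conformities(objectives, evidence_list):
    """Names of activities whose RTO or RPO was not met, in evidence order."""
    failed = []
    for ev in evidence_list:
        finding = evaluate(objectives[ev.activity], ev)
        if not (finding["rto_met"] and finding["rpo_met"]):
            failed.append(ev.activity)
    return failed


def max_backup_interval(rpo: timedelta, backup_duration: timedelta) -> timedelta:
    """Longest interval between backup starts that keeps worst-case loss within the RPO.

    Assumes the restore point is the backup's start time. In the worst case the
    incident strikes just before the in-flight backup completes, so the newest
    usable restore point is one full interval plus one backup duration old.
    """
    interval = rpo - backup_duration
    if interval <= timedelta(0):
        raise ValueError("backup duration alone already exceeds the RPO")
    return interval


# Constructed sample: three activities and the evidence from one exercise.
SAMPLE_OBJECTIVES = {
    "order processing": RecoveryObjective("order processing", rto=timedelta(hours=4), rpo=timedelta(hours=1)),
    "payroll": RecoveryObjective("payroll", rto=timedelta(hours=8), rpo=timedelta(hours=24)),
    "email": RecoveryObjective("email", rto=timedelta(hours=2), rpo=timedelta(hours=4)),
}

SAMPLE_EVIDENCE = [
    RecoveryEvidence("order processing",
                     (datetime(2024, 6, 2, 8), datetime(2024, 6, 2, 9), datetime(2024, 6, 2, 10)),
                     incident_at=datetime(2024, 6, 2, 10, 20), restored_at=datetime(2024, 6, 2, 13)),
    # nightly backup was missed the night before the incident: 37 h old restore point
    RecoveryEvidence("payroll", (datetime(2024, 6, 1, 2),),
                     incident_at=datetime(2024, 6, 2, 15), restored_at=datetime(2024, 6, 2, 20)),
    # recovered with fresh data but 1.5 h past the RTO
    RecoveryEvidence("email", (datetime(2024, 6, 2, 9),),
                     incident_at=datetime(2024, 6, 2, 10), restored_at=datetime(2024, 6, 2, 13, 30)),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVIDENCE:
        print(evaluate(SAMPLE_OBJECTIVES[ev.activity], ev))
    print("non-conformities:", non_conformities(SAMPLE_OBJECTIVES, SAMPLE_EVIDENCE))
    print("max backup interval for 1 h RPO with 10 min backups:",
          max_backup_interval(timedelta(hours=1), timedelta(minutes=10)))
```

Run as a script it reports payroll (RPO missed: the only usable backup is 37 hours old) and email (RTO missed: 3.5 hours of outage against a 2 hour objective) as non-conformities, and shows that a 1 hour RPO with 10 minute backups allows at most a 50 minute backup interval. A `None` data-loss window is treated as an RPO failure on purpose: no usable restore point is worse than an old one.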

D.41 record

document stating results achieved or providing evidence of activities performed. [ISO 9000:2005] NOTE 1: For example, records can be used to document traceability and to provide evidence of verification, preventive action, and corrective action. NOTE 2: Generally records need not be under revision control.

D.42 resources

all assets, people, skills, information, technology (including plant and equipment), premises, and supplies and information (whether electronic or not) that an organization has to have available to use, when needed, in order to operate and meet its objectives. [BSI 25999-2:2007]

D.43 risk

combination of the probability of an event and its consequence. [ISO/IEC Guide 73] NOTE 1: The term “risk” is generally used only when there is at least the possibility of negative consequences. NOTE 2: In some situations, risk arises from the possibility of deviation from the expected outcome or event. NOTE 3: See ISO/IEC Guide 51 for issues related to safety.

D.44 risk acceptance

informed decision to take a particular risk. [ISO/IEC Guide 73] NOTE 1: Risk acceptance can occur without risk treatment or during the process of risk treatment. NOTE 2: Risk acceptance can also be a process. NOTE 3: Risks accepted are subject to monitoring and review.

D.45 risk appetite

amount and type of risk that an organization is prepared to pursue, retain, or take.

D.46 risk assessment

overall process of risk identification, risk analysis, and risk evaluation. [ISO/IEC Guide 73] NOTE: Risk assessment involves the process of identifying internal and external threats and vulnerabilities, identifying the probability and impact of an event arising from such threats or vulnerabilities, defining critical activities necessary to continue the organization’s operations, defining the controls in place necessary to reduce exposure, and evaluating the cost of such controls.

D.47 risk management

coordinated activities to direct and control an organization with regard to risk. [ISO/IEC Guide 73] NOTE: Risk management generally includes risk assessment, risk treatment, risk acceptance, and risk communication.

D.48 risk treatment

process of selection and implementation of measures to modify risk. [ISO/IEC Guide 73] NOTE 1: The term “risk treatment” is sometimes used for the measures themselves. NOTE 2: Risk treatment measures can include avoiding, optimizing, transferring, or retaining risk.

D.49 safety

freedom from danger, risk, or injury.

D.50 stakeholder (interested party)

person or group having an interest in the performance or success of an organization. [ISO/PAS 22399:2007] NOTE: The term includes persons and groups with an interest in an organization, its activities and its achievements—e.g., customers, partners, persons working for or on behalf of the organization, shareholders, owners, the local community, first responders, government, and regulators.

D.51 supply chain

the linked set of resources and processes that begins with the acquisition of raw material and extends through the delivery of products or services to the end user across the modes of transport. The supply chain may include suppliers, vendors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.


D.52 target

detailed performance requirement applicable to the organization (or parts thereof) that arises from the objectives and that needs to be set and met in order to achieve those objectives. [ISO 14001:2004]

D.53 testing

evaluation of a resource to validate the achievement of objectives and aims. See exercise.

D.54 threat

potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community.

D.55 top management

person or group of people who directs and controls an organization (see 3.3.1) at the highest level. [ISO 9000:2005] NOTE: Top management, especially in a large multinational organization, might not be directly involved; however, top management accountability through the chain of command is manifest. In a small organization, top management might be the owner or sole proprietor.


Annex E (informative)

E BIBLIOGRAPHY

E.1 ASIS International Publications (footnote 3)
[1] Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery, 2005.

E.2 BSI Publications (footnote 4)
[1] BS 25999-1: 2006, Business Continuity Management – Part 1: Code of Practice.
[2] BS 25999-2: 2007, Business Continuity Management – Part 2: Specification.

E.3 ISO Standards Publications (footnote 1)
[1] ISO 9001:2008, Quality management systems — Requirements.
[2] ISO 14001:2004, Environmental management systems — Requirements with guidance for use.
[3] ISO/IEC TR 18044:2004, Information technology — Security techniques — Information security incident management.
[4] ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing.
[5] ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements.
[6] ISO 28000:2007, Specification for security management systems for the supply chain.
[7] ISO/PAS 22399:2007, Societal Security – Guidelines for incident preparedness and operational continuity management.
[8] ISO/IEC Guide 73:2002, Risk management — Vocabulary — Guidelines for use in standards.

E.4 National Standards Publications
[1] ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness and Continuity Management Systems – Requirements with Guidance for Use. (footnote 3)
[2] NFPA 1600: 2010, Standard on Disaster/Emergency Management and Business Continuity Programs. (footnote 5)

Footnote 1: These documents are available at <http://iso.org>.
Footnote 3: This document is available at <https://www.asisonline.org/guidelines/published.htm>.
Footnote 4: These documents are available at <http://shop.bsigroup.com/>.
Footnote 5: This document is available from the National Fire Protection Association (NFPA) <http://www.nfpa.org>.


E.5 Other Referenced Publications
[1] National Incident Management System (NIMS): 2008, US Department of Homeland Security. (footnote 6)

Footnote 6: This document is available at <http://www.fema.gov/pdf/emergency/nims/NIMS_core.pdf>.
