A training course entitled "Business continuity in the banking sector in accordance with ISO22301" for the period from 23-2019 to 6/27

May 26, 2019

To the government / private banks and the financial transfer companies ( continuity of business in the banking sector in accordance with international standards ISO22301 ) ... Click here to view

https://cbi.iq/static/uploads/up/file-155885908752324.pdf

https://cbi.iq/news/view/1117

[size=42]Continuity of activities - ISO 22301 when everything goes very badly[/size]







Emergency planning and disaster recovery activities were initially largely IT-driven initiatives to deal with natural disasters and terrorist threats that hit businesses in the 1980s and early 1980s. 1990.


However, it has become increasingly clear that the process to be established in this area must be taken in hand by the enterprise and encompass the means to guard against multiple forms of disruption. A new discipline, known as Business Continuity Management (BCM), has emerged.
At the same time as they began to recognize the value of this discipline in mitigating the effects of disruptive incidents on society, governments and regulators wanted to be able to ensure that key players were equipped with appropriate devices. to ensure business continuity. At the same time, aware of their interdependence, companies also wanted to be sure that their main suppliers and partners were able to always provide critical products and services, even in the event of incidents.
Thus, there was a need for a recognized benchmark representing good practice in GCA, and several countries, including Australia, the United States, the United Kingdom and Singapore, established national standards dealing with this issue. The British Standard BS 25999, for example, was intended to help set up a business continuity management system, and was the first to serve as a reference for accredited certification purposes.
When internationally active organizations have begun pushing for the establishment of a single International Standard, ISO technical committee ISO / TC 223, Societal security , has started work on ISO 22301: 2012, Societal security - Management of business continuity - Requirements . This new standard, a result of significant global interest, is the culmination of collaborative work and contributions from around the world.

Demonstrate good practices

ISO 22301 is a management system standard for GCA that can be used by organizations of all sizes and types. Once their SCM system is in place, organizations have the opportunity to apply for accredited certification of compliance with the standard to demonstrate compliance with GCA best practices to legislators, potential customers and other interested parties. At the level of the company, the person in charge of the GCA can, thanks to ISO 22301, show to his direction that a recognized standard is indeed in place.
Because ISO 22301 is usable for certification purposes, the requirements it specifies describe the essential elements of GCA in a relatively short and concise manner. A more comprehensive guidance standard (ISO 22313) providing more detail for each requirement of ISO 22301 is in preparation.
ISO 22301 can also be used as a reference for the company to assess its situation in relation to good practice, and for auditors to report to management. The value of this standard is by no means limited to simply obtaining a certificate of conformity.
 

The context of social security

• ISO 22300: 2012, Societal security - Terminology
  
• ISO 22320: 2011, Societal security - Emergency management - Requirements for relief operations
  
• ISO / TR 22312: 2011, Societal security - Technological capabilities
  
• ISO / PAS 22399: 2007, Societal security - Guidelines for incident preparedness and business continuity management
  

[size]
The following projects are under development:
[/size]

• ISO 22311, Societal security - Video surveillance - Export interoperability
  
• ISO 22313, Social security - Business continuity management - Guidelines
  
• ISO 22315, Social security - Mass evacuation
  
• ISO 22322, Societal security - Emergency management - Public warnings
  
• ISO 22323, Societal security - Organizational Resilience Management Systems - Requirements and guidelines for its use
  
• ISO 22325, Societal security - Guidelines for the assessment of organizations' emergency management capacity
  
• ISO 22351, Societal security - Emergency management - Concerted assessment of the situation
  
• ISO 22397, Societal security - Private public partnerships - Guidelines for establishing partnership agreements
  
• ISO 22398, Social security - Guidelines for exercise and testing
  
• ISO 22324, Social security - Emergency management - Color-coded alert
  

[size]

A difficult start

The genesis of work on ISO 22301 goes back to an ISO Workshop on "Emergency Preparedness" in Florence, Italy, in 2006. At that time, many experts were of the opinion that their own national standard was the one that best suited to serve as the basis for an International Standard.
In order to get things done, a meeting of all the main actors was organized to identify the similarities between the standards. The resulting consensus led to the publication of a guidance document, ISO / PAS 22399: 2007, Societal Security - Guidelines for Incident Preparedness and Business Continuity Management.
For ISO 22301, it was the large number of national documents on the subject that was the problem on which it had been difficult to reach agreement.
At this stage, the committee was ready to create a management system standard with specified requirements that could be used for certification purposes. The text of the different national standards was used to draft the initial project, which was gradually put into shape to produce a new document bringing together good practices from around the world. Various countries including Australia, France, Germany, Japan, Republic of Korea, Singapore, Sweden, Thailand and the United States have contributed significantly to the document. Many other countries took part in the work, which shows the truly international character of the interest and collaboration around this standard.

ISO 22301 under the magnifying glass

ISO 22301 is the second management system standard to adopt the new high-level structure and standardized text agreed within ISO. The aim is to ensure consistency with all future and revised standards of this type and to facilitate integration with different standards, for example, ISO 9001 (quality), ISO 14001 (environment) and ISO / IEC 27001 (safety). some information).
The standard consists of ten articles with, in order, Scope, Normative References, Terms and Definitions, and various requirements including:
[/size]

• Article 4 - Organizational Context
  The first step is to clearly identify the organization, what it needs internally and externally, and to set clear limits on the scope of the management system. In particular, it is important for the organization to be aware of the requirements of relevant stakeholders, regulators, clients and staff. It must also, and above all, know the applicable legal and regulatory requirements. It will be able to determine the scope of the Business Continuity Management System (BCMS).
  
• Article 5 - Leadership
  ISO 22301 places special emphasis on the need for appropriate leadership of the CACS. Management must ensure that adequate resources are made available, establishes policies and designates those responsible for implementing and maintaining the CACS.
  
• Article 6 - Planning
  The organization shall identify the risks associated with the implementation of the management system and set clear objectives and criteria that can be used to measure its success.
  
• Article 7 - Support
  Since implementation requires resources, here comes the important notion of competence. To ensure business continuity, there is a need for people with the knowledge, skills and experience to contribute to the CACS and to respond to incidents. It is also important for everyone to be aware of the role they must play in the operational response. This article discusses all of these aspects as well as the issue of what to report about the CACS - for example, clients should be aware that the organization has a formal CACS in place - and the intended mode of communication. in the event of an incident (because normal communication channels may be disturbed).
  
• Article 8 - Activities
  This is the main body of specific business continuity skills. The organization must conduct an impact analysis of its activities to understand the impact of disruptions and the evolution over time. The business risk assessment is to be done in a structured way and this needs to be taken into account when establishing a business continuity strategy. In addition to measures to prevent or limit the probability of incidents, measures should be developed in the event of an incident. Since it is impossible to predict and prevent all incidents, the risk reduction and planning approach for all contingencies is complementary. In this case, we must be able to hope for the best, while having foreseen the worst. ISO 22301 emphasizes the need for a well-defined incident response structure. Thus, in the event of an incident, interventions are triggered at the right time and everyone knows he is authorized to take the necessary emergency measures. Personal safety is a fundamental aspect and the organization must communicate with outside parties that may be endangered, for example, if an incident poses a toxic or explosive risk to those who live nearby. The requirements for business continuity plans are also defined in clause 8. In this regard, easy-to-understand documents are more appropriate than the larger files intended for auditors. It will certainly be more useful to have several small plans rather than one big plan.
  

[size]
A requirement that has not been addressed so far in the business continuity standards is the need to plan for a return to normal business. This simple requirement involves in-depth thinking as organizations need to define what needs to be done once emergency operations are completed.
The last paragraph of Article 8 deals with practical exercises and testing, a key element of the GCA. The tests make it possible to verify concretely the elements of the continuity device that work (successful test) and those that do not work (failure). For example, you can turn on the backup generator to verify that it works. A practical exercise may involve testing, but it is usually an attempt to simulate some aspects of the operational response. Exercise usually involves preliminary work of training and awareness on how to handle disruptive incidents in a difficult and unusual context, and at the same time to check if the processes are working, as expected.
Exercises and tests are fundamental in the ISO 22301 standard: it is only through structured exercises - designed to prepare the individuals and teams involved - that an organization can obtain objective assurance that its device will function as intended under time.
[/size]

• Article 9 - Evaluation
  For any management system, it is essential to evaluate performance against the plan. ISO 22301 therefore requires the organization to choose the measurement parameters against which it will evaluate the appropriate performance. Internal audits must be performed and management must review the CACS and act accordingly.
  
• Article 10 - Improvement
  No management system is perfect from the outset and, in addition, organizations and their environments are constantly evolving. Article 10 defines the actions to be undertaken to improve the CACS over time and to ensure that corrective actions highlighted by audits, reviews, exercises, etc. be well done.
  

[size]

Successful implementation

For a good application of ISO 22301, organizations must have understood the requirements. Each line and word is important and the relative importance of a subject is not necessarily proportional to the number of words devoted to it. The GCA is not a project or a simple "plan" to put in place, it is a continuous management process involving competent people working with appropriate support and adequate structures that will be implemented when it will have to
 
 

Stefan Tangen

Stefan Tangen
Secretary of ISO / TC 221, Societal security
SIS
 
 
Sweden
 
 
 
Stefan Tangen is Secretary of ISO / TC 223, Societal Security . He has been active in the field of standardization for six years. He is also Secretary of the JTCG (Joint Technical Coordination Group) on Harmonization of Management Systems. Project Manager at SIS, Swedish Standards Institute, he holds a PhD in Production Engineering.
 

Dave Austin

Dave Austin
Project Manager for ISO 22301
 
 
 
United Kingdom
 
 
Project Manager for ISO 22301. Founder and Director of Operational Resilience (Oprel) Ltd, he has extensive experience in business continuity, ICT continuity and crisis management consulting. He was at the beginning of his career, Systems Sustainability Manager for the Royal Bank of Scotland. Later, at Siemens, he developed and managed a business continuity consulting service.

 


[/size]

https://www.iso.org/fr/news/2012/06/Ref1602.html