Business Continuity ISO 22301 Auditor/ Lead Auditor هذه الدورة تدرس باللغة الإنجليزية

تفاصيل الدورة

This course is conducted via SGS Singapore. All instruction and examinations are in English.

Contingency planning and disaster recovery were largely information technology-led responses to natural disasters and terrorism that affected businesses during the 1980s and early 1990s.

There was a growing recognition, however, that this needed to become a business-led process and encompass preparing for many forms of disruption. In light of this, the discipline became known as business continuity management (BCM).

As governments and regulators began to recognize the role of business continuity in mitigating the effects of disruptive incidents on society, they increasingly sought to gain assurance that key players had appropriate business continuity arrangements in place. Similarly, businesses recognized their dependence on each other and sought assurance that key suppliers and partners would continue to provide key products and services, even when incidents occurred.

ISO 22301 is a management systems standard for BCM which can be used by organizations of all sizes and types. These organizations will be able to obtain accredited certification against this standard and so demonstrate to legislators, regulators, customers, prospective customers and other interested parties that they are adhering to good practice in BCM. ISO 22301 also enables the business continuity manager to show top management that a recognized standard has been achieved.

While ISO 22301 may be used for certification and therefore includes rather short and concise requirements describing the central elements of BCM, a more extensive guidance standard (ISO 22313) is being developed to provide greater detail on each requirement in ISO 22301.

ISO 22301 may also be used within an organization to measure itself against good practice, and by auditors wishing to report to management. The influence of the standard will therefore be much greater than those who simply choose to be certified against the standard.

The standard is pided into 10 main clauses, starting with scope, normative references, and terms and definitions.

Following these are the standard’s requirements,

• CLAUSE 4 – CONTEXT OF THE ORGANIZATION

            The first step involves getting to know the organization, both internal and external needs, and setting clear               boundaries for the scope of the management system. In particular, this requires the organization to                           understand the requirements of relevant interested parties, such as regulators, customers and staff. It must             in particular understand the applicable legal and regulatory requirements. This enables it to determine the             scope of the business continuity management system (BCMS).

• CLAUSE 5 – LEADERSHIP

            ISO 22301 places particular emphasis on the need for appropriate leadership of BCM. This is so that top                 management ensures appropriate resources are provided, establishes policy and appoints people to                       implement and maintain the BCMS.

• CLAUSE 6 – PLANNING

            This requires the organization to identify risks to the implementation of the management system and set                   clear objectives and criteria that can be used to measure its success.

• CLAUSE 7 – SUPPORT

            Since resources are required for implementation, Clause 7 introduces the important concept of                                   competence. For business continuity to be successful, people with appropriate knowledge, skills and                       experience must be in place to both contribute to the BCMS and respond to incidents when they occur. It is             also important that all staff are aware of their own role in responding to incidents and this clause deals with             all of these areas. The need for communication about the BCMS – for instance in telling customers that the             organization has appropriate BCM in place – and preparedness to communicate following an incident                    (when normal channels may be disrupted) is also covered here.

• CLAUSE 8 – OPERATIONS

            This section contains the main body of business continuity-specific expertise. The organization must                         undertake business impact analysis to understand how its business is affected by disruption and how this               changes over time. Risk assessment seeks to understand the risks to the business in a structured way and             these inform the development of business continuity strategy. Steps to avoid or reduce the likelihood of                   incidents are developed alongside steps to be taken when incidents occur. As it is impossible to                                 completely predict and prevent all incidents, the approach of balancing risk reduction and planning for all               eventualities is complementary. It might be said, “hope for the best and plan for the worst”.

• CLAUSE 9 – EVALUATION

            For any management system, it is essential to evaluate performance against plan. ISO 22301 therefore                   requires that the organization select and measure itself against appropriate performance metrics. Internal               audits must be conducted and there is a requirement that management review the BCMS and act on these             reviews.

• CLAUSE 10 – IMPROVEMENT

             No management system is perfect at the outset, and organizations and their environments are constantly                changing. Clause 10 defines actions to take to improve the BCMS over time and ensure that corrective                    actions arising from audits, reviews, exercises and so on are addressed.

THE BENEFITS ARE:

ISO 22301 emphasizes the need for a well-defined incident response structure. This ensures that when incidents occur, responses are escalated in a timely manner and people are empowered to take the necessary actions to be effective. Life safety is emphasized and a particular point is made that the organization must communicate with external parties who may be affected, for instance if an incident poses a noxious or explosive risk to surrounding public areas.

The requirements for business continuity plans are laid out in Clause 8, too. Quickly understood, user-focused documents are more suitable than the large, unwieldy documents suited to auditors. Smaller plans are therefore more likely to be needed than one large plan.