BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard




John Zeppos
OTE Group Business Continuity Management Deputy Director
August 2012
How has Business Continuity Management Developed?

1970s
  • USA - Natural Disasters
  • UK - Irish Terrorist attacks resulted in the "Disaster-Recovery" approach in the UK to deal with the aftermath of an event

1980s
  • BCM professionals recognised the need to understand the Impact to the Business - hence BIA, Risk Assessment etc

1990s
  • Holistic approach intended to reduce risks and resulting impacts
  • US standard NFPA 1600 - a recommended approach for Disaster Management - based on Natural, Human or Technological disasters

2000s
  • Standards start to be developed
  • 2003/2004 PAS56 - UK - never developed into a full standard
  • NFPA1600 USA - became programme based
  • BS25999 - Code of Practice & Specification (2006/7) - organisations able to be independently certified
      o Management System approach aligned with existing Management Systems
      o Lifecycle to ensure that the business is protected - not Disaster and then Recover

Current situation
  • BS25999 formed the key input to the ISO22301
  • ISO22301 Standard May 2012

 John Zeppos / BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard / 31.08.2012 @ Davos                                     2
[Timeline figure marking 2003, 2006/2007 and 2012]
BCMS Certification
• Why should one decide to undertake certification?
      • BS25999 / ISO22301 is the most appropriate standard, containing both Continuity and Crisis Management
      • They are based on a Management System approach fully aligned with ISO9001 and ISO27001
      • They provide independent proof that one's BCMS is fit for purpose
      • Senior Management gains confidence that the approach they are being asked to underwrite is appropriate
      • A certificate could significantly reduce insurance costs

• Certification Programme
      • Initial pre-assessment by qualified independent auditors (gap analysis)
      • Certification project internal kick-off meeting with all relevant functions
      • Stage 1 Assessment - finalise scope and agree timing
      • Stage 2 Assessment - Certification Audit
      • 1 month later - Certificate can be officially issued

ISO22301:2012
  • ISO22301 published w/b May 15
  • BS25999-2 will be withdrawn in November 2012
  • No new applications for certification after 22nd October 2012
  • Scope extensions for existing certifications supported to end October 2013
  • After 1st November 2012 all visits based on ISO 22301
  • Existing certificates remain valid until the end of the transitional period (30th May 2014)
  • No new certificates or renewals after 31st December 2013

UKAS transition timeline:
  1st May 2012        UKAS transition project under way with internal actions, document preparation, internal training etc.
  31st October 2012   No new applications accepted for accreditation to BS 25999-2
  1st November 2012   Transition Assessments begin as part of the normal surveillance cycle
  31st October 2013   No new BS 25999-2 scope extensions accepted by UKAS
  31st December 2013  No new BS 25999-2 certificates to be issued by CABs
  30th May 2014       All CABs to have transitioned to ISO 22301
                      All CAB clients to have transitioned within one year of Accreditation to ISO 22301.

ISO TC 223
  • ISO TC 223 is the Technical Committee responsible
  • TC 223 deals with all matters regarding Societal Security
      o provision of International Standards to enhance all actors' capacity in society to handle all phases before, during and after disruptive events
  • 45 countries are participating members
  • All standards from this committee are prefixed "Societal Security" and are numbered 223xx
  • Other standards being developed include:
      o Mass evacuation
      o Emergency Management Command and Control

Contributors




ISO22301:2012
  • Source documents included
      o BS25999-2
      o NFPA 1600
      o ASIS OR standard
      o Singapore standards
      o ISO27031
      o ISO Guide 73
      o ISO/PAS22399
  • So ISO 22301 is not simply an international version of BS25999-2:2007
  • ISO is moving towards standardization of management system headings and text
      o In development as ISO 22301 was being written
      o Agreed now and published as ISO Guide 83
      o Rules on how to apply this were not always clear, so the text had to be changed
  • Hence our interpretation may differ in detail from others like ISO 27001 - all management system standards will follow Guide 83's standardized headings and text
  • Integration of management systems will be easier

ISO22301:2012
  • ISO 22301 is the requirements document
  • ISO 22313 is the guidance document that accompanies ISO22301
      o It was originally planned to publish these together, but in practice 22301 has run ahead of the guidance
      o It is aligned to 22301; clearly BS25999-1 was not
  • ISO 22313 should be published early next year
      o Currently at DIS (Draft International Standard) stage

John Zeppos
Twitter: @jzeppos
yzeppos@cosmote.gr
http://www.linkedin.com/in/johnzeppos
+30 697 9666844


