Presentation Transcript
Slide 1: Implementing BS 25999 for Business Continuity Management (Preview)
CPE Event of ISACA Karachi Chapter, 20th May 2009
Muhammad Ghazali A. Wasti
Associate Member of the BCI
ISO 27001 / BS 25999 Consultant/Trainer
Chair – CPE Committee, ISACA Karachi Chapter
Senior Manager – EIRM, FAMCO ASSOCIATES PVT LTD
Slide 2: The New Standard for Business Continuity Management - BS 25999
Presenter's Profile: Muhammad Ghazali A. Wasti
Associate of the Business Continuity Institute (ABCI)
Consultant for BS 25999/BS 25777, BCM/DR and ISO 27001
Delivered awareness training on BS 25999/BCP/DRP and BS 7799
Serves as the "Official Regional Representative" of the Business Continuity Institute (BCI) for the Middle East and Pakistan
Founder and Moderator of Middle East Business Continuity Professionals and Continuity Pakistan
Regular writer on BCM and IT Assurance in national and international print media
Slide 3: Why a BCM Standard was needed
Senior Management Commitment
Evidence of organisations failing despite having BCPs:
Plans not exercised
Plans not kept up to date
People not trained or made aware of the BCP
Too many plans written to get a 'tick in the box'
Slide 4: Key Elements of the Standard
BCM is based on a 'lifecycle' – it is a continuous process
Must become part of the organisational culture
Commitment from the top, and throughout the organisation
Referencing principles, guidelines, regulations and policies
BCM must be proven by exercise and lessons learnt
BCM must be maintained in a changing environment
A specification against which certification can be achieved
Slide 5: Getting that tick in the box – The common scenario
BIA and Risk Assessment carried out
Strategies developed
BCM implemented
…and then?
Nothing
Slide 6: Development of the BCM Standard – History of BS 25999 and BCI Affiliation
1997 – Professional practice standard exists in the UK & US
1999 – Work commenced on a uniform assessment of BCM for Y2K
2001 – FSA requires BCM 'good practice' guidelines
2002 – BCI publishes the BCI BCM Good Practice Guidelines
2003 – Publication of PAS 56 by BSI
2006 – BSI publishes BS 25999-1 in November
2007 – BS 25999-2 published in November
2008 – UKAS pilot accreditation scheme for certification
Slide 7: Code of Practice and Specification
Code of Practice (BS 25999-1): best practice; not auditable
Specification (BS 25999-2): requirements – "shall" statements; auditable
Slide 8: BS 25999-2 (Layout) – The Plan-Do-Check-Act (PDCA) cycle
Slide 9: The Implementation Cycle using the Business Continuity Institute GPG 08
Slide 10: The Implementation Cycle – Why are you introducing BCM?
What are the requirements for BC, taking into account:
– Organisation's objectives
– Obligations – legal, regulatory, contractual
– Interests of key stakeholders
Scope of BC in terms of products and services
Slide 11: The Implementation Cycle
What are the key services & products?
What are the critical activities?
What processes are used to deliver critical activities?
Who and what is used in these processes?
– Internally
– Externally
The impact if key services & products are disrupted – for whatever reason
The Maximum Tolerable Period of Disruption – MTPoD/MTO
Slide 12: BS 25999-2 Clause 3
The organization shall develop, implement, maintain and continually improve a documented BCMS
The organization shall identify:
Requirements of business continuity
Key stakeholders
Acceptable level of risk
Products and services
Slide 13: The Implementation Cycle
The most appropriate strategy or strategies will depend on a range of factors such as:
The maximum tolerable period of disruption (MTPoD) of the service
The cost of implementing the strategy or strategies
The consequences of inaction/interruption
Recognise critical functions, dependencies and single points of failure.
Slide 14: BS 25999-2 Clause 4.2
The organization shall:
Define a fit-for-purpose, predefined and documented incident response structure
Determine how it will recover each critical activity within its recovery time objective
Determine the resources required for resumption
Determine how it will manage relationships with its key stakeholders
Slide 15: The Implementation Cycle – BC Planning
Plan Invocation
Invocation Teams
Incident Management
Communications Management
Information Management
Slide 16: BCM Response – BS 25999-2 Clause 4.3
The organization shall nominate incident response personnel with the responsibility, authority and competence.
The incident response structure shall provide for personnel to:
Confirm the nature and extent of the incident
Have resources available to support the plans
Communicate with stakeholders
Supported by:
Coordination and communication
Procedures to manage an incident
Slide 17: The Implementation Cycle – Exercising
Exercising: an opportunity to measure the quality and effectiveness
The exercise process requires:
Senior management commitment
Planning team
Documentation
Briefing
Exercise
Review of lessons learnt
Funding
Post-exercise results update for maintenance
Slide 18: BCM exercising – BS 25999-2 Clause 4.4
The organization shall:
Develop exercises for the BCMS
Have a program approved by top management to ensure exercises are carried out at planned intervals and when significant changes occur
Define the aims and objectives of every exercise
Carry out a post-exercise review
Produce a written report of the exercise
Slide 19: The Implementation Cycle – BCMS Review
Review at planned intervals OR at a significant change in process, infrastructure or resources
Where changes are needed this will lead to re-writing, re-issue and re-training, and endorsement by the management team.
Slide 20: BS 25999-2 Clause 5
Internal audit
The organization shall ensure that internal audits of the BCMS are conducted at planned intervals
Provide information on the results of audits to management.
Management review of the BCMS
Management shall review the organization's BCMS
This review shall include assessing opportunities for improvement of the business continuity management policy and business continuity management objectives.
The results of the reviews shall be clearly documented.
Slide 21: BS 25999-2 Clause 6
Preventive and corrective actions
The organization shall improve the BCMS through preventive and corrective actions.
Any preventive or corrective action taken shall be aligned with the business continuity policy and objectives.
Changes arising shall be reflected in the BCMS documentation.
Continual improvement
The organization shall continually improve the effectiveness of the BCMS
Slide 22: Mapping of BS 25999-2 with the BCI GPG 08
GPG 08 stage 1 – Clause 3 of BS 25999-2
GPG 08 stage 2 – Clauses 3 & 4.1 of BS 25999-2
GPG 08 stage 3 – Clause 4.2 of BS 25999-2
GPG 08 stage 4 – Clause 4.3 of BS 25999-2
GPG 08 stage 5 – Clause 4.4 of BS 25999-2
GPG 08 stage 6 – Clauses 5 & 6 of BS 25999-2
Slide 23: Certified Companies
Since November 2007, 40 companies have been certified to this standard so far. A few of them:
Kokuyo Furniture Co., Ltd
Samsung Life Insurance, Korea
Industrial Bank of Korea
Vodafone - UK
Citigroup
Accenture
Slide 24: Q & A
Thank You
Ghazali.wasti@famco.com.pk
gawasti@yahoo.com