BS 25999 & The BCI GPG
Uploaded by: gawasti
Added: June 03, 2009
License: All Rights Reserved

Comments
By: RobinDG (23 month(s) ago): This looks to be a very clear explanation of what BS 25999-2 covers and why it is a valuable process. Thanks Muhammad. Robin DG, Director, Continuity-solutions.co.uk

Presentation Transcript

Slide 1: Implementing BS 25999 for Business Continuity Management (Preview)
CPE Event of ISACA Karachi Chapter, 20th May 2009
Muhammad Ghazali A. Wasti
Associate Member of the BCI
ISO 27001 / BS 25999 Consultant/Trainer
Chair – CPE Committee, ISACA Karachi Chapter
Senior Manager – EIRM, FAMCO ASSOCIATES PVT LTD

Slide 2: Presenter's Profile
The New Standard for Business Continuity Management - BS25999
Muhammad Ghazali A. Wasti
Associate of Business Continuity Institute (ABCI)
Consultant for BS 25999/BS 25777, BCM/DR and ISO27001
Delivered awareness trainings on BS 25999/BCP/DRP and BS7799
Serves as the "Official Regional Representative" of the Business Continuity Institute (BCI) for the Middle East and Pakistan
Founder and Moderator of Middle East Business Continuity Professionals and Continuity Pakistan
Regular writer on BCM and IT Assurance domains in national and international print media

Slide 3: Why a BCM Standard was needed
Senior Management Commitment
Evidence of organisations failing despite having BCPs:
Plans not exercised
Plans not kept up to date
People not trained or made aware of the BCP
Too many plans written to get a 'tick in the box'

Slide 4: Key Elements of the Standard
BCM is based on a 'lifecycle' – it is a continuous process
Must become part of the organisational culture
Commitment from the top, and throughout the organisation
Referencing principles, guidelines, regulations and policies
BCM must be proven by exercise and lessons learnt
BCM must be maintained in a changing environment
A specification against which certification can be achieved

Slide 5: The common scenario
BIA and Risk Assessment carried out
Strategies developed
BCM implemented
…and then? Nothing
Getting that tick in the box

Slide 6: Development of the BCM Standard – History of BS 25999 and BCI Affiliation
1997 – Professional practice standard exists in the UK & US
1999 – Work commenced on a uniform assessment of BCM for Y2K
2001 – FSA requires BCM 'good practice' guidelines
2002 – BCI publishes BCI BCM Good Practice Guidelines
2003 – Publication of PAS 56 by BSI
2006 – BSI publishes BS25999-1 in November
2007 – BS25999-2 published in November
2008 – UKAS pilot accreditation scheme for certification

Slide 7: Code of Practice and Specification
Requirement – "Shall statements" – Auditable
Code of Practice – Best Practice – Not Auditable

Slide 8: BS 25999-2 (Layout)
The Plan-Do-Check-Act (PDCA) cycle

Slide 9: The Implementation Cycle using The Business Continuity Institute GPG 08

Slide 10: The Implementation Cycle
Why are you introducing BCM?
What are the requirements for BC, taking into account:
– Organisation's objectives
– Obligations – legal, regulatory, contractual
– Interests of key stakeholders
Scope of BC in terms of products and services

Slide 11: The Implementation Cycle
What are the key services & products?
What are the critical activities?
What processes are used to deliver critical activities?
Who and what is used in these processes? Internally and externally
The impact if key services & products are disrupted – for whatever reason
The Maximum Tolerable Period of Disruption – MTPoD/MTO

Slide 12: BS 25999-2 Clause 3
The organization shall develop, implement, maintain and continually improve a documented BCMS
Identify the requirements of business continuity:
Key stakeholders
Acceptable level of risk
Products and services

Slide 13: The Implementation Cycle
The most appropriate strategy or strategies will depend on a range of factors such as:
The maximum tolerable period of disruption (MTPoD) of the service
The cost of implementing the strategy or strategies
The consequences of inaction/interruption
Recognise critical functions, dependencies and single points of failure.

Slide 14: BS 25999-2 Clause 4.2
The organization shall:
Define a fit-for-purpose, predefined and documented incident response structure
Determine how it will recover each critical activity within its recovery time objective
Determine the resources required for resumption
Determine how it will manage relationships with its key stakeholders

Slide 15: The Implementation Cycle – BC Planning
Plan Invocation
Invocation Teams
Incident Management
Communications Management
Information Management

Slide 16: BS 25999-2 Clause 4.3 – BCM Response
The organization shall nominate incident response personnel with the responsibility, authority and competence.
The incident response structure shall provide for personnel to:
Confirm the nature and extent of the incident
Coordinate and communicate
Have resources available to support the plans
Have procedures to manage an incident; and
Communicate with stakeholders.

Slide 17: The Implementation Cycle – Exercising
Exercising: an opportunity to measure quality and effectiveness
The exercise process requires:
Senior management commitment
Planning team
Documentation
Briefing
Exercise
Review of lessons learnt
Funding
Post-exercise results update for maintenance

Slide 18: BCM exercising – BS 25999-2 Clause 4.4
The organization shall:
Develop exercises for the BCMS
Have a programme approved by top management to ensure exercises are carried out at planned intervals and when significant changes occur;
Define the aims and objectives of every exercise
Carry out a post-exercise review
Produce a written report of the exercise.

Slide 19: The Implementation Cycle – BCMS Review
Review at planned intervals OR at a significant change in process, infrastructure or resources
Where changes are needed this will lead to re-writing, re-issue and re-training, and endorsement by the management team.

Slide 20: BS 25999-2 Clause 5
Internal audit
The organization shall ensure that internal audits of the BCMS are carried out at planned intervals
Provide information on the results of audits to management.
Management review of the BCMS
Management shall review the organization's BCMS
This review shall include assessing opportunities for improvement of business continuity management policy and business continuity management objectives.
The results of the reviews shall be clearly documented.

Slide 21: BS 25999-2 Clause 6
Preventive and corrective actions
The organization shall improve the BCMS through preventive and corrective actions.
Any preventive or corrective action taken shall be aligned with business continuity policy and objectives.
Changes arising shall be reflected in the BCMS documentation.
Continual improvement
The organization shall continually improve the effectiveness of the BCMS

Slide 22: Mapping of BS 25999-2 with The BCI GPG 08
The six stages of the BCI GPG 08 lifecycle are mapped to the following clauses:
Clause 3 of BS 25999-2
Clause 3 & 4.1 of BS 25999-2
Clause 4.2 of BS 25999-2
Clause 4.3 of BS 25999-2
Clause 4.4 of BS 25999-2
Clause 5 & 6 of BS 25999-2

Slide 23: Certified Companies
Since November 2007, 40 companies have been certified against this standard; a few of them are:
Kokuyo Furniture Co., Ltd
Samsung Life Insurance, Korea
Industrial Bank of Korea
Vodafone – UK
Citigroup
Accenture

Slide 24: Q & A – Thank You
Ghazali.wasti@famco.com.pk
gawasti@yahoo.com