White Paper

Automating ISO 22301:2012

January 2013

Chris Alvord, CEO, COOP Systems ISO 22301 Lead Auditor, CBCP, MBCI

COOP Systems, 607 Herndon Parkway, Suite 200, Herndon, VA 20170 phone 703-464-8700 fax 703-464-9683 www.coop-systems.com

Automating ISO 22301:2012 - - COOP Systems

Page 2

Table of Contents

Introduction ..................................................................................................................................... 3 Current BCM State - - Typically Not Automated ............................................................................. 3 BIA and Risk Assessment (RA) Analysis (8.2.2, 8.2.3) ...................................................................... 3 BIA Data Collection Example ........................................................................................................... 4 Risk Assessment Data Collection Example ...................................................................................... 4 Resources (8.3.2) and Planning (8.4.4) ............................................................................................ 5 H/R System Updating People Details Example ................................................................................ 5 Testing and Exercise Management (8.5) ......................................................................................... 6 Test and Exercise Example .............................................................................................................. 6 Incident Response and Communications (8.4.2, 8.4.3) ................................................................... 6 Incident Command Console Example .............................................................................................. 7 Audit Reporting (9.2) ....................................................................................................................... 7 Audit Reports Example .................................................................................................................... 8 Corrective Actions (10.1) ................................................................................................................. 8 Corrective Action Example .............................................................................................................. 8 Summary.......................................................................................................................................... 9

Automating ISO 22301:2012 - - COOP Systems

Page 3

Introduction ISO 22301:2012, published in May 2012, is the only business continuity management systems (BCMS) standard recognized worldwide. Like all ISO standards, it is the result of the work of experts and is blessed by 160+ countries. It is the best path for an organization wanting to benefit from global acceptance, good practices, and management experience. As an auditable standard, ISO 22301 is difficult to envision without significant automation. Specific features are needed to affordably meet the goals of such a program. This paper addresses some of the major areas (below) requiring systems software. (The numbers following each subject are references to the ISO chapters.) Business Impact Analysis (BIA) and Risk Analysis (RA) (8.2.2, 8.2.3) Resources and planning (8.3.2, 8.4.4) Testing and exercise management (8.5) Incident response and communications (8.4.2, 8.4.3) Audit reporting (9.2) Corrective actions (10.1)

Of course ISO 22301 is much more extensive than just these items. We welcome a discussion with any organization that wants to explore all the aspects of this standard, especially program management guidelines and reporting. Current BCM State - - Typically Not Automated In 2010 Gartner Group published their MarketScope for Business Continuity Management Planning Software1 research indicating that 75% of organizations as of that date did not use automated solutions for business continuity management. Instead, static files and manual methods (e.g., Word, Excel, etc.) were very common. For reasons that follow, this approach will not pass an ISO audit. BIA and Risk Assessment (RA) Analysis (8.2.2, 8.2.3) The language of the standard for BIAs stipulates that the organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. For risk, the organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyzes, and evaluates the risk of disruptive incidents to the organization. The key words in the text are formal and documented, priorities and analyses. It is insufficient to collect BIA information in some rough form (e.g., Excel) and then try to make a conclusion with non-rigorous methods. For example, documentation is needed to show all the people who supplied the information and when it was done. A detailed and repeatable method is needed to rigorously organize and analyze collected data over time.

Gartner Group, MarketScope for BCM Planning Software, 13 May 2010.

Automating ISO 22301:2012 - - COOP Systems

Page 4

The only way to proceed is to present consistent and repeatable BIA and RA forms to collect structured information from users into a database for precise analysis, ensuring responsibilities are tracked and data is managed well. For example, the screen below has captured the overall results for individuals completing a simple Staffing Requirements BIA form for needs over time. Additional forms to collect process, asset and dependency details can be presented with similar simplicity, yielding detailed management of results. BIA Data Collection Example

Similarly, RA forms for necessary ISO31000-compliance can be simply distributed and collected, tracking responsibility for data and ensuring accuracy. The following example shows IT RA findings, with similar processes for other risk types. Risk Assessment Data Collection Example

Automating ISO 22301:2012 - - COOP Systems

Page 5

Resources (8.3.2) and Planning (8.4.4) For resources, the language specifies that the organization shall determine the resource requirements to implement the selected strategies. For planning, the organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. These are interdependent areas of ISO 22301 with the following characteristics: Good sources for resource data are needed to ensure accuracy and efficiency of plans needing to make use of the information, to be stored in a managed database. Resource data changes constantly, far more frequently than annual plan reviews. For example, details on people (responsibilities, location, phone numbers, e-mail address, etc.) change all the time. Plans are highly dependent on accurate resource information. For example, how good are plans when people details are inaccurate or out of date? Automation allows resource details, plan by plan, to be updated whenever resource data changes. Other resource information per ISO standards (e.g., information and data, buildings, work environment and associated utilities, facilities, equipment and consumables, information and communication technology systems, transportation, finance, and partners and suppliers) are also dynamic. In many cases, interfacing with external sources can be established (e.g., H/R system for people details) as an efficient method to update resource tables and (at the same time) affected plans in the BCMS.

For example, the following shows how people details are captured centrally for updating plans across the BCMS. H/R System Updating People Details Example

Automating ISO 22301:2012 - - COOP Systems

Page 6

Testing and Exercise Management (8.5) The ISO states the organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives. To ensure that testing is managed well across the enterprise and provide auditable results, the ability to automate, share and track all tasks, calendars and results is important. The following shows how this shared activity can be managed with task lists, calendars, links to Outlook, audit results and other controls. Test and Exercise Example

Incident Response and Communications (8.4.2, 8.4.3) The ISO reads that the organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident. The response structure shall a) b) c) d) identify impact thresholds that justify initiation of formal response, assess the nature and extent of a disruptive incident and its potential impact, activate an appropriate business continuity response, have processes and procedures for the activation, operation, coordination, and communication of the response, e) have resources available to support the processes and procedures to manage a disruptive incident in order to minimize impact, and f) communicate with interested parties and authorities, as well as the media. It is hard to envision meeting this requirement without extensive automation. Beyond the people and activity management and need for rapid notification, responsible BCM staff can gain access to plan details required in response activities in real time using smart phones or tablets.

Automating ISO 22301:2012 - - COOP Systems

Page 7

Below is an example of an Incident Command console with dashboard views of incident and task status. In addition, there are tabs for plans, emergency contacts, incident task details, mass notification, and RSS feeds. Incident Command Console Example

Audit Reporting (9.2) The ISO states the organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system (1) conforms to the organizations own requirements for its BCMS and the requirements of this International Standard, and (2) is effectively implemented and maintained. Automation is especially necessary to confirm the effective control of the overall BCMS process, per the examples below: Versions of plans should be maintained to show the user edits over time, along with the person responsible for changes and the effective date. Activities of individuals should be tracked as they make changes. It is also important to confirm that users are only able to operate within their assigned domain. Changes to resource tables, whether driven by manual or automated processes, should be tracked for review.

As per the following example, reports on content changes, security, and user access in the BCMS should be tracked to facilitate the proof of supporting processes needed for auditing.

Automating ISO 22301:2012 - - COOP Systems

Page 8

Audit Reports Example

Corrective Actions (10.1) All ISO management system standards are based on continual improvement activities. When nonconformities arise, there is a six-step process outlined for formal resolution. Further, the organization shall retain documented information as evidence of (1) the nature of the nonconformities and any subsequent actions taken, and (2) the results of any corrective action. Relying on e-mails and phone calls is not adequate for documentation. Instead, an auditable workflow with methods to assign the work and track to completion is crucial for the standard. Corrective Action Example

Automating ISO 22301:2012 - - COOP Systems

Page 9

Summary After a long history of most BCM programs doing the minimum using manual tools and proprietary methodologies, there is now a clear choice. Of course these substandard approaches can go on, exposing organization to unnecessary risk. Alternatively, the globally accepted ISO 22301 standard details a quality, globally accepted, auditable process for BCM. As a BCMS, the effort of implementing ISO 22301 should include automation. In this paper, six areas were discussed where a systems approach is necessary. Brief notes follow here: BIA and RA analysis - - structured, repetitive, controlled collection and analysis of data Resources/planning - - central data files, with changes automatically updating plans Testing and exercise management - - assigning activities, ensuring results reporting Incident response/communications - - notifications, managing tasks, access to plans. Audit reporting - - tracking all changes and user access Corrective actions - - nonconformities assigned and fixes documented.

There are additional areas where automation would be helpful and efficient, especially in the area of program management formation.