ISO 22301.2012.Eng.pdf
Short Description
Download ISO 22301.2012.Eng.pdf...
Description
INTERNATIONAL STANDARD
ISO 22301 First edition 2012-05-15
Societal security — Business continuity management systems — Requirements Sécurité sociétale — Gestion de la continuité des affaires — Exigences
Reference number ISO 22301:2012(E)
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
© ISO 2012
ISO 22301:2012(E)
COPYRIGHT PROTECTED DOCUMENT ©
ISO 2012
Tel. + 41 22 749 01 11 Web www.iso.org
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
ii
© ISO 2012 – All rights reserved
ISO 22301:2012(E)
Contents Foreword ............................................................................................................................................................................ iv 0 Introduction ..................................................................................................................................................................... v 0.1 General .......................................................................................................................................................................... v 0.2 The Plan-Do-Check-Act (PDCA) model ................................................................................................................ v 0.3 Components of PDCA in this International Standard ...................................................................................... vi 1
Scope ...................................................................................................................................................................... 1
2
Normative references ......................................................................................................................................... 1 ......................................................................................................................................... 1
4 4.1 4.2 4.3 4.4
Context of the organization .............................................................................................................................. 8 Understanding of the organization and its context.................................................................................... 8 Understanding the needs and expectations of interested parties ......................................................... 9 Determining the scope of the business continuity management system ........................................... 9 Business continuity management system ................................................................................................. 10
5 5.1 5.2 5.3 5.4
Leadership........................................................................................................................................................... 10 Leadership and commitment ......................................................................................................................... 10 Management commitment............................................................................................................................... 10 Policy .................................................................................................................................................................... 11 Organizational roles, responsibilities and authorities ............................................................................ 11
6 6.1 6.2
Planning ............................................................................................................................................................... 12 Actions to address risks and opportunities............................................................................................... 12 Business continuity objectives and plans to achieve them .................................................................. 12
7 7.1 7.2 7.3 7.4 7.5
Support................................................................................................................................................................. 12 Resources ........................................................................................................................................................... 12 Competence ........................................................................................................................................................ 13 Awareness ........................................................................................................................................................... 13 Communication .................................................................................................................................................. 13 Documented information................................................................................................................................. 14
8 8.1 8.2 8.3 8.4 8.5
Operation ............................................................................................................................................................. 15 Operational planning and control ................................................................................................................. 15 Business impact analysis and risk assessment ....................................................................................... 15 Business continuity strategy ......................................................................................................................... 16 Establish and implement business continuity procedures ................................................................... 17 Exercising and testing ..................................................................................................................................... 19
9 9.1 9.2 9.3
Performance evaluation................................................................................................................................... 19 Monitoring, measurement, analysis and evaluation ................................................................................ 19 Internal audit ....................................................................................................................................................... 20 Management review .......................................................................................................................................... 21
10 10.1 10.2
Improvement ....................................................................................................................................................... 22 Nonconformity and corrective action .......................................................................................................... 22 Continual improvement ................................................................................................................................... 23
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
Bibliography ..................................................................................................................................................................... 24
© ISO 2012 – All rights reserved
iii
ISO 22301:2012(E)
Foreword
Societal security.
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
iv
© ISO 2012 – All rights reserved
ISO 22301:2012(E)
0 Introduction 0.1 General
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
’
0.2 The Plan-Do-Check-Act (PDCA) model
management systems management systems
© ISO 2012 – All rights reserved
Quality Environmental management systems Information security Information technology — Service management
v
ISO 22301:2012(E)
Continual improvement of business continuity management system (BCMS)
Establish (Plan)
Interested parties
Interested parties
Maintain and improve (Act) Requirements for business continuity
Implement and operate (Do)
Monitor and review (Check)
Managed business continuity
Figure 1 — PDCA model applied to BCMS processes Table 1 — Explanation of PDCA model Plan
Do procedures. Check
Act
0.3 Components of PDCA in this International Standard cover the following components.
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
vi
© ISO 2012 – All rights reserved
ISO 22301:2012(E)
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
© ISO 2012 – All rights reserved
vii
--`````,`,,`````````,`,```,
INTERNATIONAL STANDARD
ISO 22301:2012(E)
Societal security — Business continuity management systems — Requirements 1 Scope
2 Normative references -
3.1 activity
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
© ISO 2012 – All rights reserved
1
ISO 22301:2012(E)
3.2 audit
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
3.3 business continuity following disruptive incident [SOURCE: ISO 22300] 3.4 business continuity management
3.5 business continuity management system BCMS
3.6 business continuity plan
3.7 business continuity programme
3.8 business impact analysis [SOURCE: ISO 22300] 3.9 competence 3.10 conformity [SOURCE: ISO 22300]
2
© ISO 2012 – All rights reserved
ISO 22301:2012(E)
3.11 continual improvement [SOURCE: ISO 22300] 3.12 correction [SOURCE: ISO 22300]
[SOURCE: ISO 22300] 3.14 document
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
3.13 corrective action
3.15 documented information
3.16 effectiveness [SOURCE: ISO 22300] 3.17 event
© ISO 2012 – All rights reserved
3
ISO 22301:2012(E)
3.18 exercise
[SOURCE: ISO 22300] 3.19 incident [SOURCE: ISO 22300] 3.20 infrastructure 3.21 interested party stakeholder
3.22 internal audit
3.23 invocation
3.24 management system
4
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
© ISO 2012 – All rights reserved
ISO 22301:2012(E)
3.25 maximum acceptable outage MAO
3.26 maximum tolerable period of disruption MTPD
3.27 measurement 3.28 minimum business continuity objective MBCO
3.29 monitoring
3.30 mutual aid agreement [SOURCE: ISO 22300] 3.31 nonconformity [SOURCE: ISO 22300] 3.32 objective
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
© ISO 2012 – All rights reserved
5
ISO 22301:2012(E)
3.33 organization
3.34 outsource (verb)
process is within the scope.
3.35 performance
3.36 performance evaluation 3.37 personnel
3.38 policy
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
3.39 procedure 3.40 process 3.41 products and services
3.42 prioritized activities
[SOURCE: ISO 22300]
6
© ISO 2012 – All rights reserved
ISO 22301:2012(E)
3.43 record 3.44 recovery point objective RPO
3.45 recovery time objective RTO
resources must be recovered
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
—
3.46 requirement
3.47 resources
3.48 risk
© ISO 2012 – All rights reserved
7
ISO 22301:2012(E)
3.49 risk appetite 3.50 risk assessment
3.51 risk management
3.52 testing
[SOURCE: ISO 22300] 3.53 top management
3.54
3.55 work environment set of conditions under which work is performed
[SOURCE: ISO 22300]
4 Context of the organization 4.1
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`-
8
Understanding of the organization and its context
© ISO 2012 – All rights reserved
ISO 22301:2012(E)
4.2
Understanding the needs and expectations of interested parties
4.2.1
General
4.2.2
Legal and regulatory requirements
4.3 4.3.1
Determining the scope of the business continuity management system General
© ISO 2012 – All rights reserved
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
9
ISO 22301:2012(E)
4.3.2
4.4
Scope of the BCMS
Business continuity management system
5 Leadership Leadership and commitment
5.2
Management commitment
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
5.1
10
© ISO 2012 – All rights reserved
5.3
Policy
5.4
Organizational roles, responsibilities and authorities
© ISO 2012 – All rights reserved
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
ISO 22301:2012(E)
11
ISO 22301:2012(E)
6 Planning 6.1
b)
6.2
Actions to address risks and opportunities
how to
Business continuity objectives and plans to achieve them
7 Support 7.1
12
Resources
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
© ISO 2012 – All rights reserved
ISO 22301:2012(E)
7.2
Competence
7.3
Awareness
d)
7.4
their own role during disruptive incidents.
Communication
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
© ISO 2012 – All rights reserved
13
ISO 22301:2012(E)
7.5
Documented information
7.5.1
—
General
the competence of persons.
7.5.2
Creating and updating
7.5.3
Control of documented information
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
14
© ISO 2012 – All rights reserved
ISO 22301:2012(E)
8 Operation 8.1
Operational planning and control
8.2
Business impact analysis and risk assessment
8.2.1
General
order in which these will be conducted.
8.2.2
Business impact analysis
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
© ISO 2012 – All rights reserved
15
ISO 22301:2012(E)
8.2.3
Risk assessment
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
8.3
Business continuity strategy
8.3.1
Determination and selection
8.3.2
Establishing resource requirements
16
© ISO 2012 – All rights reserved
ISO 22301:2012(E)
8.4
Protection and mitigation
Establish and implement business continuity procedures
8.4.1
General
8.4.2
Incident response structure
© ISO 2012 – All rights reserved
17
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
8.3.3
ISO 22301:2012(E)
Warning and communication
8.4.4
Business continuity plans
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
8.4.3
18
© ISO 2012 – All rights reserved
ISO 22301:2012(E)
8.5
Recovery
Exercising and testing
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
8.4.5
9 Performance evaluation 9.1 9.1.1
Monitoring, measurement, analysis and evaluation General
© ISO 2012 – All rights reserved
19
ISO 22301:2012(E)
Evaluation of business continuity procedures
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
9.1.2
9.2
20
Internal audit
© ISO 2012 – All rights reserved
ISO 22301:2012(E)
9.3
Management review
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
© ISO 2012 – All rights reserved
21
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
ISO 22301:2012(E)
10 Improvement 10.1 Nonconformity and corrective action
22
© ISO 2012 – All rights reserved
ISO 22301:2012(E)
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
10.2 Continual improvement
© ISO 2012 – All rights reserved
23
ISO 22301:2012(E)
Bibliography Quality management systems — Requirements Environmental management systems — Requirements with guidance for use Guidelines for auditing management systems Information Technology — Service Management Societal security — Terminology Societal security — Guideline for incident preparedness and operational continuity management Information technology — Security techniques — Guidelines for Information and communications technology disaster recovery services Information Security Management Systems Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity Risk Management — Principles and Guidelines Risk management — Risk assessment techniques Risk management — Vocabulary Business continuity management — Code of practice
Security and continuity management systems — Requirements and guidance for use Standard on disaster/emergency management and business continuity programs [17]
Business Continuity Plan Drafting Guideline Business Continuity Guideline Organizational Resilience: Security, Preparedness, and Continuity Managements Systems – Requirements with Guidance for Use Singapore Standard for Business Continuity Management
[20]
24
Business Continuity Management Systems: Requirements with Guidance for Use
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
© ISO 2012 – All rights reserved
--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---
ISO 22301:2012(E)
ICS 03.100.01 --`````,`,,`````````,`,```,,,-`-`,
© ISO 2012 – All rights reserved
View more...
Comments
