ISO 22301.2012.Eng.pdf

July 25, 2017 | Author: Mauro Mendes | Category: Business Continuity, Leadership & Mentoring, Leadership, Business, Accountability
Share Embed Donate


Short Description

Download ISO 22301.2012.Eng.pdf...

Description

INTERNATIONAL STANDARD

ISO 22301 First edition 2012-05-15

Societal security — Business continuity management systems — Requirements Sécurité sociétale — Gestion de la continuité des affaires — Exigences

Reference number ISO 22301:2012(E)

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

© ISO 2012

ISO 22301:2012(E)

COPYRIGHT PROTECTED DOCUMENT ©

ISO 2012

Tel. + 41 22 749 01 11 Web www.iso.org

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ii

© ISO 2012 – All rights reserved

ISO 22301:2012(E)

Contents Foreword ............................................................................................................................................................................ iv 0 Introduction ..................................................................................................................................................................... v 0.1 General .......................................................................................................................................................................... v 0.2 The Plan-Do-Check-Act (PDCA) model ................................................................................................................ v 0.3 Components of PDCA in this International Standard ...................................................................................... vi 1

Scope ...................................................................................................................................................................... 1

2

Normative references ......................................................................................................................................... 1 ......................................................................................................................................... 1

4 4.1 4.2 4.3 4.4

Context of the organization .............................................................................................................................. 8 Understanding of the organization and its context.................................................................................... 8 Understanding the needs and expectations of interested parties ......................................................... 9 Determining the scope of the business continuity management system ........................................... 9 Business continuity management system ................................................................................................. 10

5 5.1 5.2 5.3 5.4

Leadership........................................................................................................................................................... 10 Leadership and commitment ......................................................................................................................... 10 Management commitment............................................................................................................................... 10 Policy .................................................................................................................................................................... 11 Organizational roles, responsibilities and authorities ............................................................................ 11

6 6.1 6.2

Planning ............................................................................................................................................................... 12 Actions to address risks and opportunities............................................................................................... 12 Business continuity objectives and plans to achieve them .................................................................. 12

7 7.1 7.2 7.3 7.4 7.5

Support................................................................................................................................................................. 12 Resources ........................................................................................................................................................... 12 Competence ........................................................................................................................................................ 13 Awareness ........................................................................................................................................................... 13 Communication .................................................................................................................................................. 13 Documented information................................................................................................................................. 14

8 8.1 8.2 8.3 8.4 8.5

Operation ............................................................................................................................................................. 15 Operational planning and control ................................................................................................................. 15 Business impact analysis and risk assessment ....................................................................................... 15 Business continuity strategy ......................................................................................................................... 16 Establish and implement business continuity procedures ................................................................... 17 Exercising and testing ..................................................................................................................................... 19

9 9.1 9.2 9.3

Performance evaluation................................................................................................................................... 19 Monitoring, measurement, analysis and evaluation ................................................................................ 19 Internal audit ....................................................................................................................................................... 20 Management review .......................................................................................................................................... 21

10 10.1 10.2

Improvement ....................................................................................................................................................... 22 Nonconformity and corrective action .......................................................................................................... 22 Continual improvement ................................................................................................................................... 23

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

Bibliography ..................................................................................................................................................................... 24

© ISO 2012 – All rights reserved

iii

ISO 22301:2012(E)

Foreword

Societal security.

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

iv

© ISO 2012 – All rights reserved

ISO 22301:2012(E)

0 Introduction 0.1 General

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---



0.2 The Plan-Do-Check-Act (PDCA) model

management systems management systems

© ISO 2012 – All rights reserved

Quality Environmental management systems Information security Information technology — Service management

v

ISO 22301:2012(E)

Continual improvement of business continuity management system (BCMS)

Establish (Plan)

Interested parties

Interested parties

Maintain and improve (Act) Requirements for business continuity

Implement and operate (Do)

Monitor and review (Check)

Managed business continuity

Figure 1 — PDCA model applied to BCMS processes Table 1 — Explanation of PDCA model Plan

Do procedures. Check

Act

0.3 Components of PDCA in this International Standard cover the following components.

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

vi

© ISO 2012 – All rights reserved

ISO 22301:2012(E)

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

© ISO 2012 – All rights reserved

vii

--`````,`,,`````````,`,```,

INTERNATIONAL STANDARD

ISO 22301:2012(E)

Societal security — Business continuity management systems — Requirements 1 Scope

2 Normative references -

3.1 activity

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

© ISO 2012 – All rights reserved

1

ISO 22301:2012(E)

3.2 audit

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

3.3 business continuity following disruptive incident [SOURCE: ISO 22300] 3.4 business continuity management

3.5 business continuity management system BCMS

3.6 business continuity plan

3.7 business continuity programme

3.8 business impact analysis [SOURCE: ISO 22300] 3.9 competence 3.10 conformity [SOURCE: ISO 22300]

2

© ISO 2012 – All rights reserved

ISO 22301:2012(E)

3.11 continual improvement [SOURCE: ISO 22300] 3.12 correction [SOURCE: ISO 22300]

[SOURCE: ISO 22300] 3.14 document

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

3.13 corrective action

3.15 documented information

3.16 effectiveness [SOURCE: ISO 22300] 3.17 event

© ISO 2012 – All rights reserved

3

ISO 22301:2012(E)

3.18 exercise

[SOURCE: ISO 22300] 3.19 incident [SOURCE: ISO 22300] 3.20 infrastructure 3.21 interested party stakeholder

3.22 internal audit

3.23 invocation

3.24 management system

4

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

© ISO 2012 – All rights reserved

ISO 22301:2012(E)

3.25 maximum acceptable outage MAO

3.26 maximum tolerable period of disruption MTPD

3.27 measurement 3.28 minimum business continuity objective MBCO

3.29 monitoring

3.30 mutual aid agreement [SOURCE: ISO 22300] 3.31 nonconformity [SOURCE: ISO 22300] 3.32 objective

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

© ISO 2012 – All rights reserved

5

ISO 22301:2012(E)

3.33 organization

3.34 outsource (verb)

process is within the scope.

3.35 performance

3.36 performance evaluation 3.37 personnel

3.38 policy

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

3.39 procedure 3.40 process 3.41 products and services

3.42 prioritized activities

[SOURCE: ISO 22300]

6

© ISO 2012 – All rights reserved

ISO 22301:2012(E)

3.43 record 3.44 recovery point objective RPO

3.45 recovery time objective RTO

resources must be recovered

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---



3.46 requirement

3.47 resources

3.48 risk

© ISO 2012 – All rights reserved

7

ISO 22301:2012(E)

3.49 risk appetite 3.50 risk assessment

3.51 risk management

3.52 testing

[SOURCE: ISO 22300] 3.53 top management

3.54

3.55 work environment set of conditions under which work is performed

[SOURCE: ISO 22300]

4 Context of the organization 4.1

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`-

8

Understanding of the organization and its context

© ISO 2012 – All rights reserved

ISO 22301:2012(E)

4.2

Understanding the needs and expectations of interested parties

4.2.1

General

4.2.2

Legal and regulatory requirements

4.3 4.3.1

Determining the scope of the business continuity management system General

© ISO 2012 – All rights reserved

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

9

ISO 22301:2012(E)

4.3.2

4.4

Scope of the BCMS

Business continuity management system

5 Leadership Leadership and commitment

5.2

Management commitment

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

5.1

10

© ISO 2012 – All rights reserved

5.3

Policy

5.4

Organizational roles, responsibilities and authorities

© ISO 2012 – All rights reserved

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 22301:2012(E)

11

ISO 22301:2012(E)

6 Planning 6.1

b)

6.2

Actions to address risks and opportunities

how to

Business continuity objectives and plans to achieve them

7 Support 7.1

12

Resources

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

© ISO 2012 – All rights reserved

ISO 22301:2012(E)

7.2

Competence

7.3

Awareness

d)

7.4

their own role during disruptive incidents.

Communication

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

© ISO 2012 – All rights reserved

13

ISO 22301:2012(E)

7.5

Documented information

7.5.1



General

the competence of persons.

7.5.2

Creating and updating

7.5.3

Control of documented information

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

14

© ISO 2012 – All rights reserved

ISO 22301:2012(E)

8 Operation 8.1

Operational planning and control

8.2

Business impact analysis and risk assessment

8.2.1

General

order in which these will be conducted.

8.2.2

Business impact analysis

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

© ISO 2012 – All rights reserved

15

ISO 22301:2012(E)

8.2.3

Risk assessment

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

8.3

Business continuity strategy

8.3.1

Determination and selection

8.3.2

Establishing resource requirements

16

© ISO 2012 – All rights reserved

ISO 22301:2012(E)

8.4

Protection and mitigation

Establish and implement business continuity procedures

8.4.1

General

8.4.2

Incident response structure

© ISO 2012 – All rights reserved

17

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

8.3.3

ISO 22301:2012(E)

Warning and communication

8.4.4

Business continuity plans

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

8.4.3

18

© ISO 2012 – All rights reserved

ISO 22301:2012(E)

8.5

Recovery

Exercising and testing

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

8.4.5

9 Performance evaluation 9.1 9.1.1

Monitoring, measurement, analysis and evaluation General

© ISO 2012 – All rights reserved

19

ISO 22301:2012(E)

Evaluation of business continuity procedures

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

9.1.2

9.2

20

Internal audit

© ISO 2012 – All rights reserved

ISO 22301:2012(E)

9.3

Management review

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

© ISO 2012 – All rights reserved

21

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 22301:2012(E)

10 Improvement 10.1 Nonconformity and corrective action

22

© ISO 2012 – All rights reserved

ISO 22301:2012(E)

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

10.2 Continual improvement

© ISO 2012 – All rights reserved

23

ISO 22301:2012(E)

Bibliography Quality management systems — Requirements Environmental management systems — Requirements with guidance for use Guidelines for auditing management systems Information Technology — Service Management Societal security — Terminology Societal security — Guideline for incident preparedness and operational continuity management Information technology — Security techniques — Guidelines for Information and communications technology disaster recovery services Information Security Management Systems Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity Risk Management — Principles and Guidelines Risk management — Risk assessment techniques Risk management — Vocabulary Business continuity management — Code of practice

Security and continuity management systems — Requirements and guidance for use Standard on disaster/emergency management and business continuity programs [17]

Business Continuity Plan Drafting Guideline Business Continuity Guideline Organizational Resilience: Security, Preparedness, and Continuity Managements Systems – Requirements with Guidance for Use Singapore Standard for Business Continuity Management

[20]

24

Business Continuity Management Systems: Requirements with Guidance for Use

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

© ISO 2012 – All rights reserved

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 22301:2012(E)

ICS 03.100.01 --`````,`,,`````````,`,```,,,-`-`,

© ISO 2012 – All rights reserved

View more...

Comments

Copyright ©2017 KUPDF Inc.
SUPPORT KUPDF