Compliance Program Definition ISO 22301
Janco's Disaster Recovery Business Continuity Template is the best choice for a framework to meet objectives
ISO 22301, the first international standard for Business Continuity Management (BCM), was developed to help organizations minimize the risk of disruptions to their operations. ISO 22301, “Societal security - Business continuity management systems - Requirements”, is the new international standard for Disaster Recovery and Business Continuity Management Systems. This standard replaced BS 25999.
ISO 22301 defines requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to prepare for, respond to and recover from disruptive events when they arise. The requirements specified in ISO 22301 are generic and intended to be applicable to all organizations (or parts thereof), regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity.
The structure of the ISO Guide for ISO 22301 is organized into the following main areas:
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
Context of the organization
During an audit the organization needs to determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the expected outcomes of its Disaster Recovery/Business Continuity Plan including defining:
- The organization's activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to an incident
- Links between the business continuity policy and the organization's objectives and other policies, including its overall risk management strategy
- The level of risk the organization can assume
- The needs and expectations of relevant interested parties
- Legal, regulatory and other requirements to which the organization subscribes
Leadership
Top management needs to show an ongoing commitment to the Disaster Recovery/Business Continuity Processes. Through its leadership and actions, management can create an environment in which different actors are fully involved and in which the management system can operate effectively in synergy with the objectives of the organization. Leadership responsibilities include:
- Ensuring the DR/BC process is compatible with the strategic direction of the organization
- Integrating the DR/BC Process requirements into the organization's business processes
- Providing the necessary resources for the DR/BC Process
- Communicating the importance of effective disaster recovery and business continuity management
- Ensuring that the DR/BC Process achieves its expected outcomes
- Directing and supporting continual improvement
- Establishing and communicating a disaster recovery and business continuity policy
- Ensuring that DR/BC Process objectives and plans are established
- Ensuring that the responsibilities and authorities for relevant roles are assigned
Planning
This is the process whereby an organization shows that it has defined strategic objectives and guiding principles for the DR/BC Process as a whole. The objectives of a DR/BC Process are the expression of the intent of the organization to treat the risks identified and/or to comply with organizational requirements. The planning objectives must:
- Be consistent with disaster recovery and business continuity policy
- Take into account the minimum level of products and services that is acceptable to the organization to achieve its objectives
- Be supported by metrics that are created and applied
- Take into account applicable requirements
- Be reviewed constantly and updated as appropriate
Support
The day-to-day management of an effective business continuity management system relies on using the appropriate resources for each task. These include competent staff with relevant (and demonstrable) training and supporting services, awareness and communication. This must be supported by properly managed documented information.
Operation
Both internal and external communications of the organization must be considered in this area, including the format, the content and the proper timing of such communications. This requirement includes:
- Business Impact Analysis (BIA): This activity enables an organization to identify the critical processes that support its key products and services, the interdependencies between processes and the resources required to operate the processes at a minimally-acceptable level.
- Risk assessment: ISO 22301 proposes to refer to the ISO 31000 standard to implement that process. The goal of this requirement is to establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyzes, and evaluates the risk of disruptive incidents to the organization.
- Disaster Recovery and Business continuity strategy: After requirements have been established through the BIA and the risk assessment, strategies can be developed to identify arrangements that will enable the organization to protect and recover critical activities based on organizational risk tolerance and within defined recovery time objectives. Experience and good practice clearly indicate that the early provision of an overall organizational BCM strategy will ensure BCM activities are aligned with and support the organization's overall business strategy. The strategy should be an integral component of an institution's corporate strategy.
- Business continuity procedures: The organization should document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident. The procedures have to:
  - Establish an appropriate internal and external communications protocol
  - Be specific regarding the immediate steps that are to be taken during a disruption
  - Be flexible to respond to unanticipated threats and changing internal and external conditions
  - Focus on the impact of events that could potentially disrupt operations, and be developed based on stated assumptions and an analysis of interdependencies
  - Be effective in minimizing consequences through implementation of appropriate mitigation strategies
- Exercising and testing: To ensure that disaster recovery and business continuity procedures are consistent with their objectives, an organization should test them regularly. Exercising and testing are the processes of validating business continuity plans and procedures to ensure the selected strategies are capable of providing response and recovery results within the timeframes agreed to by management.
Performance evaluation
Once the DR/BC Process is implemented, ISO 22301 requires permanent monitoring of the system as well as periodic reviews to improve its operation:
- Monitoring the extent to which the organization's business continuity policy, objectives and targets are met
- Measuring the performance of the processes, procedures and functions that protect its prioritized activities
- Monitoring compliance with this standard and the business continuity objectives
- Monitoring historical evidence of deficient DR/BC Process performance and conducting internal audits at planned intervals
- Evaluating the results of the performance evaluations with senior management
Improvement
Continual improvement can be defined as all the actions taken throughout the organization to increase the effectiveness (reaching objectives) and efficiency (an optimal cost/benefit ratio) of security processes and controls, bringing increased benefits to the organization and its stakeholders. An organization can continually improve the effectiveness of its management system through the use of the business continuity policy, objectives, audit results, analysis of monitored events, indicators, corrective and preventive actions and review. If you follow the work plan provided with the Template and complete all of the activities, you will be able to pass an ISO 22301 audit. The options to acquire the template include:
Disaster Recovery Business Continuity Template (WORD) - comes with the latest electronic forms and is fully compliant with all mandated US, EU, and ISO requirements.
- Fully editable Disaster Recovery Business Continuity template
- Disaster Recovery Business Continuity Audit Program - Compliant with ISO 27031, ISO 22301, and ISO 28000
- Disaster Recovery Manager Job Description
- Manager Disaster Recovery & Business Continuity Job Description
- Application Inventory and Business Impact Analysis Questionnaire
- Incident Communication Plan and Policy with BEST PRACTICES for
  - News Conferences
  - Media Relations
  - Social Network Checklist
- Included with the template are Electronic Forms which have been designed to lower the cost of maintaining the plan. Electronic Forms that can be e-mailed, completed via a computer or tablet, and stored electronically include:
  - LAN Inventory, Location Contact Numbers, Off-Site Inventory, Personnel Locations, Plan Distribution, Remote Location Contact Information, Server Registration, Team Call List, and Vendor Contact Information
  - Added Bonus - Safety Program Electronic Forms: Area Safety Inspection, Employee Job Hazard Analysis, First Report of Injury, Inspection Checklist - Alternative Locations, Inspection Checklist - Office Locations, New Employee Safety Checklist, Safety Program Contact List, and Training Record
- Disaster Recovery Business Continuity Template
- 20 Job Descriptions (WORD)
Chief Information Officer - CIO, Chief Security Officer - CSO, Chief Compliance Officer - CCO, Chief Mobility Officer, VP Strategy and Architecture, Director Disaster Recovery and Business Continuity, Director e-Commerce, Director Media Communications, Manager Disaster Recovery, Manager Disaster Recovery and Business Continuity, Disaster Recovery Coordinator, Disaster Recovery - Special Projects Supervisor, Manager Database, Capacity Planning Supervisor, Manager Media Library Support, Manager Record Administrator, Manager Site Management, and Pandemic Coordinator
- Disaster Recovery Business Continuity Template - Full template with all of its attachments.
- 288 IT Job Descriptions including all of the job descriptions contained in the Premium edition.
With this offer you save almost 50% from the base price of these two very popular products.
- Disaster Recovery Business Continuity Template - Standard Edition
- Security Manual Template - Standard Edition
- 25 Job Descriptions
- CIO; CCO; CSO; VP Strategy and Architecture; Director e-Commerce; Database Administrator; Data Security Administrator; Manager Data Security; Manager Database; Manager Disaster Recovery; Manager Disaster Recovery and Business Continuity; Pandemic Coordinator; Manager Facilities and Equipment; Manager Media Library Support; Manager Network and Computing Services; Manager Network Services; Manager Site Management; Manager Training and Documentation; Manager Voice and Data Communication; Manager Wireless Systems; Capacity Planning Supervisor; Disaster Recovery Coordinator; Disaster Recovery - Special Projects Supervisor; Network Security Analyst; System Administrator - Unix; System Administrator - Windows
- Disaster Recovery Business Continuity Template - Standard Edition
- Security Manual Template - Standard Edition
- 288 Job Descriptions which includes all of the job descriptions in the premium edition
"Best of Breed - Best Practices Disaster Recovery Planning / Business Continuity Planning, Security Policies, IT Job Descriptions" according to the IT Productivity Center