Updates from April, 2016

  • ISO 22301 Case Study – How Coral made a Card Processor Business Continuity Certified 

    Background

    ISO 22301 – 2012 provides the detailed specification for Business Continuity Management System (BCMS) certification.

    The detailed list of ISO 22301 – 2012 requirements is available here – http://www.coralesecure.com/pg/47/iso-22301-2012-standard.html

    Business Context

    This is the case of a payment card processor in Mauritius, responsible for the card application and the infrastructure that keeps it available. Availability of the network is extremely crucial, with very low tolerance for downtime: every period of downtime means lost revenue and customer penalties.

    Coral Methodology

    We divided the assignment into the following key phases.

    Phase 1 – Business Impact Analysis and Risk Assessment

    Phase 2 – Business Continuity Strategy

    Phase 3 – Business Continuity Plan documentation

    Phase 4 – Testing and Exercising of documented plans

    Phase 5 – Internal Audit

    Phase 6 – Certification Body Audits

    Listed below are unique highlights about each of the phases.

    Phase 1 – Business Impact Analysis and Risk Assessment

    First we started by understanding the business and the impact of a disruption on it. We also assessed the volume of transactions that would be lost for each minute or hour of outage, including the revenue and commercial loss, besides the penalties payable to the customer banks to whom the service was provided.

    • Customer and legal obligations
    • Service identification – services whose unavailability will result in revenue loss
    • Dependency factors for site, technology, people and vendors
    • Single points of failure in each aspect of operations
    • Gap analysis against each of the 91 detailed requirements of ISO 22301 – 2012

    Phase 2 – Business Continuity Strategy

    As a result of phase 1, we were able to advise the organisation on finalising the following figures:

    • Maximum tolerable period of disruption (MTPOD)
    • Recovery Time Objectives (RTO)
    • Recovery Point Objective (RPO) or the amount of data loss that is acceptable
    • Minimum Business Continuity Objectives (MBCO) (Layer 1 requirement)
    • Strategy for return to normalcy (Layer 2 requirement)

    Phase 3 – Business Continuity Plan Documentation

    Within the context of the agreed strategy we helped the organisation define its business continuity plans. We documented each requirement of the ISO 22301 – 2012 standard on one hand, and the ownership of each plan on the other.

    • Crisis Management Team, business continuity roles, and plan-wise assessment and restoration teams
    • Individual business continuity plans for each area of the business
    • Training – awareness sessions for the leadership teams
    • Management sign-off on multiple policies and procedures

    Phase 4 – Exercising and Testing

    This is the meat of the business continuity plan. Irrespective of how good your documented plan is, your business continuity plans are only as good as they are tested. So we laid great emphasis on involving each individual, each member of top management and each piece of infrastructure that needs to be restored in the exercises.

    Phase 5 – Internal Audit

    An independent team was created, combining Coral consultants and the internal team, and entrusted with auditing the BCMS. This resulted in the following documented processes/outputs.

    • Internal Audit Process
    • Awareness Check of Personnel
    • Compliance rating for each of the 91 identified requirements, covering clause 4 to clause 10.2 of ISO 20000 – 2011

    Crisis Management Team and Management Review – The process concluded with management attending a formal crisis management exercise, in which each plan owner participated and presented their area of recovery in short slots.

    Phase 6 – Certification Body Audits

    Finally the certification body arrived to perform the two stages of audit:

    Stage 1 – Documentation Audit – In this stage they verified all the documentary requirements of the standard. As we had documented and checked compliance against each of the 91 detailed requirements, the auditor found compliance in all areas, with a few suggestions for improvement.

    Stage 2 – Implementation Audit – This phase was more rigorous and involved checking the awareness of personnel of their individual plans, in correlation with the RTO set for their recovery processes.

    Finally, the company was recommended for ISO 22301 – 2012 certification.

    Final benefits

    The organisation has embedded business continuity in its organisational culture, so whenever there are changes that affect its infrastructure, it updates its Business Continuity plan. It also has an annual plan under which it regularly tests its plans by playing different test scenarios against the documented plans.

    For a detailed analysis of how Coral can help you align your organisation to ISO 22301 – 2012, please write to us at roadmap@www.coralesecure.com.

     
  • Crisis Management Exercise – How to do it? 

    A crisis can come to any organisation in various shapes and sizes.

    Background work

    Every organisation needs a specialist to identify the applicable events and outages. The specialist can be internal or external. So first create your own list, drawing on historical events, industry peers and likely events. One can never make a complete list, but it is better to have ‘the most likely’ ones in place and prepare the organisation for them.

    The next step is to nominate the personnel who will be responsible for managing the crisis. Call them ‘crisis managers’. The general rule for allocating responsibility is that external events that impact the organisation are faced by external-facing teams, and internal ones by internal support groups. Ideally it is the heads of departments who should be nominated.

    How to Prepare?

    Each head of department or ‘crisis manager’ should have a list of the crises he/she is entrusted with. Documented procedures/steps should be discussed and finalised with them before declaring him/her ready.

    3-layer approach

    A Crisis Management Exercise should be done at 3 layers:

    • Round 1 – Within team members responsible for a specific crisis
    • Round 2 – With other ‘crisis managers’
    • Round 3 – General Staff – for awareness

    Round 1 – Crisis Management – Table Top Exercise for Specific Crisis

    The audience here is those who are responsible and ‘in the front’ to face the crisis, taking steps to minimise, mitigate, manage and communicate. So involve everyone connected with that crisis. Ensure everyone has understood their own individual role at the time of the crisis.

    Round 2 – Crisis Management – Table Top Exercise with other ‘crisis managers’

    Once round 1 is complete, on a given day each ‘crisis manager’ should speak about the crisis and how he/she plans to manage the risk to an audience of the other ‘crisis managers’. One by one, each should explain their own ‘crisis’ and their ‘plans’. The members of the audience get to understand both the ‘crisis’ and ‘their readiness’.

    Take Feedback – It is good to have feedback from all staff present. For the crisis coordinators (CRO/BCP Manager) the feedback will help improve the processes and scale up exercises for the future.

    Round 3 – Crisis Management – General Staff

    Round 3 can take many forms, as generally it is not possible to gather everyone in one place. It can take the form of emails, posters and team-specific meetings, to name a few.

    Once the process is complete, you can add more ‘crises’ to your list and rehearse with the applicable teams, thereby ensuring that this is now ingrained in your organisational culture.

    Hope this helps!

     
  • Business Continuity tabletop exercise – who to involve? 

    The tabletop exercise involves each individual whose responsibility is defined and documented in your business continuity plan. The days you spent creating the plan will be completely wasted unless each role and individual named agrees to the content.

    Top Management – Even if you cannot get the CEO, involve someone from your core customer-facing team. This role will check whether the continuity plan fulfils customer or core operations after restoration.

    Business Continuity Manager – This role has complete oversight of how fast the enterprise needs to respond under each documented plan. Involving him/her ensures that the outcome of the business continuity plan is achieved in line with business objectives.

    Assuming you have plans to manage site outage, technology outage, vendor outage and people outage, involve both process and support teams in this exercise.

    Information Technology – Whether the strategy is hot site, warm site or cold site, individuals should acknowledge their ability to restore within the recovery point objective (RPO), in line with the recovery time objective (RTO).

    Human Resources – If your people outage plan involves cross-training or replacing existing employees to perform a specific task, then the heads of those teams should agree and acknowledge that the replacement employee will be able to do the desired work.

    Procurement – If your vendor outage strategy involves seeking an alternate service provider, the procurement team and the team whose services will be affected should agree and acknowledge the alternative plan.

    Physical Security – The physical security team should be able to acknowledge the availability of the alternate site and its readiness in case of a site outage, as defined in the plan.

    Crisis Management Team (CMT) – CMT members are the ones who invoke the continuity plans. They should understand each of the outage scenarios, the human element of a crisis, and the outage plans. They know that it takes time and resources to invoke these plans, and their role is to manage the human part of the process.

    Taking Feedback

    Ask the members attending the session – are you now more aware of business continuity, or of your own responsibility? If the answer is yes, half the battle is won. Organisationally, you are now prepared for the next maturity level of continuity, which can be a simulation test, a full-blown test, or a combination of the two.

    Documenting Results

    All participating teams should give formal feedback about the outcome of the test, and their feedback should be documented for improving your overall continuity plan.

    If your business continuity plan is still at version 1, it is perhaps because it has never been read and reviewed. It is highly unlikely that after a formal tabletop exercise it will remain at version 1.

    Hope it helps!

     
  • How to achieve Business Continuity ISO 22301 Implementation – ISO 22301 certification? 

    Business continuity (BC) is about bringing back your business after a crisis or disaster. BC is about managing ‘black swan’ events in your organisation – something you never expected. However, there is a scope, defined in terms of outages. You can chiefly plan against four outage scenarios, namely site outage, people or skill outage, technology outage and vendor outage. Can you think of anything else? Please write to me!

    Here are the key requirements that ISO 22301 demands in order to demonstrate a formal business continuity management system leading to successful certification.

    Step 1 – Business Impact Analysis (BIA) – BIA is the assessment of what is most important to your business and how long you can survive without it before losing revenue. If you are a bank, you may say your customers are unwilling to wait outside the ATM if they are not getting cash. Apply the same logic to your customers and ask them how long they can wait. You get two values from this analysis – your revenue generating services (RGS) and the maximum acceptable outage (MAO). Both of these will determine your business continuity plan (BCP). They answer ‘what to restore’ and ‘how fast’.

    Step 2 – Risk Assessment is the assessment of how prepared you are to ensure availability. It identifies your single points of failure in all four capabilities – namely site, people or skill, technology and vendor. It asks whether you are prepared or need a plan. The flaws identified are fed into the strategy.

    Step 3 – Business Continuity Strategy is your choice, based on budget, of what you wish to address. It is also the choice to make where a likely failure is imminent. For each outage scenario there are options. For example, for technology outage you have redundancy, cold site, warm site and hot site.

    Step 4 – BC Plans, including the incident management structure – who will invoke the plans, incident-wise plans and continuity plans based on outages – reflect the list of plans against each scenario, who will do what, and how fast you will recover. Documented plans reflect your organisation’s formal approach. No documentation = no certification = no formal ‘intent’.

    Step 5 – BC Testing of the above list of plans is the next and most crucial step. No testing = no BC. Testing approaches range from table-top exercises (least expensive) to switching off the mains (most expensive) – all options are available depending on the confidence you wish to have. Additionally, test whether your plans achieve the time defined in the MAO.

    Step 6 – Internal Audit – If you are seeking ISO 22301, also perform an internal audit against all requirements as well as compliance against the MAO objectives; this will ensure the auditors do not question your overall business continuity objectives.

    Step 7 – Communication and training are additional elements that ensure your ROI on BC. More people awareness equals a more aware ‘junta’, thereby ensuring the least opportunity for failure.

    Hope you liked the article

     
  • How to calculate your Business Continuity budget? 

    Premise: Business continuity is about the recovery of your business after a crisis, not before. Insurance does not recover the business; it recovers losses or existing investment.

    True recovery is your ability to continue your business as before. Put simply, your business should be able to generate the same sales as were planned before.

    So how to calculate your business continuity budget?

    We use this as a benchmark. See if this works for you.

    In order to do this, first assess your current insurance strategy.

    To make this simpler we take the case of an individual life insurance policy. If your life insured value is 1 crore (10 million) and your annual premium is 250,000, the percentage you pay is 2.5% per year.

    Note that this amount is for your family members to receive, typically after you are gone. It is not the price of ensuring your own continuity, which is your own life. Your life continues when you yourself can ensure your annual compensation.

    Today every business has a set of insurance policies. Get all the policies together. Add up the annual premiums and the annual insured values. Remember that these recover the losses, not your business. But the ratio of premium to insured value gives an indicator – a percentage.

    This percentage is your existing risk appetite. Apply this percentage to your sales. The resulting value is your business continuity budget.

    An example with numbers!

    Let’s say your combined percentage of premium to insured value is 2.5%. So if your sales turnover is 10 crores (100 million), then your business continuity budget must be 25,00,000 (2.5 million). Since you are already paying the insurance premium, deduct it from 2.5m, and what you get is the remaining budget for business continuity.

    You can do the annual calculation of business continuity at the end of the financial year, which will then set the target for the next year.

    Summary

    (1) Identify your insurance cost or insurance premium per year

    (2) Identify your insured value

    (3) Divide (1) by (2) and express the result as a percentage.

    (4) Apply the percentage to your sales turnover from the last financial year. You have the business continuity budget for the next year.

    (5) Deduct the existing annual premiums (1) from (4) – you get the balance value.

    We deduct (1) from (4) because (1) already represents a part of your risk management strategy.

    This balance is your pending budget for business continuity for this year.

    Hope this helps!

     
  • Primer for CEO – How Business Continuity Management Works? 

    Listed below are key steps for a comprehensive business continuity program.

    1. Identification of mission-critical activities that need a continuity plan. In order to assess the requirement for a BCP, one needs to understand the enterprise context. We divide an organisation into mission-critical teams/services: revenue generating services (RGS) for profit-making businesses, customer-facing services for non-profits, essential infrastructure services (EIS) such as power, utilities, IT and security, and delayed start services (DSS) – services that can wait during an emergency. This assessment helps you prioritise recovery: EIS first to recover, RGS second and DSS last.
    2. Maximum tolerable period of disruption (MTPOD) is a business term that determines the number of hours you are willing to be out of business. Different organisations/services have different degrees of tolerance. For a bank it can be negligible; for the service sector it can be a little more (indicative, not prescriptive). This term is important to agree on, as it determines the speed of the recovery strategies.
    3. Recovery time objective (RTO) – a measure of continuity planning. It answers questions such as ‘how fast do WE plan to recover?’. This is generally set at 75% of the MTPOD value.
    4. Minimum service levels (MSL) – determine the minimum service target post disaster. For organisations whose service delivery is customer-facing, the question can be ‘what minimum services are to be guaranteed as per the agreed SLA?’. As an organisation you may have 2 or more layers of recovery, starting with minimum recovery immediately and then scaling up.
    5. Continuity Planning – Don’t plan for events (e.g. fire); plan for outages (building not available). Chances are that you already have event-wise plans. Those plans are designed to prevent. Business continuity is planning for outages. They are broadly 4: site outage, people/skill outage, vendor outage and technology outage. (There can be more, but you get the point.) You need a plan for each. The assumption for planning is ‘all preventive controls have failed – now how do we restore?’
    6. Continuity Strategies – For each outage there are 2-3 options to choose from. People outage options include skill transfer, a suitable vendor, or increasing manpower. Vendor outage planning includes skill insourcing, an alternative vendor and/or increased capacity from the same vendor. Location outage options include work from home, work from an alternate location, or work from a reciprocal location. Technology outage options include warm, cold or hot site. Risk and budget drive your choice of options.
    7. Testing Strategies and Tests – Your testing depends on your continuity strategy. From table-top/document review to a full-blown main power switch-off, all options exist. Your test results should confirm recovery within RTO. Your BCP is as good (or as bad) as your testing success.
    8. Monitoring – Create a dashboard for monitoring. Dashboard items should include dynamic and static events. Dynamic events include the acquisition of a new customer that may challenge all your existing business continuity metrics. Static events include testing results and whether they match the designed RTO. Spend 30 minutes every month on the BCM dashboard and you have a great continuity plan in place.

    Hope this helps! Please share your feedback.

    Considering a business continuity plan? Call or write to us!

     
  • As the CEO – what assurance you need from business continuity program? 

    If you are the CEO, seek responses for the following questions.

    1. “What do customers pay us for?”

    The business continuity program should keep the cash registers rolling. It should not restore to a point less than this. If your business continuity program fails to ensure this, there is a serious lapse between your continuity strategy and your business objectives. This single-minded focus alone will drive the outcome of the business continuity strategy.

    2. “How many hours of business downtime are acceptable to our customers?” (Did your customer just say “None”?)

    Restoration of business within a specific time is key to a successful Business Continuity Management System (BCMS). This is done through a formal Business Impact Analysis (BIA). Get a BIA done. It will give you a quick answer to the question.

    3. “How much are we willing to pay to protect our revenue?”

    A business continuity program is not cheap, but then the value of restoration is also not cheap. No other alternative (such as insurance) restores continuity. Smart (read: less expensive) strategies, including increasing resilience in processes, working from home, alternate vendors/suppliers, and moving core technology infrastructure into the cloud, could all be part of the ‘saving cost’ strategy. So speak to your teams and ask whether they are adequately funded.

    4. “How prepared are we?”

    Documented plans are required for both events and outages. So you need a plan for each known event such as ‘fire’ (evacuation) as much as for each outage (such as building not available). The former is called a ‘threat-event’, the latter a ‘threat-impact’. The question you should ask is ‘which part of the restoration is not documented?’

    5. “How many tests have we performed?”

    No tests = no BCP. Your business continuity plan is as good, or as weak, as the number of tests performed. You may have the best documentation, but without tests no BCP exists. In fact, a smarter strategy for building a BCMS actually starts with a BCP test for top management, because that is where the ‘impact will be felt more’. Bring them into a conference room, give them a disaster scenario unfolding, and see how many different directions you get. Did you participate in any of them? Do you have visibility of the restoration process?

    6. “Does our business continuity manager know what changed in the business today?”

    You will be surprised – many continuity managers sit in one corner of the office with no knowledge of what changed in the business today. They will restore the business of yesterday, or maybe of a few months back, when they last knew what changed. So bring him/her into the fold of any major strategy decision where you consider that the new changes should be incorporated.

    Hope this helped!

     
  • Thinking of BCP? Start with Business Impact Analysis(BIA)! 

    Every organisation needs a business continuity plan. Very few go for a formal ISO 22301.

    How many times have you come across a statement like this – “we have a BCP but I am not sure whether it really covers every part of the business”? Well, if this is not an unfamiliar statement, the flaw lies in not having a good business impact analysis (BIA). BIA is a comprehensive exercise that brings every part of your business together to establish what really is urgent to recover in case of an outage.

    Most organisations build their BCMS around IT – it is a good investment, but it does not guarantee a full return on that investment. If you wish to get a good return on investment, consider Business Impact Analysis. You will be surprised that a good BIA can reduce your overall budget and save costs.

    Business Impact Analysis (BIA) is the analysis that identifies and prioritises an organization’s services (internal and external) that should be up and running in the event of a disaster. Combined with the maximum tolerable period of disruption (MTPOD), recovery time objective (RTO), recovery point objective (RPO) and minimum business continuity objectives (MBCO), it gives the CEO the ‘requirement’ for the Business Continuity Plan. Note that this is not an IT strategy; it is a business strategy first.

    Here are the key steps:

    Take a look at your organization structure (some call it an organogram) and identify the teams.

    For each team, identify whether it is a revenue generating service (RGS) and/or a supporting team. Easier said than done: you need a specific questionnaire that helps you identify this. One way to identify an RGS is to ask – does your discontinuity result in cash loss? If the answer is yes, the team is an RGS. All other teams are supporting services.

    Assess how long the RGS team can afford to be ‘completely out of work’ without loss – this gives the MTPOD value. A team which can afford to be out for 7 days cannot (in my experience) be an RGS.

    Assess how many resources – people, applications, information systems, internal support teams and external service providers – are needed to resume (not restore) operations. This will give you RTO, RPO and MBCO. Note that this is a temporary readiness; you also need a questionnaire for ‘how long can you remain in MBCO?’.

    Now classify the remaining teams/services as either essential infrastructure service (EIS) or delayed start service (DSS). An EIS is a service that needs to be restored before an RGS team comes into play, whereas a DSS team is the last to be restored. I don’t wish to name any team as an example here, as it is ‘unique in every organization’. Classifying a team such as Human Resources as DSS without knowing what they actually do would be a big mistake.

    Now you have a list for RGS, EIS and DSS in the organization.

    With this in place, you can now design a risk assessment questionnaire which reveals single points of failure (SPOF) on one side, and readiness for the different outage scenarios on the other.

    In order to identify single points of failure, you need to verify what within each listed service has no redundancy. This can be a role, network infrastructure, a physical location and/or an external service provider. What you derive is a list of weaknesses which, once addressed, makes your business inherently stronger and more resilient.

    To identify outage preparedness you then need to verify readiness. Site outage, people outage, network/IT infrastructure outage and external service provider outage are sample outages for which you need to check and verify readiness.

    This whole exercise can take anywhere between two weeks and two months, depending on the scale and complexity of your organization.

    The ISO 22301 BIA is then formally closed when you have the following in place:

    1. Organisation list of services – internal and external
    2. Classification of organisation services as RGS, EIS and DSS
    3. Inherent vulnerabilities in the business processes, such as single points of failure
    4. Readiness against each identified outage

    Each of the above points should be summarised and presented to management for further action. These inputs will help management decide the scope of business continuity. Your business continuity strategy can be ‘let’s prepare for site outage’ across the organisation. Such decisions are taken because you have a limited budget.

    Whether you are seeking ISO 22301 compliance or not for your Business Continuity Management System (BCMS), business impact analysis (BIA) is the foundation of the BCMS.

    Next time someone says “we have a BCP but I am not sure whether it really covers every part of the business”, you now know what went wrong.

    Hope this helps!

     
  • Risk Assessment – What is the ‘ideal’ approach? 

    The benefit of performing a risk assessment far outweighs its cost, and the impact that an organization may have to suffer if an incident takes place.

    Thanks to the implementation of international standards such as ISO 27001, ISO 31000, ISO 22301, ISO 20000, SSAE 16, COBIT, PCI-DSS, HIPAA and DPA (not exhaustive), there is more and more interest in understanding risk assessment methodologies and how they can benefit an organization’s business.

    The need for understanding the finer nuances is increasing but is far from the maturity levels demanded by any of the international standards. If you are certified to any of the management system standards, ask the auditors about the one common flaw they find in most organizations; they will surely respond “I wish they had a better risk assessment..”.

    What is going wrong with risk assessments today?

    The absence, or immaturity, of a formal risk assessment is contributed to by some of the following key factors:

    • International standards are sometimes confusing to the layman – if you search for the word ‘risk’ you will find several interpretations of the same keyword; ISO 31000 defines risk closer to a (positive) opportunity, whereas ISO 22301/ISO 27001/ISO 20000 reflect a negative interpretation of the word.
    • Lack of management interest in what it can do for them – Most management does not see it as a constructive activity; it is seen as tied to an event such as ISO 27001 (or any other) certification. Management says “get it somehow done, and we should be compliant..”. If implemented correctly, risk assessment can be part of each business activity, and it pays to be ‘risk-aware’.
    • Inability to correlate internal and external events with the risk assessment methodology – The owners of risk assessment, the people who perform it, are often at pains to relate internal and external events to their risk assessment. It is generally something that one person does, and only he knows how it is done. Ideally the response should be “we are all involved”.

    What can be done to ensure completeness?

    Consider the following key parameters (not exhaustive) for your risk assessment approach, to make it successful and beneficial to the business.

    Agree on terms and definitions: Risk is a function of asset, business impact, threat, vulnerability and probability. Define each of them, and explain how they combine in the risk valuation of the asset.

    Agree on rating methodology: Methodology includes valuation. Valuation can be quantitative as well as qualitative. When measuring, provide a range such as 1-4 or 1-10, 1 being lowest and 4 (or 10) being highest. The rating should be based on your organization’s valuation, not someone else’s. If you rate Availability as 4 for an asset, it needs to reflect that the asset’s unavailability can hinder continuity of the business; in other words, make it contextually relevant.

    Make it simple, provide guidance: Provide support suggesting how something is to be rated as 4 (Very High). An asset containing salary data may be rated as Very High, and that rating encompasses all forms of that asset and the teams handling it.

    Agree on context: Context is the scope of risk that you wish to address. Is it service risk, information risk or business risk? Since most risk assessments are driven by compliance objectives, define the context in terms of the assets/services/functions that need to be covered. Once you see the value, you can widen the context itself.

    Start from the top: Start with the CEO. We have found that the engagements we started with the CEO were much more successful. If the CEO is not involved, it is a sure-shot failure; I doubt it will see the light of day.

    Involve department heads (if not everybody) and make them ‘own’ it: Explain and involve the heads of departments/business process owners; they will appreciate it and help you evolve. Again, this is not just IT or security teams; it involves everyone. If you explain to a team such as R&D how risk assessment helps reduce the risk to the assets of R&D, they will surely participate.

    Consider trigger points for reassessment/change: Once you decide the context, also decide the trigger points for change. Change can be in methodology, rating, new assets, new threats, new weaknesses, or new events – internal and external – to name a few.

    Consider a target and period of measurement: Management is interested in numbers, we all know that. Define a risk target. Also apply this by showing how your risks improved over a given period of time. Note that the true objective is to reduce risk to an optimum level that supports the business.

    Consider the above as a guideline for your risk assessment process, and I am sure your risk assessment will improve manifold.

    Hope this helped, let me know your reactions!

     
  • ISO 22301 Lead Auditor Training coverage 

    Course Overview

    If you wish to become an auditor for business continuity, this is an essential curriculum. This five-day intensive course prepares delegates for the ISO 22301: 2012 qualification process and trains them to conduct audits for Certification Bodies. Whether you wish to become an implementer or internal auditor, join a certification body or join a consulting organization, you will be required to conduct a management system audit – which is what you learn in this course. It also equips you to give practical help and information to those who are working towards, and maintaining, compliance and certification requirements.

    Training Coverage – ISO 22301
    1. Introduction to ISO 22301 business continuity management systems and the process approach
    2. Components of PDCA in ISO 22301
    3. Scope of ISO 22301
    4. Normative references and terms & definitions applied to ISO 22301
    5. Context of the organization (Understanding the organization, Needs & expectations of interested parties, Legal requirements, risk appetite and Scope of BCMS)
    6. Leadership (Top management commitment, BC policy, roles, responsibilities and authorities)
    7. Planning (Risk and opportunities, BC objectives)
    8. Support (BCMS Resources, Competence, Awareness, Communication, Document controls)
    9. Operation (BIA, RA with Introduction to ISO 31000, BCM Strategy, BC procedures, Incident response structure, Warning & communication, BCP, Exercising & testing)
    10. Performance evaluation (BCM measurement & monitoring, Internal audit, Management reviews)
    11. Improvement (Nonconformity & corrective action, Continual improvement)
    12. Similarities and differences between ISO 22301 and BS 25999
    13. Audit Process and Planning
    14. Checklist
    15. Opening Meeting
    16. Audit techniques
    17. Raising Non-conformities
    18. Audit Reporting and Audit Follow Up Actions
    19. Closing Meeting
    20. Case study and exercises on various BCM elements and auditing practices for effective implementation

    Call or write to us at training@www.coralesecure.com to know more.