Background

ISO 22301 – 2012 provides the detailed specification for Business Continuity Management System (BCMS) certification.

The detailed list of ISO 22301 – 2012 requirements is available here – http://www.coralesecure.com/pg/47/iso-22301-2012-standard.html

Business Context

This is the case of a payment card processor in Mauritius, responsible for a card application and its associated availability infrastructure. Availability of the network is extremely crucial, with very low tolerance for downtime. Downtime involves losing revenue and paying customer penalties.

Coral Methodology

We divided the assignment into the following key phases.

Phase 1 – Business Impact Analysis and Risk Assessment

Phase 2 – Business Continuity Strategy

Phase 3 – Business Continuity Plan documentation

Phase 4 – Testing and Exercising of documented plans

Phase 5 – Internal Audit

Phase 6 – Certification Body Audits

Listed below are unique highlights about each of the phases.

Phase 1 – Business Impact Analysis and Risk Assessment

First we started by understanding the business and the impact of a disruption on it. We also assessed the volume of transactions that would be lost for each minute or hour of outage, including the revenue and commercial loss as well as the penalties payable to the customer banks to whom the service was provided.

  • Customer and legal obligations
  • Service identification – services whose unavailability will result in revenue loss
  • Dependency factors for site, technology, people and vendors
  • Single points of failure in each aspect of operations
  • Gap analysis against the 91 individual detailed requirements of ISO 22301 – 2012

Phase 2 – Business Continuity Strategy

As a result of phase 1, we were able to advise the organisation on finalization of the following figures:

  • Maximum tolerable period of disruption (MTPOD)
  • Recovery Time Objectives (RTO)
  • Recovery Point Objective (RPO) or the amount of data loss that is acceptable
  • Minimum Business Continuity Objectives (Layer 1 requirement)
  • Strategy for return to normalcy (Layer 2 requirement)

Phase 3 – Business Continuity Plan Documentation

In the context of the strategy, we helped the organisation define their business continuity plans. We documented each requirement of the ISO 22301 – 2012 standard on one hand, and ownership of the plans on the other.

  • Crisis Management Team, business continuity roles, and plan-wise assessment and restoration teams
  • Individual business continuity plans for each area of business
  • Training – awareness sessions for the leadership teams
  • Management sign-off on multiple policies and procedures

Phase 4 – Exercising and Testing

This is the meat of the business continuity plan. Irrespective of how good your documented plan is, your business continuity plans are only as good as they are tested. So we laid great emphasis on involving each individual, each member of top management and each piece of infrastructure that needs to be restored, as part of the exercises.

Phase 5 – Internal Audit

An independent team was created that combined Coral consultants and the internal team entrusted with auditing the BCMS. This resulted in the following documented processes/outputs.

  • Internal Audit Process
  • Awareness Check of Personnel
  • Compliance rating for each individual requirement, covering the 91 identified requirements from clause 4 to clause 10.2 of ISO 20000 – 2011.

Crisis Management Team and management review – The process concluded with the management attending a formal crisis management exercise, where each plan owner participated and presented their area of recovery in short slots.

Phase 6 – Certification Body Audits

Finally the certification body arrived, to perform the two stages of audit:

Stage 1 – Documentation Audit – In this stage they verified all the documentary requirements of the standard. As we had documented and checked compliance against each of the 91 detailed requirements, the auditor found compliance in all areas, with a few suggestions for improvement.

Stage 2 – Implementation Audit – In this stage the audit was more rigorous and involved checking the awareness of personnel of their individual plans, in relation to the RTO set for their recovery processes.

Finally, the company was recommended for ISO 22301 – 2012 certification.

Final benefits

The organisation has embedded business continuity in its organisational culture, so whenever there are changes that affect their infrastructure, they update their business continuity plan. They also have an annual plan under which they regularly test their plans by playing different test scenarios against their documented plans.

For a detailed analysis of how Coral can help you align your organisation to ISO 22301 – 2012, please write to us at roadmap@www.coralesecure.com.

Author: Probal C