Advancing the Profession Through Global Standards: ISO/TC 292 Dr. Wolfgang H. Mahr, M.Sc., BBA, FBCI, CISA governance & continuuuity gmbh CH-8408 Winterthur, Switzerland www.continuuuity.ch LinkedIn, XING, Twitter, YouTube wolfgang.mahr@continuuuity.ch
Contents
- Abstract
- Why Standards?
- Before ISO Standards
- Basic Principles of ISO
- How is ISO working?
- History, Composition and Deliverables of ISO/TC 292
- Business-Continuity-related Deliverables (WG2): ISO 22301:2012, ISO 22313:2012, ISO/TS 22317:2015, ISO/TS 22318:2015, ISO/DIS 22316, ISO/TS 17021-6:2014
- Work in Progress
- Conclusions
Abstract
ISO, the International Organization for Standardization, has through its Technical Committee 292 (formerly TC 223) developed a range of standards in the continuity and resilience fields. Developed by experts from dozens of countries and adopted by a solid majority of national standards associations, these standards advance the profession by providing practitioners, regulators, management and customers with valuable implementation and auditing tools. Find out about the deliverables provided by this Technical Committee and how they may support you.
Why Standards?
- Standards raise the level of competence of the parties involved
- Standards help to understand the involved parties' degree of preparation and maturity
- Standards support the training of key personnel
- Standards enable certification of organizations against publicly accepted criteria
- International standards enable global organizations to achieve compliance in a number of jurisdictions
- Management system standards enable continuous improvement
Before ISO standards
- Many countries had local standards (UK, US, Israel, Singapore, Australia, ...)
- Many countries had no standards (Switzerland, Germany, ...)
- International organizations faced uncertainties
- The British standard BS 25999 served as the de facto international standard
Basic principles of ISO
- Equal representation: one vote per country
- Voluntary membership: ISO has no authority to force adoption of its standards
- Business orientation: ISO only develops standards for which a market demand exists
- Consensus approach: seeking a broad consensus among the different stakeholders
- International cooperation: over 160 member countries plus liaison bodies
How is ISO working?
- ISO is a network of national standardization bodies from about 160 countries
- The final results of ISO developments are published as International Standards
- Over 20,000 standards have been published since 1947
- Standards are sold via www.iso.org or the national standards associations
- The table of contents of most standards can be viewed online
History of ISO/TC 292
Amalgamation of three technical committees:
- ISO/TC 223 Societal security (2001-2014)
- ISO/TC 247 Fraud countermeasures and controls (2009-2014)
- ISO/PC 284 Management system for quality of PSC (private security company) operations (2013-2014)
In June 2014 the Technical Management Board of ISO (TMB) decided to create a new ISO technical committee, ISO/TC 292, into which the three committees were merged.
More info: http://www.isotc292online.org/
Composition of ISO/TC 292
- WG 1 Terminology
- WG 2 Continuity and organizational resilience
- WG 3 Emergency management (no change)
- WG 4 Authenticity, integrity and trust for products and documents
- WG 5 Community resilience
- WG 6 Protective security
Deliverables of ISO/TC 292: General
- ISO 22300 Societal security – Terminology
- ISO/TR 22312 Societal security – Technological capabilities
Deliverables of ISO/TC 292: Business continuity management
- ISO 22301 Societal security – Business continuity management systems – Requirements
- ISO 22313 Societal security – Business continuity management systems – Guidance
- ISO/TS 22317 Societal security – Business continuity management systems – Guidelines for business impact analysis
- ISO/TS 22318 Societal security – Business continuity management systems – Guidelines for supply chain continuity
- ISO/IEC TS 17021-6 Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 6: Competence requirements for auditing and certification of business continuity management systems
Deliverables of ISO/TC 292: Emergency management
- ISO 22320 Societal security – Emergency management – Requirements for incident response
- ISO 22322 Societal security – Emergency management – Guidelines for public warning
- ISO 22324 Societal security – Emergency management – Guidelines for colour-coded alerts
- ISO/TR 22351 Societal security – Emergency management – Message structure for exchange of information
Deliverables of ISO/TC 292: Community resilience
- ISO 22315 Societal security – Mass evacuation – Guidelines for planning
- ISO 22397 Societal security – Guidelines for establishing partnering arrangements
- ISO 22398 Societal security – Guidelines for exercises
Deliverables of ISO/TC 292: Authenticity, integrity and trust for products and documents
- ISO 12931 Performance criteria for authentication solutions used to combat counterfeiting of material goods
- ISO 16678 Guidelines for interoperable object identification and related authentication systems to deter counterfeiting and illicit trade
Deliverables of ISO/TC 292: Protective security
- ISO 22311 Societal security – Video-surveillance – Export interoperability
- ISO 18788 Management system for private security operations – Requirements with guidance for use
- ISO 28000 Specification for security management systems for the supply chain
- ISO 28001 Security management systems for the supply chain – Best practices for implementing supply…
- ISO 28002 Security management systems for the supply chain – Development of resilience in the supply chain…
- ISO 28003 Security management systems for the supply chain – Requirements for bodies providing audit and certification…
- ISO 28004 Security management systems for the supply chain – Guidelines for the implementation of ISO 28000 (Parts 1-4)
Deliverables of ISO/TC 292 WG2 (Selection)
[Figure: WG2 deliverables mapped onto the business continuity lifecycle (lifecycle graphic: The Business Continuity Institute). Labels shown: 22301 (BCMS specification), 22313 (BCMS guidance), 22317 (BIA), 22318 (supply chain), 22316 (organizational resilience), 22300 (glossary), 17021 and 17021-6 (audit), emergency management, other TC 292 standards, and further BCMS specifications and BCMS guidance marked WIP.]
ISO 22301:2012 BCMS
- Published 2012, revision process under evaluation
- Terminology based on ISO 22300
- Management system for business continuity management, based on ISO's guidelines for management system standards
- Similar structure to ISO 9001, ISO 27001, etc.
- Certifiable standard: specification ("shall")
- Varying acceptance worldwide
- Non-mandatory except where prescribed by a jurisdiction
- Based on the Plan-Do-Check-Act cycle
ISO 22301:2012 BCMS – Contents
- Introduction
- Scope
- Normative references
- Terms and definitions
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
- Bibliography
ISO 22301:2012 BCMS – Plan-Do-Check-Act cycle
[Figure: the Plan-Do-Check-Act cycle as applied to the BCMS. Reference: ISO 22301:2012]
ISO 22313:2012
- Published 2012, revision process under evaluation
- Based on ISO 22300 and ISO 22301
- Identical structure to ISO 22301
- Non-certifiable standard: guidance ("should")
ISO/TS 22317 on BIA
- Published in September 2015
- Based on ISO 22301, ISO 22313 and ISO 22300
- Non-certifiable standard: guidance ("should")
- Focus on performing the BIA:
  - Project planning and management
  - Product and service prioritisation
  - Process prioritisation
  - Activity prioritisation
  - Analysis and consolidation
  - Top management endorsement of BIA results
- Annexes on terminology mapping and information collection methods
Challenges when doing a BIA
- Commitment
- Level of effort: the "right" effort
- Correctness and completeness: no excessive overlap, no white spots
ISO/TS 22318 on Supply Chain Continuity
- Published in 2015
- Based on ISO 22301, ISO 22300
- Non-certifiable standard: guidance ("should")
- Focus on supply chain continuity:
  - Why supply chain continuity is important
  - Analysis of the supply chain
  - SCCM strategies (Supply Chain Continuity Management)
  - Managing a disruption in the supply chain
  - Performance evaluation
ISO/TS 17021-6 Competence Requirements
- Published in 2014
- Based on ISO 22301 and ISO/IEC 17021
- Developed in cooperation with ISO CASCO (Conformity Assessment), www.iso.org/iso/casco
- Full title: Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 6: Competence requirements for auditing and certification of business continuity management systems
- Non-certifiable standard: guidance ("should")
- Focus on auditor competencies:
  - Generic competence requirements
  - Competence requirements for auditors and for personnel reviewing audit reports and making certification decisions
  - Conducting the application review to determine the team competence required, select the audit team members and determine the audit time
- Annex A: Knowledge for BCMS auditing and certification
ISO/DIS 22316 on Organizational Resilience
- To be published in 2016
- Based on ISO 22301, ISO 22300
- Non-certifiable standard: guidance ("should")
- Focus on organizational resilience:
  - Principles and approach
  - Attributes and activities for organizational resilience
  - Evaluating the organization's strategy for organizational resilience
- Annex A: Relevant vocabulary
- Annex B: Relevant management disciplines
Work In Progress
Within WG2, standards on:
- Human factors in business continuity (based on a UK standard)
- Business continuity strategy
- …
Conclusions
Standards…
- serve to promote good practices
- allow an assessment of a situation
- may serve as a base for certification
- serve to promote confidence in suppliers
- take some time to develop
- reflect the knowledge of a range of subject matter experts
- facilitate international operations and trade
- may serve as minimum requirements where prescribed by a regulator
Thank you