Luigi BRUSAMOLINO CISM, CRISC – Managing Director Southern Europe BSI

1. Societal Security – the new standard ISO 22301 for
Business Continuity Management
Luigi Brusamolino, Managing Director Southern EMEA - BSI
Copyright © 2012 BSI. All rights reserved.

2. Who is BSI? – 10 fast facts
No owners/
Global independent
Founded in business services
shareholders …
all profit
1901 organization reinvested into the
business
Standards,
assessment, testing, National #1 certification >2,500 staff
certification, training, Standards body in the UK and >50% non-
software
Body in the UK and USA UK
53 offices 64,000 clients £244.9m
located around in 147 revenue in
the world countries 2011
Copyright © 2012 BSI. All rights reserved. 2

3. What is business continuity?
• “Business continuity is the capability of an organization to
continue delivery of products or services at acceptable
predefined levels following disruptive incident.” (ISO
22301 – Societal security – Terminology)
Copyright © 2012 BSI. All rights reserved. 3

4. Examples of disruptions
• Extreme weather conditions
• Loss of IT/Cyber Security
• Loss of people
• Supply chain disruption
• Transport Disruption
• Loss of access to site
The dependency on offshore outsourcing, the use of just-in-time sourcing, and
the reliance on global supply chains make businesses highly vulnerable.
Copyright © 2012 BSI. All rights reserved. 4

5. Organisations which are at risk
• 72% of companies surveyed had experienced at least one disruption to their
supply chain.
• 83% had experienced disruption over all.
Copyright © 2012 BSI. All rights reserved. 5

6. 6
Are organisations ready for the next crisis?
83% AGREE BCM is important/very important yet…*
• 61% of CEO’s surveyed say they have BCM plans in place
• 50% of organizations with BCM report that it includes plans for handling the
media
• 45% of organizations with BCM do not require any supply chain partners to
have their own plans
• 50% of organizations with BCM exercise their plans once a year.
• Around 25% fail to exercise their plans on a regular basis.
* BSI/BCI/Cabinet Office survey 2012 with Chartered Management Institute (CMI)
Copyright © 2012 BSI. All rights reserved. 6

7. 2012 BCM survey – key findings
• The business case for BCM – 81 per cent of managers whose
organisations activated their Business Continuity Management (BCM)
arrangements in the last 12 months agree that it effectively reduced disruption.
The same number agree that the benefits outweighed the cost.
• Adoption of BCM – Overall 61 per cent of managers report that their
organisation has BCM in place, up from 58 per cent last year and 49 per cent in
2010.
Copyright © 2012 BSI. All rights reserved. 7

8. 2012 BCM survey – key findings
• Drivers – the three biggest external drivers of BCM were corporate
governance (42%), demand from existing or potential customers (37%) and
regulation (33%).
• Disruptive events of 2011 – four in ten were affected by the BlackBerry
outage in 2011, 55% of organisations by public sector strikes and 26% by the
summer riots*
• Disruptive weather – severe weather conditions caused disruption to 49% of
organisations over the last year.
*UK specific disruptive events of 2011
Copyright © 2012 BSI. All rights reserved. 8

9. 9
International development of BCM standard
PAS 56 BS 25999 ISO 22301
2003 2006 2012
• Started as a “PAS” (Publicly Available Specification) by BSI
• Became British Standard BS 25999 in 2006
• New ISO 22301 (16 May 2012)
Copyright © 2012 BSI. All rights reserved. 9

10. Introducing ISO 22301
• ISO 22301 Societal Security - Business
continuity management system - Requirements.
• Management system standard
• All core business continuity elements in BS
25999-2 are present in ISO 22301
Copyright © 2012 BSI. All rights reserved. 10

11. Societal Security – ISO 223xx family standard
The term Societal Security was first uded by Barry Buzan in the book People, States
and Fear: National Security Problems in International Relations (1991).
ISO defines Societal Security as the challenge an organization, group of organizations or
society may face before, during and after a disruptive event.
Societal Security ISO 223xx family standards integrates a range of interconnected
disciplines: asset protection, security, risk management, preparedness, crisis management,
emergy management, business continuity management , recovery management and
disaster management.
In order to assure sustainability of operations and maintain resilience, competitiveness and
performance, organizations must have an integrated framework and system to
manage risks.
Copyright © 2012 BSI. All rights reserved. 29/08/12 11

12. B2S – Business to Society paradigma
The term Societal Security and the importance of the
economic, political, social environment ini which an organization
operate, re-define the business priorities and focus from traditional
B2C, B2B models to a B2S (Business-to-Society) model in
which the importance of interested parties (supply chain,
governments, local authorities, citizens,..) is critical to the success
and sustainability of an organization.
Copyright © 2012 BSI. All rights reserved. 29/08/12 12

13. What is ISO 22301?
• Provides the requirements for a business continuity management system
(BCMS)
• Based on global BCM best practice
• Created in response to strong interest in the original British Standard BS 25999-
2 and other regional standards
• BS 25999-2 key source text in its development
• For those certified to or aligned with BS 25999-2, the additional requirements
are not onerous
Copyright © 2012 BSI. All rights reserved. 13

14. Societal Security and BCM?
• ISO 22301 now comes under a wider societal
security remit
• This acknowledges the important role that BCM
has to play in protecting society and ensuring our
ability to respond to incidents, emergencies and
disasters.
Copyright © 2012 BSI. All rights reserved. 14

15. Comparing ISO 22301 and BS 25999-2
Includes all core requirements
• The ‘Plan Do Check Act’ cycle atte
e
w dd
rra tt ieew aann
• Business continuity policy pee nndd eenn
oop aa em m r i
vvi r
ree ti toor k
• Business impact analysis mp
pl le
Mo
onn
h ec
Im D o M
• Risk assessment and risk treatments
I C
• Exercising
• Business continuity plans and strategy vee
shh oov
• Internal audit bbl li is r
ppr nndd ai nn
i
ttaa m
• Management review
s i im aa ntta c t
Es
E
l an aai
in A
• Non conformity and corrective action P MM
• Improvement actions
Copyright © 2012 BSI. All rights reserved. 15

16. Key changes and aspects
Notable shifts in emphasis from BS 25999-2:2007:
• First standard written in accordance with Guide 83
• Change in the way an organization is defined (extended enterprise)
• Clearer expectations on management
• Preventive action has been replaced with “actions to address risks and
opportunities” and features earlier
• ISO 22301 puts a much greater emphasis on setting the objectives, monitoring
performance and metrics – aligning BC to top management strategic thinking
Copyright © 2012 BSI. All rights reserved. 16

17. Key changes and aspects
• 22301 requires more careful planning for and preparing the resources needed
for ensuring business continuity
• Communication elements more demanding and there is a responsibility to the
wider community defined
• BIA similar but with some changes to terminology
• There is a stronger link to the organizations approach to risk (integrated risk-
management)
• To reflect the societal security approach some new terminology has been
introduced, see ISO 22300
Copyright © 2012 BSI. All rights reserved. 17

18. BCM standard global adoption
Copyright © 2012 BSI. All rights reserved. 18

19. Multi-sector adoption
Copyright © 2012 BSI. All rights reserved. 19

20. Benefits of ISO 22301
• Allows organizations to benefit from global BCM
best practice, regardless of whether they are
planning to certify or not
• Provides a foundation and a common
vocabulary for BCM best practice and guidance
• Consensus standards like ISO 22301 represent
the input and recommendations of hundreds of
BC professionals and industry experts
• Saves you having to reinvent the wheel
Copyright © 2012 BSI. All rights reserved. 20

21. Benefits of certification
• Certification offers many advantages, including:
• It challenges your BCM programme and organization to reach a higher level of
maturity and preparedness
• Supply chain requirement
• Prequalification for tenders
• Provides a competitive advantage
• Signifies a base level of readiness and a commitment and seriousness about
BCM
Copyright © 2012 BSI. All rights reserved. 21

22. Questions?
Copyright © 2012 BSI. All rights reserved. 22

23. Contact us
Address: BSI
Via Fara, 35
Milano 20124
Telephone: +39 02 6679091
Email: Marketing.italy@bsigroup.com
Links: www.bsigroup.it
Copyright © 2012 BSI. All rights reserved. 23