Presented by Ramesh Ramani (LRQA) AGENDA Introduction-BCMS and ISMS International Standards, UAE Regulations (NCEMA, ADSIC, NESA, ISR, GDPR). Dubai Data Law PDCA Cycle Common Factors-BCMS and ISMS Organisational Considerations Joint Project Management Where this will work? Where this will not work Q&A

1. Continuity and Resilience (CORE)
ISO 22301 BCM Consulting Firm
Presentations by speakers at the
8th ME Business & IT Resilience Summit
March 10, 2019 at The Address Hotel, Duabi Mall, Dubai, UAE
Our Contact Details:
UAE INDIA
Continuity and Resilience
Website: www.coreconsulting.ae
Tel: +971 2 6594006
PO Box: 25722, Abu Dhabi, United Arab Emirates
Email: info@continuityandresilience.com
Continuity and Resilience
Tel: +91 11 41055534 | Direct: +91 11 6467 9380
Email: info@continuityandresilience.com
Website: www.coreconsulting.ae
Level 15, Eros Corporate Towers, Nehru Place, New Delhi
– 110019, India

2. Business
Continuity and
Information
Security- An
Excellent Fit!
Ramesh Ramani

3. Agenda
• Introduction-BCMS and ISMS
• International Standards, UAE Regulations (NCEMA, ADSIC, NESA, ISR, GDPR). Dubai Data Law
• PDCA Cycle
• Common Factors-BCMS and ISMS
• Organisational Considerations
• Joint Project Management
• Where this will work?
• Where this will not work
• Q&A

4. Standards, Regulations
• ISO 27001:2013-Information Security
• ISO 22301:2012-Business Continuity
• UAE Regulations
✓ NCEMA 7001:2015 (National Emergency Crisis and Disasters Management Authority)
✓ ADSIC –(Abu Dhabi Systems and Information Centre)
✓ NESA Standards (National Electronic Security Authority)
✓ ISR (Information Security Regulation)
✓ Regulating Data Dissemination and Exchange (Dubai Data Law)
✓ ADSIC- (ABU DHABI GOVERNMENT DATA MANAGEMENT STANDARDS)

5. PDCA Cycle
Business Continuity
(ISO 22301)
Information Security
(ISO 27001)
Plan (Establish)
Gap Analysis, Information Risk
Assessment, BIA,Risk Mitigation
Plan
Gap Analysis, Information Risk
Assessment, Risk Mitigation Plan
Do (Implement)
Implementing BCM response,
Risk Mitigation
Risk Mitigation
Check (Monitor)
Internal Audit/Management
reviews
Internal Audit/Management
reviews
Act (Improve)
Exercising and maintaining BC
Arrangements and embedding
BC culture
Continual Improvement
Program Management Program Management Program Management
PDCA Cycle

6. Organisational Considerations
• Risk Management
• ISO 31000
• Risk management in your organization
• Cl 4 of 27001 and 22301
• ERM and Relation with Other Functions
• International best practices-Risk management
• RA Methodology-Specific to ADSIC/NESA
Start
With

7. Organisational Considerations
• Scope of ISMS/BCMS
• Scope Document (Common)
• Exclusions
• Scope Statement
• ISR/NESA-Scope Requirements
• Cl 4 of 27001/22301
Finish
With

8. Organisational Considerations
BCMS/ISMS-Objectives-Next Step
• Measurable-Measured
• Monitorable-Monitored
• Balance Score Card
• COBIT

9. BCMS Common Factors - Framework
Testing DRP/BCP
Establishment of DR site
Drawing of RFP for DR site
Disaster Recovery Strategy Plan
Drawing of IT Continuity Plan
Business Continuity Plan
RTO / RPO / Max Outage
Business Impact Analysis
Risk Assessment (Critical Assets) Vulnerability
Value
Threat
ISO 22301
ISO 27031
Existing setup /
Redundancy / New
Technologies

10. ISMS Common Factors - Framework
Plan Risk Assessment
Risk Mitigation Plan
Vulnerability
Threat
People
Processes.
Procedures
Technical
Asset Value
Do Risk Mitigation Products, Processes or People Controls
Audit Internal AuditCheck
Continual Improvement Closing of Audit Gaps/Raising the BarAct
Continue with PDCA Cycle-ISO 27001 Certification

11. Joint Project Management - Plan
Lloyd's Register 11
PLAN
PLAN
BC & IS

12. Joint Project Management - Plan
Lloyd's Register 12
PLAN
PLAN
BC & IS

13. Joint Project Management - Do
Lloyd's Register 13
DO
DO
BC & IS

14. Joint Project Management - Check
Lloyd's Register 14
BC & IS
Check
Check
BC (Availability) IS (CIA) Activity
Internal Audit, Management Review, BC
Tests/DR Tests
Internal Audit, Management Review,
BC
Internal Audit, Management Review,
BC Tests/DR Tests (Common)

15. Joint Project Management - Act
Lloyd's Register 15
ACT
ACT
BC & IS

16. Lloyd's Register 16
Aim-Provide initial
planning and
preparation for the
assignment.
1.Scope and
Service
Acceptance
Document C
2.ISMS/BCMS
Scope definition
3.BC/IS Policy
Statement C
4.BCM/Information
Security Steering
Committee Charter
C
Aim to collect all
relevant data
pertaining to the
scope
- develop BIA/Risk
Assessment
methodology
- perform asset
enumeration/valuat
ion
1.BIA/Risk
Assessment
Methodology
2.Information Asset
Valuation/Critical
Asset Valuation-
C,I,A-C
3.Critical/
information assets
register-C
Aim-Perform BIA/
Risk Assessment
on the identified
critical/Informatio
n assets and
develop BCP/Risk
Treatment Plan.
Develop
mandatory
policies and
controls
1.Vulnerability
Assessment-C
2.Threat
Assessment-C
3.Risk
Assessment
Report (IS)
4.BIA (RTO/RPO)
5.BCP/DRP
6.Risk Mitigation &
Treatment Plan C
7.Statement of
Applicability (ISO
27001)
8.BCP/DR Policies
and Procedures C
Aim-Implement
BCP/Risk
Mitigation
Controls based
on the
BCP/control
implementation
road map
1.Implement
controls
identified
2.People
(Training/Duties)
C
3.Implementing
products C?
4.Implementing
Processes
Aim
- To Test the
BCP/DRP
-To audit the ISMS
Prepare for ISO
27001/22301
Certification
1.BC/DR Test
Results
2.ISO 27001 Audit
Reports
Aim-Continual
Improvement of
BCMS/ISMS
Certification
against ISO
22301/ISO 27001
Initial Plan
Acquire/
Analyze Data
Develop
BCMS/ISMS
Implement
BCMS/ISMS
Test
BCM/S/ISMS
Continual
Improvement

17. Where this WILL work?
Software
Industry
BPO / ITESGovernment Organizations
Banking and
Financial Services
Oil Industry

18. What Do Auditors Look for?
✓ Scope of Certification/BCMS
✓ BCMS Objectives
✓ RA and BIA
✓ BCP Strategy/BCP
✓ DR ( IT) and BCP Coordination
✓ PDCA Cycle
✓ Documentation Requirements
✓ BC Testing Evidences
✓ Senior Management Commitments-Evidences

19. Our Information Security & Business Continuity Assessment and Training Services
Lloyd's Register 19
Our range of online and face-to-face assessment services is suitable for organisations of all sizes and locations, and can help you
make the most of the standards.
TrainingCertifications
Integrated
management
system
assessment
Gap Analysis
Surveillance

20. Certification journey
Lloyd's Register 20
Stage 1 Stage 2 Themed
surveillance
Focused
visits
Renewal
Risk-based
methodology
Our experts tailor the assessment
according to the maturity of your
systems to ensure they are
appropriate to the real risks you
face.
Reporting
Our aim is to leave a report with
you at the end of your visit, or as
soon as possible afterwards. Rapid
feedback is important, because
once a risk has been identified, it
needs to be addressed promptly
Non-conformity
Taking notice of the non-
conformities can help prevent
costly mistakes and even legal
action by the regulators.
Improvement log
Details your progress and the
effective implementation of the
improvements. A mechanism for
tracking the progress of strategic
improvements around the key
issues.
SurveillanceInitial assessment Certificate

21. Thank You
W: LRQAMEA.COM
T: +971 (4) 701 4150
E: LRQA-MEA@LR.org
Lloyd's Register 21

22. Lloyd's Register 22
Continuity and Resilience (CORE)
ISO 22301 BCM Consulting Firm
Presentations by speakers at the
8th ME Business & IT Resilience Summit
March 10, 2019 at The Address Hotel, Duabi Mall, Dubai, UAE
Our Contact Details:
UAE INDIA
Continuity and Resilience
Website: www.coreconsulting.ae
Tel: +971 2 6594006
PO Box: 25722, Abu Dhabi, United Arab Emirates
Email: info@continuityandresilience.com
Continuity and Resilience
Tel: +91 11 41055534 | Direct: +91 11 6467 9380
Email: info@continuityandresilience.com
Website: www.coreconsulting.ae
Level 15, Eros Corporate Towers, Nehru Place, New Delhi
– 110019, India