John Zeppos - BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard
1. BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard
John Zeppos
OTE Group Business Continuity Management Deputy Director
August 2012
2. How has Business Continuity Management Developed?
Timeline: 1970s – 1980s – 1990s – 2000s – Current situation
USA - Natural Disasters: US standard NFPA 1600 – a recommended approach for Disaster Management – based on Natural, Human or Technological disasters
UK - Irish Terrorist attacks resulted in the “Disaster-Recovery” approach in the UK to deal with the aftermath of an event
BCM professionals recognised the need to understand the Impact to the Business – hence BIA, Risk Assessment etc
Holistic approach intended to reduce risks and resulting impacts
Standards start to be developed:
o 2003/2004 PAS56 - UK - never developed into a full standard
o NFPA1600 USA – became programme based
BS25999 – Code of Practice & Specification (2006/7) – organisations able to be independently certified
o Management System approach aligned with existing Management Systems
o Lifecycle to ensure that the business is protected – not Disaster and then Recover
BS25999 formed the key input to the ISO22301
ISO22301 Standard May 2012
John Zeppos / BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard / 31.08.2012 @ Davos 2
3. (Timeline figure: 2003, 2006/2007, 2012)
4. BCMS Certification
Why should one decide to undertake certification?
BS25999 / ISO22301 is the most appropriate standard, containing both Continuity and Crisis Management
They are based on a Management System approach fully aligned with ISO9001 and ISO27001
They provide independent proof that one’s BCMS is fit for purpose
Senior Management gains confidence that the approach they are being asked to underwrite is appropriate
A certificate could significantly reduce Insurance costs
Certification Programme
Initial pre-assessment by qualified independent auditors (gap analysis)
Certification project internal kick-off meeting with all relevant functions
Stage 1 Assessment – finalise scope and agree timing
Stage 2 Assessment – Certification Audit
1 month later – Certificate can be officially issued
5. ISO22301:2012
ISO22301 published w/b May 15
BS25999-2 will be withdrawn in November 2012
No new applications for certification after 22nd October 2012
Scope extensions for existing certifications supported to end October 2013
After 1st November 2012 all visits based on ISO 22301
Existing certificates remain valid until the end of the transitional period (30th May 2014)
No new certificates or renewals after 31st December 2013
UKAS transition timeline:
o 1st May 2012 – UKAS transition project under way with internal actions, document preparation, internal training etc.
o 31st October 2012 – No new applications accepted for accreditation to BS 25999-2
o 1st November 2012 – Transition Assessments begin as part of the normal surveillance cycle
o 31st October 2013 – No new BS 25999-2 scope extensions accepted by UKAS
o 31st December 2013 – No new BS 25999-2 certificates to be issued by CABs
o 30th May 2014 – All CABs to have transitioned to ISO 22301; all CAB clients to have transitioned within one year of Accreditation to ISO 22301
6. ISO TC 223
ISO TC 223 is the Technical Committee responsible
TC 223 deals with all matters regarding Societal Security
o provision of International Standards to enhance all actors’ capacity in society to handle all phases before, during and after disruptive events
45 countries are participating members
All standards from this committee are prefixed “Societal Security” and are numbered 223xx
Other standards being developed include:
o Mass evacuation
o Emergency Management Command and Control
7. Contributors
8. ISO22301:2012
Source documents included
o BS25999-2
o NFPA 1600
o ASIS OR standard
o Singapore standards
o ISO27031
o ISO Guide 73
o ISO/PAS22399
So ISO 22301 is not simply an international version of BS25999-2:2007
ISO moving towards standardization of management systems headings and text
o In development as it was being written
o Agreed now and published as ISO Guide 83
o Rules on how to apply this were not always clear so had to be changed
Hence our interpretation may differ in detail from others like ISO 27001 – all management systems standards will follow Guide 83’s standardized headings and text
Integration of management systems will be easier
9. ISO22301:2012
ISO 22301 is the requirements document
ISO 22313 is the guidance document that accompanies ISO22301
o It was originally planned to publish these together, but in practice 22301 has run ahead of the guidance
o It is aligned to 22301; clearly BS25999-1 was not
ISO 22313 should be published early next year
o Currently at DIS
10. John Zeppos
Twitter: @jzeppos
yzeppos@cosmote.gr
http://www.linkedin.com/in/johnzeppos
+30 697 9666844