Business Continuity Audit
Introductions
Michael Bittle, MA, BCMP, BCRA
• Managing Director of the Institute for Business Continuity Training (www.IBCT.com)
• Registrar of the National Institute for Business Continuity Management (www.NIBCM.net)
• Over 40 years' experience in disaster management, business continuity, internal and external auditing, information technology, records management, financial management, organizational development, international affairs
• Awarded Honorary Life Member by
  • The International Emergency Management Society (www.TIEMS.org) and the
  • Disaster Recovery Information Exchange (www.DRIE-SWO.org)
• Email: mebittle@IBCT.com
Institute for Business Continuity Training www.IBCT.com 2
Course Objectives
• This course is designed for:
  • individuals who have prior knowledge of financial systems auditing and want to learn about business continuity management; and/or
  • individuals with prior knowledge of business continuity management principles and concepts who want to learn about BCM auditing.
• The purpose of this course is to provide training that will enable participants to perform an internal audit on a Business Continuity Management System based on ISO 22301.
• With reference to the Plan-Do-Check-Act (PDCA) cycle, the course examines the Business Continuity Management System model based on ISO 22301 and the role of internal audit in the development, maintenance and improvement of business continuity management systems.
Course Objectives
On conclusion of this course, participants should be able to:
• Explain the purpose and business benefits of a business continuity management system;
• Explain the Plan-Do-Check-Act lifecycle;
• Explain the processes involved in establishing, implementing, operating, monitoring, reviewing, maintaining and improving a business continuity management system, including the significance of this for BCMS auditors;
• Explain the business continuity review process and business continuity planning outputs and the significance of these for business continuity management system auditors;
• Explain the process for conducting audit activities within the context of the Plan-Do-Check-Act lifecycle with respect to ISO 22301 requirements for internal audit.
Agenda
INTRODUCTION TO BUSINESS CONTINUITY MANAGEMENT
• What is Business Continuity Management
• Business Continuity Standards
• Auditing the BCMS Lifecycle
BCMS AUDIT OVERVIEW
• Auditing BC Plans
• Audit Requirements
AUDITING THE BCMS LIFECYCLE
• PLAN – Auditing business continuity policy, objectives, targets, controls, processes and procedures
• DO – Auditing implementation of business continuity policy, controls, processes and procedures
• CHECK – Auditing the review process of the business continuity policy and objectives, including management review, and BCMS remediation
• ACT – Auditing the maintenance and continual improvement of the BCMS through organizational corrective action, based on the results of management review
Agenda
AUDITING THE BCMS LIFECYCLE (cont’d)
• PLAN – Auditing business continuity policy, objectives, targets, controls, processes and procedures
• DO – Auditing implementation of business continuity policy, controls, processes and procedures
• CHECK – Auditing the review process of the business continuity policy and objectives, including management review, and BCMS remediation
• ACT – Auditing the maintenance and continual improvement of the BCMS through organizational corrective action, based on the results of management review
• SAMPLE BCMS AUDIT PROGRAM
• BCRA Certification Exam
[Cartoon caption: “… and this is the projected impact on our bonuses if the Call Center goes down”]
What is Business Continuity Management?
What is Business Continuity Management?
• Business Continuity Management is a suite of documented and tested procedures to ensure that an organization does not experience unacceptable interruptions in any of its key business activities even in the event of a critical disruptive incident (disaster) – no matter what –
What is Business Continuity Management?
BCM consists of three core elements:
• Incident Response and Communications to enable an effective response to a critical incident. Emergency Management involves the immediate steps following the incident, and Crisis Management focuses on stabilizing the situation and preparing the business for recovery operations if needed.
• Business Recovery, or Business Resumption, involves the recovery of key business activities providing core products or services to customers, often at an alternate work site.
• IT Disaster Recovery addresses the recovery of key IT assets, primarily those that support key business activities, including systems, applications, databases, storage and network assets, often at an alternate data center.
Planning the BCMS Program
• BCMS was initially considered as a one-time project (or a series of one-time projects) – but BCMS is not a one-time effort.
• BCMS needs to become part of an on-going program.
• This requires the establishment of:
  • policies and compliance procedures
  • objective and budget setting processes
• It also requires formal assignment of on-going accountabilities and responsibilities.
Business Continuity Standards
Business Continuity Standards
Some BC-related standards in current use:
• NFPA 1600 – US National Fire Protection Association standard; it grew out of fire protection and looks at business continuity from a denial-of-access perspective
• ISO 27000 – a standard for information security management systems that manages and minimizes threats to information
• AS/NZS 31000:2009 – shared by Australia/New Zealand, provides risk management guidelines
• SPRING TR 19 – Singapore technical reference for BCM, which mainly deals with the technical aspects of systems
• The King II Report on Corporate Governance – these South African guidelines for risk management look at BCM from a governance perspective
Business Continuity Standards
BS 25999: Foundation for ISO 22301
A standard approach to Business Continuity Management (BCM) had been suggested for years. The gap was obvious for a long time and was finally filled in 2006 with the publication of BS 25999, a code of practice for business continuity management. As with so many other BSI standards, an ISO standard eventually emerged from it: ISO 22301.
ISO 22301, Societal security – Business continuity management systems — Requirements
• Approved by ISO and published May 2012
• Revised October 2019
• First internationally endorsed standard for Business Continuity Management
Scope of ISO 22301
ISO 22301 is intended to be applicable to all organizations (or parts thereof), regardless of type, size and nature of the organization, that wish to:
• establish, implement, maintain and improve a BCMS;
• assure conformity with the organization’s stated business continuity policy;
• demonstrate conformity to others;
• seek certification/registration of its BCMS by an accredited third party certification body; or
• make a self-determination and self-declaration of conformity with this International Standard.
P-D-C-A at a Glance
All ISO Management Systems Standards are based on the PLAN-DO-CHECK-ACT management lifecycle.
PDCA is a dynamic cycle that can be applied to each of the organization’s processes, and also to the system of processes as a whole.
It may be used to plan, implement, control and continually improve both product realization and other management processes.
ISO 22301 Structure
Table of Contents
Introduction
• Section 1: Scope
• Section 2: Normative References
• Section 3: Terms and Definitions
Requirements
• Section 4: Context of the Organization
• Section 5: Leadership
• Section 6: Planning
• Section 7: Support
• Section 8: Operations
• Section 9: Performance Evaluation
• Section 10: Improvement
PLAN: Clauses 4-7 define the ‘Plan’ phase
Clause 4 – Context of the Organization
• The first step involves getting to know the organization, both its internal and external needs, and setting clear boundaries for the scope of the business continuity management system. This requires the organization to understand the requirements of relevant interested parties, such as regulators, customers and staff.
Clause 5 – Leadership
• ISO 22301 places particular emphasis on the need for appropriate leadership of BCM. It requires top management to ensure appropriate resources are provided, establish policy and appoint competent people to implement and maintain the BCMS.
Clause 6 – Planning
• Requires the organization to identify risks to the implementation of the management system and set clear objectives and criteria that can be used to measure its success.
Clause 7 – Support
• People with appropriate knowledge, skills and experience must be in place both to contribute to the BCMS and to respond to incidents when they occur. It is also important that all staff are aware of their own role in responding to incidents.
• Communication about the BCMS – for instance telling customers that the organization has an appropriate BCMS in place – and preparedness to communicate following an incident (when normal channels may be disrupted) are also required.
DO: Clause 8 defines the ‘Do’ phase
Clause 8 – Operation
• Organizations must undertake a Business Impact Analysis to understand how their business is affected by disruption and how this changes over time. Risk Assessments seek to understand the risks to the business in a structured way.
• These inform the development of business continuity strategy. Steps to avoid or reduce the likelihood of incidents are developed alongside steps to be taken when incidents occur.
• ISO 22301 emphasizes the need for a well-defined incident response structure. This ensures that when incidents occur, responses are escalated in a timely manner and people are empowered to take the necessary actions to be effective.
• A requirement not previously addressed in business continuity standards is the need to plan for a return to normal business.
• Exercises and tests are fundamental in ISO 22301: it is only through structured exercises – which should stretch the individuals and teams involved – that an organization can achieve objective assurance that its arrangements will work as anticipated and when required.
CHECK: Clause 9 defines the ‘Check’ phase
Clause 9 – Performance Evaluation
• For any management system, it is essential to evaluate performance against plan.
• ISO 22301 therefore requires that the organization select and measure itself against appropriate performance metrics.
• Internal audits must be conducted, and there is a requirement that management review the BCMS and act on these reviews.
ACT: Clause 10 defines the ‘Act’ phase
Clause 10 – Improvement
• Nonconformity and Corrective Action: no management system is perfect at the outset, and organizations and their environments are constantly changing and require continual improvement.
• Clause 10 defines actions to take to improve the BCMS over time and ensure that corrective actions arising from audits, reviews, exercises and so on are addressed.
The “INTRODUCTION” session continues in the next section.

Más contenido relacionado

La actualidad más candente

Khaidzir-IIAM Tea Talk 18 2 16
Khaidzir-IIAM Tea Talk 18 2 16Khaidzir-IIAM Tea Talk 18 2 16
Khaidzir-IIAM Tea Talk 18 2 16Nusaibah Hamizan
 
Assessing the impact of a disruption: Building an effective business impact a...
Assessing the impact of a disruption: Building an effective business impact a...Assessing the impact of a disruption: Building an effective business impact a...
Assessing the impact of a disruption: Building an effective business impact a...Bryghtpath LLC
 
WK12 Implementation and Control
WK12  Implementation and  ControlWK12  Implementation and  Control
WK12 Implementation and ControlAjOb
 
Dr Goh Moh Heng Building Your Organization Business Continuity Management Com...
Dr Goh Moh Heng Building Your Organization Business Continuity Management Com...Dr Goh Moh Heng Building Your Organization Business Continuity Management Com...
Dr Goh Moh Heng Building Your Organization Business Continuity Management Com...BCM Institute
 
Export Compliance Management Seminar 29 May 2012: Key Issues & Complexity in ...
Export Compliance Management Seminar 29 May 2012: Key Issues & Complexity in ...Export Compliance Management Seminar 29 May 2012: Key Issues & Complexity in ...
Export Compliance Management Seminar 29 May 2012: Key Issues & Complexity in ...EagleCompliance
 
Principles of Management Unit 5: Controlling
Principles of Management Unit 5: Controlling Principles of Management Unit 5: Controlling
Principles of Management Unit 5: Controlling Ganesha Pandian
 
Using COBIT PO9 to perform Project Risk Analysis
Using COBIT PO9 to perform Project Risk AnalysisUsing COBIT PO9 to perform Project Risk Analysis
Using COBIT PO9 to perform Project Risk Analysiswebmentorman
 

La actualidad más candente (10)

Khaidzir-IIAM Tea Talk 18 2 16
Khaidzir-IIAM Tea Talk 18 2 16Khaidzir-IIAM Tea Talk 18 2 16
Khaidzir-IIAM Tea Talk 18 2 16
 
Assessing the impact of a disruption: Building an effective business impact a...
Assessing the impact of a disruption: Building an effective business impact a...Assessing the impact of a disruption: Building an effective business impact a...
Assessing the impact of a disruption: Building an effective business impact a...
 
WK12 Implementation and Control
WK12  Implementation and  ControlWK12  Implementation and  Control
WK12 Implementation and Control
 
Dr Goh Moh Heng Building Your Organization Business Continuity Management Com...
Dr Goh Moh Heng Building Your Organization Business Continuity Management Com...Dr Goh Moh Heng Building Your Organization Business Continuity Management Com...
Dr Goh Moh Heng Building Your Organization Business Continuity Management Com...
 
Export Compliance Management Seminar 29 May 2012: Key Issues & Complexity in ...
Export Compliance Management Seminar 29 May 2012: Key Issues & Complexity in ...Export Compliance Management Seminar 29 May 2012: Key Issues & Complexity in ...
Export Compliance Management Seminar 29 May 2012: Key Issues & Complexity in ...
 
Presentation by bhaskar bhindie ind ii
Presentation by bhaskar bhindie ind iiPresentation by bhaskar bhindie ind ii
Presentation by bhaskar bhindie ind ii
 
Principles of Management Unit 5: Controlling
Principles of Management Unit 5: Controlling Principles of Management Unit 5: Controlling
Principles of Management Unit 5: Controlling
 
Using COBIT PO9 to perform Project Risk Analysis
Using COBIT PO9 to perform Project Risk AnalysisUsing COBIT PO9 to perform Project Risk Analysis
Using COBIT PO9 to perform Project Risk Analysis
 
Internal controls & ai ss
Internal controls & ai ssInternal controls & ai ss
Internal controls & ai ss
 
Topic 2
Topic 2Topic 2
Topic 2
 

Similar a Business Continuity Audit

Business Continuity Management System ISO 22301:2012 An Overview
Business Continuity Management System ISO 22301:2012 An OverviewBusiness Continuity Management System ISO 22301:2012 An Overview
Business Continuity Management System ISO 22301:2012 An OverviewAhmed Riad .
 
iso22301businesscontinuitymanagement-140207090550-phpapp01.pdf
iso22301businesscontinuitymanagement-140207090550-phpapp01.pdfiso22301businesscontinuitymanagement-140207090550-phpapp01.pdf
iso22301businesscontinuitymanagement-140207090550-phpapp01.pdfVictorNagesparan
 
PECB Webinar: Rethinking Business Continuity: Applying ISO 22301 to improve r...
PECB Webinar: Rethinking Business Continuity: Applying ISO 22301 to improve r...PECB Webinar: Rethinking Business Continuity: Applying ISO 22301 to improve r...
PECB Webinar: Rethinking Business Continuity: Applying ISO 22301 to improve r...PECB
 
Building a strong BC programme with ISO 22301
Building a strong BC programme with ISO 22301Building a strong BC programme with ISO 22301
Building a strong BC programme with ISO 22301PECB
 
BCMS Presentation1
BCMS Presentation1BCMS Presentation1
BCMS Presentation1barbytee
 
Business Continuity Strategy Benchmarking April 8th, 2009
Business Continuity Strategy Benchmarking April 8th, 2009Business Continuity Strategy Benchmarking April 8th, 2009
Business Continuity Strategy Benchmarking April 8th, 2009Mauro Giorgi
 
Charlotte FENG - What you need to know in 2014!
Charlotte FENG - What you need to know in 2014!Charlotte FENG - What you need to know in 2014!
Charlotte FENG - What you need to know in 2014!Ken Witt
 
ISO 22301 | Business Continuity Awareness
ISO 22301 | Business Continuity Awareness ISO 22301 | Business Continuity Awareness
ISO 22301 | Business Continuity Awareness himalya sharma
 
Rob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRobert Kloots
 
Cobit 2019 framework by ISACA
Cobit 2019 framework by ISACACobit 2019 framework by ISACA
Cobit 2019 framework by ISACAMDFazlaRabbiAbir
 
Governance Tools Boyd Carter 2006
Governance Tools Boyd Carter 2006Governance Tools Boyd Carter 2006
Governance Tools Boyd Carter 2006Freelancer Training
 
02 Practical Strategies of Conducting BIA
02 Practical Strategies of Conducting BIA02 Practical Strategies of Conducting BIA
02 Practical Strategies of Conducting BIABCM Institute
 
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...PECB
 
ISO9001_2015_Frequently_Asked_Questions.docx
ISO9001_2015_Frequently_Asked_Questions.docxISO9001_2015_Frequently_Asked_Questions.docx
ISO9001_2015_Frequently_Asked_Questions.docxSunil Arora
 
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptxPPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptxssuserd1791e
 

Similar a Business Continuity Audit (20)

Business Continuity Management System ISO 22301:2012 An Overview
Business Continuity Management System ISO 22301:2012 An OverviewBusiness Continuity Management System ISO 22301:2012 An Overview
Business Continuity Management System ISO 22301:2012 An Overview
 
Iso 22301
Iso 22301Iso 22301
Iso 22301
 
iso22301businesscontinuitymanagement-140207090550-phpapp01.pdf
iso22301businesscontinuitymanagement-140207090550-phpapp01.pdfiso22301businesscontinuitymanagement-140207090550-phpapp01.pdf
iso22301businesscontinuitymanagement-140207090550-phpapp01.pdf
 
PECB Webinar: Rethinking Business Continuity: Applying ISO 22301 to improve r...
PECB Webinar: Rethinking Business Continuity: Applying ISO 22301 to improve r...PECB Webinar: Rethinking Business Continuity: Applying ISO 22301 to improve r...
PECB Webinar: Rethinking Business Continuity: Applying ISO 22301 to improve r...
 
Building a strong BC programme with ISO 22301
Building a strong BC programme with ISO 22301Building a strong BC programme with ISO 22301
Building a strong BC programme with ISO 22301
 
BCMS Presentation1
BCMS Presentation1BCMS Presentation1
BCMS Presentation1
 
Qsys Profile
Qsys ProfileQsys Profile
Qsys Profile
 
Business Continuity Strategy Benchmarking April 8th, 2009
Business Continuity Strategy Benchmarking April 8th, 2009Business Continuity Strategy Benchmarking April 8th, 2009
Business Continuity Strategy Benchmarking April 8th, 2009
 
Charlotte FENG - What you need to know in 2014!
Charlotte FENG - What you need to know in 2014!Charlotte FENG - What you need to know in 2014!
Charlotte FENG - What you need to know in 2014!
 
ISO 22301 | Business Continuity Awareness
ISO 22301 | Business Continuity Awareness ISO 22301 | Business Continuity Awareness
ISO 22301 | Business Continuity Awareness
 
Rob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcm
 
SAMA BCM Framework
SAMA BCM Framework SAMA BCM Framework
SAMA BCM Framework
 
Cobit 2019 framework by ISACA
Cobit 2019 framework by ISACACobit 2019 framework by ISACA
Cobit 2019 framework by ISACA
 
Governance Tools Boyd Carter 2006
Governance Tools Boyd Carter 2006Governance Tools Boyd Carter 2006
Governance Tools Boyd Carter 2006
 
02 Practical Strategies of Conducting BIA
02 Practical Strategies of Conducting BIA02 Practical Strategies of Conducting BIA
02 Practical Strategies of Conducting BIA
 
Process
ProcessProcess
Process
 
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
 
ISO9001_2015_Frequently_Asked_Questions.docx
ISO9001_2015_Frequently_Asked_Questions.docxISO9001_2015_Frequently_Asked_Questions.docx
ISO9001_2015_Frequently_Asked_Questions.docx
 
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptxPPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
 
Donna Febriani
Donna FebrianiDonna Febriani
Donna Febriani
 

Último

Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptxMaritesTamaniVerdade
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701bronxfugly43
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxnegromaestrong
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Shubhangi Sonawane
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17  How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17  How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesCeline George
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfChris Hunter
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxVishalSingh1417
 

Último (20)

Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17  How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17  How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 

Business Continuity Audit

  • 1.
  • 2. Introductions Michael Bittle, MA, BCMP, BCRA  Managing Director of the Institute for Business Continuity Training (www.IBCT.com)  Registrar of the National Institute for Business Continuity Management (www.NIBCM.net)  Over 40+ years experience in disaster management, business continuity, internal and external auditing, information technology, records management, financial management, organizational development, international affairs  Awarded Honorary Life Member by  The International Emergency Management Society (www.TIEMS.org) and the  Disaster Recovery Information Exchange (www.DRIE-SWO.org)  Email: mebittle@IBCT.com Institute for Business Continuity Training www.IBCT.com 2
  • 3.
  • 4. Course Objectives
    This course is designed for:
    - individuals who have prior knowledge of financial systems auditing and want to learn about business continuity management; and/or
    - individuals with prior knowledge of business continuity management principles and concepts who want to learn about BCM auditing.
    The purpose of this course is to provide training that will enable participants to perform an internal audit of a Business Continuity Management System (BCMS) based on ISO 22301.
    With reference to the Plan-Do-Check-Act (PDCA) cycle, the course examines the BCMS model based on ISO 22301 and the role of internal audit in the development, maintenance and improvement of business continuity management systems.
  • 5. Course Objectives
    On conclusion of this course, participants should be able to:
    - Explain the purpose and business benefits of a business continuity management system;
    - Explain the Plan-Do-Check-Act lifecycle;
    - Explain the processes involved in establishing, implementing, operating, monitoring, reviewing, maintaining and improving a business continuity management system, including the significance of this for BCMS auditors;
    - Explain the business continuity review process and business continuity planning outputs, and the significance of these for BCMS auditors;
    - Explain the process for conducting audit activities within the context of the Plan-Do-Check-Act lifecycle with respect to the ISO 22301 requirements for internal audit.
  • 6. Agenda
    INTRODUCTION TO BUSINESS CONTINUITY MANAGEMENT
    - What is Business Continuity Management
    - Business Continuity Standards
    - Auditing the BCMS Lifecycle
    BCMS AUDIT OVERVIEW
    - Auditing BC Plans
    - Audit Requirements
    AUDITING THE BCMS LIFECYCLE
    - PLAN – Auditing business continuity policy, objectives, targets, controls, processes and procedures
    - DO – Auditing implementation of business continuity policy, controls, processes and procedures
    - CHECK – Auditing the review process of the business continuity policy and objectives, including management review, and BCMS remediation
    - ACT – Auditing the maintenance and continual improvement of the BCMS through organizational corrective action, based on the results of management review
  • 7. Agenda (cont'd)
    AUDITING THE BCMS LIFECYCLE (cont'd; the PLAN, DO, CHECK and ACT items as listed on slide 6)
    SAMPLE BCMS AUDIT PROGRAM
    BCRA Certification Exam
  • 8. What is Business Continuity Management?
    "… and this is the projected impact on our bonuses if the Call Center goes down"
  • 9.
  • 10. What is Business Continuity Management
    Business Continuity Management is a suite of documented and tested procedures to ensure that an organization does not experience unacceptable interruptions in any of its key business activities, even in the event of a critical disruptive incident (disaster) – no matter what.
  • 11. What is Business Continuity Management?
  • 12. What is Business Continuity Management?
    BCM consists of three core elements:
    - Incident Response and Communications, to enable an effective response to a critical incident. Emergency Management covers the immediate steps following the incident; Crisis Management focuses on stabilizing the situation and preparing the business for recovery operations if needed.
    - Business Recovery (or Business Resumption): the recovery of key business activities that provide core products or services to customers, often at an alternate work site.
    - IT Disaster Recovery: the recovery of key IT assets, primarily those that support key business activities, including systems, applications, databases, storage and network assets, often at an alternate data center.
  • 13. Planning the BCMS Program
    - Business continuity was initially treated as a one-time project (or a series of one-time projects), but a BCMS is not a one-time effort.
    - A BCMS needs to become part of an on-going program.
    - This requires the establishment of:
      - policies and compliance procedures
      - objective- and budget-setting processes
    - It also requires formal assignment of on-going accountabilities and responsibilities.
  • 15. Business Continuity Standards
    Some BC-related standards in current use:
    - NFPA 1600 – US National Fire Protection Association standard; developed from dealing with fire, it looks at business continuity from a denial-of-access perspective
    - ISO/IEC 27001 (the ISO 27000 family) – the requirements standard for information security management systems, which manage and minimize threats to information
    - AS/NZS ISO 31000:2009 – the joint Australia/New Zealand adoption of ISO 31000, providing risk management principles and guidelines
    - SPRING TR 19 – Singapore technical reference for BCM, which mainly deals with the technical aspects of systems
    - The King II Report on Corporate Governance – these South African guidelines for risk management look at BCM from a governance perspective
  • 16. Business Continuity Standards
    BS 25999: Foundation for ISO 22301
    A standard approach to Business Continuity Management (BCM) had been suggested for years. The void was obvious for a long time and finally changed in 2006 with the publication of BS 25999 (Part 1, the code of practice for business continuity management, in 2006; Part 2, the auditable specification, in 2007). As with so many other BSI standards, an ISO standard eventually emerged from it: ISO 22301, which superseded BS 25999.
  • 17. ISO 22301, Societal security – Business continuity management systems – Requirements
    - Approved by ISO and published May 2012
    - Revised October 2019 (the 2019 edition is retitled Security and resilience – Business continuity management systems – Requirements)
    - First internationally endorsed standard for Business Continuity Management
  • 18. Scope of ISO 22301
    ISO 22301 is intended to be applicable to all organizations (or parts thereof), regardless of type, size and nature, that wish to:
    - establish, implement, maintain and improve a BCMS;
    - assure conformity with the organization's stated business continuity policy;
    - demonstrate conformity to others;
    - seek certification/registration of the BCMS by an accredited third-party certification body; or
    - make a self-determination and self-declaration of conformity with this International Standard.
  • 19. P-D-C-A at a Glance
    All ISO management system standards are based on the PLAN-DO-CHECK-ACT management lifecycle. PDCA is a dynamic cycle that can be applied to each of the organization's processes, and also to the system of processes as a whole. It may be used to plan, implement, control and continually improve both product realization and other management processes.
  • 20. P-D-C-A at a Glance
  • 21. ISO 22301 Structure (Table of Contents)
    Introduction (clauses 1-3 contain no auditable requirements):
    - Section 1: Scope
    - Section 2: Normative References
    - Section 3: Terms and Definitions
    Requirements, mapped to the PDCA cycle:
    - Section 4: Context of the Organization (PLAN)
    - Section 5: Leadership (PLAN)
    - Section 6: Planning (PLAN)
    - Section 7: Support (PLAN)
    - Section 8: Operation (DO)
    - Section 9: Performance Evaluation (CHECK)
    - Section 10: Improvement (ACT)
  • 22. PLAN: Clauses 4-7 define the 'Plan' phase
    Clause 4 – Context of the Organization
    - The first step involves getting to know the organization, both its internal and external needs, and setting clear boundaries for the scope of the BCMS. This requires the organization to understand the requirements of relevant interested parties, such as regulators, customers and staff.
    Clause 5 – Leadership
    - ISO 22301 places particular emphasis on the need for appropriate leadership of BCM. It requires top management to ensure that appropriate resources are provided, to establish policy and to appoint competent people to implement and maintain the BCMS.
    Clause 6 – Planning
    - Requires the organization to identify risks to the implementation of the management system and to set clear objectives and criteria that can be used to measure its success.
    Clause 7 – Support
    - People with appropriate knowledge, skills and experience must be in place both to contribute to the BCMS and to respond to incidents when they occur. It is also important that all staff are aware of their own role in responding to incidents.
    - Communication about the BCMS (for instance, telling customers that the organization has an appropriate BCMS in place) and preparedness to communicate following an incident (when normal channels may be disrupted) are also required.
  • 23. DO: Clause 8 defines the 'Do' phase
    Clause 8 – Operation
    - Organizations must undertake a Business Impact Analysis (BIA) to understand how their business is affected by disruption and how this changes over time. Risk Assessments seek to understand the risks to the business in a structured way.
    - These inform the development of the business continuity strategy. Steps to avoid or reduce the likelihood of incidents are developed alongside steps to be taken when incidents occur.
    - ISO 22301 emphasizes the need for a well-defined incident response structure. This ensures that when incidents occur, responses are escalated in a timely manner and people are empowered to take the actions necessary to be effective.
    - A requirement not previously addressed in business continuity standards is the need to plan for a return to normal business.
    - Exercises and tests are fundamental in ISO 22301: it is only through structured exercises, which should stretch the individuals and teams involved, that an organization can obtain objective assurance that its arrangements will work as anticipated and when required.
  • 24. CHECK: Clause 9 defines the 'Check' phase
    Clause 9 – Performance Evaluation
    - For any management system, it is essential to evaluate performance against plan.
    - ISO 22301 therefore requires that the organization select appropriate performance metrics and measure itself against them.
    - Internal audits must be conducted, and there is a requirement that management review the BCMS and act on these reviews.
    ACT: Clause 10 defines the 'Act' phase
    Clause 10 – Improvement
    - Nonconformity and Corrective Action: no management system is perfect at the outset, and organizations and their environments are constantly changing, so continual improvement is required.
    - Clause 10 defines the actions to take to improve the BCMS over time and to ensure that corrective actions arising from audits, reviews, exercises and so on are addressed.
  • 25. The "INTRODUCTION" session continues in the next section.