Business Continuity Audit

  1. Introductions
  Michael Bittle, MA, BCMP, BCRA
  • Managing Director of the Institute for Business Continuity Training (www.IBCT.com)
  • Registrar of the National Institute for Business Continuity Management (www.NIBCM.net)
  • Over 40 years of experience in disaster management, business continuity, internal and external auditing, information technology, records management, financial management, organizational development and international affairs
  • Awarded Honorary Life Member by The International Emergency Management Society (www.TIEMS.org) and the Disaster Recovery Information Exchange (www.DRIE-SWO.org)
  • Email: mebittle@IBCT.com
  Institute for Business Continuity Training, www.IBCT.com
  3. Course Objectives
  This course is designed for:
  • individuals who have prior knowledge of financial systems auditing and want to learn about business continuity management; and/or
  • individuals with prior knowledge of business continuity management principles and concepts who want to learn about BCM auditing.
  The purpose of this course is to provide training that will enable participants to perform an internal audit of a Business Continuity Management System (BCMS) based on ISO 22301.
  With reference to the Plan-Do-Check-Act (PDCA) cycle, the course examines the BCMS model defined by ISO 22301 and the role of internal audit in the development, maintenance and improvement of business continuity management systems.
  4. Course Objectives
  On conclusion of this course, participants should be able to:
  • Explain the purpose and business benefits of a business continuity management system;
  • Explain the Plan-Do-Check-Act lifecycle;
  • Explain the processes involved in establishing, implementing, operating, monitoring, reviewing, maintaining and improving a business continuity management system, and the significance of these processes for BCMS auditors;
  • Explain the business continuity review process and business continuity planning outputs, and their significance for BCMS auditors;
  • Explain the process for conducting audit activities within the Plan-Do-Check-Act lifecycle with respect to the ISO 22301 requirements for internal audit.
  5. Agenda
  INTRODUCTION TO BUSINESS CONTINUITY MANAGEMENT
  • What is Business Continuity Management
  • Business Continuity Standards
  • Auditing the BCMS Lifecycle
  BCMS AUDIT OVERVIEW
  • Auditing BC Plans
  • Audit Requirements
  AUDITING THE BCMS LIFECYCLE
  • PLAN – Auditing business continuity policy, objectives, targets, controls, processes and procedures
  • DO – Auditing implementation of business continuity policy, controls, processes and procedures
  • CHECK – Auditing the review process of the business continuity policy and objectives, including management review and BCMS remediation
  • ACT – Auditing the maintenance and continual improvement of the BCMS through organizational corrective action, based on the results of management review
  6. Agenda (cont'd)
  SAMPLE BCMS AUDIT PROGRAM
  BCRA CERTIFICATION EXAM
  7. What is Business Continuity Management?
  (Cartoon caption: "… and this is the projected impact on our bonuses if the Call Center goes down")
  9. What is Business Continuity Management?
  Business Continuity Management is a suite of documented and tested procedures that ensure an organization does not experience unacceptable interruptions to any of its key business activities, even in the event of a critical disruptive incident (disaster): no matter what.
  11. What is Business Continuity Management?
  BCM consists of three core elements:
  • Incident Response and Communications, to enable an effective response to a critical incident. Emergency Management covers the immediate steps following the incident; Crisis Management focuses on stabilizing the situation and preparing the business for recovery operations if needed.
  • Business Recovery (or Business Resumption), the recovery of the key business activities that deliver core products or services to customers, often at an alternate work site.
  • IT Disaster Recovery, the recovery of key IT assets, primarily those that support key business activities (systems, applications, databases, storage and network assets), often at an alternate data center.
  12. Planning the BCMS Program
  • The BCMS was initially considered a one-time project (or a series of one-time projects), but a BCMS is not a one-time effort.
  • The BCMS needs to become part of an on-going program.
  • This requires the establishment of:
    - policies and compliance procedures
    - objective-setting and budget-setting processes
  • It also requires the formal assignment of on-going accountabilities and responsibilities.
  13. Business Continuity Standards
  14. Business Continuity Standards
  Some BC-related standards in current use:
  • NFPA 1600 – US National Fire Protection Association standard; developed from the fire-protection discipline, it approaches business continuity from a denial-of-access perspective
  • ISO/IEC 27000 series (ISO/IEC 27001 for the requirements) – standards for information security management systems, which manage and minimize threats to information
  • AS/NZS ISO 31000:2009 – the joint Australia/New Zealand adoption of ISO 31000, which provides risk management guidelines
  • SPRING TR 19 – Singapore technical reference for BCM, which mainly deals with the technical aspects of systems
  • The King II Report on Corporate Governance – South African guidelines for risk management that look at BCM from a governance perspective
  15. Business Continuity Standards: BS 25999, Foundation for ISO 22301
  A standard approach to Business Continuity Management (BCM) had been suggested for years. The gap was obvious for a long time and finally closed in 2006 with the publication of BS 25999-1, a code of practice for business continuity management (followed in 2007 by BS 25999-2, the certifiable specification). As with many other BSI standards, an ISO standard eventually emerged from it: ISO 22301.
  16. ISO 22301, Societal security – Business continuity management systems – Requirements
  • Approved by ISO and published May 2012
  • Revised October 2019 (retitled Security and resilience – Business continuity management systems – Requirements)
  • First internationally endorsed standard for Business Continuity Management
  17. Scope of ISO 22301
  ISO 22301 is intended to be applicable to all organizations (or parts thereof), regardless of type, size and nature, that wish to:
  • establish, implement, maintain and improve a BCMS;
  • assure conformity with the organization's stated business continuity policy;
  • demonstrate conformity to others;
  • seek certification/registration of the BCMS by an accredited third-party certification body; or
  • make a self-determination and self-declaration of conformity with the International Standard.
  18. P-D-C-A at a Glance
  All ISO management system standards are based on the Plan-Do-Check-Act (PDCA) management lifecycle. PDCA is a dynamic cycle that can be applied to each of the organization's processes, and also to the system of processes as a whole. It may be used to plan, implement, control and continually improve both product realization and other management processes.
  20. ISO 22301 Structure (Table of Contents)
  Introduction:
  • Section 1: Scope
  • Section 2: Normative References
  • Section 3: Terms and Definitions
  Requirements (mapped to the PDCA phases):
  • Section 4: Context of the Organization – PLAN
  • Section 5: Leadership – PLAN
  • Section 6: Planning – PLAN
  • Section 7: Support – PLAN
  • Section 8: Operation – DO
  • Section 9: Performance Evaluation – CHECK
  • Section 10: Improvement – ACT
  21. PLAN: Clauses 4-7 define the 'Plan' phase
  Clause 4 – Context of the Organization
  • The first step involves getting to know the organization, both its internal and external needs, and setting clear boundaries for the scope of the business continuity management system. This requires the organization to understand the requirements of relevant interested parties, such as regulators, customers and staff.
  Clause 5 – Leadership
  • ISO 22301 places particular emphasis on the need for appropriate leadership of BCM. It requires top management to ensure that appropriate resources are provided, to establish policy and to appoint competent people to implement and maintain the BCMS.
  Clause 6 – Planning
  • Requires the organization to identify risks to the implementation of the management system and to set clear objectives and criteria that can be used to measure its success.
  Clause 7 – Support
  • People with appropriate knowledge, skills and experience must be in place both to contribute to the BCMS and to respond to incidents when they occur. It is also important that all staff are aware of their own role in responding to incidents.
  • Communication about the BCMS (for instance, telling customers that the organization has an appropriate BCMS in place) and preparedness to communicate following an incident (when normal channels may be disrupted) are also required.
  22. DO: Clause 8 defines the 'Do' phase
  Clause 8 – Operation
  • Organizations must undertake a Business Impact Analysis to understand how their business is affected by disruption and how that impact changes over time. Risk Assessments seek to understand the risks to the business in a structured way.
  • These inform the development of the business continuity strategy. Steps to avoid or reduce the likelihood of incidents are developed alongside the steps to be taken when incidents occur.
  • ISO 22301 emphasizes the need for a well-defined incident response structure. This ensures that when incidents occur, responses are escalated in a timely manner and people are empowered to take the actions needed to be effective.
  • A requirement not previously addressed in business continuity standards is the need to plan for a return to normal business.
  • Exercises and tests are fundamental in ISO 22301: only through structured exercises, which should stretch the individuals and teams involved, can an organization achieve objective assurance that its arrangements will work as anticipated and when required.
  23. CHECK: Clause 9 defines the 'Check' phase
  Clause 9 – Performance Evaluation
  • For any management system, it is essential to evaluate performance against plan.
  • ISO 22301 therefore requires that the organization select appropriate performance metrics and measure itself against them.
  • Internal audits must be conducted, and management is required to review the BCMS and act on the results of those reviews.
  ACT: Clause 10 defines the 'Act' phase
  Clause 10 – Improvement
  • Nonconformity and Corrective Action: no management system is perfect at the outset, and organizations and their environments are constantly changing, so continual improvement is required.
  • Clause 10 defines the actions to take to improve the BCMS over time and to ensure that corrective actions arising from audits, reviews, exercises and so on are addressed.
  24. The "INTRODUCTION" session continues in the next section.