ICOR Presents: ISO/TC 223 Societal Security International Standardization Aimed at Increasing Crisis and Continuity Management Capabilities and Awareness in Order to Improve the Resilience of Society

ISO/TC 223: Early Beginnings

ISO/TC 223 got its start with the sinking of the Russian submarine Kursk in the Barents Sea in Sept. 2000.

The international community lacked the tools necessary to cooperate effectively in emergency situations, resulting in an initiative from the Russian standards organization, GOST, to establish ISO/TC 223.

©2012 ICOR ALL RIGHTS RESERVED

From “Civil Defence” to “Societal Security”

Founded in 2001 under the original title “Civil Defence”, with the intention of standardizing emergency procedures. After the 9/11 attacks and a surge in natural disasters, ISO conducted an assessment in 2005, restarted the work in earnest and renamed the committee “Societal Security” to broaden its approach beyond just “Civil”.


Early Optimism & Resulting Challenges

• Built on 5 major works in emergency management from Australia, Israel, Japan, UK, and USA
• ISO/PAS 22399:2007 Societal security – Guideline for Incident Preparedness and Operational Continuity Management
• However – none of the countries wanted to use the new standard in replacement of their national standards…
• To what extent are countries prepared to relinquish their own solutions in search for common ground?

ISO/TC 223 Societal Security - Restarted

Technical Committee formed by ISO in 2008 in the area of Societal Security. Aim: to increase crisis management and business continuity capabilities through improved
• Technical,
• Human,
• Organizational, and
• Functional interoperability, as well as
• Shared situational awareness


ISO/TC 223 Societal Security

TC 223 develops standards for the protection of society from, and in response to, incidents, emergencies and disasters caused by intentional and unintentional human acts, natural hazards and technical failures. Its all-hazards perspective covers adaptive, proactive and reactive strategies in all phases before, during and after a disruptive incident. The area of societal security is multi-disciplinary and involves actors from both the public and private sectors. The committee emphasizes developing deliverables that will contribute to improving the resilience of society.

ISO/TC 223 Societal Security

ISO/TC 223 aspires to answer how individuals, organizations, communities and society can
• Anticipate, prevent, prepare for, respond to and recover from disruptive events potentially resulting in an incident, emergency, crisis or disaster
• Protect assets (human, physical, intangible and environmental) from disruptive events
• Identify, assess, and leverage their capacity and capabilities to withstand disruptive events.


ISO/TC 223 Societal Security

ISO/TC 223 provides tools to enhance capacity and demonstrate improved performance through:
• Standardization for the prevention and management of disruptive events
• Standardization to promote collaboration and coordination of incident identification, response and recovery
• Standardization for the design, deployment and evaluation of technical capabilities.

ISO/TC 223 Societal Security

Approximately 45 countries are participating with 17 others observing. At this time there are six work groups working on the following initiatives:
1. Framework Standard on Societal Security Management
2. Terminology
3. Emergency Management
4. Preparedness & Continuity
5. Video Surveillance
6. Mass Evacuation
Within each Work Group are different Project Teams that work on specific standards.


The US Delegation: NFPA / ANSI

ISO 223 Societal Security Series

• ISO 22300: Terminology – published May 2012
• ISO 22301: BCMS – published May 2012
• ISO 22311: Video surveillance – Export interoperability
• ISO/TR 22312: Technological capabilities – published 2010
• ISO 22313: BCMS Guidelines – published August 2012?
• ISO 22315: Mass Evacuation
• ISO 22320: Emergency management – Requirements for incident response – published December 2011
• ISO 22322: Emergency management – Public warning
• ISO 223XX: Organizational Resilience
• ISO 22324: Emergency management – Colour coded alert
• ISO 22325: Emergency management – Guidelines for emergency capability assessment
• ISO 22351: Emergency management – Shared information awareness
• ISO 22397: Public/Private partnerships – Guidelines to set up partnership agreements
• ISO 22398: Guideline for exercises and testing
• ISO/PAS 22399: Guideline for incident preparedness and operational continuity management – published in 2007


Types of Standards

Management System Standards

Specify requirements that can be applied to any organization, regardless of the product it makes or the service it performs
• Auditable
• Organizations can be certified to these standards as complying with their requirements
– ISO 22301 is the only standard in this series that is a management system standard

Types of Standards

Guidance


Types of Standards

Technical Report

Types of Standards

Published Document


Types of Standards

Publicly Available Specification

A step in the process of standardization. It includes useful and practical information that can be made available quickly to suit the market need of the developers and users of a product, process or service.

Standards Divided by Discipline

Emergency Management (Public Sector)
• ISO 22311: Video surveillance – Export interoperability
• ISO 22315: Mass Evacuation
• ISO 22320: Emergency management – Requirements for incident response
• ISO 22322: Emergency management – Public warning
• ISO 22324: Emergency management – Colour coded alert
• ISO 22325: Emergency management – Guidelines for emergency capability assessment
• ISO 22351: Emergency management – Shared information awareness

Business Continuity (Private Sector)
• ISO 22301: BCMS Requirements
• ISO 22313: BCMS Guidelines
• ISO 223XX: Organizational Resilience Principles & Guidance

Both
• ISO 22300: Terminology
• ISO 22312: Technological capabilities
• ISO 22397: Public/Private partnerships
• ISO 22398: Guidelines for exercises
• ISO 22399: Guidelines for Incident Preparedness & Operational Continuity


Emergency Management Standards (Public Sector)

ISO 22311: Video Surveillance - Export Interoperability


ISO 22311: Video Surveillance - Export Interoperability

Purpose of the Standard: Video-surveillance is a crucial asset in intelligence collection, crime prevention, crisis management, forensic applications, etc. The minimum requirement in societal security is for the authorities to be able to rapidly use the data collected by different CCTV systems from given locations.

Video Surveillance - Export Interoperability

Provides an export interoperability profile which constitutes the exchange format and minimum technical requirements that ensure that the digital video-surveillance contents exported
• Are compatible with the replay systems,
• Establish an appropriate level of quality, and
• Contain all the context information (metadata) necessary for their processing.


Video Surveillance-Export Interoperability

It is crucial for societal security that present and future video-surveillance systems implement this interface to allow efficient forensic processing of the material produced, often in massive quantities. This standard also contains provisions to ensure that citizen privacy measures can be implemented.

Video-Surveillance Systems Generic Architecture

A CCTV system usually consists of hardware, software and human elements. A CCTV system for security applications is presented as functional blocks, which portray the various parts and functions of the system, as well as the interactions with the human stakeholders.


The Following Graphics are Provided
• Functional blocks of a CCTV system for security applications
• Generic files organization
• Structure of the Audio-Video Package
• XML description and integration in the folder
• Arrangement of the XML Descriptor
• Arrangement of the descriptive metadata
• Sensor metadata items
• Event metadata items

Minimum Requirements for Interoperability

The implementation of this standard shall be such that widely available OS-independent tools will allow for minimal processing of received standard files by societal security organizations, ensuring as a minimum the following and any combination thereof:
• Videos and metadata display;
• Direct access to the metadata without display of the videos;
• Selection of content time slots;
• Access to the sources defined by name or scene-location.
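The following Python script is an added illustration of the last three minimum requirements (metadata access without opening the videos, time-slot selection, and finding sources by name or scene location). It is not code from ISO 22311 or ICOR: the XML descriptor layout, the element and attribute names, and the sample package are constructed here for the example and are not the standard's own schema, whose graphics are not reproduced on this page. It reads only the descriptor, reports any missing context metadata, and answers time-slot and source queries without touching a video file.

```python
"""Metadata-only handling of a video-surveillance export package.

Added example for the ISO 22311 discussion: the XML layout, element and
attribute names below are a constructed, hypothetical descriptor format,
not the standard's own schema.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample descriptor: three cameras, three clips, one event.
# The third camera deliberately lacks its scene location so that the
# completeness check below has something to report.
SAMPLE_DESCRIPTOR = """<?xml version="1.0"?>
<export package="constructed-package-001">
  <sensor id="cam-01" name="Lobby North" location="Building A / Ground floor">
    <segment file="video/cam-01_0001.mp4" start="2012-05-01T08:00:00" end="2012-05-01T08:10:00"/>
    <segment file="video/cam-01_0002.mp4" start="2012-05-01T08:10:00" end="2012-05-01T08:20:00"/>
  </sensor>
  <sensor id="cam-02" name="Car Park" location="Building A / Level -1">
    <segment file="video/cam-02_0001.mp4" start="2012-05-01T08:05:00" end="2012-05-01T08:15:00"/>
  </sensor>
  <sensor id="cam-03" name="Loading Bay">
  </sensor>
  <event type="motion" sensor="cam-02" time="2012-05-01T08:07:30"/>
</export>
"""

# Context metadata every sensor and clip must carry (hypothetical requirement list).
REQUIRED_SENSOR_ATTRS = ("id", "name", "location")
REQUIRED_SEGMENT_ATTRS = ("file", "start", "end")


def _ts(value):
    """Parse an ISO 8601 timestamp such as 2012-05-01T08:00:00."""
    return datetime.fromisoformat(value)


def parse_descriptor(xml_text):
    """Return (sensors, segments, events) as plain dicts from the XML descriptor.

    Only the descriptor is read; no video file is opened, which is the
    'direct access to the metadata without display of the videos' case.
    """
    root = ET.fromstring(xml_text)
    sensors, segments, events = [], [], []
    for s in root.findall("sensor"):
        sensors.append({k: s.get(k) for k in REQUIRED_SENSOR_ATTRS})
        for seg in s.findall("segment"):
            segments.append({
                "sensor": s.get("id"),
                "file": seg.get("file"),
                "start": _ts(seg.get("start")),
                "end": _ts(seg.get("end")),
            })
    for e in root.findall("event"):
        events.append({"type": e.get("type"),
                       "sensor": e.get("sensor"),
                       "time": _ts(e.get("time"))})
    return sensors, segments, events


def check_context(xml_text):
    """Report missing context metadata; an empty list means the package is complete."""
    problems = []
    root = ET.fromstring(xml_text)
    for s in root.findall("sensor"):
        for attr in REQUIRED_SENSOR_ATTRS:
            if not s.get(attr):
                problems.append(f"sensor {s.get('id') or '?'}: missing {attr}")
        for seg in s.findall("segment"):
            for attr in REQUIRED_SEGMENT_ATTRS:
                if not seg.get(attr):
                    problems.append(f"segment {seg.get('file') or '?'}: missing {attr}")
    return problems


def select_time_slot(segments, start, end):
    """Files of the clips overlapping the half-open slot [start, end)."""
    s, e = _ts(start), _ts(end)
    return [seg["file"] for seg in segments if seg["start"] < e and seg["end"] > s]


def find_sources(sensors, name=None, location=None):
    """Sensor ids whose name or scene location contains the given text (case-insensitive)."""
    hits = []
    for sen in sensors:
        if name and name.lower() not in (sen["name"] or "").lower():
            continue
        if location and location.lower() not in (sen["location"] or "").lower():
            continue
        hits.append(sen["id"])
    return hits


if __name__ == "__main__":
    sensors, segments, events = parse_descriptor(SAMPLE_DESCRIPTOR)
    print("completeness problems:", check_context(SAMPLE_DESCRIPTOR))
    print("clips 08:16-08:18:", select_time_slot(segments, "2012-05-01T08:16:00", "2012-05-01T08:18:00"))
    print("sources on level -1:", find_sources(sensors, location="level -1"))
```

The completeness check is run before any query: a package whose descriptor lacks a scene location or a clip's time range cannot satisfy the source and time-slot requirements, so an authority receiving it learns that from the metadata alone rather than after replaying hours of footage.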


ISO 22315: Mass Evacuation

(Photo examples: US Wildfires, WWII Bomb, Israel, Philippines Typhoon)

ISO 22315: Mass Evacuation

Governments and Emergency Management Agencies have a duty to prepare to evacuate areas in readiness for major catastrophic incidents. There is no template for the assessment of the plans for mass evacuation. Plans are developed using different assumptions, relying on different data, and are often specific to immediate hazards rather than being broad in scope.


ISO 22315: Mass Evacuation

Purpose: To develop a framework against which planners can assess their planning for mass evacuation. The framework will allow planners to identify how well developed their plans are and where additional resources might add value. The content of the standard will, in part, be informed by a 10-country, 3-year EU project on how countries prepare for mass evacuation.

ISO 22315: Mass Evacuation

Covers 6 planning activities:
1. Preparing the public to evacuate;
2. Understanding the evacuation zone;
3. Making evacuation decisions;
4. Disseminating the warning message;
5. Evacuating pedestrians and traffic; and
6. Shelter management.


ISO 22315: Mass Evacuation

Will specify a consistent structure to plan for mass evacuation for a range of risks. Will cover the following tasks:
• Analyzing evacuation situations,
• Preparing,
• Training & exercising,
• A common framework for debriefing/assessing response.

ISO 22320: Requirements for Incident Response


ISO 22320: Requirements for Incident Response

Published November 2011. Overall approach to preventing emergencies and managing those that occur, with a focus on international, national, regional, or local incidents. Specifies minimum requirements for effective incident response:
• Utilizes the “command and control” process
• Decision support
• Traceability
• Information management
• Interoperability

ISO 22320: Requirements for Incident Response

Purpose:
• Need for a multi-national and multi-organizational approach for responding to an incident
• Enables incident response organizations to improve their capabilities in handling all types of emergencies
• Specifies minimum requirements for effective incident response


Process of Providing Operational Information

(Cycle diagram, with Mission at the centre: Planning & Direction, Collection, Processing & Exploitation, Analysis & Production, Dissemination & Information.)

Multiple Hierarchical Command & Control Process

ISO 22322: Public Warning

ISO 22322: Public Warning

Purpose: Effective incident response needs structured and pre-planned public warning, which is the message broadcast by organizations dealing with societal security tasks to ensure the safety and security of the public and the vital functions of society. Public warning consists of an alert message and a notification message. It is necessary to establish a framework for risk identification, hazard monitoring, decision making, warning dissemination and evaluation.


ISO 22322: Public Warning

All organizations which are responsible for contributing to or issuing a public warning
• Should be aware of the system so that relevant, accurate, reliable, and timely information will be disseminated promptly (who);
• Should take continuous efforts to raise and maintain public awareness about the process of public warning (to whom);
• Should use all available means and technologies systematically and redundantly to ensure the highest quality of information (how);
• Should specify the following four elements for safety action: when, where, what hazard, and how to cope with (what).

ISO 22322: Public Warning

Public Warning Process Implementation

(Process diagram)
• Planning / Decision-Making: Hazard Identification, Hazard Monitoring, Area Identification
• Warning Activation; coordination
• Public Warning: Warning Area, People at risk and resources, Warning Methods, Warning Dissemination
• Monitoring & Review


ISO 22322: Public Warning

ISO 22324: Colour-Coded Alert


ISO 22325: Emergency Capability Assessment

ISO 22325: Emergency Capability Assessment

Purpose: Provide organizations with key elements and an assessment tool in order to determine the organization's state of emergency capability. Will seek to provide
• Road map
• Assessment model
• Assessment procedure
• Assessment criteria
• Assessment tool


ISO 22325: Key Elements
1. Leadership
2. Resources
3. Resource Management
4.
5. Risk Analysis
6. Information & Communication
7. Command & Control
8. Coordination & Cooperation
9. Structure
10. Planning
11. Exercise & Training
12. Hazard Mitigation
13. Hazard Mitigation
14. Activation

Four Level Maturity Model


Assessment Procedure

ISO 22351: Shared Situation Awareness


ISO 22351: Shared Situation Awareness

A new standard not yet published in any manner – a new project.

Standards for Both Public & Private Sectors


ISO 22300 Societal Security - Terminology

Societal Security “Definition please?”

ISO 22300 Societal Security - Terminology

Purpose: Contains terms and definitions applicable to societal security to establish a common understanding so that consistent terms are used. 6 categories:
• 2.1 Societal security
• 2.2 Management of societal security
• 2.3 Operational – Risk reduction
• 2.4 Operational – Exercise
• 2.5 Operational – Recovery
• 2.6 Technology


ISO 22300 Societal Security - Terminology

2.1 Societal security defined: Protection of society from, and response to, incidents, emergencies, and disasters caused by intentional and unintentional human acts, natural hazards, and technical failures

Civil protection
• Measures taken and systems implemented to preserve the lives and health of citizens, their properties, and their environment from unnatural events

ISO 22300 Societal Security – Terminology

2.1 Societal Security (term cloud): Mitigation, Resilience, Business Continuity, Risk Management, All-Hazards, Event, Risk, Security, Incident, Threat, Crisis, Hazard, Disaster, Consequence


ISO 22300 Societal Security – Terminology

2.2 Management of Societal Security (term cloud): Partnership, Mutual Aid Agreement, Emergency Management, Policy, Objective, Business Impact Analysis, Performance, Continual Improvement, Risk Source, Capacity, Risk Owner, Effectiveness, Competence, Residual Risk, Corrective Action, Exercise Program, Conformity / Nonconformity

ISO 22300 Societal Security – Terminology

2.3 Operational – Risk Reduction (term cloud): Work Environment, Vulnerability, Risk Assessment, Probability, Training, Prioritized Activities, Test / Testing, Contingency


ISO 22300 Societal Security – Terminology

2.4 Operational – Exercise (term cloud): Strategic Exercise, Functional Exercise, Exercise, Drill, Full-Scale Exercise, Observer, Scenario, Inject, Monitoring, Script, Exercise Coordinator, After-action Report, Exercise Safety Officer, Exercise Annual Plan

ISO 22300 Societal Security – Terminology

2.5 Operational – Recovery (term cloud): Command & Control, Incident Command, Incident Response, Shelter in Place, Coordination, Improvisation, Operational Information, Protection, Recovery


ISO 22300 Societal Security – Terminology

2.6 Technology (term cloud): Video-Surveillance, Forensic, Scene Location, CCTV System

ISO 22312 Societal Security – Technological Capabilities


ISO 22312 Societal Security – Technological Capabilities

A Technical Report that outlines the work of the Technical Committee for ISO 223:
• ANSI-Homeland Security Standards Panel (HSSP)
• BEN BT/WG 161 Protection of the Citizen
• ISO/IEC/ITU-T/SAG-S
• Asian-Pacific Economic Cooperation (APEC) and Standards Australia Initiative
Documents work completed at the launch of the project.

ISO 22397: Public-Private Partnership Agreements


ISO 22397: Public-Private Partnership Agreements

Purpose: Addresses principles, planning and development of partnership agreements with the objective of
• Managing relations among relevant organizations,
• Promoting interoperability,
• Enabling governance, and
• Fulfilling of the agreement.

The modeling framework should lead to benefits such as:
• Structure to avoid and resolve conflicts among the organizations;
• Synergy in the use of organizations' resources to achieve objectives;
• Trust and sharing common procedures;

ISO 22398: Guidelines for Exercises


ISO 22398: Guidelines for Exercises

Purpose: Describes the procedures necessary for planning, implementing, managing, evaluating, reporting and improving exercises, and the testing designs to assess the readiness of an organization to perform the mission.

ISO 22398: Guidelines for Exercises

4 Establishing the foundation
4.1 Needs and gap analysis
4.2 Base of support
4.3 Framework
4.4 Scope
4.5 Exercises within the system
4.6 Planning Document


ISO 22398: Guidelines for Exercises

5 Planning & design
5.1.1 Developing aim and performance objectives
5.1.2 Team management
5.1.3 Risk management & information security
5.1.4 Environmental aspects
5.1.5 Gender and diversity aspects
5.1.6 Logistics
5.1.7 Communication
5.1.8 Resources

ISO 22398: Guidelines for Exercises


ISO 22398: Guidelines for Exercises

5.2 Design & development
5.2.1 General
5.2.2 Selecting exercise type
5.2.3 Exercise types
5.2.4 Exercise methods
5.2.5 Preparing scenarios
5.2.6 Documentation
5.2.7 Records
5.2.8 Intervention

ISO 22398: Guidelines for Exercises

Discussion Based: Seminar, Workshop, Tabletop, Game

Operational Based: Simulation, Drill, Functional, Full-scale


ISO 22398: Guidelines for Exercises

ISO 22398: Guidelines for Exercises

6 Conducting Exercises
6.1 Run through
6.2 Briefing
6.3 Launch
6.4 Wrap up
6.5 Post exercise briefing
6.6 Observation


ISO 22398: Guidelines for Exercises

7 Improvement
7.1 After action review
7.2 Evaluation
7.3 After action report
7.4 Management review
7.5 Corrective action
7.6 Implement follow up

ISO 22398: Guidelines for Exercises


ISO 22398: Guidelines for Exercises

ISO/PAS 22399: Guidelines for Incident Preparedness & Operational Continuity Management


ISO/PAS 22399: Guidelines for Incident Preparedness & Operational Continuity Management

Purpose: Provide general guidance for an organization to develop its own specific performance criteria for incident preparedness and operational continuity and design an appropriate management system. Excludes specific emergency response activities such as disaster relief and social infrastructure recovery.

ISO/PAS 22399: Guidelines for Incident Preparedness & Operational Continuity Management

This standard has essentially been replaced by ISO 22301 and ISO 22313; however, it still contains some good information. It has not yet been retired, but it is not being reviewed for updating.


Business Continuity Management Standards (Private Sector)

ISO 22301: BCMS - Requirements

Published May 2012 - Developed from BS 25999-2:2007

Scope of the standard: Applicable to all types and sizes of organizations that wish to:
• Establish, implement, maintain, & improve a BCMS;
• Assure conformance with stated BCM policy;
• Demonstrate conformance to others;
• Seek certification/registration of its BCMS by an accredited third party certification body; or
• Make a self-determination and self-declaration of conformance with this International Standard.


Plan-Do-Check-Act Cycle Applied to BCMS

(Cycle diagram: Interested Parties, with requirements for preparedness & continuity management, feed Establish (Plan) → Implement & Operate (Do) → Monitor & Review (Check) → Maintain & Improve (Act), delivering managed preparedness & continuity back to Interested Parties; the loop is the continual improvement of the preparedness & continuity management system.)

ISO 22313: Guidance

This International Standard provides guidance to ISO 22301 for setting up and managing an effective business continuity management system (BCMS)


8.1.1 BCM Program Elements

From ISO 22313

BS 25999-2 & ISO 22301 Comparison

*Reference Excel Comparison Document

Topic | BS 25999-2 | ISO 22301
Context of the Organization | ---- | 4.1 & 4.2.1
Legal & Regulatory | 3.2.1.1 | 4.2.2
Scope & Objectives | 3.2.1 | 4.3 & 4.4
Management Commitment / Provision of Resources | 3.2.3 & 3.2.4 | 5 & 7
Policy | 3.2.2 | 5.3
Documentation | 3.4 | 7.5
BIA | 4.1.1 | 8.0, 8.1 & 8.2
Risk Assessment | 4.1.2 & 4.1.3 | 8.2.3 & 6.1
Strategy | 4.2 | 8.3
Plan Documentation / Implementation | 4.3 | 6.2, 8.4 & 7.4
Training & Awareness | 3.3 | 7.3
Exercising & Testing | 4.4.2 | 8.5
Program Maintenance & Improvement | 4.4.3, 5, & 6 | 9 & 10


Review of ISO 22301 by Category

4. Context of the Organization
5. Leadership
6. Planning
7. Support
8. Operation*
9. Performance evaluation
10. Improvement

*contains bulk of the requirements

4 Context of the Organization

4.1 Understanding the organization and its context

Internal Factors External Factors


4.2 Understanding Needs & Expectations of Interested Parties

From ISO 22313

4.3 Determining Scope of the System

The whole organization?

Or part of the organization?


Scope of Program vs. Scope of Certification

Scope: BCM Program

Scope: Certification

5 Leadership

• Demonstrated Management Commitment
• Roles, Responsibilities & Authorities Defined
• BCM Policy

Management Shall Demonstrate Leadership


6 Planning

6.1 Actions to Address Risks & Opportunities
• Assure the BCMS can achieve its intended outcomes
• Prevent undesired effects
• Realize opportunities for improvement
• Evaluate the need to plan actions to address these risks and opportunities

6.2 BC Objectives & Plans to Achieve Them
• Be consistent with policy
• Take account of the minimum level of products and services acceptable to achieve its objectives
• Be measurable
• Take into account requirements
• Be monitored and updated as appropriate

7 Support

7.1 Resources

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documented Information


8 Operation

8.1 Operational Planning & Control

8.2 BIA & Risk Assessment

8.3 Business Continuity Strategy

8.4 Business Continuity Procedures

8.5 Exercising & Testing

8.1 Operational Planning & Control

The organization shall determine, plan, implement, and control those activities needed to address the risks and opportunities by
a) Establishing criteria for those activities or processes
b) Implementing controls
c) Keeping documented information to demonstrate that they have been carried out as planned

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects as necessary, including those activities that are contracted out or outsourced.

8.2 The BIA & Risk Assessment

The organization shall have a formal and documented process for business impact analysis and risk assessment that:

• Includes systematic analysis
• Accounts for legal and other requirements
• Evaluates potential impact of a disruptive incident
• Prioritization of risk treatments and costs
• Defines criteria
• Defines required output
• Establishes BIA & RA context
• Information is kept up to date and confidential

From ISO 22313

8.2.2 Assessing Potential Impacts Over Time

• Effects on Staff & Public Well-Being
• Consequences of Non-compliance
• Damage to Reputation
• Environmental Damage
• Deterioration of Product or Service Quality
• Reduced Financial Viability

From ISO 22313

New Term: MBCO

Minimum Business Continuity Objective (MBCO): Minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption

(Figure: level of services during a disruption compared with normal operations)

ISO 31000 Risk Management Process

What may happen and why?

What are the consequences?

What is the probability?

How to mitigate or reduce probability of the risk?


ISO 31000

The process needs to take into consideration financial, governmental and societal obligations. The organization should understand the threats to and vulnerabilities of each resource required for each activity, and in particular those
• Required by activities with high priority
• With significant replacement lead-time

Document the Risk Management Strategy

(Flow diagram)
• Product/Service at Risk
• Options: Accept Risk; Transfer / Mitigate Risk; Change, Suspend, or Terminate Product/Service; Business Continuity
• Options to continue operations at pre-defined levels
• Document & Sign Off = Risk Management Program
• Resources considered: People, Physical Facilities, Technology, Data & Information, Supply Chain, Assets


8.3.1 Determination & Selection of Strategies

• Remove Risk to Activity
• Cease or Change the Activity
• Transfer Risk to another part of the Organization or a Third Party
• Control or mitigate
• Financing / Insurance
• Acceptance

From ISO 22313

8.3.1 Determination & Selection of Strategies

• Resource Relocation
• Redundancy
• Resource & Skills Replacement
• Temporary Workaround
• Manual Procedures
• Asset Restoration

From ISO 22313

8.3.2 Establishing Resource Requirements

• Information, Data, Technology & Telecommunications Systems
• Facilities, Equipment, Utilities & Consumables
• Employees & Stakeholders
• Transportation
• Partners & Suppliers
• Reputation
• Finance

From ISO 22313

8.3.3 Protection & Mitigation

The organization shall consider proactive measures that:

Limit the impact of a disruption on the organization’s key services

Shorten the period of disruption

Reduce the likelihood of a disruption


8.4 Establish & Implement BC Procedures

8.4.1 General

8.4.2 Incident Response Structure

8.4.3 Warning & Communication

8.4.4 Business Continuity Plans

8.4.5 Recovery

8.4.1 Establish & Implement BC Procedures

The procedures shall:
a) Establish an appropriate internal and external communications protocol
b) Be specific regarding the immediate steps that are to be taken during a disruption
c) Be flexible to respond to unanticipated threats and changing internal and external conditions


8.4.1 Establish & Implement BC Procedures

The procedures shall:
d) Focus on the impact of events that could potentially disrupt operations
e) Be developed based on stated assumptions and an analysis of interdependencies
f) Be effective in minimizing consequences through implementation of appropriate mitigation strategies

8.4.2 Incident Response Structure

The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority, and competence to manage an incident. Levels: Strategic, Tactical, Operational.


8.4.3 Warning and Communication

The organization shall establish, implement, and maintain procedures for
a) Detecting an incident
b) Regular monitoring of an incident
c) Internal communication within the organization and receiving, documenting, and responding to communication from interested parties
d) Receiving, documenting, and responding to any national or regional risk advisory system or equivalent

8.4.3 Communication and Warning

e) Assuring availability of the means of communication during a disruptive event
f) Facilitating structured communication with emergency responders
g) Recording of vital information about the incident, actions taken and decisions made


8.4.4 Business Continuity Plans

The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe.

Such procedures shall address the requirements of those who will use them.

8.4.4.3 Specific Types of Procedures

8.4.4.3.1 Incident / Strategic

8.4.4.3.2 Communications

8.4.4.3.3 Incident & Welfare

8.4.4.3.4 Resuming Activities

8.4.4.3.5 Recovery of ICT

From ISO 22313

8.4.5 Recovery

Goal: Get operations back to the state they were in before the incident.
• Repair damage
• Migrate operations from temporary premises back to restored or new location

From ISO 22313

8.5 Exercising & Testing

The organization shall conduct exercises and tests that:
a) Are consistent with the scope of the BCMS;
b) Are based on appropriate scenarios that are well planned with clearly defined aims and objectives;
c) Taken together over time validate the whole of its business continuity arrangements involving relevant interested parties;
d) Minimize the risk of disruption to operations;
e) Produce formalized post-exercise reports that contain outcomes, recommendations, and actions to implement improvements;
f) Are reviewed within the context of promoting continual improvement; and
g) Are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates.


Sections 9 & 10: Continuous Improvement

9 Performance Evaluation

9.1 Monitoring, Measurement, Analysis, and Evaluation

9.2 Internal Audit

9.3 Management Review


10 Improvement

10.1 Nonconformity and corrective action

The organization shall:
a) Identify nonconformities; and
b) React to the nonconformities, and as applicable
   1. Take action to control, contain and correct them;
   2. Deal with the consequences

10.2 Continual Improvement

The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS.

NOTE: The organization can use the processes of the BCMS, such as leadership, planning and performance evaluation, to achieve improvement.


ISO 223XX: Organizational Resilience Guidelines


New proposed outline:
• Organizational Resilience Defined
• What are the Benefits of Enhanced Resilience?
• Behaviors that Support Resilience
• Principles & Models that Support Resilience
• Relationship to Risk Management
• Measuring & Building Adaptive Capacity


What is Organizational Resilience?

Organizational resilience is the adaptive capacity of an organization in a complex and changing environment. ISO 22300

• Planning and decision-taking in order to build and sustain the adaptive capacity of an organization in complex and rapidly changing circumstances;
• Achieving the agile treatment of a broad range of risks uniquely applicable to each organization; and
• Creating a culture that takes full advantage of adaptive change to meet its objectives and aims.

Benefits of Enhanced Resilience

Organizations with adaptive cultures, innovative thinkers and inner strength thrive in the face of unpredictable markets. As such, building resilience has daily business benefits. Valikangas (2010)

• Enhanced Ability to Change as Needed
• Leadership Capacity
• Improved Performance


Resilience Objectives

• An organization accepts that adversity may cause it to cease operating
• Exist in a reduced form after adversity
• Regain pre-adversity position quickly and effectively
• Improve aspects of its functioning so that it not only survives but possibly gains from the event

Focus on Protection, Performance & Adaptation

Protection of business systems. These systems need to be robust enough to survive the various assaults and/or intrusions.

Performance refers to the need to get things right the first time and to move quickly to correct errors.

Adaptation is required when circumstances change, demanding a change in business focus, structure and processes.


Behaviors that Support Resilience

Open Communication: Communicate as openly and regularly as possible with all concerned stakeholders.

Honesty: Staff need to know that when they receive information it is truthful.

Authenticity: Do what you say. There must be alignment between the purpose and values of the organization and what they do.

Deep Knowledge & Expertise: Extensive training and exercises. Succession planning around key roles.

The Principles Model of Resilience

• Resilience is an outcome
• Resilience is not a static trait
• Resilience is not a single trait
• Resilience is multi-dimensional
• Resilience exists over a range of conditions
• Resilience is founded upon good risk management

Volume 25, No.02, April 2010


The Progression of Resilience Maturity

Static Model vs Principles Model


Integrated Functions Model

Attributional Model


Composite Model

Herringbone Model


Resilience Triangle Model

Resilience Strategies Model


Characteristics that Support a Resilient State

• Ability to recognize precedence
• Ambiguity Tolerance
• Creativity & Agility
• Stress Coping
• Learnability

Risk Management Can Increase Resilience

A 2010 study by FM Global showed a positive correlation between the earnings stability of a company and its investment in physical loss prevention.

By pursuing strong physical risk management processes and systems to reduce the likelihood and size of losses, a company can potentially achieve a measurable reduction in earnings volatility (40% less volatile than companies with less advanced risk management).


Resilience Benchmark Survey

Dimensions & Indicators of Resilience

Questions?

Lynnda Nelson
President, ICOR
[email protected]
866-765-8321 North America
+1630-705-0910 International
www.theICOR.org

Jim Nelson
Chair, ICOR
President, BCS
[email protected]
866-629-6327
www.BusinessContinuitySvcs.com