Security and resilience -- Business continuity management systems -- Guidelines for developing business continuity plans and procedures

General information

Status: Published
Publication date: 27-May-2021
Current stage: 5060 - Close of voting / proof returned by Secretariat
Start date: 21-Apr-2021
Completion date: 21-Apr-2021
Draft: ISO/PRF TS 22332 - Security and resilience -- Business continuity management systems -- Guidelines for developing business continuity plans and procedures (English, 20 pages)

Standards Content (sample)

TECHNICAL SPECIFICATION ISO/TS 22332
First edition
Security and resilience — Business continuity management systems — Guidelines for developing business continuity plans and procedures
PROOF/ÉPREUVE
Reference number: ISO/TS 22332:2021(E)
© ISO 2021
ISO/TS 22332:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii PROOF/ÉPREUVE © ISO 2021 – All rights reserved
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Prerequisites
  4.1 General
  4.2 Interested parties
  4.3 Identify approved business continuity strategies and solutions
  4.4 Business continuity plan development, roles and competencies
  4.5 Resources for developing and maintaining business continuity plans and procedures
5 Response
  5.1 General
  5.2 Response structure
  5.3 Competence of team members
6 Types of business continuity team plans and procedures
  6.1 General
  6.2 Strategic team plan
    6.2.1 Purpose
    6.2.2 Team composition
    6.2.3 Owner
  6.3 Tactical teams’ plans
    6.3.1 Purpose
    6.3.2 Team composition
    6.3.3 Owner
  6.4 Operational teams’ plans
    6.4.1 Purpose
    6.4.2 Team composition
    6.4.3 Owner
7 Content of business continuity plan and procedures
  7.1 General
  7.2 Common sections
    7.2.1 Purpose
    7.2.2 Objectives
    7.2.3 Assumptions
    7.2.4 Activating and assembling the team
    7.2.5 Team member roles and responsibilities
    7.2.6 Tasks
    7.2.7 Communications
    7.2.8 Interrelationships with other plans
    7.2.9 Standing down the team
    7.2.10 Resource information
    7.2.11 Contact information
    7.2.12 Appendices
    7.2.13 Version control
    7.2.14 Plan control and distribution
  7.3 Specific procedures
    7.3.1 Emergency response procedures
    7.3.2 Communications procedures
    7.3.3 Information and Communication Technology (ICT) procedures
    7.3.4 Alternative facilities setup procedures
    7.3.5 Alternative resource procedures
8 Plans for response to specific disruptions
  8.1 General
  8.2 Pandemic (global) and epidemic (regional)
  8.3 Cyber-attack
9 Guidance on documenting plans
  9.1 Clarity
  9.2 Clarity
  9.3 Completeness
10 Plan controls, storage and availability
11 Next steps after documenting business continuity plans and procedures
  11.1 Awareness
  11.2 Exercising and testing
12 Monitoring and reviewing business continuity plans and procedures
  12.1 Performance review
  12.2 Maintenance
  12.3 Management review
Annex A (informative) Procedures for maintenance of a business continuity capability
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 292, Security and resilience.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

Introduction

This document provides guidelines for developing and maintaining business continuity plans and procedures. This document is consistent with the requirements in ISO 22301 and is applicable to the performance of any business continuity plan development, or as part of a business continuity management system (BCMS).

A business continuity plan provides guidance and information to assist teams responding to a disruption (ISO 22301:2019, 8.4.1) in order to meet expectations regarding delivery of products and services. The organization should create plans and procedures to address communications, emergency management, incident response, crisis management, recovery and restoration.

Business continuity plans and procedures should be consistent with organizational goals and objectives and business continuity objectives (see ISO 22301:2019, 3.4) and detail the actions that teams will take during a disruption in order to:
— activate the response;
— manage the immediate consequences of a disruption;
— continue or recover prioritized activities within predetermined time frames utilizing, if appropriate, the agreed business continuity strategies and solutions;
— monitor the impact of the disruption and the organization’s response to it;
— deliver products and services at agreed capacity.

Figure 1 presents the flow between the different components that constitute business continuity management. The business continuity strategy and solutions process (ISO 22301:2019, 8.3) provides the input for identifying, developing and maintaining business continuity plans and procedures (ISO 22301:2019, 8.4). In turn, the business continuity plans and procedures are a prerequisite for coordinating and performing business continuity exercises and tests (ISO 22301:2019, 8.5).

Figure 1 — Elements of business continuity management (SOURCE: ISO 22313:2020; the figure itself is not included in this sample)

The purpose of this document is to provide organizations with:
— detailed methods to develop business continuity plans and procedures;
— a structured approach to collect and organize information to develop plans and procedures;
— advice for maintaining plans and procedures over time to establish a continual improvement environment.

Following these guidelines will lead to the:
— establishment of a management structure to respond to a disruption, appointing competent and responsible personnel and teams with the authority to manage the response;
— implementation and maintenance of response processes addressing the protection of life and assets;
— establishment of command and control of the recovery effort following the onset of the disruption;
— implementation and maintenance of communication and warning procedures, including those necessary to manage the media response and coordination with other interested parties throughout a disruption;
— continuity or recovery of disrupted business activities and unavailable resources within predetermined time frames, including procedures necessary to return business activities from the temporary measures adopted during the incident to normal operations;
— recovery of disrupted technology assets;
— establishment of procedures to maintain capabilities and response readiness such as cross-training and exercising.

TECHNICAL SPECIFICATION ISO/TS 22332:2021(E)
Security and resilience — Business continuity management
systems — Guidelines for developing business continuity
plans and procedures
1 Scope

This document provides guidelines for developing and maintaining business continuity plans and procedures. It is applicable to all organizations regardless of type, size and nature, whether in the private, public, or not-for-profit sectors, that wish to develop effective business continuity plans and procedures in a consistent manner.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 22300, Security and resilience — Vocabulary

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 22300 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

4 Prerequisites

4.1 General

Although these guidelines are consistent with ISO 22301, they can be used to develop and maintain business continuity plans and procedures when aligning or subscribing to other standards, obligations or regulatory requirements. Regardless of approach, several prerequisites need to be addressed. The organization should:
— understand the needs and expectations of interested parties (4.2);
— complete strategy determination and selection (4.3);
— define and communicate roles and responsibilities of those required to develop plans (4.4);
— allocate adequate resources to develop and maintain plans (4.5).

4.2 Interested parties

Business continuity should address the needs and expectations of interested parties. Therefore, the organization should identify its interested parties and determine their requirements for the response and recovery effort during a disruption.

4.3 Identify approved business continuity strategies and solutions

Prior to developing business continuity plans and procedures, the organization should have completed the determination, selection and approval of business continuity strategies and solutions, including identification of:
— alternate working arrangements to address the loss or inaccessibility of premises;
— arrangements to address the unavailability of personnel;
— capabilities to recover disrupted technology assets and services, including data and communications;
— alternate means to deliver products and services when faced with a supplier disruption.

NOTE See ISO 22301 and ISO 22331.

4.4 Business continuity plan development, roles and competencies

Top management should assign someone with the appropriate authority to oversee a team to develop the business continuity plans and procedures to cover the scope of the business continuity management system (BCMS).

Roles or tasks that are relevant to developing business continuity plans and procedures can include:
— managing business continuity planning projects;
— designing a plan template to ensure consistency;
— contributing content to business continuity plans and procedures;
— approving business continuity plans and procedures.

The organization should ensure the competence of persons leading or participating in developing and maintaining business continuity plans and procedures. Competences should include:
— understanding the organization;
— project planning, management and collaboration;
— information gathering;
— understanding organizational processes and workflows;
— effective oral and written communication;
— methods and techniques necessary to manage the response to a disruption.

4.5 Resources for developing and maintaining business continuity plans and procedures

The organization should determine and provide the resources needed for developing and maintaining business continuity plans and procedures that will enable it to:
— comply with its business continuity policy and achieve its business continuity objectives;
— activate its response and recovery strategies and solutions in a timely manner;
— maintain the readiness of its response;
— provide for the continual improvement of its business continuity plans and procedures (e.g. conducting regular tests).


Resources include personnel time and financial resources necessary to document and maintain business continuity plans and procedures.

5 Response

5.1 General

During a disruption, business continuity plans and procedures should:
— enable the organization to make timely decisions;
— be sufficiently flexible to accommodate unanticipated and evolving situations;
— focus on minimizing the anticipated impacts of disruptions;
— make use, where appropriate, of the prepared business continuity strategies and solutions to minimize impacts;
— identify roles and assign responsibilities for all response activities;
— have available the resources required to support response activities.

5.2 Response structure

The organization should establish a response structure consisting of one or more teams, each supported by a set of documented plans and procedures. Working together during a disruption, these teams will enable the organization to:
— identify, escalate and manage the incident;
— manage the needs of all interested parties;
— resume the delivery of products and services within predetermined time frames at acceptable capacity.

If the nature of the incident threatens life or property, immediate actions to protect these can be initiated.

A hierarchical team structure can be created comprising:
— Strategic team: a top management team that will, if required, manage the strategic issues of the incident, in particular those external to the organization such as communication, regulatory and reputation issues. Top management can choose to delegate the delivery of internal and external messages to a separate communication team.
— Tactical team(s): a management team, or a number of teams, that manage the internal response to the incident and the recovery of activities. Tactical team(s) analyse the impact of the incident, direct the operational teams to implement the appropriate solutions from those available, ensure the timely resumption of product and service delivery and provide progress updates to the strategic team.
— Operational teams: each department or business unit can have plans which, depending on its function, describe how it will respond to disruptions. Each operational team operates under the direction of a tactical team and reports progress to it.

In a small organization, one team can be appropriate to manage all aspects of the response.

5.3 Competence of team members

In order to meet the objectives of the teams, careful consideration should be given to the selection of team members. Table 1 highlights characteristics that members of each of the teams should have.

Table 1 — Characteristics of team members

Strategic team:
— understand the strategic goals of the organization;
— knowledge of their responsibilities and capability to execute;
— provide oversight to teams;
— decisive under pressure;
— ability to anticipate possible impact(s) to the organization.

Tactical team:
— knowledge of their responsibilities and capability to execute;
— understand relationships among all teams and plans;
— ability to coordinate multiple activities at the same time and communicate with strategic, tactical and operational teams;
— understand complexities of the organization and consequences of decisions;
— ability to work and make decisions under pressure;
— demonstrate pragmatic problem solving;
— ability to challenge decisions.

Operational team:
— knowledge of their responsibilities and capability to execute;
— ability to work accurately and methodically under pressure;
— disciplined to follow instructions;
— ability to escalate concerns or problems.

6 Types of business continuity team plans and procedures

6.1 General

Procedures are documented in plans.

Each team requires a plan to ensure the team:
— understands its scope, objectives and responsibilities;
— has the information immediately available that will enable it to perform its assigned tasks.

The content of each plan will therefore be different, though there should be a common structure across all the organization’s plans to make them easier to understand and maintain and to ensure consistency.
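The hierarchical response structure of 5.2 and the common plan structure asked for in 6.1 can be checked mechanically once each plan carries a little metadata. The following Python script is an added example for this extract, not part of ISO/TS 22332 and not ISO tooling: it walks a set of team plans and reports plans that lack any of the common sections of 7.2 (the headings are taken from the table of contents above) or hold them in a different order, operational plans that do not report to an existing tactical plan and tactical plans that do not report to the strategic plan, cross-references to plans that do not exist (7.2.8), and plans whose last review is too old (12.2). The plan records, the field names (plan_id, team_level, owner, sections, reports_to, related_plans, last_reviewed), the plan identifiers and the 365-day review interval are assumptions made for the example; the standard prescribes no particular data format or review interval.

```python
"""Consistency checks over a set of business continuity team plans.

Added example, not part of ISO/TS 22332. The plan records below are
constructed sample data; field names, plan identifiers and the review
interval are assumptions made for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Hierarchical response structure (5.2): each level reports to the next one up.
PARENT_LEVEL = {"operational": "tactical", "tactical": "strategic", "strategic": None}

# Common sections of a team plan (headings of 7.2), in the common order that
# 6.1 asks every plan in the organization to share.
REQUIRED_SECTIONS = (
    "Purpose", "Objectives", "Assumptions", "Activating and assembling the team",
    "Team member roles and responsibilities", "Tasks", "Communications",
    "Interrelationships with other plans", "Standing down the team",
    "Resource information", "Contact information", "Appendices",
    "Version control", "Plan control and distribution",
)

# Publication date of the specification, used as "today" for the sample run.
REFERENCE_DATE = date(2021, 5, 27)


@dataclass(frozen=True)
class Plan:
    plan_id: str
    team_level: str                 # strategic / tactical / operational (5.2)
    owner: str                      # plan owner (6.2.3, 6.3.3, 6.4.3)
    sections: tuple[str, ...]       # section headings present in the document
    reports_to: str | None = None   # plan_id of the team this team reports to
    related_plans: tuple[str, ...] = ()  # cross-references (7.2.8)
    last_reviewed: date | None = None    # from the version-control section (7.2.13)


def check_plan_set(plans, today, max_review_age_days=365):
    """Return a list of findings; an empty list means the plan set is consistent."""
    by_id = {p.plan_id: p for p in plans}
    single_team = len(plans) == 1  # a small organization may run one team (5.2)
    findings = []
    for p in plans:
        if p.team_level not in PARENT_LEVEL:
            findings.append(f"{p.plan_id}: unknown team level '{p.team_level}'")
            continue
        if not p.owner.strip():
            findings.append(f"{p.plan_id}: no owner assigned")
        # 6.1 / 7.2: every common section present, and in the common order.
        for s in REQUIRED_SECTIONS:
            if s not in p.sections:
                findings.append(f"{p.plan_id}: missing common section '{s}'")
        present = [s for s in p.sections if s in REQUIRED_SECTIONS]
        if present != [s for s in REQUIRED_SECTIONS if s in p.sections]:
            findings.append(f"{p.plan_id}: common sections not in the common order")
        # 5.2: reporting line resolves to a plan of the expected level.
        expected_parent = PARENT_LEVEL[p.team_level]
        if expected_parent is None:
            if p.reports_to is not None:
                findings.append(f"{p.plan_id}: strategic team plan should not report to another team")
        elif not single_team:
            parent = by_id.get(p.reports_to or "")
            if parent is None:
                findings.append(f"{p.plan_id}: reports to unknown plan '{p.reports_to}'")
            elif parent.team_level != expected_parent:
                findings.append(f"{p.plan_id}: {p.team_level} team should report to a "
                                f"{expected_parent} team, not '{parent.plan_id}' ({parent.team_level})")
        # 7.2.8: interrelationships with other plans must point at real plans.
        for ref in p.related_plans:
            if ref not in by_id:
                findings.append(f"{p.plan_id}: references unknown plan '{ref}'")
        # 7.2.13 / 12.2: the plan has been reviewed within the assumed interval.
        if p.last_reviewed is None:
            findings.append(f"{p.plan_id}: no review date recorded")
        elif today - p.last_reviewed > timedelta(days=max_review_age_days):
            findings.append(f"{p.plan_id}: last reviewed {p.last_reviewed.isoformat()}, "
                            f"older than {max_review_age_days} days")
    if not single_team and not any(p.team_level == "strategic" for p in plans):
        findings.append("no strategic team plan in the plan set")
    return findings


# Constructed sample plan set. The first three are consistent; OPS-WAREHOUSE is
# deliberately defective: no owner, no version-control section, a reporting
# line to a plan that does not exist, and a review two years old.
SAMPLE_PLANS = (
    Plan("STR-01", "strategic", "Chief Executive", REQUIRED_SECTIONS,
         last_reviewed=date(2021, 3, 1)),
    Plan("TAC-IT", "tactical", "Head of IT", REQUIRED_SECTIONS, reports_to="STR-01",
         related_plans=("OPS-PAYROLL",), last_reviewed=date(2021, 2, 15)),
    Plan("OPS-PAYROLL", "operational", "Payroll Manager", REQUIRED_SECTIONS,
         reports_to="TAC-IT", last_reviewed=date(2021, 4, 1)),
    Plan("OPS-WAREHOUSE", "operational", "",
         tuple(s for s in REQUIRED_SECTIONS if s != "Version control"),
         reports_to="TAC-LOGISTICS", last_reviewed=date(2019, 5, 1)),
)


if __name__ == "__main__":
    for finding in check_plan_set(SAMPLE_PLANS, REFERENCE_DATE):
        print(finding)
```

Run as a script, it prints four findings, all against the deliberately defective OPS-WAREHOUSE plan; passing only the single OPS-PAYROLL plan is accepted without a reporting line, which is the one-team case that 5.2 allows for a small organization. In practice the plan records would be loaded from the organization's plan repository and the check run whenever a plan is changed (12.2) or before an exercise (11.2).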

6.2 Strategic team plan

6.2.1 Purpose

The strategic team plan ensures that the organization’s response to an incident is coordinated, effective and timely. The procedures should include the basis for managing all possible issues facing the organization during an incident. Strategic plans assist top management with:
— the strategic direction of the organization during the incident;
— monitoring the severity of the disruption;
— maintaining its reputation through internal and external communications to interested parties;
— continued compliance of the organization with statutory and regulatory requirements.

6.2.2 Team composition

The strategic team will consist of
...
