DIN EN ISO 22301-2014 Societal security - Business continuity management systems - Requirements (ISO 22301 2012) German version EN ISO 22301 2014《社会安全 业务连续性管理系统 要求 (ISO 22301-2012).pdf

1、December 2014 Translation by DIN-Sprachendienst.English price group 15No part of this translation may be reproduced without prior permission ofDIN Deutsches Institut fr Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany,has the exclusive right of sale for German Standards (DIN-Normen).I

2、CS 03.100.01!%t“2278881www.din.deDDIN EN ISO 22301Societal security Business continuity management systems Requirements (ISO 22301:2012);English version EN ISO 22301:2014,English translation of DIN EN ISO 22301:2014-12Sicherheit und Schutz des Gemeinwesens Business Continuity Management System Anfor

3、derungen (ISO 22301:2012);Englische Fassung EN ISO 22301:2014,Englische bersetzung von DIN EN ISO 22301:2014-12Scurit socitale Systmes de management de la continuit dactivit Exigences (ISO 22301:2012);Version anglaise EN ISO 22301:2014,Traduction anglaise de DIN EN ISO 22301:2014-12www.beuth.deDocum

4、ent comprises 32 pagesIn case of doubt, the German-language original shall be considered authoritative.01.15 DIN EN ISO 22301:2014-12 2 A comma is used as the decimal marker. National foreword The text of ISO 22301:2012 has been prepared by Technical Committee ISO/TC 223 “Societal Security” and has

5、been taken over without any modification as EN ISO 22301:2012 by Technical Committee CEN/TC 391 “Societal and Citizen Security” (Secretariat: NEN, Netherlands). The responsible German body involved in its preparation was the DIN-Normenausschuss Feuerwehrwesen (DIN Standards Committee Firefighting an

6、d Fire Protection), Working Committee NA 031-05 FBR Fachbereichsausschuss Sicherheit und Schutz des Gemeinwesens SpA zu ISO/TC 223 Societal security. The following terms have been translated into German taking the technical terms commonly used into consideration and in deviation from the preferred t

7、ranslations: The English expression “Business impact analysis (BIA)“ has only been partly translated into German (the German term “Analyse” is used instead of the English word “analysis”) and the English expression “Business continuity management (BCM)” has been taken over completely, because these

8、terms have become established in German as well. The term “invocation” (3.2.3) has been literally translated into German as “Aufruf ”, although in crisis management the expression “in Kraft setzen” is used. The term “business continuity” (3.3) has been translated throughout as “Aufrechterhaltung der

9、 Betriebsfhigkeit”. “Incident response” (8.4.2) has been translated as “Reaktion auf einen Zwischenfall”. However, the expression “Einsatz zur Gefahrenabwehr” is also used in practice. EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO 22301 July 2014 ICS 03.100.01 English Version Societal sec

10、urity - Business continuity management systems - Requirements (ISO 22301:2012) Scurit socitale - Systmes de management de la continuit dactivit - Exigences (ISO 22301:2012) Sicherheit und Schutz des Gemeinwesens - Business Continuity Management System - Anforderungen (ISO 22301:2012) This European S

11、tandard was approved by CEN on 17 July 2014. CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning

12、 such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its

13、 own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, German

14、y, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR N

15、ORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN ISO 22301:2014 EContents PageForeword . 30 Introduction . 40.1 General . 40.2 The Plan-Do-Check-Act (PDCA)

16、 model 40.3 Components of PDCA in this International Standard 51 Scope 72 Normative references . 73 Terms and definitions . 74 Context of the organization 144.1 Understanding of the organization and its context 144.2 Understanding the needs and expectations of interested parties . 154.3 Determining

17、the scope of the business continuity management system . 154.4 Business continuity management system .165 Leadership .165.1 Leadership and commitment .165.2 Management commitment .165.3 Policy 175.4 Organizational roles, responsibilities and authorities 176 Planning .186.1 Actions to address risks a

18、nd opportunities .186.2 Business continuity objectives and plans to achieve them 187 Support .187.1 Resources .187.2 Competence 197.3 Awareness .197.4 Communication 197.5 Documented information .208 Operation .218.1 Operational planning and control .218.2 Business impact analysis and risk assessment

19、 .218.3 Business continuity strategy .228.4 Establish and implement business continuity procedures .238.5 Exercising and testing .259 Performance evaluation .259.1 Monitoring, measurement, analysis and evaluation 259.2 Internal audit .269.3 Management review 2710 Improvement .2810.1 Nonconformity an

20、d corrective action 2810.2 Continual improvement .29Bibliography .30DIN EN ISO 22301:2014-12 EN ISO 22301:2014 (E) 2 Foreword The text of ISO 22301:2012 has been prepared by Technical Committee ISO/TC 223 “Societal security” of the International Organization for Standardization (ISO) and has been ta

21、ken over as EN ISO 22301:2014 by Technical Committee CEN/TC 391 “Societal and Citizen Security” the secretariat of which is held by NEN. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by January 201

22、5, and conflicting national standards shall be withdrawn at the latest by January 2015. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights

23、. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, G

24、ermany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO 22301:2012 has been approved by CEN as EN ISO 2230

25、1:2014 without any modification. DIN EN ISO 22301:2014-12 EN ISO 22301:2014 (E) 3 0 Introduction0.1 GeneralThis International Standard specifies requirements for setting up and managing an effective Business Continuity Management System (BCMS).A BCMS emphasizes the importance of understanding the or

26、ganizations needs and the necessity for establishing business continuity management policy and objectives, implementing and operating controls and measures for managing an organizations overall capability to manage disruptive incidents, monitoring and reviewing the performance and effectiveness of t

27、he BCMS, and continual improvement based on objective measurement.A BCMS, like any other management system, has the following key components:a) a policy;b) people with defined responsibilities;c) management processes relating to1) policy,2) planning,3) implementation and operation,4) performance ass

28、essment,5) management review, and6) improvement;d) documentation providing auditable evidence; ande) any business continuity management processes relevant to the organization.Business continuity contributes to a more resilient society. The wider community and the impact of the organizations environm

29、ent on the organization and therefore other organizations may need to be involved in the recovery process.0.2 The Plan-Do-Check-Act (PDCA) modelThis International Standard applies the “Plan-Do-Check-Act” (PDCA) model to planning, establishing, implementing, operating, monitoring, reviewing, maintain

30、ing and continually improving the effectiveness of an organizations BCMS.This ensures a degree of consistency with other management systems standards, such as ISO 9001 Quality management systems, ISO 14001, Environmental management systems, ISO/IEC 27001, Information security management systems, ISO

31、/IEC 20000-1, Information technology Service management, and ISO 28000, Specification for security management systems for the supply chain, thereby supporting consistent and integrated implementation and operation with related management systems.Figure 1 illustrates how a BCMS takes as inputs intere

32、sted parties, requirements for continuity management and, through the necessary actions and processes, produces continuity outcomes (i.e. managed business continuity) that meet those requirements.DIN EN ISO 22301:2014-12 EN ISO 22301:2014 (E) 4 InterestedpartiesManaged business continuityInterestedp

33、artiesRequirementsfor business continuityContinual improvement of business continuitymanagement system (BCMS)Establish(Plan)Monitor and review(Check)Maintain and improve(Act)Implement and operate(Do)Figure 1 PDCA model applied to BCMS processesTable 1 Explanation of PDCA modelPlan (Establish)Establi

34、sh business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity in order to deliver results that align with the organizations overall policies and objectives.Do (Implement and operate)Implement and operate the business continuity polic

35、y, controls, processes and procedures.Check (Monitor and review)Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.Act (Maintain and improve)Maintain and im

36、prove the BCMS by taking corrective action, based on the results of management review and reappraising the scope of the BCMS and business continuity policy and objectives.0.3 Components of PDCA in this International StandardIn the Plan-Do-Check-Act model as shown in Table 1, Clause 4 through Clause

37、10 in this International Standard cover the following components. Clause 4 is a component of Plan. It introduces requirements necessary to establish the context of the BCMS as it applies to the organization, as well as needs, requirements, and scope. Clause 5 is a component of Plan. It summarizes th

38、e requirements specific to top managements role in the BCMS, and how leadership articulates its expectations to the organization via a policy statement. Clause 6 is a component of Plan. It describes requirements as it relates to establishing strategic objectives and guiding principles for the BCMS a

39、s a whole. The content of Clause 6 differs from establishing risk treatment opportunities stemming from risk assessment, as well as business impact analysis (BIA) derived recovery objectives.DIN EN ISO 22301:2014-12 EN ISO 22301:2014 (E) 5 NOTE The business impact analysis and risk assessment proces

40、s requirements are detailed in Clause 8. Clause 7 is a component of Plan. It supports BCMS operations as they relate to establishing competence and communication on a recurring/as-needed basis with interested parties, while documenting, controlling, maintaining and retaining required documentation.

41、Clause 8 is a component of Do. It defines business continuity requirements, determines how to address them and develops the procedures to manage a disruptive incident. Clause 9 is a component of Check. It summarizes requirements necessary to measure business continuity management performance, BCMS c

42、ompliance with this International Standard and managements expectations, and seeks feedback from management regarding expectations. Clause 10 is a component of Act. It identifies and acts on BCMS non-conformance through corrective action.DIN EN ISO 22301:2014-12 EN ISO 22301:2014 (E) 6 1 ScopeThis I

43、nternational Standard for business continuity management specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from

44、disruptive incidents when they arise.The requirements specified in this International Standard are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the org

45、anizations operating environment and complexity.It is not the intent of this International Standard to imply uniformity in the structure of a Business Continuity Management System (BCMS), but for an organization to design a BCMS that is appropriate to its needs and that meets its interested parties

46、requirements. These needs are shaped by legal, regulatory, organizational and industry requirements, the products and services, the processes employed, the size and structure of the organization, and the requirements of its interested parties.This International Standard is applicable to all types an

47、d sizes of organizations that wish toa) establish, implement, maintain and improve a BCMS,b) ensure conformity with stated business continuity policy,c) demonstrate conformity to others,d) seek certification/registration of its BCMS by an accredited third party certification body, ore) make a self-determination and self-declaration of conformity with this International Standard.This International Standard can b