EN ISO 22313-2014 en Societal security - Business continuity management systems - Guidance《社会安全 企业连续性管理系统 指南(ISO 22313 2012)》.pdf

1、BSI Standards PublicationSocietal security Business continuity management systems GuidanceBS EN ISO 22313:2014BS EN ISO 22313:2014National forewordThis British Standard is the UK implementation of EN ISO 22313:2014. It is identical to ISO 22313:2012. It supersedes BS ISO 22313:2012, which is withdra

2、wn.The UK participation in its preparation was entrusted by Technical Committee BCM/1, Business continuity management to Subcommittee BCM/1/-/3, Supply Chain Continuity.A list of organizations represented on this subcommittee can be obtained on request to its secretary.This publication does not purp

3、ort to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2014. Published by BSI Standards Limited 2014ISBN 978 0 580 85895 6ICS 03.100.01Compliance with a British Standard cannot confer immunity fromlegal obligati

4、ons.This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 December 2012.Amendments/corrigenda issued since publicationDate Text affected31 December 2014 This corrigendum renumbers BS ISO 22313:2012 as BS EN ISO 22313:2014BRITISH STANDARDEUROPEAN

5、 STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO 22313 November 2014 ICS 03.100.01 English Version Societal security - Business continuity management systems - Guidance (ISO 22313:2012) Scurit socitale - Systmes de management de la continuit dactivit - Lignes directrices (ISO 22313:2012) Sicherheit

6、und Schutz des Gemeinwesens - Aufrechterhaltung der Betriebsfhigkeit - Leitlinie (ISO 22313:2012) This European Standard was approved by CEN on 18 October 2014. CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard

7、the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member. This European Standard exists in three official versions (English, Fr

8、ench, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN members are the national standards bodies of Austria, Belgium, Bulgari

9、a, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turke

10、y and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Re

11、f. No. EN ISO 22313:2014 Eii ISO 2012 All rights reservedForeword The text of ISO 22313:2012 has been prepared by Technical Committee ISO/TC 223 “Societal security” of the International Organization for Standardization (ISO) and has been taken over as EN ISO 22313:2014 by Technical Committee CEN/TC

12、391 “Societal and Citizen Security” the secretariat of which is held by NEN. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by May 2015, and conflicting national standards shall be withdrawn at the

13、latest by May 2015. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. According to the CEN-CENELEC Internal Regulations, the national st

14、andards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,

15、 Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO 22313:2012 has been approved by CEN as EN ISO 22313:2014 without any modification. BS EN ISO 22313:2014 EN ISO 22313:2

16、014 (E) ISO 2012 All rights reserved iiiContents PageivIntroduction .1 Scope 12 Normative references . 13 Terms and definitions 14 Context of the organization 14.1 Understanding of the organization and its context . 14.2 Understanding the needs and expectations of interested parties 24.3 Determining

17、 the scope of the management system 44.4 Business continuity management system . 45 Leadership . 45.1 Leadership and commitment . 45.2 Management commitment 55.3 Policy . 55.4 Organizational roles, responsibilities and authorities 66 Planning 76.1 Actions to address risks and opportunities . 76.2 Bu

18、siness continuity objectives and plans to achieve them . 77 Support 77.1 Resources . 77.2 Competence . 87.3 Awareness . .107.4 Communication . 117.5 Documented information . .128 Operation .148.1 Operational planning and control .148.2 Business impact analysis and risk assessment 178.3 Business cont

19、inuity strategy 218.4 Establish and implement business continuity procedures 288.5 Exercising and testing 389 Performance evaluation .409.1 Monitoring, measurement, analysis and evaluation 409.2 Internal audit .4210 Improvement9.3Management review 43 4410.1 Nonconformity and corrective action 44Bibl

20、iography10.2 Continual improvement 45 46.BS EN ISO 22313:2014 EN ISO 22313:2014 (E)iv ISO 2012 All rights reservedIntroductionGeneralThis International Standard provides guidance, where appropriate, on the requirements specified in ISO 22301:2012 and provides recommendations (should) and permissions

21、 (may) in relation to them. It is not the intention of this International Standard to provide general guidance on all aspects of business continuity.This International Standard includes the same headings as ISO 22301 but does not repeat the requirements for business continuity management systems and

22、 its related terms and definitions. Organizations wishing to be informed of these must therefore refer to ISO 22301 and ISO 22300.To provide further clarification and explanation of key points, this International Standard includes a number of figures. All such figures are for illustrative purposes o

23、nly and the related text in the body of this International Standard takes precedence.A business continuity management system (BCMS) emphasizes the importance of: understanding the organizations needs and the necessity for establishing business continuity policy and objectives; implementing and opera

24、ting controls and measures for managing an organizations overall capability to manage disruptive incidents; monitoring and reviewing the performance and effectiveness of the BCMS; and continual improvement based on objective measurement.A BCMS, like any other management system, includes the followin

25、g key components:a) a policy;b) people with defined responsibilities;c) management processes relating to:1) policy;2) planning;3) implementation and operation;4) performance assessment;5) management review; and6) improvement.d) a set of documentation providing auditable evidence; ande) any BCMS proc

26、esses relevant to the organization.Business continuity is generally specific to an organization, however, its implementation can have far reaching implications on the wider community and other third parties. An organization is likely to have external organizations that it depends upon and there will

27、 be others that depend on it. Effective business continuity therefore contributes to a more resilient society.The Plan-Do-Check-Act cycleThis International Standard applies the Plan-Do-Check-Act (PDCA) cycle to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and c

28、ontinually improving the effectiveness of an organizations BCMS.BS EN ISO 22313:2014 EN ISO 22313:2014 (E) ISO 2012 All rights reserved vFigure 1 illustrates how the BCMS takes interested parties requirements as inputs for business continuity management (BCM) and, through the required actions and pr

29、ocesses, produces business continuity outcomes (i.e. managed business continuity) that meet those requirements.Establish(Plan)Implement and operate(Do)Monitor and review(Check)Maintain and improve(Act)Continual improvement of business continuity management system (BCMS)Interested partiesRequirements

30、 for business continuityInterested partiesManaged business continuityFigure 1 PDCA model applied to BCMS processesTable 1 Explanation of PDCA modelPlan (Establish)Establish business continuity policy, objectives, controls, processes and procedures relevant to improving business continuity in order t

31、o deliver results that align with the organizations overall policies and objectives.Do (Implement and operate)Implement and operate the business continuity policy, controls, processes and procedures.Check (Monitor and review)Monitor and review performance against business continuity objectives and p

32、olicy, report the results to management for review, and determine and authorize actions for remediation and improvement.Act (Maintain and improve)Maintain and improve the BCMS by taking corrective actions, based on the results of management review and re-appraising the scope of the BCMS and business

33、 conti-nuity policy and objectives.Components of PDCA in this International StandardThere is a direct relationship between the content of Figure 1 and the clauses of this International Standard:BS EN ISO 22313:2014 EN ISO 22313:2014 (E)vi ISO 2012 All rights reservedTable 2 Relationship between PDCA

34、 model and Clauses 4 to 10PDCA component Clause addressing PDCA componentPlan (Establish)Clause 4 (Context of the organization) sets out what the organization has to do in order to make sure that the BCMS meets its requirements, taking into account all relevant external and internal factors, includi

35、ng: The needs and expectations of interested parties. Its legal and regulatory obligations. The required scope of the BCMS.Clause 5 (Leadership) sets out the key role of management in terms of demon-strating commitment, defining policy and establishing roles, responsibilities and authorities.Clause

36、6 (Planning) describes the actions required to establish strategic objec-tives and guiding principles for the BCMS as a whole. These set the context for the business impact analysis and risk assessment (8.2) and business continuity strat-egy (8.3).Clause 7 (Support) identifies the key elements that

37、need to be in place to support the BCMS, namely: resources, competence, awareness, communication and docu-mented information.Do (Implement and operate)Clause 8 (Operation) identifies the elements of business continuity management (BCM) that are needed to achieve business continuity.Check (Monitor an

38、d review)Clause 9 (Performance evaluation) provides the basis for improvement of the BCMS through measurement and evaluation of its performance.Act (Maintain and improve)Clause 10 (Improvement) covers the corrective action needed to address noncon-formity identified through performance evaluation.Bu

39、siness continuityBusiness continuity is the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. Business continuity management (BCM) is the process of achieving business continuity and is about preparing an orga

40、nization to deal with disruptive incidents that might otherwise prevent it from achieving its objectives.Placing BCM within the framework and disciplines of a management system creates a business continuity management system (BCMS) that enables BCM to be controlled, evaluated and continually improve

41、d.In this International Standard, the word business is used as an all-embracing term for the operations and services performed by an organization in pursuit of its objectives, goals or mission. As such it is equally applicable to large, medium and small organizations operating in industrial, commerc

42、ial, public and not-for-profit sectors.Any incident, large or small, natural, accidental or deliberate has the potential to cause major disruption to the organizations operations and its ability to deliver products and services. However, implementing business continuity before a disruptive incident

43、occurs, rather than waiting for this to happen will enable the organization to resume operations before unacceptable levels of impact arise.BCM involves:a) being clear on the organizations key products and services and the activities that deliver them;b) knowing the priorities for resuming activitie

44、s and the resources they require;c) having a clear understanding of the threats to these activities, including their dependencies, and knowing the impacts of not resuming them;d) having tried and trusted arrangements in place to resume these activities following a disruptive incident; andBS EN ISO 2

45、2313:2014 EN ISO 22313:2014 (E) ISO 2012 All rights reserved viie) making sure that these arrangements are routinely reviewed and updated so that they will be effective in all circumstances.Business continuity can be effective in dealing with both sudden disruptive incidents (e.g. explosions) and gr

46、adual ones (e.g. flu pandemics).Activities are disrupted by a wide variety of incidents, many of which are difficult to predict or analyse. By focusing on the impact of disruption rather than the cause, business continuity identifies those activities on which the organization depends for its surviva

47、l, and enables the organization to determine what is required to continue to meet its obligations. Through business continuity, an organization can recognize what needs to be done to protect its resources (e.g. people, premises, technology and information), supply chain, interested parties and reput

48、ation, before a disruptive incident occurs. With that recognition, the organization is able to take a realistic view on the responses that are likely to be needed as and when a disruption occurs, so that it can be confident of managing the consequences and avoid unacceptable impacts.An organization

49、with appropriate business continuity in place can also take advantage of opportunities that might otherwise be judged to be too high risk.The following diagrams (Figures 2 and 3) are intended to illustrate conceptually how business continuity can be effective in mitigating impacts in certain situations. No particular timescales are implied by the relative distance between the stages depicted in either diagram.Recovery Time ObjectiveTime at which impacts become unacceptableLevel ofoperationsTimeIncidentMitigating impacts t