BS PD ISO TS 22317-2015 Societal security Business continuity management systems Guidelines for business impact analysis (BIA).pdf

Uploaded by: 刘芸  Document ID: 399029  Upload date: 2018-10-19  Format: PDF  Pages: 38  Size: 2MB
Resource description

BSI Standards Publication

Societal security - Business continuity management systems - Guidelines for business impact analysis (BIA)

PD ISO/TS 22317:2015

National foreword

This Published Document is the UK implementation of ISO/TS 22317:2015.

The UK participation in its preparation was entrusted by Technical Committee CAR/1, Continuity and Resilience, to Panel CAR/1/-/11, Business Impact Analysis.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2015. Published by BSI Standards Limited 2015

ISBN 978 0 580 86367 7
ICS 03.100.01

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 November 2015.

Amendments/corrigenda issued since publication
Date    Text affected

TECHNICAL SPECIFICATION ISO/TS 22317
First edition 2015-09-15
Reference number ISO/TS 22317:2015(E)

Societal security - Business continuity management systems - Guidelines for business impact analysis (BIA)
Sécurité sociétale - Systèmes de management de la continuité en affaires - Lignes directrices pour l'analyse d'impact en affaires

COPYRIGHT PROTECTED DOCUMENT

© ISO 2015, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8
CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Prerequisites
  4.1 General
  4.2 BC programme context and scope
    4.2.1 BC programme context
    4.2.2 Scope of the BC programme
  4.3 BC programme roles
    4.3.1 BC programme roles and responsibilities
    4.3.2 BIA process-specific roles and competencies
  4.4 BC programme commitment
  4.5 BC programme resources
5 Performing the business impact analysis
  5.1 General
  5.2 Project planning and management
    5.2.1 General
    5.2.2 Initial BIA considerations
  5.3 Product and service prioritization
    5.3.1 Overview
    5.3.2 Inputs
    5.3.3 Outcomes
  5.4 Process prioritization
    5.4.1 General
    5.4.2 Inputs
    5.4.3 Outcomes
  5.5 Activity prioritization
    5.5.1 Overview
    5.5.2 Inputs
    5.5.3 Information collection
    5.5.4 Outcomes
  5.6 Analysis and consolidation
    5.6.1 Overview
    5.6.2 Inputs
    5.6.3 Methods
    5.6.4 Outcomes
  5.7 Obtain top management endorsement of BIA results
    5.7.1 General
    5.7.2 Inputs
    5.7.3 Methods
    5.7.4 Outcomes
  5.8 After the BIA - Business continuity strategy selection
6 BIA process monitoring and review
Annex A (informative) Business impact analysis within an ISO 22301 business continuity management system
Annex B (informative) Business impact analysis terminology mapping
Annex C (informative) Business impact analysis information collecting methods
Annex D (informative) Other uses for the business impact analysis process
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/TC 292, Security and resilience.

Introduction

This Technical Specification provides detailed guidance for establishing, implementing, and maintaining a business impact analysis (BIA) process consistent with the requirements in ISO 22301.

This Technical Specification is applicable to the performance of any BIA process, whether part of a business continuity management system (BCMS) or business continuity programme (BC programme). Hereinafter, "BC programme" means either BCMS or BC programme.

Figure 1 notes the relationship of the BIA process to the BC programme as a whole. The organization should complete a cycle of the BIA process before business continuity strategies are selected.

Figure 1 - Elements of business continuity management (Source: ISO 22313)

The BIA process analyses the consequences of a disruptive incident on the organization. The outcome is a statement and justification of business continuity requirements.

The BIA process consists of a number of individual BIAs, each focusing on a sub-set of the BC programme scope. The BIA process prioritizes products and services, and continues with prioritizing processes and activities that together cover the entire scope of the BC programme. After a period of time determined by the organization, individual BIAs are repeated to ensure that the BC requirements remain current.

NOTE In this Technical Specification, "business continuity requirements" has the same meaning as "continuity and recovery priorities, objectives, and targets" (ISO 22301:2012, 8.2.2).

The purposes of this Technical Specification are the following:

- provide a basis for understanding, developing, implementing, reviewing, maintaining, and continually improving an effective BIA process within an organization;
- provide guidance for planning, conducting, and reporting on a BIA;
- assist the organization with conducting a BIA in a consistent manner that reflects good practices;
- enable proper coordination between the BIA process and the overarching BC programme.

The outcomes of the BIA process include the following:

- endorsement or modification of the organization's BC programme scope;
- identification of legal, regulatory, and contractual requirements (obligations) and their effect on business continuity requirements;
- evaluation of impacts on the organization over time, which serves as the justification for business continuity requirements (time and capability);
- identification and confirmation of product/service delivery requirements following a disruptive incident, which then sets the prioritized timeframes for activities and resources;
- identification and establishment of the relationships between products/services, processes, activities, and resources;
- determination of the resources needed to perform prioritized activities (e.g. facilities; people; equipment; information, communication and technology assets; supplies; and financing);
- understanding of the dependencies on other activities, supply chains, partners, and other interested parties;
- determination of how up to date the information needs to be.

NOTE For purposes of this Technical Specification, supply chains produce supplies of goods, works, and services, which are referred to as "supplies" throughout the remainder of this document.

The following diagram displays the BIA process, together with prerequisites and its relationship to strategy identification. The clauses referenced in the diagram are subsections of this Technical Specification.

Figure 2 - Business impact analysis process

1 Scope

This Technical Specification provides guidance for an organization to establish, implement, and maintain a formal and documented business impact analysis (BIA) process. This Technical Specification does not prescribe a uniform process for performing a BIA, but will assist an organization to design a BIA process that is appropriate to its needs.

This Technical Specification is applicable to all organizations regardless of type, size, and nature, whether in the private, public, or not-for-profit sectors. The guidance can be adapted to the needs, objectives, resources, and constraints of the organization. It is intended for use by those responsible for the BIA process.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 22300, Societal security - Terminology

3 Terms and definitions

For the purposes of this document, the terms and definitions in ISO 22300 apply.

NOTE All terms and definitions contained in ISO 22300 are available on the ISO Online Browsing Platform: www.iso.org/obp.

4 Prerequisites

4.1 General

As noted in the Introduction, this Technical Specification is consistent with ISO 22301, but it could be used to develop, implement, review, maintain, and continually improve a BIA process addressing other standards or regulatory requirements. Whether part of a BCMS or a BC programme, the organization should consider a number of prerequisites before starting the BIA process. Clause 4 summarizes these prerequisites, many of which are from ISO 22301.

The organization should take a number of steps within the BC programme before beginning the BIA process, which include the following:

- define the context and scope (4.2);
- define and communicate roles and responsibilities (4.3);
- obtain leadership commitment (4.4);
- allocate adequate resources (4.5).

NOTE For additional information, see Annex A for a mapping of each step to ISO 22301.

4.2 BC programme context and scope

4.2.1 BC programme context

Successful BIA process outcomes are dependent on the organization understanding the following:

- the external environment in which it operates so that it can achieve its purpose by delivering its products and services to customers;
- the internal operating environment, inclusive of processes, activities, and resources, as well as the potential impact caused by disrupting the delivery of products and services; and
- laws and regulations mandating the BIA process and how it is performed.

NOTE In organizations operating within a non-commercial environment, the customer can be the public or an overseeing authority, such as government.

4.2.2 Scope of the BC programme

Before determining the BIA process scope, the organization should define and document the scope of the BC programme in terms of its products and services. The BIA process may assist the organization to review the scope of the BC programme.

Following the definition of the BC programme scope, the organization can determine the BIA process scope which may be

- conducted as a single BIA to cover the whole scope of the BC programme; or
- undertaken in a number of phases that, over time, covers the whole scope of the BC programme.

NOTE If the organization chooses to undertake the BIA process in phases, it should first determine the prioritization of all products and services (see 5.2) and then continue with the remaining individual BIAs.

4.3 BC programme roles

4.3.1 BC programme roles and responsibilities

Prior to performing the BIA process, top management should ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization.

4.3.2 BIA process-specific roles and competencies

Following the assignment of BC programme roles, top management should provide resources necessary to perform the BIA process, which may include appointing the following roles:

- the person sponsoring the BIA process;
- BIA steering committee;
- the person leading the BIA process;
- the person managing the BIA project (project manager);
- process owners;
- activity managers.

The person sponsoring the BIA process should

- be an executive representing top management,
- be well respected within the organization by other members of top management,
- have an organization-wide perspective,
- have the authority to commit the organization to action, and
- make final decisions regarding the BIA process.

The BIA steering committee should

- represent top management,
- provide ongoing advice and guidance on the conduct of the BIA process,
- agree on the methods and outcomes,
- make decisions regarding business continuity requirements, and
- assist the person leading the BIA process and project manager in determining the competences required for BIA process-specific roles and responsibilities and the awareness, knowledge, understanding, skills, and experience needed to fulfil them.

The person leading the BIA process should have an understanding of the organization, in partic
