DIN EN ISO 22313-2016 Societal security - Business continuity management systems - Guidance (ISO 22313 2012) German version EN ISO 22313 2014 (Societal security - Business continuity management systems - Guidance (ISO 22313-2012), German version).pdf

Uploader: fuellot230 Document ID: 682534 Upload date: 2018-12-28 Format: PDF Pages: 57 Size: 3.43 MB
Resource description

May 2016

DIN EN ISO 22313

ICS 03.100.01

Societal security - Business continuity management systems - Guidance (ISO 22313:2012);
English version EN ISO 22313:2014,
English translation of DIN EN ISO 22313:2016-05

Sicherheit und Schutz des Gemeinwesens - Business Continuity Management Systems - Leitlinie (ISO 22313:2012);
Englische Fassung EN ISO 22313:2014,
Englische Übersetzung von DIN EN ISO 22313:2016-05

Sécurité sociétale - Systèmes de management de la continuité d'activité - Lignes directrices (ISO 22313:2012);
Version anglaise EN ISO 22313:2014,
Traduction anglaise de DIN EN ISO 22313:2016-05

Document comprises 57 pages

Translation by DIN-Sprachendienst.
In case of doubt, the German-language original shall be considered authoritative.

English price group 23
No part of this translation may be reproduced without prior permission of DIN Deutsches Institut für Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany, has the exclusive right of sale for German Standards (DIN-Normen).
www.din.de
www.beuth.de

DIN EN ISO 22313:2016-05

A comma is used as the decimal marker.

National foreword

The text of ISO 22313:2012 has been prepared by Technical Committee ISO/TC 223 “Societal Security” and has been taken over without any modification as EN ISO 22313:2012 by Technical Committee CEN/TC 391 “Societal and Citizen Security” (Secretariat: NEN, Netherlands).

The responsible German body involved in its preparation was DIN-Normenausschuss Feuerwehrwesen (DIN Standards Committee Firefighting and Fire Protection), Working Committee NA 031-05 FBR Fachbereichsausschuss Sicherheit und Schutz des Gemeinwesens SpA zu ISO/TC 223 Societal security.

The terms have been translated into German taking into consideration the terminology standard DIN EN ISO 22300, as well as DIN EN ISO 22301 and the technical terms commonly used and in deviation from the preferred translations. The following terms also deviate from the preferred translations:

The English expression “Business impact analysis (BIA)” has only been partly translated into German (the German term “Analyse” is used instead of the English word “analysis”) and the English expression “Business continuity management (BCM)” has been taken over completely, because these terms have become established in German as well.

“Incident response” has been translated as “Reaktion auf einen Zwischenfall”. However, the expression “Einsatz zur Gefahrenabwehr” is also used in practice. Correspondingly, “response” has been translated as “Reaktion” or “Gefahrenabwehr”, depending on the context.

The DIN Standards corresponding to the International Standards referred to in this document are as follows:

ISO 19011    DIN EN ISO 19011
ISO 22300    DIN EN ISO 22300
ISO 22301    DIN EN ISO 22301
ISO 27002    DIN EN ISO 27002

National Annex NA (informative)

Bibliography

DIN EN ISO 19011, Guidelines for auditing management systems
DIN EN ISO 22300, Societal security - Terminology
DIN EN ISO 22301, Societal security - Business continuity management systems - Requirements

DIN ISO/IEC 27002, Information technology - Security techniques - Code of practice for information security management

EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM

EN ISO 22313
November 2014
ICS 03.100.01

English Version

Societal security - Business continuity management systems - Guidance (ISO 22313:2012)

Sécurité sociétale - Systèmes de management de la continuité d'activité - Lignes directrices (ISO 22313:2012)

Sicherheit und Schutz des Gemeinwesens - Aufrechterhaltung der Betriebsfähigkeit - Leitlinie (ISO 22313:2012)

This European Standard was approved by CEN on 18 October 2014.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN ISO 22313:2014 E

Contents

European foreword
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding of the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the management system
4.4 Business continuity management system
5 Leadership
5.1 Leadership and commitment
5.2 Management commitment
5.3 Policy
5.4 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Business continuity objectives and plans to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Business impact analysis and risk assessment
8.3 Business continuity strategy
8.4 Establish and implement business continuity procedures
8.5 Exercising and testing
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Bibliography

DIN EN ISO 22313:2016-05
EN ISO 22313:2014 (E)

European foreword

The text of ISO 22313:2012 has been prepared by Technical Committee ISO/TC 223 “Societal security” of the International Organization for Standardization (ISO) and has been taken over as EN ISO 22313:2014 by Technical Committee CEN/TC 391 “Societal and Citizen Security” the secretariat of which is held by NEN.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by May 2015, and conflicting national standards shall be withdrawn at the latest by May 2015.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

Endorsement notice

The text of ISO 22313:2012 has been approved by CEN as EN ISO 22313:2014 without any modification.

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee.

International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO 22313 was prepared by Technical Committee ISO/TC 223, Societal security.

Introduction

General

This International Standard provides guidance, where appropriate, on the requirements specified in ISO 22301:2012 and provides recommendations (should) and permissions (may) in relation to them. It is not the intention of this International Standard to provide general guidance on all aspects of business continuity.

This International Standard includes the same headings as ISO 22301 but does not repeat the requirements for business continuity management systems and its related terms and definitions. Organizations wishing to be informed of these must therefore refer to ISO 22301 and ISO 22300.

To provide further clarification and explanation of key points, this International Standard includes a number of figures. All such figures are for illustrative purposes only and the related text in the body of this International Standard takes precedence.

A business continuity management system (BCMS) emphasizes the importance of:

- understanding the organization's needs and the necessity for establishing business continuity policy and objectives;
- implementing and operating controls and measures for managing an organization's overall capability to manage disruptive incidents;
- monitoring and reviewing the performance and effectiveness of the BCMS; and
- continual improvement based on objective measurement.

A BCMS, like any other management system, includes the following key components:

a) a policy;
b) people with defined responsibilities;
c) management processes relating to:
   1) policy;
   2) planning;
   3) implementation and operation;
   4) performance assessment;
   5) management review; and
   6) improvement.
d) a set of documentation providing auditable evidence; and
e) any BCMS processes relevant to the organization.

Business continuity is generally specific to an organization, however, its implementation can have far reaching implications on the wider community and other third parties. An organization is likely to have external organizations that it depends upon and there will be others that depend on it. Effective business continuity therefore contributes to a more resilient society.

The Plan-Do-Check-Act cycle

This International Standard applies the Plan-Do-Check-Act (PDCA) cycle to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organization's BCMS.

Figure 1 illustrates how the BCMS takes interested parties' requirements as inputs for business continuity management (BCM) and, through the required actions and processes, produces business continuity outcomes (i.e. managed business continuity) that meet those requirements.

[Figure 1 - PDCA model applied to BCMS processes. Labels: Establish (Plan); Implement and operate (Do); Monitor and review (Check); Maintain and improve (Act); Continual improvement of business continuity management system (BCMS); input: Interested parties, Requirements for business continuity; output: Interested parties, Managed business continuity]

Table 1 - Explanation of PDCA model

Plan (Establish): Establish business continuity policy, objectives, controls, processes and procedures relevant to improving business continuity in order to deliver results that align with the organization's overall policies and objectives.
Do (Implement and operate): Implement and operate the business continuity policy, controls, processes and procedures.
Check (Monitor and review): Monitor and review performance against business continuity objectives and policy, report the results to management for review, and determine and authorize actions for remediation and improvement.
Act (Maintain and improve): Maintain and improve the BCMS by taking corrective actions, based on the results of management review and re-appraising the scope of the BCMS and business continuity policy and objectives.

Components of PDCA in this International Standard

There is a direct relationship between the content of Figure 1 and the clauses of this International Standard:

Table 2 - Relationship between PDCA model and Clauses 4 to 10

PDCA component: Plan (Establish)
Clause addressing PDCA component:
Clause 4 (Context of the organization) sets out what the organization has to do in order to make sure that the BCMS meets its requirements, taking into account all relevant external and internal factors, including:
- The needs and expectations of interested parties.
- Its legal and regulatory obligations.
- The required scope of the BCMS.
Clause 5 (Leadership) sets out the key role of management in terms of demonstrating commitment, defining policy and establishing roles, responsibilities and authorities.
Clause 6 (Planning) describes the actions required to establish strategic objectives and guiding principles for the BCMS as a whole. These set the context for the business impact analysis and risk assessment (8.2) and business continuity strategy (8.3).
Clause 7 (Support) identifies the key elements that need to be in place to support the BCMS, namely: resources, competence, awareness, communication and documented information.

PDCA component: Do (Implement and operate)
Clause addressing PDCA component:
Clause 8 (Operation) identifies the elements of business continuity management (BCM) that are needed to achieve business continuity.

PDCA component: Check (Monitor and review)
Clause addressing PDCA component:
Clause 9 (Performance evaluation) provides the basis for improvement of the BCMS through measurement and evaluation of its performance.

PDCA component: Act (Maintain and improve)
Clause addressing PDCA component:
Clause 10 (Improvement) covers the corrective action needed to address nonconformity identified through performance evaluation.

Business continuity

Business continuity is the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. Business continuity management (BCM) is t
