Università degli Studi di Roma La Sapienza, Dipartimento di Informatica: Business continuity in the BS 25999 and ISO 22301 standards. Speaker: Laura Schiavon. Rome, 4 June 2012. 17/05/2012-1
Seminar contents. Business continuity is today a central topic for every company and organization, and its management is a strategic element of risk control. An organization's ability to keep its strategic processes running even in the event of incidents or anomalous events, and the speed with which it restores full operations, can represent a concrete and defensible competitive advantage.
Seminar objectives: begin a structured study of the BS 25999 standard; introduce the new ISO 22301 standard; describe the requirements of the standard; assess the benefits of implementing a BCMS; identify the criteria for integration with other operational standards in organizations.
Why do we need BCM? 72% of companies surveyed had experienced at least one disruption to their supply chain. 83% had experienced disruption overall. Courtesy of BSI
Are organisations ready for the next crisis? 83% agree BCM is important/very important, yet*: 58% of CEOs surveyed say they have BCM plans in place; 50% of organizations with BCM report that it includes plans for handling the media; 45% of organizations with BCM do not require any supply chain partners to have their own plans; 50% of organizations with BCM exercise their plans once a year; around 25% fail to exercise their plans on a regular basis. * BSI/BCI/Cabinet Office survey 2012 with the Chartered Management Institute (CMI)
Business Continuity Management - Drivers. CEOs' main focus: reputational impairment; market share loss; increased customer confidence; governance expectation; the right thing to do.
Definitions. Business continuity (BS 25999): strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. ISO 22301? BC management; BC programme.
Definitions. A management system is a set of interrelated or interacting elements of an organization to establish policy and objectives, and processes to achieve those objectives.
History: PAS 56 (2003), BS 25999 (2006), ISO 22301 (2012). Started as a PAS (Publicly Available Specification) by BSI; became British Standard BS 25999 in 2006; new ISO 22301 (16 May 2012).
History: ISO 22301 supersedes BSI's British Standard BS 25999, the world's most recognised and adopted BCM standard. BS 25999 sold in over 100 countries. Certificates in 43 countries. Certificate applications in another 15 countries*. 800 sites already certified by BSI, with 400 pending*. Market leaders in BS 25999 certification.
BS 25999 global adoption
BS 25999 multi-sector adoption
Benefits of adopting the standard: allows organizations to benefit from global BCM best practice, regardless of whether they are planning to certify or not; provides a foundation and a common vocabulary for BCM best practice and guidance; saves you having to reinvent the wheel.
Constituent elements of the two standards: the Plan-Do-Check-Act cycle; business continuity policy; business impact analysis; risk assessment and risk treatments; business continuity plans and strategy; exercising; internal audit; management review; nonconformity and corrective action; improvement actions.
The new ISO 22301: new international standard for business continuity management (BCM). Its official title is ISO 22301 Societal Security - Business continuity management system - Requirements. All core business continuity elements in BS 25999-2 are present in ISO 22301.
The new ISO 22301: provides the requirements for a business continuity management system (BCMS); based on global BCM best practice; created in response to strong interest in the original British Standard BS 25999-2 and other regional standards; BS 25999-2 was the key source text in its development; for those certified to or aligned with BS 25999-2, the additional requirements are not onerous.
What is new. The title: ISO 22301 Societal Security - Business continuity management system - Requirements. ISO 22301 now comes under a wider societal security remit. This acknowledges the important role that BCM has to play in protecting society and ensuring our ability to respond to incidents, emergencies and disasters.
Most significant changes. Notable shifts in emphasis from BS 25999-2:2007: first standard written in accordance with Guide 83; change in the way an organization is defined; clearer expectations on management; preventive action has been replaced with actions to address risks and opportunities, and features earlier; ISO 22301 puts a much greater emphasis on setting the objectives, monitoring performance and metrics, and aligning BC to top management strategic thinking.
Most significant changes. ISO 22301 requires more careful planning for, and preparation of, the resources needed to ensure business continuity; the communication elements are more demanding, and a responsibility to the wider community is defined; the BIA is similar but with some changes to terminology; there is a stronger link to the organization's approach to risk; to reflect the societal security approach, some new terminology has been introduced, see ISO 22300.
New concepts and activities, in a little more detail: context of the organization; interested parties; leadership; maximum acceptable outage (MAO); minimum business continuity objective (MBCO); performance evaluation; prioritized timeframes; warning and communication.
Transition plan: certification certificates will remain valid during the two-year transitional period; organizations will need to complete their transition to the new revision by 1 June 2014; failure to do this will result in the expiry of their certificate.
Discussion improves everyone's work; thank you for your questions.
Contacts: l.schiavon@enigmadefense.it
About us. Enigma Defense is a young company, born from the drive of accredited professionals who decided to bring their experience and skills together in this entity. Enigma Defense approaches every engagement with a structured approach and accredited methodologies, drawing on the strong skills and project experience of its partners and collaborators across many areas of security and business continuity (business continuity/disaster recovery). Enigma Defense offers a complete set of solutions and services, from the assessment of current and required security levels, to the design of complex and integrated security solutions and platforms, through to governance and training.
Our offering
Main clients
Partnership. Our approach: the skills and experience gained by Enigma Defense, combined with the specific skills of our partners, have fostered and continue to foster new business initiatives.
Main partnerships
Company contacts: Roberto D'Addario, r.daddario@enigmadefense.it