Rolf von Roessing, CISA, CISM, CGEIT, CISSP, FBCI

SESSION OVERVIEW
- Continuous Improvement Tools
- Audit Universe and Scoping
- Applicable Standards
- Audit Programme
- BCMS and Life Cycle
- BCM Controls
- Sources of Further Information and Q & A
CONTINUOUS IMPROVEMENT TOOLS

BCM Continuous Improvement: Audit and Other Initiatives

Continuous Improvement Tools
- Process model
  - Continuous Improvement Process (CIP)
  - Ad hoc Improvement Process
  - PDCA (Plan, Do, Check, Act): the ISO-based version of the Deming cycle, pervasive throughout ISO 22301, ISO 27031 etc.
  - Coexistence with the BCM life cycle
- Audit and review
  - 1st line of defence: management review
  - 2nd line of defence: independent review
  - 3rd line of defence: audit

Improvement Processes
- Continuous Improvement Process
  - used to improve the BCMS (i.e. the toolbox) in a controlled and regular manner
  - a CIP is needed to keep the BCMS up to date and in line with recognised standards
- Ad hoc Improvement Process
  - used to address operational improvements from various sources: test / exercise results, audit findings, local regulatory changes etc.

PDCA Cycle
- Embedded in most standards addressing BCM and ITSCM, e.g. ISO 22301 and ISO 27031
- Links BCM to other disciplines such as IT security, ITIL / ISO 20000, quality management etc.
- The phases Plan, Do, Check, Act are projected onto the elements of the life cycle in ISO 22313, ISO 27031 and the BCI Good Practice Guidelines
- Your processes, controls and indicators should always link to at least one phase of the PDCA cycle to maintain alignment

AUDIT UNIVERSE AND SCOPING

Auditing Business Continuity

BCM Developments (diagram): separate disciplines in 2009 (Information Security, IT Service Continuity Management, BCM, Critical Infrastructure Protection, ORM, Corporate Governance, Civil Defence, Business Information / Technology Strategy, Enterprise Risk Management) converging in 2010 / 2011 (Public / Private, Technical Resilience, Business Resilience) towards 20xx (Integrated Resilience Model, Security)

Audit Universe and Scoping
- Control design
  - BCMS and life cycle (including PDCA)
  - Templates, standards alignment etc.
  - BC organisation, resources
- Control effectiveness
  - Contents of documents, e.g. strategy, BC plans
  - Key performance indicators
  - BC as part of the internal control system
APPLICABLE STANDARDS

ISO 22300 Roadmap (diagram): BCI Professional Practices, joint standards, BS 7799, ISO 17799, BS PAS 56 (2003), BS PAS 77, ISO 27001, ISO PAS 22399-1, BS 25777, BS 25999 (2006), ISO 22301, ISO 27031

Applicable Standards
- ISO and GPG (2013): note the new life cycle!
- Include subsidiary ISO 223xx standards as they are published
- Sector-specific: banking / Basel III and insurance / Solvency II, e.g. High-level principles for business continuity (2006)
- Include international (indirect) regulations, e.g. MAS in Singapore
- If IT is involved: ISO 27031, ISO 24762 (for outsourced DR)
AUDIT PROGRAMME

Audit Programme
- The audit programme (AP) must be modular: life cycle phases and the BCMS form the highest level
- Define clear drill-down paths linked to risk and maturity
- Define the audit question to be answered (compliance? feasibility study? due diligence? forensic?)
- Select the appropriate subset of the global audit programme
- Communicate to the auditee and make the necessary adjustments
Audit Mode
- Point in time
  - traditional method of auditing as at a certain date: financial year end
  - asymmetric, for instance towards a certification date
- Project-based
  - in line with delivering v1.0 of an initiative or project
  - often used in the early stages: pre-implementation, post-implementation, accompanying the project
- Continuous
  - comparatively new method of auditing, taken from financial and IT audit
  - cooperative involvement of auditors at any time
  - audit and advice converge

BCMS AND LIFE CYCLE

BCMS and Life Cycle
- Take a maturity- and risk-based approach
- Top-down approach recommended
- Audit the phases of the life cycle AND the PDCA cycle
- Adapt your audit programme in line with self-assessments delivered by the auditee organisation
BCM CONTROLS

BCM Controls
- BIA: completeness, plausibility (relative), links to balance sheet and P&L as well as previous events
- RA: method and procedure (not the individual risks)
- Strategy: completeness, method, adequacy
- Plans: completeness, adequacy, timeliness, strategy alignment
- Test strategy: completeness and adequacy (maturity-based)
- Test and exercise master plan: alignment with the test strategy
- Individual testing and exercising: planning, deployment (observation), post-exercise analysis, reporting
- Continuous improvement: PDCA alignment, timeliness, completeness
- 1st and 2nd lines of defence: ensure that reviews and audits have been performed adequately and comprehensively
FURTHER INFORMATION, Q & A

Further Information
- BCM audit is explained in detail (about 700 pages) in the 2nd edition of Auditing Business Continuity: Global Best Practices, to be published by Rothstein Associates soon
- Sequel to the 1st (2002) edition; now includes all relevant laws, regulations and standards
- Enhanced and extended standard audit programme
- More web-based support, e.g. an audit library
Contact Details

Forfa AG provides independent advice on ITSCM / BCM and business resilience. We further consult in Governance, Risk and Compliance (GRC) and all aspects of security.
Forfa AG Holding
Andhauser Str. 62
8572 Berg TG, Switzerland
Phone: +41 71 636 1770
Mobile: +49 172 6712322
rvr@scmltd.com

We form a network with:

Controllit AG
Stresemannstr. 342
22761 Hamburg, Germany
Phone: +49 40 890 66 46 0
mrosenberg@controll-it.de

JANUS Consulting GmbH
Max-Planck-Str. 6
63128 Dietzenbach, Germany
Phone: +49 6074 729 348 0
bernd.buehler@janusconsulting.de

Also visible on LinkedIn and XING (but definitely not on Facebook)