[ISO] 22301 (2012) Societal security - Business continuity management systems - Requirements

INTERNATIONAL STANDARD ISO 22301
First edition 2012-05-15
Societal security — Business continuity management systems — Requirements
Sécurité sociétale — Gestion de la continuité des affaires — Exigences
Reference number ISO 22301:2012(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2012 – All rights reserved
Tel. + 41 22 749 01 11
Web www.iso.org
Contents
Foreword ... iv
0 Introduction ... v
0.1 General ... v
0.2 The Plan-Do-Check-Act (PDCA) model ... v
0.3 Components of PDCA in this International Standard ... vi
1 Scope ... 1
2 Normative references ... 1
... 1
4 Context of the organization ... 8
4.1 Understanding of the organization and its context ... 8
4.2 Understanding the needs and expectations of interested parties ... 9
4.3 Determining the scope of the business continuity management system ... 9
4.4 Business continuity management system ... 10
5 Leadership ... 10
5.1 Leadership and commitment ... 10
5.2 Management commitment ... 10
5.3 Policy ... 11
5.4 Organizational roles, responsibilities and authorities ... 11
6 Planning ... 12
6.1 Actions to address risks and opportunities ... 12
6.2 Business continuity objectives and plans to achieve them ... 12
7 Support ... 12
7.1 Resources ... 12
7.2 Competence ... 13
7.3 Awareness ... 13
7.4 Communication ... 13
7.5 Documented information ... 14
8 Operation ... 15
8.1 Operational planning and control ... 15
8.2 Business impact analysis and risk assessment ... 15
8.3 Business continuity strategy ... 16
8.4 Establish and implement business continuity procedures ... 17
8.5 Exercising and testing ... 19
9 Performance evaluation ... 19
9.1 Monitoring, measurement, analysis and evaluation ... 19
9.2 Internal audit ... 20
9.3 Management review ... 21
10 Improvement ... 22
10.1 Nonconformity and corrective action ... 22
10.2 Continual improvement ... 23
Bibliography ... 24
Foreword
Societal security.
0 Introduction
0.1 General
0.2 The Plan-Do-Check-Act (PDCA) model
Quality management systems
Environmental management systems
Information security management systems
Information technology — Service management
[Figure 1 — PDCA model applied to BCMS processes: a cycle labelled "Continual improvement of business continuity management system (BCMS)" with the stages Establish (Plan), Implement and operate (Do), Monitor and review (Check) and Maintain and improve (Act); input from interested parties: requirements for business continuity; output to interested parties: managed business continuity.]
Table 1 — Explanation of PDCA model
Plan
Do
procedures.
Check
Act
0.3 Components of PDCA in this International Standard
cover the following components.
INTERNATIONAL STANDARD ISO 22301:2012(E)
Societal security — Business continuity management systems — Requirements
1 Scope
2 Normative references
3.1 activity
3.2 audit
3.3 business continuity
following disruptive incident
[SOURCE: ISO 22300]
3.4 business continuity management
3.5 business continuity management system
BCMS
3.6 business continuity plan
3.7 business continuity programme
3.8 business impact analysis
[SOURCE: ISO 22300]
3.9 competence
3.10 conformity
[SOURCE: ISO 22300]
3.11 continual improvement
[SOURCE: ISO 22300]
3.12 correction
[SOURCE: ISO 22300]
3.13 corrective action
[SOURCE: ISO 22300]
3.14 document
3.15 documented information
3.16 effectiveness
[SOURCE: ISO 22300]
3.17 event
3.18 exercise
[SOURCE: ISO 22300]
3.19 incident
[SOURCE: ISO 22300]
3.20 infrastructure
3.21 interested party
stakeholder
3.22 internal audit
3.23 invocation
3.24 management system
3.25 maximum acceptable outage
MAO
3.26 maximum tolerable period of disruption
MTPD
3.27 measurement
3.28 minimum business continuity objective
MBCO
3.29 monitoring
3.30 mutual aid agreement
[SOURCE: ISO 22300]
3.31 nonconformity
[SOURCE: ISO 22300]
3.32 objective
3.33 organization
3.34 outsource (verb)
process is within the scope.
3.35 performance
3.36 performance evaluation
3.37 personnel
3.38 policy
3.39 procedure
3.40 process
3.41 products and services
3.42 prioritized activities
[SOURCE: ISO 22300]
3.43 record
3.44 recovery point objective
RPO
3.45 recovery time objective
RTO
resources must be recovered
3.46 requirement
3.47 resources
3.48 risk
3.49 risk appetite
3.50 risk assessment
3.51 risk management
3.52 testing
[SOURCE: ISO 22300]
3.53 top management
3.54
3.55 work environment
set of conditions under which work is performed
[SOURCE: ISO 22300]
4 Context of the organization
4.1 Understanding of the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.2.1 General
4.2.2 Legal and regulatory requirements
4.3 Determining the scope of the business continuity management system
4.3.1 General
4.3.2 Scope of the BCMS
4.4 Business continuity management system
5 Leadership
5.1 Leadership and commitment
5.2 Management commitment
5.3 Policy
5.4 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
b)
how to
6.2 Business continuity objectives and plans to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
d) their own role during disruptive incidents.
7.4 Communication
7.5 Documented information
7.5.1 General
the competence of persons.
7.5.2 Creating and updating
7.5.3 Control of documented information
8 Operation
8.1 Operational planning and control
8.2 Business impact analysis and risk assessment
8.2.1 General
order in which these will be conducted.
8.2.2 Business impact analysis
8.2.3 Risk assessment
8.3 Business continuity strategy
8.3.1 Determination and selection
8.3.2 Establishing resource requirements
8.3.3 Protection and mitigation
8.4 Establish and implement business continuity procedures
8.4.1 General
8.4.2 Incident response structure
8.4.3 Warning and communication
8.4.4 Business continuity plans
8.4.5 Recovery
8.5 Exercising and testing
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
9.1.2 Evaluation of business continuity procedures
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Bibliography
Quality management systems — Requirements
Environmental management systems — Requirements with guidance for use
Guidelines for auditing management systems
Information Technology — Service Management
Societal security — Terminology
Societal security — Guideline for incident preparedness and operational continuity management
Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services
Information Security Management Systems
Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity
Risk Management — Principles and Guidelines
Risk management — Risk assessment techniques
Risk management — Vocabulary
Business continuity management — Code of practice
Security and continuity management systems — Requirements and guidance for use
Standard on disaster/emergency management and business continuity programs
[17]
Business Continuity Plan Drafting Guideline
Business Continuity Guideline
Organizational Resilience: Security, Preparedness, and Continuity Management Systems – Requirements with Guidance for Use
Singapore Standard for Business Continuity Management
[20]
Business Continuity Management Systems: Requirements with Guidance for Use
ICS 03.100.01