A major new British Standard [BS 31111] is in development to help senior executives and risk managers improve their cyber risk management and build the cyber resilience of their organizations.
Over the past year, the BSI Risk Management Committee has been working on developing new guidance that aims to help top executives better understand and manage the technology risks to their organizations.
The International Standards Organisation has issued the Draft for Public Comment (DPC) for its new standard covering Organizational Resilience - Principles and Guidelines | ISO 22316.
The closing date for comments is 13 Jun 2016. Comments can be made through the BSI Draft Review System (DRS).
This International Standard provides guidance to enhance organizational resilience for any size or type of public or private organization and is not specific to any industry or sector. It can be applied throughout the life of an organization.
Last winter heavy rain, storm force winds and large waves combined with high spring tides presented England with unprecedented flooding from the sea, rivers, groundwater and surface water.
Thousands of properties were flooded, infrastructure was damaged and tragically, eight people lost their lives. The full impact of these events has not yet been calculated but we do know that 175,000 businesses in England are at risk of flooding [note1].
Department of Business, Innovation & Skills Minister, Rt Hon David Willetts MP, has announced the certification framework for Cyber Essentials, the government's new initiative aimed at creating a minimum expected capability for cyber security.
This is a short introduction to the world of Standards outlining how they are developed.
A standard is a document defining best practice, established by consensus and approved by a recognized body (such as BSI, ANSI or ISO). Each standard is kept current through a process of maintenance and review whereby it is updated, revised or withdrawn as necessary.
PD ISO/TS 22318:2015 - Overview of new ISO Supply Chain Continuity Guidance
An Introduction by Lead author Duncan Ford MBCI
BSI has just published the UK edition of the recently released ISO Technical Specification 22318, Guidelines for Supply Chain Continuity. The title describes where this document fits in with the established BCM standards 22301 and 22313. A technical specification is not a full standard; its purpose is to amplify, not undermine, the established standards.
Every organisation has a supply chain, which may range from the purchase of basic resources to complex outsourcing arrangements for the delivery of a core service, including both external suppliers and internal support such as the provision of IT services. Each of these arrangements presents a risk to the organisation if it becomes unavailable. That risk needs to be properly understood, and appropriate contingency measures put in place, to protect against disruption of the product supply or service. 22318 provides guidelines on how to manage Supply Chain Continuity challenges.
The scope of this Technical Specification was deliberately constrained. It considers specifically the issues faced by an organisation which needs continuity of supply of products or services to protect its business activities and the continuity strategies for current suppliers which can be used to mitigate the impact of disruption.
The approach is broken into five stages which align with the requirements of BS/ISO 22301, which ensures that Supply Chain Continuity Management (SCCM) can be managed within an established BCM programme:
- Policy and strategy, which considers the requirement for supply chain continuity and the parameters each organisation should define to frame its approach to SCCM.
- Analysis of the supply chain, which draws upon the organisation's BIA to identify critical activities or processes and focuses on identifying the particular risks and impacts to these processes arising from disruption in the associated supply chain.
- Consideration of appropriate and achievable Supply Chain Continuity strategies which can help to mitigate the emerging risks and identify an approach to manage disruption.
- Planning to manage a supply chain disruption event, and the requirement to integrate this with BC plans.
- Ongoing performance management to maintain an appropriate level of continuity management within the supply chain and deliver continuous improvement.
Effective SCCM generates its own challenges for an organisation: it may affect procurement strategies, since continuity requirements can run contrary to strategies of minimising supply chain cost. The process of analysis should bring a focus onto the pressure points, for example where a critical process is dependent on a single supplier, and allow the associated risk to the organisation to be recognised and managed.
A key approach is to encourage openness between an organisation and its critical suppliers, delivering a better understanding of each other's priorities and risks and integrated continuity planning. This leads to continuous improvement and reduced risk.
SCCM is relevant to organisations of every size and type; TS 22318 focuses on a key aspect of managing the risks in the supply chain.
As an ISO document it is available as a reference to support global supply arrangements, helping the purchaser to define the continuity requirements to be included in contracts, monitor suppliers' continuity provisions and be prepared to manage the impacts of disruption. The hope of the project team who worked on this document, supported by contributions from many global standards organisations, is that PD ISO/TS 22318 takes another step towards improved global continuity and resilience.
The government-backed Cyber Essentials scheme has been recognised with the Editor's Award from SC Magazine. The scheme was developed by BIS and CESG, following an extensive period of industry consultation, to help businesses put in place practical measures that have been proven to help protect against cyber risk.
The BSI has been working to produce standardised Guidance for Damage Management that outlines the processes followed to facilitate the reinstatement and future integrity of affected public, commercial or domestic property, contents, facilities and assets, in the event of an incident or peril that causes damage. The consultation closes at the end of April 2015.
This code of practice, called BS 12999, builds on the already recognised BDMA Standards and connects with and supports other standards covering Business Continuity and Recovery Management.
For the past few years one of the BSI committees has been working to develop a guidance standard that organisations can use to better direct, inform and support themselves and positively impact their resilience.
The Standard, known as "BS 65000:2014 Guidance on organizational resilience", has challenged the author group and been through extensive revisions before finally reaching the public comment stage.
In March 2013, the UK Department for Business, Innovation and Skills issued a "Call for Views and Evidence" that built on the commitments made in the 2011 Cyber Security Strategy published by government.
The Call for Evidence focused on the government's intention to encourage the adoption of industry-led standards that organisations can use to improve the management of cyber risk. The particular focus of this work stream, which is part of a series of connected developments across business and government, was centred on the needs of SME companies.