The document discusses the importance of information systems auditing for guaranteeing the security and integrity of information in companies. It explains how information is a valuable asset that requires protection, and how security policies, employee training and auditing of the systems can help mitigate risks.
This document presents a guide to developing a Business Continuity Plan. It opens with a brief introduction on the importance of having a continuity plan. It then describes the guide's main objective, which is to provide a detailed description of the phases and tasks needed to develop a continuity plan. Finally, it presents some background on incidents that can affect an organization's continuity and the consequences of not having a continuity plan.
Talk on Business Continuity Management (GLM Consultoria)
The document provides a summary of business continuity management, covering standards, continuity plans, threats, impacts, communication and training. The CV of the specialist Guilherme Lopes Matsushita and bibliographic references on the subject are presented.
IT Governance vs IT Management Presentation V0.1 (Richard Willis)
IT governance involves establishing responsibility and accountability for major IT decisions and ensuring IT strategy alignment with business strategy. Effective IT governance increases profitability and shareholder returns. Frameworks like COBIT, ITIL, and ISO/IEC 38500 provide best practices for IT governance and management. IT governance is concerned with strategic decision making while IT management focuses on operational excellence. Organizations can assess their IT governance maturity to continually improve practices over time.
The document discusses the importance of business continuity plans for ensuring that essential services are preserved after disasters. It describes the components of a continuity plan, including crisis management, disaster recovery and operational continuity plans. It also presents the CIMCORP solution for creating business continuity plans in line with international methodologies.
This document discusses two ISO standards: ISO/IEC 27014:2013, which provides guidance on governance of information security, and ISO/IEC 38500:2008, which provides guidance on governance of information technology. It notes some key differences between the two standards, such as ISO 27014 focusing specifically on information security while ISO 38500 focuses more broadly on IT governance. It also discusses the development process for ISO 27014 and some of the challenges faced in creating the standard over five years of work.
This document presents one module of a course on COBIT 4.1. It introduces the course and discusses its structure and content, which includes modules on IT governance, COBIT and processes. The document also provides details about the instructor and how to access the course resources.
Narrative (voluntary) disclosure plays an important role in how both financial analysts and investors predict the performance of organizations; the research examines how important non-financial disclosure is in decision-making.
The document discusses several topics related to organizational engineering, including project management, strategic and organizational management, organizational performance management, enterprise networks, information management and knowledge management. The focus is on helping organizations adapt continuously to changes in the external and internal environment so as to remain efficient and competitive.
This document presents the objectives and content of an e-learning course on the NBR ISO/IEC 27001:2006 standard. The course aims to teach the requirements of the standard and how to implement and maintain an effective information security management system. The syllabus includes modules on information security concepts, an overview of the ISO 27001 and ISO 17799 standards, and interpretation of the requirements of ISO 27001.
The presentation provides a basic understanding of the Environmental Management System certification ISO 14001 with regard to mineral based industries.
Business Continuity, Data Privacy, and Information Security: How do they link? (PECB)
Considering the increased number of cyberattacks and the significant damage caused to the IT infrastructure, organizations should ensure that their efforts to secure IT operations are linked with efforts to maintain resiliency within organizations.
The webinar covers:
• Cybersecurity during pandemic through statistics
• Attack trends during pandemic
• Mitigating steps to take
• Relevance of IT Disaster Recovery in the time of Cloud computing
• Achieving optimal alignment and efficiency regarding your ISMS, BCP, BIA and Risk Management efforts
• Post-pandemic cyber and privacy considerations
• BCP and pandemic scenario planning 'beyond COVID'
• How to keep your privacy policy and incident response plan actionable
• How to keep your BCP short, sharp, up-to-date and user-friendly during an actual invocation
The document describes the main industrial processes, including continuous, batch and discrete processes. Beer brewing is given as an example, with the stages of malt reception, milling, mashing, boiling, fermentation, maturation, filtration, bottling and pasteurization.
ISO/TS 16949:2002 Presentation of the Requirements (Rogério Souza)
This document presents the technical standard ISO/TS 16949:2002, which sets out the requirements for a quality management system for organizations in the automotive sector. The standard describes principles such as customer focus, leadership, continual improvement and process-based management. It also refers to manuals such as APQP, FMEA, MSA and PPAP, which provide guidelines for the quality management system.
The document discusses ISO 27001, an international standard for information security management systems. It explains the principles, benefits and implementation steps of ISO 27001, and presents a success story from Algar Tech, the first Brazilian company certified to ISO 27001.
ISO 22301: The New Standard for Business Continuity Best Practice (MissionMode)
ISO 22301 is the new international standard for Business Continuity Management best practice. It provides organizations with a framework to manage risk and ensure that they can continue operations in any type of event. In this webinar, ISO 22301 expert John McGill will help you understand the ISO standard, why it's important, and how to plan for certification.
ISO/IEC 27002 Foundation - Preparation for the ISO 27002 Foundation Certification (CompanyWeb)
The document describes the services and training offered by the company CompanyWeb in IT governance and management. CompanyWeb has 14 years of experience and provides services to large companies in the oil, banking, beverage and other sectors. The document also presents a specialist consultant from the company and details the various courses and certifications offered in areas such as governance, risk management, information security and agile methodologies.
ISO 27001:2013 is the international standard that provides a framework for Information Security Management Systems (ISMS) to provide continued confidentiality, integrity and availability of information as well as legal compliance.
ISO 27001 certification is essential for protecting your most vital assets like employee and client information, brand image and other private information. The ISO standard includes a process-based approach to initiating, implementing, operating and maintaining your ISMS.
This implementation guide will help you run through the benefits, PDCA Cycle and Annex SL structure in detail for implementing ISO 27001.
This document outlines a 6-phase process for developing an information security management system (ISMS) to ensure compliance with HIPAA security regulations. Phase 1 involves planning the project. Phase 2 develops security policies and standards. Phase 3 performs a risk assessment to identify threats, vulnerabilities and risks. Phase 4 manages identified risks. Phase 5 implements security controls. Phase 6 prepares documentation of the compliance program. The goal is to establish an ongoing management system for maintaining security and regulatory compliance.
ISO 27002 EXIN Mock Exam 01 - Information Security (Fernando Palma)
This document provides a mock exam on Information Security Foundations based on the ISO/IEC 27002 standard, with 40 multiple-choice questions. The aim is to test candidates' knowledge of concepts such as reliability of information, risk analysis and management, security incidents and security measures.
The document summarizes the key changes between ISO 27001:2022 and the previous 2013 version. Some of the main changes include:
1. A new name that includes cybersecurity and privacy protection.
2. Shorter at 19 pages compared to 23.
3. New terminology and structure for some clauses around objectives, communication, monitoring and management review.
4. A new annex with 93 controls categorized by type and security properties, compared to the previous 114 controls.
5. Organizations will need to evaluate their existing ISMS and make updates to address the new requirements and structure of ISO 27001:2022.
The ISO/IEC 27001:2013 standard: everyone has heard of it, few have seen it
The complexity of information security is reflected in the standard. A full implementation of ISO 27001, applying all of its recommendations, would take a mid-sized organization years.
How do you build a balanced ISMS from scratch, select only the protective measures that are really necessary, and implement information security processes correctly?
1. The document discusses the implementation of IT governance based on the best practices of COBIT, ITIL and BSC.
2. The COBIT, ITIL and BSC best practices are presented, along with how to implement IT governance based on COBIT.
3. The author is a specialist in IT governance and business management who provides guidance on how to implement IT governance.
BDU Principles of Proper Brand Valuation (Grundsätze ordnungsgemäßer Markenbewertung), Nestler 2016 (Dr. Anke Nestler)
At the end of 2015 the Bundesverband der Unternehmensberater (BDU) published Principles of Proper Brand Valuation (GoM). In conclusion, I find that, in my assessment, the GoM do not meet the standard of "generally accepted principles". They do offer some interesting pointers for valuation practice on how a brand and its function can be characterised. However, the GoM disregard important basic principles of a proper valuation and are, in my view, more of an illustrative compilation of various aspects of a brand valuation.
This document is the 2014 World Disasters Report published by the International Federation of Red Cross and Red Crescent Societies (IFRC). The report focuses on the links between culture and risk, and how understanding these links is important for disaster risk reduction and humanitarian efforts. Some key points:
- The IFRC is the world's largest humanitarian network, comprising 189 National Red Cross and Red Crescent Societies. It aims to save lives and reduce vulnerabilities through various strategies and programmes.
- Culture influences how people perceive risks and behave when facing hazards and disasters. Understanding local cultures is important for effective risk reduction and humanitarian assistance.
- The report examines how factors like religion, livelihoods, community structures, the
This document summarizes the costs associated with ineffective business continuity programs. It finds that IT/telecommunications outages can cost organizations millions, with minor incidents costing on average $53,210 per minute of downtime. Data breaches and cyber attacks were found to cost on average $11.6 million annually according to one study. Adverse weather events in the US alone resulted in $12.8 billion in insurance payouts in 2013 according to one report. The document concludes by recommending that organizations strengthen their business continuity programs to reduce costs from disruptions.
This document is a dictionary of business continuity management terms compiled by Lyndon Bird, International Development Director at the Business Continuity Institute. It contains definitions for over 200 terms related to business continuity from A-Z. The definitions are sourced from standards and guidelines such as GPG2010, BS25999, AS/NZ 5050, and the BCI's own preferred meanings. References for where terms are defined in other standards are provided. The dictionary is intended to help standardize understanding of business continuity terminology.
This report by the World Economic Forum analyzes global risks and their interconnections. It surveys over 700 global leaders on 31 global risks, finding that fiscal crises, unemployment, and water crises are the risks of highest concern. Environmental and economic risks like extreme weather and income disparity are seen as high impact and likelihood. Risks like fiscal crises and unemployment are highly interconnected. The report explores how risks related to a changing geopolitical order, high youth unemployment, and threats to cyberspace could interact systemically. It aims to foster dialogue on building resilience to global risks through international cooperation.
The Symantec Intelligence Report for December 2013 provides the following key information:
1) Targeted attacks decreased in December after above average numbers in October and November. Large organizations of 2500+ employees are targeted in 39% of attacks.
2) The number of data breaches reported increased in December, many of which occurred earlier in the year. The largest breach exposed 40 million identities in November.
3) The number of new mobile malware variants declined for the third straight month to 161 new variants in December.
4) A total of 471 new vulnerabilities were discovered in December, bringing the yearly total to 6,436. Browser vulnerabilities in Google Chrome and plug-in vulnerabilities in Oracle Java led among
In 2013:
- Asia experienced the highest overall losses from natural catastrophes at $60 billion, followed by Europe at $37.5 billion and North America at $22.5 billion.
- North America experienced the highest insured losses at $17 billion, accounting for 56% of total insured losses worldwide. Asia experienced $9 billion in insured losses.
- Overall losses in 2013 of $125 billion were similar to the 1980-2012 average of $115 billion per year. However, insured losses were higher in 2013 at $31 billion compared to the 1980-2012 average of $30 billion.
The document analyzes countries most affected by extreme weather events from 1993-2012 based on data from Munich Re NatCatSERVICE. Honduras, Myanmar and Haiti were the most affected countries overall in this period. In 2012, Haiti, the Philippines and Pakistan experienced the largest impacts from extreme weather. The analysis finds that developing countries are generally more affected than industrialized countries. It calls for increased international support for adaptation and disaster risk reduction in vulnerable developing nations.
The survey summarizes the key findings of the 5th annual Supply Chain Resilience survey conducted by the Business Continuity Institute. 519 respondents from 71 countries shared that 75% still do not have full visibility of supply chain disruptions. 75% experienced at least one disruption in the past year, and 42% originated from lower tier suppliers. The top causes of disruption were IT outages, adverse weather, and outsourcer failures. Disruptions cost over €1 million for 15% of respondents. The survey concludes that supply chain disruptions continue to significantly impact businesses and better management is still needed.
Business Continuity Awareness Week was held from March 18-22, 2013 to promote business continuity and resilience. The event aimed to improve organizations' ability to mitigate risks through business continuity planning. Participants could join and follow Business Continuity Awareness Week online at the listed website.
Tests and exercises in the BCM lifecycle
The article on this can be found at BCM-News:
http://www.bcm-news.de/2012/12/16/die-phase-tests-und-uebungen-im-bcm-lifecycle/#more-18059
The document summarizes the challenges of recovering from major earthquakes in Christchurch, New Zealand two years after significant earthquakes in 2010 and 2011. It describes the extensive damage to infrastructure and buildings from liquefaction. Key ongoing issues included the closure of the central business district, developing a recovery plan addressing long-term instability from liquefaction, removing entire damaged neighborhoods, and population movements. The recovery faced challenges around insurance claims, coordination across agencies, and financing the long-term rebuild. The document argues for proactive mitigation to reduce earthquake impacts.
- 73% of respondents experienced at least one disruptive supply chain incident in the past 12 months, with an average of five incidents.
- 39% of analyzed disruptions originated below the immediate tier one supplier, underscoring the deep-rooted nature of disruptions.
- Unplanned IT or telecom outages jumped to the top cause of disruptions, affecting 52% of organizations to some or a high degree. Adverse weather also remained a prominent cause.
- Failure of service provision by outsourcing suppliers doubled from 2011 and joins the top three causes of disruptions.
ISO 22301: the new standard for Business Continuity Management
BCM Stakeholder Management
1. The difficulty of keeping all BCM stakeholders "in good spirits"
Managing the "interested party" in BCM
BCI Congress 2012, Stuttgart, 6 September 2012
Matthias Hämmerle MBCI, 10.06.2012
2. Stakeholder Management in BCM
"The secret of success is to understand the other person's point of view"
Henry Ford
3. Agenda
• Who are the internal and external stakeholders of BCM?
• What different, sometimes contradictory, requirements do they place on BCM?
• How can these different requirements be met without losing sight of the core tasks?
• Which communication media are available to the BC manager for this purpose?
• What pitfalls lurk, and are there any cure-alls?
Many questions that the talk attempts to answer, without always finding a cure-all.
But a problem shared is a problem halved.
4. BCM Stakeholder Management
A Requirements for stakeholder management
B Management of the requirements
C Lessons learned - Do's and Don'ts
6. BCM stakeholders have gained greater importance in the new ISO 22301 standard
One of the main changes compared with BS 25999 is the role of the "interested party" in the BCM lifecycle, in contrast to the stakeholder in BS 25999.
BS 25999-1, -2:
• Stakeholder defined as a role
• Concrete requirements are defined at only a few points in the standard (scope and incident response, stakeholder management in BS 25999-1)
ISO 22301, ISO 22313:
• "Interested party" defined as a role (broad definition)
• Dedicated section "Understanding the needs and expectations of interested parties"
• Requirements for stakeholder management defined across the entire BCM lifecycle
7. Interested parties in the PDCA cycle of ISO 22301 and ISO 22313
[Figure: PDCA cycle "Continual improvement of business continuity management systems (BCMS)". On the input side, interested parties with their requirements for business continuity feed into Establish (Plan); the cycle then runs through Implement and operate (Do), Monitor and review (Check) and Maintain and improve (Act); on the output side, interested parties receive managed business continuity.]
Source: ISO 22313
8. Outline of ISO 22301 and ISO 22313 Draft
"Interested parties" are given considerably more weight in the new ISO standards than in BS 25999 (explicit outline item)
Source: ISO 22313 Draft 1/2012
9. "Interested parties" in the ISO 22313 draft
Definition of "interested parties" in BCM
ISO 22313, 4.2 Understanding the needs and expectations of interested parties:
"When establishing its BCMS, the organization should ensure that the needs and requirements of interested parties are taken into consideration. The organization should identify all interested parties that are of relevance to its BCMS and based on their needs and expectations, determine their requirements. It is important to identify not only obligatory and stated requirements but also any that are implied.
NOTE When establishing the BCM, the organization needs to be aware of not only 'those groups without whose support the organization would cease to exist', the Stanford Research Institute's definition of stakeholders, but additionally those who have an interest in the organization, such as the media, the public nearby, competitors and so on. Furthermore a stakeholder may have defined requirements that must be taken into account, whereas an interested party in most situations is not able to specify requirements or impose obligations."
"Interested parties" are deliberately defined more broadly than "stakeholders"; their requirements have to be anticipated where they are not explicitly formulated.
11. "Interested parties" in the ISO 22313 draft
Requirements regarding "interested parties" in BCM
ISO 22313, 4.2 Understanding the needs and expectations of interested parties:
"When planning and implementing the BCMS, it is important to identify actions that are appropriate in relation to interested parties but differentiate between the different categories. For example, it is likely to be appropriate to communicate with all interested parties following a disruptive incident but it may not be appropriate to communicate with all interested parties during all stages of the business continuity programme referred to in 8.1.1."
"Interested parties" have to be treated in a differentiated way.
12. "Interested parties" in ISO 22301
"It is not the intent of this International Standard to imply uniformity in the structure of a Business Continuity Management System (BCMS), but for an organization to design a BCMS that is appropriate to its needs and that meets its interested parties' requirements."
ISO 22301:
- Scope of the BCMS: take into account interested parties' needs and interests, such as customers, investors, shareholders, the supply chain, public and/or community input and needs, expectations and interests (as appropriate)
- Policy: The BCMS policy shall be available to interested parties, as appropriate
- Communication: The organization shall establish, implement, and maintain procedure(s) for
  – internal communication amongst interested parties and employees within the organization
  – external communication with customers, partner entities, local community and other interested parties, including the media
13. "Interested parties" in ISO 22301
BIA and incident management
ISO 22301:
- Business impact analysis: identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties
- Incident response structure: The response structure shall communicate with interested parties and authorities, as well as the media
- Warning and communication: The organization shall establish, implement and maintain procedures for internal communication within the organization and receiving, documenting and responding to communication from interested parties
14. "Interested parties" in ISO 22301
Planning, tests and management review
ISO 22301:
- Business continuity plans: The business continuity plans shall collectively contain details on how and under what circumstances the organization will communicate with employees and their relatives, key interested parties and emergency contacts
- Exercising and testing: The organization shall conduct exercises and tests that taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties
- Management review: The organization shall communicate the results of management review to relevant interested parties
16. Stakeholder management in BCM
Identification and management of the interested parties in BCM
Stakeholder management in three steps:
1 Identification of the "interested parties" of BCM: which company-internal and company-external interested parties exist for BCM?
2 Identification, documentation and agreement of the requirements: identification of requirements and expectations; definition of the mutual deliverables and services; definition of the communication
3 Implementation: documentation of the most important interfaces together with the delivery relationships in the BCM policy; integration into BCM communication (e.g. BCM reporting)
The aim is to define the respective interfaces to the identified stakeholders.
17. Onion model of the "interested parties" of BCM
Who are the interested parties of BCM?
Figure: onion model with BCM roles at the centre, surrounded by company-internal and company-external interested parties.
- Company-internal: BCM roles, service providers, sourcing management, employees, press and communication, executive board (VO), managing directors (GF), internal audit, supervisory board (AR)
- Company-external: suppliers, customers, partners, service providers, relatives, the public, press and media, neighbours, shareholders, BaFin, Bundesbank (Buba), authorities, supervisory bodies, external auditors (W-Prüfer)
19. Indirect relationships to stakeholders
Frequently BCM has only indirect relationships to the "interested party", as for example in communication with the press via the press department.
20. Interested parties in regular operations and in emergency mode
The interested parties in an emergency differ from those in regular operations.
Company-internal:
- Regular operations: BCM organisation; interface areas (IT, risk and security management etc.)
- Emergency, crisis: management, shareholders; crisis team; press and communication
Customers, suppliers, service providers:
- Regular operations: BCM in supply chain management: critical suppliers
- Emergency, crisis: affected customers, suppliers, service providers; insurers
Press, media, the public:
- Regular operations: via press releases, annual report etc.
- Emergency, crisis: relatives, neighbours; press, media
Supervisory authorities, authorities, organisations:
- Emergency, crisis: security organisations; relevant authorities (public health office etc.)
21. Classification of interfaces to stakeholders
Defining the form of communication
Design of the interfaces to stakeholders:
- Provision of information: for example as part of BCM reporting (policy, concepts, plans etc.) or alerting and escalation
- Coordination: for example coordination of BCM concepts, BC plans etc.
- Specifications: for example specifications for methods and procedures, templates etc.
- Decisions, approvals, releases
22. Balancing the differing interests
Recognise and clarify differing interests and approaches. Examples:
- BCM vs. process management: BCM works with cross-divisional value chains and the product catalogue; process management works with detailed process models
- BCM vs. IT: BCM works with the IT service catalogue; IT works with availability requirements for applications, systems and infrastructure
- BCM vs. sourcing management: BCM wants its requirements reflected in the SLAs; sourcing management wants swift contract negotiations
23. RASCI for agreeing and documenting the interfaces with interested parties (example)
BCM responsibilities (RASCI) - process "Business Impact Analysis"
Prepared by: / Date:
Roles (matrix columns): full board, responsible board member, central BCM, crisis team, situation centre, department, BCM officers, process experts, bank head, internal audit, crisis manager, external auditor (WP). The columns are grouped into BCM; departments, subsidiaries, branches; management; audit.
Activities (rows), with the RASCI entries as they appear on the slide:
- Initiate the update or execution of business impact analyses: R
- Execute or update the BIA of the divisions, subsidiaries, branches: S, R, A, C
- Approve the BIA results: A, I
- Define the critical processes: A, I
- Agree the requirements resulting from the BIA with all relevant organisational units (e.g. IT, administration) of the divisions: S, R, A
Legend:
R = Responsible: responsibility for execution
A = Accountable: approval, release, decision
S = Support: advice, assistance
C = Consulted: technical responsibility
I = Informed: right to be informed
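A RASCI matrix is only useful as an agreed interface document if every activity has exactly one accountable role and at least one responsible role; rows that silently lack both are the ones that fall through the cracks in a crisis. The following Python script is an added example, not code from the deck or from the author: it runs these consistency checks over a constructed matrix whose role names loosely follow the slide's column groups (the assignments are illustrative, and the "Review BIA method" row is deliberately defective), and it also counts how often each role carries R or A, which surfaces single points of failure before the matrix is written into the BCM policy.

```python
from collections import Counter

VALID_CODES = {"R", "A", "S", "C", "I"}

# Constructed sample RASCI matrix for the "Business Impact Analysis" process.
# Role names loosely follow the slide's column groups; the assignments are
# illustrative and not taken from the deck.
RASCI_BIA = {
    "Initiate update or execution of BIAs": {
        "Central BCM": "R", "Responsible board member": "A"},
    "Execute or update BIA of divisions and subsidiaries": {
        "Central BCM": "S", "Department": "R", "Division head": "A",
        "BCM officer": "C"},
    "Approve BIA results": {
        "Responsible board member": "A", "Central BCM": "R", "Department": "I"},
    "Define critical processes": {
        "Responsible board member": "A", "Central BCM": "R", "Department": "I"},
    "Agree BIA requirements with affected org units": {
        "Central BCM": "S", "Department": "R", "Division head": "A"},
    # Deliberately defective row: nobody is responsible or accountable.
    "Review BIA method": {"Internal audit": "C"},
}


def check_rasci(matrix):
    """Return {activity: [problem, ...]} for every row that violates the
    usual RASCI rules: exactly one A, at least one R, only known codes.
    An empty dict means the matrix is consistent."""
    problems = {}
    for activity, assignments in matrix.items():
        issues = []
        codes = Counter(assignments.values())
        unknown = sorted(set(assignments.values()) - VALID_CODES)
        if unknown:
            issues.append(f"unknown codes: {unknown}")
        if codes["A"] != 1:
            issues.append(f"expected exactly one A, found {codes['A']}")
        if codes["R"] == 0:
            issues.append("no role is Responsible")
        if issues:
            problems[activity] = issues
    return problems


def role_load(matrix):
    """Count how often each role carries R or A across all activities.
    Roles that never carry R or A are omitted from the result."""
    load = Counter()
    for assignments in matrix.values():
        for role, code in assignments.items():
            if code in ("R", "A"):
                load[role] += 1
    return dict(load)


if __name__ == "__main__":
    for activity, issues in check_rasci(RASCI_BIA).items():
        print(f"{activity}: {'; '.join(issues)}")
    print(role_load(RASCI_BIA))
```

Run as a script, it reports the defective row and the R/A load per role; in practice the matrix would be loaded from the agreed interface document rather than hard-coded, and the check run whenever the policy is revised.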
24. Definition of the delivery and service relationships
Who delivers what to whom, at which frequency and in which form (example)
Phase BIA, partner IT:
- From IT: IT service catalogue; actual availabilities for IT services and service providers
- To IT: target availabilities for IT services and IT service providers; gap analysis of the service availabilities; workarounds for IT services
Phase BIA, partner organisation:
- From organisation: business processes, products, value chains
- To organisation: criticality of business processes; process resources
Phase risk assessment, partner risk management:
- From risk management: risk scenarios, risk estimates, loss events, precautionary measures
- To risk management: risk assessments for buildings, personnel, IT services
25. Power / interest grid for stakeholder management
Managing the interfaces to the interested parties
Figure: grid with power/influence on the vertical axis (- to +) and interest on the horizontal axis (- to +). Quadrants: Keep satisfied (high power, low interest); Manage closely (high power, high interest); Monitor (low power, low interest); Keep informed (low power, high interest).
27. Do's and Don'ts
Lessons learned from stakeholder management for BCM
- Be able to say "no": Often the prerequisites for BCM are not ideal: business processes, IT service catalogue, SLAs. BCM cannot set out to fix all the "sins of the past".
- Clarify interfaces early: Clarifying the interfaces early helps to prevent misunderstandings, duplicated work and incompatibilities.
- Document interfaces bindingly: Only interfaces that are clarified and documented bindingly and by mutual agreement are of any help, for example as part of the policy or of the binding BCM rulebook.
28. Do's and Don'ts
Lessons learned from stakeholder management for BCM
- Think (and act) "around corners": Many interfaces to interested parties are not direct interfaces of BCM but run indirectly via other departments, such as press & communication or outsourcing management.
- Think of interested parties in crisis situations: Many interested parties are relevant only in emergency or crisis situations. These include authorities and security organisations, but also relatives and neighbours. Involve them already during regular operations.
- Build interested parties into information and communication: Agree the means and channels of information and communication with the interested parties. Use all means of communication in a differentiated way (intranet, reports, regular meetings etc.).
29. Questions and discussion
Thank you!
Matthias Hämmerle MBCI
Business Continuity Manager
BCM-News
www.bcm-news.de
admin@bcm-news.de