Management Principles of ISO in Business Continuity Management
Authors: S. J. Daharwal, A. Sharma and R. B. Saudagar
Address: Institute of Pharmacy, Pt. Ravishankar Shukla University, Raipur (C.G.)
Abstract
There are many risks that may threaten any organization by disrupting its business processes. The spectrum of risks and threats may start as a leakage in the supply pipe and may also extend to cyber crime and terrorism. Business Continuity Management serves as an ongoing process, submerged in the basic management principles of an organization including disaster recovery, business recovery, business resumption and contingency planning. From the very beginning ISO has keenly focused on the fact that its standards should become a part of the system. Thus we achieve a perfect matrix of business continuity management and ISO standards, capable of facing almost any situation that may lead to discontinuity.
Introduction
Management is creative problem solving. This creative problem solving is accomplished through four functions of management: planning, organizing, leading and controlling. The intended result is the use of an organization’s resources in a way that accomplishes its mission and objectives.
Planning is the ongoing process of developing the business’ mission and objectives and determining how they will be accomplished. Planning includes both the broadest view of the organization, e.g., its mission, and the narrowest, e.g., a tactic for accomplishing a specific goal.
Organizing is establishing the internal organizational structure of the organization. The focus is on division, coordination, and control of tasks and the flow of information within the organization. It is in this function that managers distribute authority to job holders.
Staffing is filling and keeping filled with qualified people all positions in the business. Recruiting, hiring, training, evaluating and compensating are the specific activities included in the function. In the family business, staffing includes all paid and unpaid positions held by family members including the owner/operators.
Directing is influencing people’s behavior through motivation, communication, group dynamics, leadership and discipline. The purpose of directing is to channel the behavior of all personnel to accomplish the organization’s mission and objectives while simultaneously helping them accomplish their own career objectives.
Controlling is a four-step process of establishing performance standards based on the firm’s objectives, measuring and reporting actual performance, comparing the two, and taking corrective or preventive action as necessary.
An Important Qualification to Success:
Management success is gained through accomplishment of mission and objectives. Managers fail when they do not accomplish mission and objectives. Success and failure are tied directly to the reasons for being in business, i.e., mission and objectives. However, accomplishing mission and objectives is not sufficient. Success requires both effectiveness and efficiency. Managers who accomplish their mission and objectives are said to be effective. Efficiency describes the relationship between the amount of resources used (input) and the extent to which objectives were accomplished (output). If the cost of accomplishing an objective is prohibitive, then the objective is not realistic in the context of the firm’s resources. Additional planning is necessary.
AN OVERVIEW OF BUSINESS CONTINUITY MANAGEMENT (BCM):
A Definition of Business Continuity Management:
Business Continuity Management means ensuring the continuity or uninterrupted provision of operations and services. Business Continuity Management is an on-going process with several different but complementary elements. Planning for business continuity is a comprehensive process that includes disaster recovery, business recovery, business resumption, and contingency planning.
Definition used by the Europe-based Business Continuity professional body – The Business Continuity Institute (BCI). Business Continuity Management:
- Is a holistic management process that identifies possible impacts that potentially threaten an organization.
- Provides a framework for building resilience and the capability for an effective response.
- Safeguards the interests of an organization’s key stakeholders, reputation, brand and value creating activities.
There are many risks that may threaten your organization by disrupting your business processes. These risks include traditional emergencies like fires, floods, earthquakes and tornados as well as risks from physical and cyber terrorism, cyber crime, computer and telecommunications failures, theft, employee sabotage, and labor strife. Any one of these can be very disruptive for your business. BCM efforts are likely to make money for your firm as they serve to minimize disruptions and financial loss during even minor events. This means increased reliability and productivity for your company. This means competitive advantage and increased market share. Business Continuity Management is a relatively new term that is often thought of as another way to say “disaster recovery”, but it means so much more. Business Continuity Management includes disaster recovery, business recovery, business resumption, contingency planning, and crisis management. As described above, Business Continuity Management is meant to have a very broad meaning and is often used as an all-encompassing term to describe an integrated and enterprise-wide process that should include the following, in alphabetical order:
- Accident prevention
- Business impact analysis
- Business recovery
- Business resumption planning
- Command centers
- Computer security
- Contingency planning
- Crisis communication
- Crisis management
- Disaster recovery
- Emergency management and response
- Event management
- Exercising and training
- Information security
- Mitigation planning
- Project management and quality control
- Risk control
- Risk financing and insurance
- Risk management
- Safety and security
- Software management
Business Continuity Management, therefore, is a comprehensive process to ensure the continuation and improvement of business in the face of whatever challenges any firm may face. Continuity planning requires that these many processes be used together to create a complete continuity plan.
The plan must be maintained and updated as business processes change. Continuity plans must be tested. Table top drills and functional exercises are generally used to ensure that they will work.
BCM Planning process:
The first step in the planning process is to conduct a risk assessment and a business impact assessment. The next step is to decide what measures can be put in place to prevent risks becoming reality and to minimize damage if a disaster does occur. Not all risks are preventable, but steps can be taken to minimize the likelihood that they will happen.
A step-by-step interpretation of Business Continuity Planning involves the following stages:
Stage 1 – Project Initiation:
Planning and implementing an effective, targeted Business Continuity Plan is a complex task – it can take several months to complete an initial BCP. It is therefore essential to set the planning process within the framework of a formal project, so that it is managed and coordinated throughout the planning cycle. Like all well run projects, we start with a project initiation phase. During this stage we set up our BCP project team and formally establish Senior Management commitment to the BCP by developing and getting their endorsement of a Business Continuity Management Policy Statement. We also ensure that any essential, pre-requisite processes are in place to ensure the continued viability of the Business Continuity Plan, e.g., in the context of Information and Communications Technology (ICT), that an effective Configuration Management Policy and Change Control Process is in place – key to the continued viability of any Business Continuity Plan.
Stage 2 – Functional Requirements:
During the second stage we seek to gain a thorough understanding of the business. We establish the operational and business aims and objectives of the organization, and the mission critical activities and processes that support them. We conduct a Business Impact Analysis (BIA) and Risk Identification, Assessment & Control exercise to ensure that we plan only for those risks that are relevant to the organization – those that could threaten Business Critical Activities and Resources. In other words, we identify the Business Continuity Scenarios we need to plan for. This very important stage provides an all-important focus for the subsequent stages in the BCP process. From experience, this stage is best achieved by first conducting interviews to gather baseline information and then, using this information as the basis, running a number of workshops, which should be facilitated by a Business Continuity Management consultant, and attended by key stakeholders from the organization. This approach has proven to be very successful, since it allows all participants to contribute and be brought up to a common level of understanding of what we wish to achieve. It engenders ownership and buy-in to the whole process – an important aspect that should never be underestimated.
Stage 3 – Design & Development:
We are now at the stage where we know the Business Continuity Scenarios for which we need to develop a Business Continuity Management Strategy, or should I say Strategies, because we will need to develop strategies to deal with issues at Organizational and Process level and a strategy to address Recovery of Resources. These will give a high-level outline of the Plans to be developed.
Stage 4 – Developing & Implementing BCPs:
Once we have agreed our strategies for the different levels of the organization, and secured the all-important senior management sign-up to these, it is time to start developing the detailed plans that will be brought to bear for each of our endorsed BCP Scenarios. There is a range of issues that must be addressed by the detailed BCP, ranging through:
- Emergency Response and Operations.
- Crisis management.
- Liaison with external bodies & organizations.
- Typical aspects would include but not be limited to: information backup strategies, degree of resilience required, call-out and other procedures, use of off-site DR facilities.
- Resourcing (both internal and through outsourcing partners).
- Communications and ….
- How to deal with Public Relations and the Media
The benefits of planning for these latter items are often underestimated but…. it is a critical aspect that gives the public the lasting impression of how you dealt with the crisis situation, an important consideration when considering how quickly and how well you recover from an incident. Lose the confidence of your customers and they will not hesitate to go elsewhere! There are other aspects, of course, and these are covered in the BSI BCP Management Guide, resulting in a plan describing who does what, where, when and how, what the DR plan invocation triggers are and when you can “stand down”.
Stage 5 – Building & Embedding a BCP Culture:
The best strategies and plans in the world are absolutely useless unless the staff required to implement them buy into the rationale and understand why the plans are needed. In other words, you need to develop a BCP culture within your organization. I alluded to this earlier when I discussed the benefits of using the workshops approach in Stage 2, but the difficulty in building up this culture should not be under-estimated. Establishing a BCP is likely to mean changes to existing working practices and, like all change, people can be resistant to them. However, by developing an effective and, importantly, ongoing awareness, education and training programme, the culture will become embedded into your organization. Good two-way communications and taking the concerns of staff into account will be important; after all, the staff will know how practical a plan is in practice – a critical test of whether the BCP will succeed or fail.
Stage 6 – Exercising, Maintenance & Updating:
The benefits of a well thought out training and exercising programme cannot be under-estimated.
- You should design the exercise schedule such that each element of the plan is tested, usually on an annual rolling basis to minimize disruption to normal operations.
- The Business Continuity exercises provide a valuable vehicle for validating the efficacy of your plans, for rehearsing and training your staff and BCP teams and reassuring both them and senior management that the plans will work when they are invoked for real.
- Almost inevitably, you will find errors or shortcomings in the processes during these exercises or you may find that your operations have moved on and elements of the plans you previously developed no longer support the needs of the organization. The BCP exercises provide a valuable means of validating your plans. The lessons learned should be fed back into the planning process and the underlying business assumptions upon which your plans had been based, and if necessary the plans themselves, be amended.
- In addition to the exercise schedule, or perhaps in parallel with it, each plan should be reviewed on at least an annual basis to ensure that it remains relevant to the business. You do this by reviewing your business critical processes and outputs and checking that the plans you have still support them.
- More regular updating should be delegated to the Plan “owner”, an operational manager, who can incorporate this into routine business processes. This is particularly relevant for dynamic information, such as critical phone numbers, names, suppliers, locations, etc., which may change more frequently than can be managed by an annual review. Clearly, it is critical that these key changes are reflected in the BCP.
- Finally, to ensure that the plans remain effective and that staff training is being kept current, a regular audit of the business continuity management process should be conducted.
The world of ISO:
ISO is a network of the national standards institutes of 157 countries, on the basis of one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO is a non-governmental organization: its members are not, as is the case in the United Nations system, delegations of national governments. Nevertheless, ISO occupies a special position between the public and private sectors. This is because, on the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations. Therefore, ISO is able to act as a bridging organization in which a consensus can be reached on solutions that meet both the requirements of business and the broader needs of society, such as the needs of stakeholder groups like consumers and users.
What ISO’s name means:
Because “International Organization for Standardization” would have different abbreviations in different languages (“IOS” in English, “OIN” in French for Organisation internationale de normalisation), it was decided at the outset to use a word derived from the Greek isos, meaning “equal”. Therefore, whatever the country, whatever the language, the short form of the organization’s name is always ISO.
How it all started:
International standardization began in the electrotechnical field: the International Electrotechnical Commission (IEC) was established in 1906. Pioneering work in other fields was carried out by the International Federation of the National Standardizing Associations (ISA), which was set up in 1926. The emphasis within ISA was laid heavily on mechanical engineering. ISA’s activities came to an end in 1942. In 1946, delegates from 25 countries met in London and decided to create a new international organization, of which the object would be “to facilitate the international coordination and unification of industrial standards”. The new organization, ISO, officially began operations on 23 February 1947.
What ‘international standardization’ means:
When the large majority of products or services in a particular business or industry sector conform to International Standards, a state of industry-wide standardization can be said to exist. This is achieved through consensus agreements between national delegations representing all the economic stakeholders concerned – suppliers, users, government regulators and other interest groups, such as consumers. They agree on specifications and criteria to be applied consistently in the classification of materials, in the manufacture and supply of products, in testing and analysis, in terminology and in the provision of services. In this way, International Standards provide a reference framework, or a common technological language, between suppliers and their customers – which facilitates trade and the transfer of technology.
How ISO standards benefit society:
For businesses, the widespread adoption of International Standards means that suppliers can base the development of their products and services on specifications that have wide acceptance in their sectors. This, in turn, means that businesses using International Standards are increasingly free to compete on many more markets around the world.
For customers, the worldwide compatibility of technology which is achieved when products and services are based on International Standards brings them an increasingly wide choice of offers, and they also benefit from the effects of competition among suppliers.
For governments, International Standards provide the technological and scientific bases underpinning health, safety and environmental legislation.
For trade officials negotiating the emergence of regional and global markets, International Standards create “a level playing field” for all competitors on those markets. The existence of divergent national or regional standards can create technical barriers to trade, even when there is political agreement to do away with restrictive import quotas and the like. International Standards are the technical means by which political trade agreements can be put into practice.
For developing countries, International Standards that represent an international consensus on the state of the art constitute an important source of technological know-how. By defining the characteristics that products and services will be expected to meet on export markets, International Standards give developing countries a basis for making the right decisions when investing their scarce resources and thus avoid squandering them.
For consumers, conformity of products and services to International Standards provides assurance about their quality, safety and reliability.
For everyone, International Standards can contribute to the quality of life in general by ensuring that the transport, machinery and tools we use are safe.
For the planet we inhabit, International Standards on air, water and soil quality, and on emissions of gases and radiation, can contribute to efforts to preserve the environment.
ISO and world trade:
ISO – together with IEC (International Electrotechnical Commission) and ITU (International Telecommunication Union) – has built a strategic partnership with the WTO (World Trade Organization) with the common goal of promoting a free and fair global trading system. The political agreements reached within the framework of the WTO require underpinning by technical agreements. ISO, IEC and ITU, as the three principal organizations in international standardization, have the complementary scopes, the framework, the expertise and the experience to provide this technical support for the growth of the global market. The WTO’s Agreement on Technical Barriers to Trade (TBT) includes the Code of Good Practice for the Preparation, Adoption and Application of Standards. The TBT Agreement recognizes the important contribution that International Standards and conformity assessment systems can make to improving efficiency of production and facilitating international trade. Therefore, where International Standards exist or their completion is imminent, the Code states that standardizing bodies should use them as a basis for standards they develop. The Code requires that standardizing bodies that have accepted its terms notify this fact to the ISO/IEC Information Centre located at the ISO Central Secretariat. Standardizing bodies having accepted the Code must publish their work programmes and also notify the existence of their work programmes to the ISO/IEC Information Centre. On behalf of the WTO, ISO periodically publishes a Directory of standardizing bodies that have accepted the WTO TBT Standards Code.
ISO and developing countries:
ISO standards represent a reservoir of technology. Developing countries in particular, with their scarce resources, stand to gain from this wealth of knowledge. For them, ISO standards are an important means both of acquiring technological know-how that is backed by international consensus as the state of the art, and of raising their capability to export and compete on global markets. The whole spectrum of ISO’s activities in favour of developing countries is encompassed in the ISO Action Plan for developing countries 2005-2010. ISO has a policy committee on developing country matters, DEVCO, with a membership of nearly 117 standards institutes from both industrialized and developing countries.
The big, wide world of ISO standards:
Between 1947 and the present day, ISO published more than 16 000 International Standards. ISO’s work programme ranges from standards for traditional activities, such as agriculture and construction, through mechanical engineering, to medical devices, to the newest information technology developments, such as the digital coding of audio-visual signals for multimedia applications. Standardization of screw threads helps to keep chairs, children’s bicycles and aircraft together and solves the repair and maintenance problems caused by a lack of standardization that were once a major headache for manufacturers and product users. Standards establishing an international consensus on terminology make technology transfer easier and can represent an important stage in the advancement of new technologies. Without the standardized dimensions of freight containers, international trade would be slower and more expensive. Without the standardization of telephone and banking cards, life would be more complicated. A lack of standardization may even affect the quality of life itself: for the disabled, for example, when they are barred access to consumer products, public transport and buildings because the dimensions of wheel-chairs and entrances are not standardized. Standardized symbols provide danger warnings and information across linguistic frontiers. Consensus on grades of various materials gives a common reference for suppliers and clients in business dealings. Agreement on a sufficient number of variations of a product to meet most current applications allows economies of scale with cost benefits for both producers and consumers. An example is the standardization of paper sizes. Standardization of performance or safety requirements of diverse equipment makes sure that users’ needs are met while allowing individual manufacturers the freedom to design their own solution on how to meet those needs.
Standardized protocols allow computers from different vendors to “talk” to each other. Standardized documents speed up the transit of goods, or identify sensitive or dangerous cargoes that may be handled by people speaking different languages. Standardization of connections and interfaces of all types ensures the compatibility of equipment of diverse origins and the interoperability of different technologies. Agreement on test methods allows meaningful comparisons of products, or plays an important part in controlling pollution – whether by noise, vibration or emissions. Safety standards for machinery protect people at work, at play, at sea… and at the dentist’s. Without the international agreement contained in ISO standards on quantities and units, shopping and trade would be haphazard, science would be – unscientific – and technological development would be handicapped. More than half a million organizations in more than 149 countries are implementing ISO 9000, which provides a framework for quality management throughout the processes of producing and delivering products and services for the customer. ISO 14000 environmental management systems are helping organizations of all types to improve their environmental performance at the same time as making a positive impact on business results.
How the ISO system is managed:
All strategic decisions are referred to the ISO members, who meet for an annual General Assembly. The proposals put to the members are developed by the ISO Council, drawn from the membership as a whole, which resembles the board of directors of a business organization. ISO Council meets two times a year and its membership is rotated to ensure that it is representative of ISO’s membership. Operations are managed by a Secretary-General, which is a permanent appointment. The Secretary-General reports to the ISO Council, the latter being chaired by the President who is a prominent figure in standardization or in business, elected for two years. The Secretary-General is based at ISO Central Secretariat in Geneva, Switzerland, with a compact staff which provides administrative and technical support to the ISO members, coordinates the decentralized standards’ development programme, and publishes the output.
How the ISO system is financed:
ISO’s national members pay subscriptions that meet the operational cost of ISO’s Central Secretariat. The subscription paid by each member is in proportion to the country’s Gross National Income and trade figures. Another source of revenue is the sale of standards. However, the operations of ISO Central Secretariat represent only about one fifth of the cost of the system’s operation. The main costs are borne by the member bodies which manage the specific standards’ development projects and the business organizations which provide experts to participate in the technical work. These organizations are, in effect, subsidizing the technical work by paying the travel costs of the experts and allowing them time to work on their ISO assignments.
Who develops ISO standards:
ISO standards are developed by technical committees comprising experts from the industrial, technical and business sectors which have asked for the standards, and which subsequently put them to use. These experts may be joined by others with relevant knowledge, such as representatives of government agencies, testing laboratories, consumer associations, environmentalists, academic circles and so on. The experts participate as national delegations, chosen by the ISO national member institute for the country concerned. These delegations are required to represent not just the views of the organizations in which their participating experts work, but of other stakeholders too. According to ISO rules, the member institute is expected to take account of the views of the range of parties interested in the standard under development and to present a consolidated, national consensus position to the technical committee.
How ISO standards are developed:
The national delegations of experts of a technical committee meet to discuss, debate and argue until they reach consensus on a draft agreement. This is then circulated as a Draft International Standard (DIS) to ISO’s membership as a whole for comment and balloting. Many members have public review procedures for making draft standards known and available to interested parties and to the general public. The ISO members then take account of any feedback they receive in formulating their position on the draft standard. If the voting is in favor, the document, with eventual modifications, is circulated to the ISO members as a Final Draft International Standard (FDIS). If that vote is positive, the document is then published as an International Standard. Every working day of the year, an average of ten ISO meetings are taking place somewhere in the world. In between meetings, the experts continue the standards’ development work by correspondence. Increasingly, their contacts are made by electronic means and some ISO technical bodies have already gone over entirely to electronic working, which speeds up the development of standards and reduces travel costs.
ISO’s international partners:
ISO collaborates with its partners in international standardization, the IEC (International Electrotechnical Commission) and ITU (International Telecommunication Union). The three organizations, all based in Geneva, Switzerland, have formed the World Standards Cooperation in order to better coordinate their activities, as well as the implementation of International Standards. ISO is one of the few non-governmental organizations having observer status in the World Trade Organization. Its contribution is increasingly solicited in relation to the elimination of technical barriers to trade. ISO collaborates with the United Nations Organization and its specialized agencies and commissions, particularly those involved in the harmonization of regulations and public policies, such as:
- CODEX Alimentarius, for food safety measurement, management and traceability;
- UNECE, for the use of ISO Standards in relation to the safety of motor vehicles or the transportation of dangerous goods;
- WHO, the World Health Organization, for health technologies;
- IMO, the International Maritime Organization, for securing maritime and intermodal transport;
- WTO-T, the World Tourism Organization, for the quality of services related to tourism;
or with those engaged in bringing assistance and support to developing countries, such as UNCTAD, UNIDO or the International Trade Centre. ISO’s technical committees have formal liaison relations with some 580 international and regional organizations, which complement this impressive network and which, together with the network of its national members, are key for the global relevance, actual use and recognition of its Standards by market forces and the general public. Relations with international groups of stakeholders have also been reinforced. ISO is now an institutional member of the World Economic Forum, has increased its collaboration with NGOs representing societal or professional interests, such as Consumers International, the World Business Council on Sustainable Development or the International Federation of Standards Users (IFAN), and collaborates regularly with the major international organizations involved in metrology, quality and conformity assessment.
Management principles of ISO in Business Continuity Management:
Effective integration of ISO into the basic management principles (planning, controlling, leading and organizing) leads to effective business continuity management.
According to this study, the ideal approach to business continuity management with an integration of the management principles of ISO should involve the design of a business continuity process. This involves four fundamental areas, which are:
- Assessment of the possible threat
- Continuity planning
- Disaster recovery
- Contingency planning
The ISO standards considered in this study are:
- ISO 9000 and ISO 9000:2000
- ISO 9000-3
- ISO 12207
- ISO 13335
- ISO 15408
- ISO 15489
- ISO/IEC 17799:2005
- ISO 18043
- ISO/IEC TR 18044
- ISO 19770
- ISO 20000
- ISO 21827
- ISO 27001
- ISO 28000 and ISO/PAS 28000
Quality management principles:
The eight quality management principles are defined in ISO 9000:2000, Quality management systems – Fundamentals and vocabulary, and in ISO 9004:2000, Quality management systems – Guidelines for performance improvements. This document gives the standardized descriptions of the principles as they appear in ISO 9000:2000 and ISO 9004:2000. In addition, it provides examples of the benefits derived from their use and of the actions that managers typically take in applying the principles to improve their organizations’ performance.
- Principle 1 Customer focus
- Principle 2 Leadership
- Principle 3 Involvement of people
- Principle 4 Process approach
- Principle 5 System approach to management
- Principle 6 Continual improvement
- Principle 7 Factual approach to decision making
- Principle 8 Mutually beneficial supplier relationships
- The next step
Principle 1 Customer focus
Organizations depend on their customers and therefore should understand current and future customer needs, should meet customer requirements and strive to exceed customer expectations.
Key benefits:
- Increased revenue and market share obtained through flexible and fast responses to market opportunities.
- Increased effectiveness in the use of the organization’s resources to enhance customer satisfaction.
- Improved customer loyalty leading to repeat business.
Applying the principle of customer focus typically leads to:
- Researching and understanding customer needs and expectations.
- Ensuring that the objectives of the organization are linked to customer needs and expectations.
- Communicating customer needs and expectations throughout the organization.
- Measuring customer satisfaction and acting on the results.
- Systematically managing customer relationships.
- Ensuring a balanced approach between satisfying customers and other interested parties (such as owners, employees, suppliers, financiers, local communities and society as a whole).
Principle 2 Leadership
Leaders establish unity of purpose and direction of the organization. They should create and maintain the internal environment in which people can become fully involved in achieving the organization’s objectives.
Key benefits:
- People will understand and be motivated towards the organization’s goals and objectives.
- Activities are evaluated, aligned and implemented in a unified way.
- Miscommunication between levels of an organization will be minimized.
Applying the principle of leadership typically leads to:
- Considering the needs of all interested parties including customers, owners, employees, suppliers, financiers, local communities and society as a whole.
- Establishing a clear vision of the organization’s future.
- Setting challenging goals and targets.
- Creating and sustaining shared values, fairness and ethical role models at all levels of the organization.
- Establishing trust and eliminating fear.
- Providing people with the required resources, training and freedom to act with responsibility and accountability.
- Inspiring, encouraging and recognizing people’s contributions.
Principle 3 Involvement of people
People at all levels are the essence of an organization and their full involvement enables their abilities to be used for the organization’s benefit.
Key benefits:
- Motivated, committed and involved people within the organization.
- Innovation and creativity in furthering the organization’s objectives.
- People being accountable for their own performance.
- People eager to participate in and contribute to continual improvement.
Applying the principle of involvement of people typically leads to:
- People understanding the importance of their contribution and role in the organization.
- People identifying constraints to their performance.
- People accepting ownership of problems and their responsibility for solving them.
- People evaluating their performance against their personal goals and objectives.
- People actively seeking opportunities to enhance their competence, knowledge and experience.
- People freely sharing knowledge and experience.
- People openly discussing problems and issues.
Principle 4 Process approach:
A desired result is achieved more efficiently when activities and related resources are managed as a process.
Key benefits:
- Lower costs and shorter cycle times through effective use of resources.
- Improved, consistent and predictable results.
- Focused and prioritized improvement opportunities.
Applying the principle of process approach typically leads to:
- Systematically defining the activities necessary to obtain a desired result.
- Establishing clear responsibility and accountability for managing key activities.
- Analysing and measuring the capability of key activities.
- Identifying the interfaces of key activities within and between the functions of the organization.
- Focusing on the factors such as resources, methods, and materials that will improve key activities of the organization.
- Evaluating risks, consequences and impacts of activities on customers, suppliers and other interested parties.
Principle 5 System approach to management:
Identifying, understanding and managing interrelated processes as a system contributes to the organization’s effectiveness and efficiency in achieving its objectives.
Key benefits:
- Integration and alignment of the processes that will best achieve the desired results.
- Ability to focus effort on the key processes.
- Providing confidence to interested parties as to the consistency, effectiveness and efficiency of the organization.
Applying the principle of system approach to management typically leads to:
- Structuring a system to achieve the organization’s objectives in the most effective and efficient way.
- Understanding the interdependencies between the processes of the system.
- Structured approaches that harmonize and integrate processes.
- Providing a better understanding of the roles and responsibilities necessary for achieving common objectives and thereby reducing cross-functional barriers.
- Understanding organizational capabilities and establishing resource constraints prior to action.
- Targeting and defining how specific activities within a system should operate.
- Continually improving the system through measurement and evaluation.
Principle 6 Continual improvement:
Continual improvement of the organization’s overall performance should be a permanent objective of the organization.
Key benefits:
- Performance advantage through improved organizational capabilities.
- Alignment of improvement activities at all levels to an organization’s strategic intent.
- Flexibility to react quickly to opportunities.
Applying the principle of continual improvement typically leads to:
- Employing a consistent organization-wide approach to continual improvement of the organization’s performance.
- Providing people with training in the methods and tools of continual improvement.
- Making continual improvement of products, processes and systems an objective for every individual in the organization.
- Establishing goals to guide, and measures to track, continual improvement.
- Recognizing and acknowledging improvements.
Principle 7 Factual approach to decision making:
Effective decisions are based on the analysis of data and information.
Key benefits:
- Informed decisions.
- An increased ability to demonstrate the effectiveness of past decisions through reference to factual records.
- Increased ability to review, challenge and change opinions and decisions.
Applying the principle of factual approach to decision making typically leads to:
- Ensuring that data and information are sufficiently accurate and reliable.
- Making data accessible to those who need it.
- Analysing data and information using valid methods.
- Making decisions and taking action based on factual analysis, balanced with experience and intuition.
Principle 8 Mutually beneficial supplier relationships:
An organization and its suppliers are interdependent and a mutually beneficial relationship enhances the ability of both to create value.
Key benefits:
- Increased ability to create value for both parties.
- Flexibility and speed of joint responses to changing market or customer needs and expectations.
- Optimization of costs and resources.
Applying the principles of mutually beneficial supplier relationships typically leads to:
- Establishing relationships that balance short-term gains with long-term considerations.
- Pooling of expertise and resources with partners.
- Identifying and selecting key suppliers.
- Clear and open communication.
- Sharing information and future plans.
- Establishing joint development and improvement activities.
- Inspiring, encouraging and recognizing improvements and achievements by suppliers.
The next step: This document provides a general perspective on the quality management principles underlying the ISO 9000:2000 series. It gives an overview of these principles and shows how, collectively, they can form a basis for performance improvement and organizational excellence. There are many different ways of applying these quality management principles; the nature of the organization and the specific challenges it faces will determine how to implement them. Many organizations will find it beneficial to set up quality management systems based on these principles. The requirements for quality management systems and the supporting guidelines are given in the ISO 9000 family of standards (see the ISO brochure ISO 9000 – Selection and use).
ISO 9000:2000, the revised series, is focused more on results and on the quality management principles, with a strong emphasis on management commitment. The standards call for measures that improve and consistently preserve the quality of processes and finished products, supported by proper documentation and by inspection by the certifying authorities.
ISO 9000-3, Guidelines for the application of ISO 9001 to the development, supply and maintenance of software, covers software engineering, guiding the application of the ISO 9000 quality assurance standards to the systems development process.
ISO/PAS 28000: ISO 28000 is the series of standards which underpins the operational requirements now being implemented by most supply chain operators as they strive to enhance security and deal with threats from both terrorists and criminals. The ISO 28000 specification helps companies demonstrate to their supply chain partners and stakeholders that they have top management commitment and sound operational arrangements in place for identifying threats and managing risks. More companies are now expected to comply with codes and regulations such as C-TPAT, the World Customs Organization’s Framework of Standards and the EC’s Regulation for Enhancing Supply Chain Security, but they will only achieve the necessary operational objectives if they have in place a sound management systems framework, such as ISO/PAS 28000, to ensure that requirements are implemented and verified. All businesses that rely on the supply chain for business continuity will benefit from adopting the sound management principles in ISO 28000.
ISO/IEC 17799:2005 Information technology – Security techniques – Code of practice for information security management (renumbered ISO/IEC 27002 in 2007):
Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment: as a result of this interconnectivity, information is now exposed to a growing number and a wider variety of threats and vulnerabilities (see also the OECD Guidelines for the Security of Information Systems and Networks). Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on film, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. It is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved where necessary, to ensure that the specific security and business objectives of the organization are met, and this should be done in conjunction with other business management processes.
An improved version of the joint ISO/IEC standard that has become the e-commerce community’s international benchmark for information security management was published in 2005. The revised ISO/IEC 17799, Information technology – Security techniques – Code of practice for information security management, integrates the latest developments in the field to maintain it as the international code of practice. The modern interconnected e-commerce environment, with information now exposed to a growing number and wider variety of threats and vulnerabilities, is the main beneficiary of the standard. Ted Humphreys, Convener of the ISO/IEC working group that developed ISO/IEC 17799:2005, said: “The revised version of this standard provides organizations with many state-of-the-art additions and improvements in information security best practice. For example, better management of security arrangements with external businesses, outsourcing and service providers, enhanced incident handling capability, dealing with problems of patch management, mobile devices, wireless technologies and harmful mobile code via the Internet, improvements in best practice managing human resources and several other new features.”
ISO/IEC 17799:2005 is a code of practice for information security management. It is not a certification standard and was neither designed for, nor is it suitable for, this purpose. It was followed in the last quarter of 2005 (publication was expected in November 2005) by the specification standard ISO/IEC 27001, Information security management system (ISMS) requirements, which can be used for certification. The new version addresses the security of information in its widest sense, providing best business practice, guidelines and general principles for implementing, maintaining and managing information security in any organization producing and using information in any form.
Any organization has assets essential to its continuity, and arguably information in its various forms is the most important of them, be it printed, stored electronically, posted or e-mailed, shown on film or spoken. For most businesses, information security may be essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image. Many businesses and most non-business organizations may hold information as their only asset, and an absence of information security may threaten their integrity and, therefore, their very existence.
ISO/IEC 17799:2005 recognizes that the level of security that can be achieved purely through technical means is limited. The required level of security, established by assessing the levels of risk and the cost of security breaches against the cost of implementing security, should always be driven by appropriate management controls and procedures. Information security management requires, as a minimum, participation by all employees in the organization, and may also require participation from shareholders, suppliers, third parties and customers. ISO/IEC 17799:2005 identifies the controls that form the starting point for information security. It covers the critical success factors, the organization of information security, asset management, human resources, physical and environmental security, communications and operations management, information systems acquisition, development and maintenance, incident management, business continuity management and compliance. It is destined to become an essential tool for organizations of every type and size, whether public or private. Ted Humphreys commented: “Users of this standard can also demonstrate to business partners, customers and suppliers that they are fit enough and secure enough to do business with, providing the chance for them to turn their investment in information security into business-enabling opportunities. In summary, this revised ISO/IEC 17799 is the most important standard for managing information security that has been developed – it establishes a truly international common language for information security for all organizations around the world to engage with each other to do business.”
ISO/IEC 17799:2005 costs 200 Swiss francs and is available from ISO national member institutes and from the ISO Central Secretariat. It was developed by ISO/IEC Joint Technical Committee JTC 1, Information technology, Subcommittee SC 27, Security techniques, Working Group WG 1, Requirements, security services and guidelines. The original International Standard ISO/IEC 17799 was prepared by the British Standards Institution (as BS 7799) and was adopted, under a special “fast-track procedure”, by ISO/IEC JTC 1 in parallel with its approval by the national bodies of ISO and IEC. It provides a common approach to managing risk that applies to systems of every kind, although not every control is practical for smaller organizations. ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:
- security policy;
- organization of information security;
- asset management;
- human resources security;
- physical and environmental security;
- communications and operations management;
- access control;
- information systems acquisition, development and maintenance;
- information security incident management;
- business continuity management;
- compliance.
The descriptions that follow use the section names of the 2000 edition of the standard, which the 2005 edition renamed as in the list above:
Security policy: adopting a security policy that outlines an organization’s expectations for security; this demonstrates management’s support of and commitment to security.
Security organization (organization of information security): having a management structure for security, including appointing security coordinators, delegating security management responsibilities and establishing a security incident response process.
Asset classification and control (asset management): conducting a detailed assessment and inventory of an organization’s information infrastructure and information assets to determine an appropriate level of security.
Personnel security (human resources security): making security a key component of human resources and business operations. This includes writing security expectations into job responsibilities (IT administrators and end users), screening new personnel for criminal histories, using confidentiality agreements when dealing with sensitive information and having a reporting process for security incidents.
Physical and environmental security: establishing a policy that protects the IT infrastructure, physical plant and employees. This includes controlling building access, having backup power supplies, performing routine equipment maintenance and securing off-site equipment.
Business continuity management: planning for disasters, natural and man-made, and recovering from them.
The standard runs to some 71 pages of security management guidance; its main features are as follows.
The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.
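The reasoning above, that the required level of security is set by weighing the expected loss from breaches against the cost of controls, and that controls are implemented to meet the requirements a risk assessment identifies, can be made concrete. The following Python is an added example written for this page, not code from ISO or from the article: it computes an annualized loss expectancy (ALE) for each risk, applies only those candidate controls whose expected saving exceeds their annual cost, stops once the residual loss is within a stated risk appetite, and records the outcome per control in the form ISO/IEC 27001 calls a statement of applicability. The assets, threats, frequencies, costs, reduction factors, the `APPETITE` figure and the record format are constructed values assumed for the example.

```python
"""Risk-driven control selection (added example; all figures constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # cost to implement and operate for one year (constructed)
    reduction: float     # fraction of expected loss the control removes, 0..1 (assumed)


@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float   # business value of the asset (constructed)
    exposure: float      # fraction of that value lost in a single incident, 0..1
    frequency: float     # expected number of incidents per year
    candidates: list     # Controls that could treat this risk

    def ale(self) -> float:
        """Annualized loss expectancy: value x exposure (single loss) x yearly rate."""
        return self.asset_value * self.exposure * self.frequency


def select_controls(risk: Risk, appetite: float):
    """Treat one risk. At each step apply the remaining control with the largest
    net benefit (expected loss avoided minus its cost), but only while the
    residual expected loss still exceeds the appetite and only if the control
    pays for itself. Returns (chosen controls, residual ALE, decision)."""
    residual = risk.ale()
    chosen = []
    pool = list(risk.candidates)
    while residual > appetite and pool:
        best = max(pool, key=lambda c: residual * c.reduction - c.annual_cost)
        if residual * best.reduction - best.annual_cost <= 0:
            break                      # nothing left that is worth its cost
        chosen.append(best)
        residual -= residual * best.reduction
        pool.remove(best)
    # Residual risk above appetite with no affordable control left cannot be
    # silently accepted: it has to go back to management for a decision.
    decision = "accept" if residual <= appetite else "escalate"
    return chosen, residual, decision


def statement_of_applicability(risks, appetite):
    """Map every candidate control to (applicable?, justification). A control
    is applicable if at least one risk assessment justified it."""
    soa = {}
    for risk in risks:
        chosen, _residual, _decision = select_controls(risk, appetite)
        for control in risk.candidates:
            if control in chosen:
                soa[control.name] = (True, f"treats '{risk.threat}' on {risk.asset}")
            else:
                soa.setdefault(control.name, (
                    False, f"not justified by the risk to {risk.asset} (ALE {risk.ale():.0f})"))
    return soa


# Constructed illustrative data; not figures from any standard or the article.
SEGREGATION = Control("network segregation", annual_cost=6_000, reduction=0.5)
ENCRYPTION = Control("encryption at rest", annual_cost=4_000, reduction=0.3)
MONITORING = Control("intrusion monitoring", annual_cost=15_000, reduction=0.2)
CABLE_LOCK = Control("cable lock", annual_cost=30, reduction=0.8)

RISKS = [
    Risk("customer database", "data theft by an external attacker",
         asset_value=500_000, exposure=0.4, frequency=0.2,
         candidates=[SEGREGATION, ENCRYPTION, MONITORING]),
    Risk("office printer", "theft", asset_value=2_000, exposure=1.0, frequency=0.1,
         candidates=[CABLE_LOCK]),
]
APPETITE = 5_000.0   # maximum expected annual loss management accepts per risk (assumed)

if __name__ == "__main__":
    for risk in RISKS:
        chosen, residual, decision = select_controls(risk, APPETITE)
        print(f"{risk.asset}: ALE {risk.ale():.0f} -> residual {residual:.0f}, "
              f"{decision}, controls {[c.name for c in chosen]}")
    for name, (applicable, why) in statement_of_applicability(RISKS, APPETITE).items():
        print(f"  {name}: {'applicable' if applicable else 'excluded'} ({why})")
```

Two outcomes are worth noting. For the database, segregation and encryption both pay for themselves, but monitoring at 15,000 per year does not against a residual of 14,000, and that residual is still above the appetite, so the result is "escalate": the remaining risk must be formally accepted or funded by management rather than quietly left. For the printer, the risk is already within appetite, so the cheap cable lock is recorded as not applicable: the justification for a control is the risk assessment, not the control's price.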
State-of-the-art information security management systems with new ISO/IEC 27001:2005 standard:
Information security flaws can result in escalating financial losses and wreak havoc with business operations. The newly published ISO/IEC 27001:2005 standard for information security management systems can help organizations plug existing leaks and prevent future threats. “The publication of ISO/IEC 27001:2005 is a big event in the world of information security and the standard has been eagerly awaited,” said Ted Humphreys, Convener of the working group responsible for managing the development of the standard. “It is a standard that all security-conscious organizations should look to implement.” ISO/IEC 27001:2005 can be used by a broad range of organizations – small, medium and large – in most of the commercial and industrial market sectors: finance and insurance, telecommunications, utilities, retail and manufacturing, various service industries, transportation, governments and many others. The implementation of ISO/IEC 27001:2005 will reassure customers and suppliers that information security is taken seriously within the organizations they deal with, because those organizations have in place state-of-the-art processes to deal with information security threats and issues. Information is an asset which, like other important business assets, adds value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems. ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, specifies the processes that enable a business to establish, implement, review and monitor, manage and maintain an effective ISMS.
ISO/IEC 27001:2005 integrates the process-based approach of ISO’s management system standards, ISO 9001:2000 and ISO 14001:2004, including the Plan-Do-Check-Act (PDCA) cycle and the requirement for continual improvement. The new standard forms a complementary pair with the recently published ISO/IEC 17799:2005 “code of practice” on information security management. Organizations that so wish can have their information security management systems independently certified as conforming to the requirements of ISO/IEC 27001:2005, although certification is not a requirement of the standard. Up to now, organizations that wished to have their ISMS certified have done so in conformity with the British Standard BS 7799 Part 2; this is now possible against ISO/IEC 27001:2005, which is an International Standard. ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, costs 124 Swiss francs and is available from ISO national member institutes and from the ISO Central Secretariat. It was developed by ISO/IEC Joint Technical Committee JTC 1, Information technology, Subcommittee SC 27, Security techniques, Working Group WG 1, Requirements, security services and guidelines.
ISO 12207 covers software life cycle processes, providing a conceptual framework and terminology.
ISO 15288:2002 System Life Cycle Processes covers systems engineering by defining a set of processes and terminology.
ISO 13335 – IT security management
ISO 13335 (which started life as a Technical Report TR before becoming a full ISO standard) comprises a set of guidelines for the management of IT security, focusing primarily on technical security control measures:
- ISO 13335-1:2004 “Information technology – Security techniques – Management of information and communications technology security – Part 1: Concepts and models for information and communications technology security management”. Explains the concepts and models for information and communications technology security management. (ISO/IEC TR 13335 parts 1 and 2 were combined into the revised ISO/IEC 13335-1: 2004. The original TR13335-2:1997 “Guidelines for the management of IT security – Part 2: Managing and planning IT security” was cancelled.)
- ISO 13335-2, when published, is expected to cancel and replace ISO/IEC TR 13335-3:1998 and ISO/IEC TR 13335-4:2000.
- ISO TR 13335-3:1998 “Information technology – Guidelines for the Management of IT Security – Part 3: Techniques for the management of IT Security”. Covers techniques for the management of IT security. This standard is currently under revision and will be inserted into ISO 27005
- ISO TR 13335-4:2000 covers the selection of safeguards (meaning technical security controls). This standard is also currently under revision and will be inserted into ISO 27005
- ISO TR 13335-5:2001 provides management guidance on network security. This standard is currently under revision, being merged into ISO/IEC 18028-1. ISO/IEC 18028-1 will eventually cancel and replace ISO/IEC TR 13335-5:2001.
ISO 15408 – Common Criteria
ISO/IEC 15408:1999 describes the Common Criteria for Information Technology Security Evaluation. Products evaluated against the Common Criteria receive a defined level of assurance (an Evaluation Assurance Level) as to their security functionality, and the resulting certificates are mutually recognized among the signatories of the Common Criteria Recognition Arrangement. The evaluation process is costly and slow, however, and is therefore not widely used outside the government and defence markets.
ISO 15489 – Records Management
ISO 15489:2001 is a records management standard in two parts:
- Part 1 describes a “high level framework for recordkeeping and specifically addresses the benefits of records management, regulatory considerations affecting its operation and the importance of assigning of responsibilities for recordkeeping. It also discusses high level records management requirements, the design of recordkeeping systems and actual processes involved in records management, such as record capture, retention, storage, access etc. It concludes with a discussion of records management audit operations and training requirements for all staff of an organization.”
- Part 2 provides “practical and more detailed guidance about how to implement the framework outlined in Part 1. For example it provides specific detail about the development of records management policy and responsibility statements and outlines the DIRKS process for developing recordkeeping systems. Part 2 also provides practical guidance about the development of records processes and controls and specifically addresses the development of key recordkeeping instruments such as thesauri, disposal authorities and security and access classification schemes. It then discusses the use of these tools to capture, register, classify, store, provide access to and otherwise manage records. Part 2 also provides specific guidance about the establishment of monitoring, auditing and training programs to promote and effectively implement records management within an organization.”
ISO 18043 – Selection, Deployment and Operations of Intrusion Detection Systems (IDS):
ISO/IEC 18043:2006 focuses on the security principles behind unauthorized intrusion into computer systems/networks and how organizations can establish frameworks to enable comprehensive Intrusion Detection Systems (IDS). It addresses IDS selection, deployment and operation to help IT managers set up standard, and hence interoperable, IDS configurations.
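To show what the “operation” side of an IDS deployment looks like in practice, the following Python is an added example (not code from ISO/IEC 18043 or from the article) of a minimal host-based intrusion detector run over constructed OpenSSH-style authentication log lines. It applies two rules: a threshold rule that raises an alert when one source address accumulates five failed logins inside a 60-second window, and a correlation rule that raises a higher-severity alert when a successful login follows such a burst, which is the case an operator must act on first. The log lines, the threshold, the window length, the rule names and the alert format are assumptions made for the example.

```python
"""Minimal host-based IDS over OpenSSH-style log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in syslog/OpenSSH format; not real traffic.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40011 ssh2
Mar  3 10:00:03 bastion sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 40012 ssh2
Mar  3 10:00:04 bastion sshd[4103]: Failed password for root from 203.0.113.5 port 40013 ssh2
Mar  3 10:00:05 bastion sshd[4104]: Failed password for root from 203.0.113.5 port 40014 ssh2
Mar  3 10:00:06 bastion sshd[4105]: Failed password for root from 203.0.113.5 port 40015 ssh2
Mar  3 10:00:09 bastion sshd[4106]: Accepted password for root from 203.0.113.5 port 40016 ssh2
Mar  3 10:05:00 bastion sshd[4107]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Mar  3 10:05:20 bastion sshd[4108]: Accepted password for alice from 198.51.100.7 port 51002 ssh2
Mar  3 10:06:00 bastion cron[4109]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line):
    """Return (timestamp, outcome, user, source) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog pads a one-digit day with a space ("Mar  3"); collapse it before parsing
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    return ts, m.group("outcome"), m.group("user"), m.group("src")


def detect(log_text, threshold=5, window_s=60):
    """Run two rules over the log and return the alerts raised, in order.

    brute-force:            a source reaches `threshold` failed logins within `window_s`
    success-after-failures: a login succeeds from a source currently over the threshold
    """
    recent_failures = defaultdict(deque)      # source -> failure timestamps in the window
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue                          # not an sshd authentication event
        ts, outcome, user, src = rec
        q = recent_failures[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                       # expire events that fell out of the window
        if outcome == "Failed":
            q.append(ts)
            if len(q) == threshold:           # fire once, when the threshold is crossed
                alerts.append({"severity": "medium", "rule": "brute-force",
                               "src": src, "user": user, "ts": ts})
        elif len(q) >= threshold:
            alerts.append({"severity": "high", "rule": "success-after-failures",
                           "src": src, "user": user, "ts": ts})
            q.clear()                         # the burst has been reported
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']:%b %d %H:%M:%S} [{a['severity']}] {a['rule']}: "
              f"{a['src']} user={a['user']}")
```

Run on the sample, the detector raises a medium-severity brute-force alert for 203.0.113.5 at the fifth failure and a high-severity alert when the same source then logs in as root; alice’s single typo followed by a successful login raises nothing, and the cron line is ignored because it does not match the signature. The threshold and window are the tuning knobs ISO/IEC 18043 leaves to the deploying organization: too low and operators drown in alerts, too high and a slow attack passes unnoticed.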
ISO/IEC TR 18044:
ISO/IEC TR 18044:2004 explains best-practice information security incident management processes for information security and system managers. Effective responses to security incidents require extensive technical and procedural preparations. Incident responses require immediate, short- and long-term actions that should follow documented security incident response procedures. The standard provides:
- Information on the benefits to be obtained from, and the key issues associated with, a sound incident management approach;
- Examples of information security incidents and insights into their possible causes;
- An outline of the planning and documentation required to introduce a well-structured information security incident management approach, along with a description of the recommended process steps.
ISO 19770 – Software Asset Management:
ISO/IEC 19770-1:2006 promotes the implementation of an integrated set of software asset management processes, using good practices for efficient software management. Contents:
- Scope, terms and definitions
- Field of application
- Conformance
- Intended usage
- Agreement compliance
- General Software Asset Management processes
- Control environment for Software Asset Management
- Planning and implementation
- Inventory processes
- Verification and compliance processes
- Operations management processes and interfaces
- Life cycle process interfaces
ISO 20000 – ITIL – IT Service Management:
“ITIL (IT Infrastructure Library) is the most widely accepted approach to IT Service Management in the world. ITIL provides a cohesive set of best practice, drawn from the public and private sectors internationally. It is supported by a comprehensive qualifications scheme, accredited training organizations, and implementation and assessment tools.” BS 15000, the British standard for IT service management aligned with ITIL, has now become ISO/IEC 20000, a two-part standard:
- ISO/IEC 20000 Part 1:2005, “Information technology service management. Specification for Service Management”, describes the requirements for IT service management against which organizations may be independently certified.
- ISO/IEC 20000 Part 2:2005, “Information technology service management. Code of Practice for Service Management”, gives more practical guidance to implementers: a suite of best practices for IT service management.
ISO 21827 – Systems Security Engineering Capability Maturity Model:
Like other Capability Maturity Models (CMMs), the Systems Security Engineering (SSE) CMM defines the essential characteristics of SSE processes, emphasizing those which indicate process maturity. The model covers the entire systems development life cycle from concept definition to decommissioning. It applies to those developing or integrating secure products and systems, and to those providing specialist security services such as security engineering.
Conclusion
Along with the recent promotion of networking business processes in areas such as supply chain management (SCM) or e-commerce, the scope of our business community has been expanding and increasing in terms of transaction volumes and speed. Thanks to the development of information and network technologies, the requirements this creates are easily fulfilled, from business organizations through to the governmental level. On the other hand, we have occasionally come across incidents of business discontinuity not only in one specific organization, but also in several organizations linked within a supply chain ore-commerce network. The scope of disruption has also been expanding and increasing in size and speed. In such circumstances, BCP (Business Continuity Planning) has become increasingly important to ensure “resiliency” in business communities as a proactive business initiative. BCP has evolved from conventional DRP (Disaster Recovery Planning) and has integrated the perspective of continuing business operations at an acceptable level to protect the tangible and intangible assets of organizations based on business impact analysis. Stand-alone BCP is insufficient to achieve “resiliency” in the business community as a whole. Some methodologies, systems for professional skill development, and social systems for wide spread application of BCP will be required to establish security in business communities. In Japan, several BCP guidelines have already been issued, or will soon be issued, by the Ministry of Economy, Trade and Industry, the Cabinet Office, the Small and Medium Enterprise Agency, and major industry associations. Many private and public organizations have already recognized the importance of BCP and started establishing BCP programmes to share within their own communities.
Although international standardization of BCP will no doubt contribute to supporting those efforts, careful discussion regarding the scope of application and approaches to implementation will be required to avoid an unnecessary burden on organizations. Too much standardization may itself become a threat to business continuity. The required levels of, and threats to, business continuity will differ by organization, industry, or country. The differences in each organization’s mission and social responsibility should also be reflected. Considering those discussion points, international standardization of BCP would be desirable in a guideline format, providing each organization with a shared baseline framework for its business community, supported by local standardization through the development of specific action plans.