
Continuity and Resilience (CORE)

ISO 22301 BCM Consulting Firm

Presentations by speakers at the
8th ME Business & IT Resilience Summit
March 10, 2019 at The Address Hotel, Dubai Mall, Dubai, UAE

Our Contact Details:

UAE
Continuity and Resilience
Tel: +971 2 6594006
Website: www.coreconsulting.ae
Email: info@continuityandresilience.com
PO Box: 25722, Abu Dhabi, United Arab Emirates

INDIA
Continuity and Resilience
Tel: +91 11 41055534 | Direct: +91 11 6467 9380
Website: www.coreconsulting.ae
Email: info@continuityandresilience.com
Level 15, Eros Corporate Towers, Nehru Place, New Delhi – 110019, India

Business Continuity and Information Security: An Excellent Fit!
Ramesh Ramani
Agenda

• Introduction: BCMS and ISMS

• International Standards, UAE Regulations (NCEMA, ADSIC, NESA, ISR, GDPR), Dubai Data Law

• PDCA Cycle

• Common Factors: BCMS and ISMS

• Organisational Considerations

• Joint Project Management

• Where will this work?

• Where will this not work?

• Q&A
Standards, Regulations

• ISO 27001:2013 - Information Security

• ISO 22301:2012 - Business Continuity

• UAE Regulations

✓ NCEMA 7001:2015 (National Emergency Crisis and Disasters Management Authority)

✓ ADSIC (Abu Dhabi Systems and Information Centre)

✓ NESA Standards (National Electronic Security Authority)

✓ ISR (Information Security Regulation)

✓ Regulating Data Dissemination and Exchange (Dubai Data Law)

✓ ADSIC (Abu Dhabi Government Data Management Standards)


PDCA Cycle

PDCA Cycle | Business Continuity (ISO 22301) | Information Security (ISO 27001)
Plan (Establish) | Gap Analysis, Information Risk Assessment, BIA, Risk Mitigation Plan | Gap Analysis, Information Risk Assessment, Risk Mitigation Plan
Do (Implement) | Implementing BCM response, Risk Mitigation | Risk Mitigation
Check (Monitor) | Internal Audit/Management reviews | Internal Audit/Management reviews
Act (Improve) | Exercising and maintaining BC arrangements and embedding BC culture | Continual Improvement
Program Management | Program Management | Program Management


Organisational Considerations

• Risk Management

• ISO 31000

• Risk management in your organization

• Cl 4 of 27001 and 22301

• ERM and relation with other functions

• International best practices - risk management

• RA methodology - specific to ADSIC/NESA

(Diagram: start with Cl 4 of 27001 and 22301.)

Organisational Considerations

• Scope of ISMS/BCMS
• Scope Document (Common)
• Exclusions
• Scope Statement

(Diagram: start with Cl 4 of 27001/22301, finish with ISR/NESA scope requirements.)

Organisational Considerations
BCMS/ISMS Objectives - Next Step

• Measurable - Measured
• Monitorable - Monitored
• Balanced Scorecard
• COBIT
BCMS Common Factors - Framework

• Risk Assessment (Critical Assets): Value, Vulnerability, Threat

• Business Impact Analysis: RTO / RPO / Max Outage

• Business Continuity Plan (ISO 22301): Existing setup / Redundancy / New Technologies

• Drawing of IT Continuity Plan (ISO 27031)

• Disaster Recovery Strategy Plan

• Drawing of RFP for DR site

• Establishment of DR site

• Testing DRP/BCP
ISMS Common Factors - Framework

Plan | Risk Assessment | Vulnerability, Threat, Asset Value | Technical, Processes, Procedures, People
Plan | Risk Mitigation Plan
Do | Risk Mitigation | Products, Processes or People Controls
Check | Audit | Internal Audit
Act | Continual Improvement | Closing of Audit Gaps / Raising the Bar

Continue with PDCA Cycle - ISO 27001 Certification


Joint Project Management - Plan

BC & IS: PLAN (diagram)

Lloyd's Register 11

Joint Project Management - Do

BC & IS: DO (diagram)

Joint Project Management - Check

BC & IS: CHECK

BC (Availability) | IS (CIA) | Activity
Internal Audit, Management Review, BC Tests/DR Tests | Internal Audit, Management Review, BC Tests/DR Tests | Internal Audit, Management Review, BC Tests/DR Tests (Common)

Joint Project Management - Act

BC & IS: ACT (diagram)
Joint Project Management - Phases

Initial Plan
Aim: Provide initial scope planning and preparation for the assignment.
Deliverables:
1. Scope and Service Acceptance Document (C)
2. ISMS/BCMS Scope definition
3. BC/IS Policy Statement (C)
4. BCM/Information Security Steering Committee Charter (C)

Acquire/Analyze Data
Aim: Collect all relevant data pertaining to the critical/information assets; develop the BIA/Risk Assessment methodology; perform asset enumeration/valuation.
Deliverables:
1. BIA/Risk Assessment Methodology
2. Information Asset Valuation / Critical Asset Valuation - C, I, A (C)
3. Critical/information assets register (C)

Develop BCMS/ISMS
Aim: Perform BIA/Risk Assessment on the identified critical/information assets and develop the BCP/Risk Treatment Plan; develop mandatory policies and controls.
Deliverables:
1. Vulnerability Assessment (C)
2. Threat Assessment (C)
3. Risk Assessment Report (IS)
4. BIA (RTO/RPO)
5. BCP/DRP (C)
6. Risk Mitigation & Treatment Plan (C)
7. Statement of Applicability (ISO 27001)
8. BCP/DR Policies and Procedures (C)

Implement BCMS/ISMS
Aim: Implement BCP/Risk Mitigation controls based on the BCP/control implementation road map.
Deliverables:
1. Implement controls identified
2. People (Training/Duties)
3. Implementing products (C?)
4. Implementing processes

Test BCMS/ISMS
Aim: Test the BCP/DRP; audit the ISMS.
Deliverables:
1. BC/DR Test Results
2. ISO 27001 Audit Reports

Continual Improvement
Aim: Continual improvement of BCMS/ISMS; prepare for ISO 27001/22301 certification.
Deliverables:
1. Certification against ISO 22301 / ISO 27001
Where will this work?

• Government Organizations

• Banking and Financial Services Industry

• Oil Industry

• BPO / ITES

• Software
What Do Auditors Look for?

✓ Scope of Certification/BCMS

✓ BCMS Objectives

✓ RA and BIA

✓ BCP Strategy/BCP

✓ DR (IT) and BCP Coordination

✓ PDCA Cycle

✓ Documentation Requirements

✓ Evidence of BC Testing

✓ Evidence of Senior Management Commitment


Our Information Security & Business Continuity Assessment and Training Services

Our range of online and face-to-face assessment services is suitable for organisations of all sizes and locations, and can help you make the most of the standards.

• Certifications

• Training

• Integrated management system assessment

• Gap Analysis

• Surveillance
Certification journey

Initial assessment: Stage 1, Stage 2
Surveillance: Themed surveillance, Focused visits
Certificate: Renewal

Risk-based methodology
Our experts tailor the assessment according to the maturity of your systems to ensure they are appropriate to the real risks you face.

Reporting
Our aim is to leave a report with you at the end of your visit, or as soon as possible afterwards. Rapid feedback is important, because once a risk has been identified, it needs to be addressed promptly.

Non-conformity
Taking notice of the non-conformities can help prevent costly mistakes and even legal action by the regulators.

Improvement log
Details your progress and the effective implementation of the improvements. A mechanism for tracking the progress of strategic improvements around the key issues.
W: LRQAMEA.COM
T: +971 (4) 701 4150
E: LRQA-MEA@LR.org

Thank You
