May 17, 2012

ISO/IEC 20000-1:2011 Standard Formally Released

by: Sally Smoczynski, Contributing Writer

I just wanted to let you know that ISO has issued an update to the ISO/IEC 20000-1:2005 standard.  The revised standard is ISO/IEC 20000-1:2011.  It is available for purchase at http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=51986

What does this mean for you?

If you are already certified to the old version of the standard, your Service Management System certification remains valid for now.  In the near future, the registrars will issue a transition plan that will require certified organizations to transition to the requirements of the new standard.  The transition period is usually 18 months.

I have highlighted a few of the changes for you to consider:

  1. The updated standard refers to a Service Management System instead of an IT Service Management System.
  2. Clauses 3 and 4 have been collapsed into one clause and aligned with the requirement statements of ISO 9001 and ISO/IEC 27001.
  3. There are additional definitions in the glossary.
  4. There is more clarification in most sections.
Clause changes, ISO/IEC 20000-1:2005 compared with ISO/IEC 20000-1:2011:

Clauses 3 and 4 have been merged into one clause.
  2005: Clause 3 Management Responsibility; Clause 4 PDCA Service Management
  2011: Clause 4 Service Management Responsibility

Clause 5 has been expanded into a more ITIL-based service design and transition process.
  2005: Clause 5 New or Changed Services
  2011: Clause 5 Design and Transition of New or Changed Services

Clause 6 adds clarification and expands the requirements in each sub-clause.

Clause 7 adds guidance on supplier management.

Clause 8 now covers service requests together with incident management.
  2005: Clause 8.2 Incident Management
  2011: Clause 8.2 Incident and Service Request Management

Clause 9 now includes release and deployment management, and Clause 10 is removed.
  2005: Clause 10 Release Management
  2011: Clause 9.3 Release and Deployment Management

I am certain that more will be written about these changes and their effects on organizations already certified to ISO/IEC 20000-1:2005, and on those considering compliance with or certification to the new ISO/IEC 20000-1:2011, so watch for those notices on this website and on other websites dealing with this standard.


Business Continuity, BS 25999-2 and now ISO 22301

Many readers have recently sent us questions about the proposed replacement of the leading business continuity standard, BS 25999-2, by an international standard, ISO 22301.

In our search for answers on business continuity, this website often turns to a blog authored by Dejan Kosutic.  Mr. Kosutic once again meets our needs with a concise posting on this matter.

Click here to read the full “ISO 22301 to Replace BS 25999-2” article by Mr. Kosutic.  If you are aware of any other developments or facts concerning the transition from BS 25999-2 to ISO 22301, please share them with our readers.  Thank you.

If applicable, pass this information along to those business continuity planning and risk management strategy team members in your organization.

Business Continuity: Legislations, Regulations, Standards and Guidelines

This website is often asked about a single source listing or document covering the current legislation, regulation and standards that exist nationally and internationally for Business Continuity and its management.

We realize that, because of regular changes and amendments at the country level and often inconsistent terminology between countries, sectors and legislators, it is difficult if not impossible to provide a definitive list of those regulations and standards.

However, our staff would like to present for consideration a document compiled by the Business Continuity Institute and improved through amendments over time.  The most recent revision of this document is entitled “Business Continuity Management Legislations, Regulations and Standards: Version 6 – January 2011.”

The document is divided into four (4) basic headings: 

  1. Legislation: Government laws which include aspects of Business Continuity Management by name or are sufficiently similar in nature (Disaster Recovery, Emergency Response, Crisis Management) to be treated as BCM legislation for this purpose. To be included in this category they must be legally enforceable legislation passed by a national, federal, state or provincial government depending upon the legal structure in each particular country.
  2. Regulation: Mandatory rules or audited guidance documents from official regulatory bodies.
  3. Standards: Official standards from national (and international) accredited standards bodies which relate to Business Continuity as a whole or specific related subset such as IT Service Continuity.
  4. Guidelines: Guidelines published as good (or best) practice by various authoritative organizations. 

If any of our readers are aware of a more comprehensive listing or an updated version of this document, please share that source with our readership.

Our staff believes that this kind of information belongs in the reference library of any business continuity or risk management team active in your organization.  And, given its close ties to the methodologies encompassed in the recent PS-Prep program, we believe this information can also be applied by the new PS-Prep teams now being organized in many private sector businesses across the United States.

Click here to read the full PDF version of this document.  We want to acknowledge and thank the Business Continuity Institute for leading the charge in organizing this repository of information and making it freely available to the internet BC community.

BCM.01-2010 (New Business Continuity Standard) in the News Again


BCM.01-2010 (Business Continuity Management Systems: Requirements with Guidance for Use, ANSI/ASIS/BSI BCM.01-2010), the new business continuity management standard produced in collaboration between ASIS International and the British Standards Institution (BSI), has lately been receiving new coverage on a variety of websites.

As this website posted earlier this year, this new standard has been designated an American National Standard by the American National Standards Institute (ANSI).  We are also pleased to remind our readers that two of our staff members, Ms. Lisa DuBrock and Mr. Don Byrne, were active participants in several of the committees and discussions that led to the final development and issuance of this standard.

An article recently posted on the Security Magazine website states that “…the standard provides auditable criteria with accompanying guidance for developing and implementing a business continuity management system that improves an organization’s ability to prepare for, respond to, and recover from a disruptive event.”  Click here to read the full article.

Using the globally-accepted ISO “plan-do-check-act” model, the new ASIS/BSI business continuity management standard specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining, and improving a Business Continuity Management System.

However, one question about this new standard remains to be answered: will the Department of Homeland Security (DHS) add it to the list of approved standards for PS-Prep?

No one knows for sure, but this website did build a case for that position in an earlier posting … click here.

Meanwhile, we feel fairly confident in stating that the ASIS/BSI Business Continuity Management Standard complements the ANSI/ASIS Organizational Resilience standard (ASIS SPC.1-2009) as well as BSI’s BS 25999 standard, and addresses most if not all of the core elements of the DHS PS-Prep Program.

If applicable, please pass this information along to those business continuity, risk management, organizational resilience and compliance management team members in your organization.

All ASIS Standards and Guidelines are available through the ASIS website, http://www.asisonline.org/.

This website is committed to keeping our readership informed and up to date as more details and postings emerge around and about this topic.

Compliance and Ethics Roundtable Discusses Enforcement Forecasts for 2011

Comments and requests often reach this website seeking more clarification on the topic of compliance.  Fully recognizing the complexity of the subject, and remaining committed to satisfying the requests of our readership, we have asked our writers, reporters and staff to search for a suitable response.

The first response comes from a new follower of this website, Amy E. Hutchens, JD, CCEP.  Ms. Hutchens serves as General Counsel and Vice President of Compliance and Ethics Services for Watermark Risk Management International, and she recommends that our readers join fellow ethics and compliance leaders for an exclusive Regional Roundtable on Business Ethics: Best Practices.  The discussion is sponsored by DuPont Sustainable Solutions and will be held at the Richmond Virginia Marriott Hotel on Tuesday, January 25, 2011.

One reason Ms. Hutchens recommends this event is that it offers attendees a unique opportunity to share best practices, acquire fresh insights on sustaining an ethical culture, and exchange strategies to assess, communicate and help mitigate compliance risks within an organization.

The compliance enforcement forecast for 2011 is another key area of discussion that Ms. Hutchens expects to be addressed, and that topic alone should be of great interest to the business continuity, risk management and organizational resilience team members in any organization.

Other compliance experts joining Ms. Hutchens in the discussion are:

Mark Brzezinski, Partner and manager of the international law practice in the Washington, DC office of McGuire Woods, LLP.

J. Patrick Rowan, Partner in McGuire Woods, LLP where his practice focuses on government and internal investigations, white collar criminal defense and complex civil litigation.

Matthew J. McGonegle, CCEP, who, in his role as Ethics and Compliance Manager, leads content development for all ethics and compliance training solutions globally and works directly with practicing attorneys in DuPont Primary Law Firms throughout the world.

W. Carter Younger, Partner, who represents management in the areas of employment discrimination, union-management relations, international employment, executive employment contracts, and government regulation of the employment relationship at McGuire Woods, LLP. 

Charles N. Whitaker, Senior Vice President, Human Resources & Compliance, Altria Client Services, who is responsible for directing Human Resources and Compliance services for the Altria Group and its family of companies.

For more details about this roundtable discussion and how to attend, click here to fill out a registration form, or call 1.800.285.9107 ext. 3258 with any other questions.

Business Continuity — New Guidance Document Released by BCI

This month, the Business Continuity Institute (BCI) has released a new guidance and overview document to the BC community.

The document is entitled “Business Continuity Management – Legislations, Regulations and Standards – Version 4 – June 2010”.

BCI states that this document is a response to questions regularly asked by its members and other interested parties about current legislation, regulation and standards that exist nationally and internationally for Business Continuity Management.

The document is presented in the following four (4) sections:

Legislation:  Government laws which include aspects of Business Continuity Management by name or are sufficiently similar in nature (Disaster Recovery, Emergency Response, Crisis Management) to be treated as BCM legislation for this purpose.  To be included in this category they must be legally enforceable legislation passed by a national, federal, state or provincial government depending upon the legal structure in each particular country.

Regulation:  Mandatory rules or audited guidance documents from official regulatory bodies in all sectors, such as Financial Services, Energy, and Oil and Gas, which could reasonably be construed as having implications for an organization’s BCM provisions.  General help, guidance and suggestions are included under Guidelines.

Standards:  Official standards from national (and international) accredited standards bodies which relate to Business Continuity as a whole or to a specific related subset such as IT Service Continuity.  The list also includes standards for different but related topics (such as Information Security) where BCM is included only as a minor requirement for compliance.  “Standards” issued by third parties or professional groups are included only if they are ratified by an accredited national standards body or accredited directly by a national accreditation service affiliated with the International Accreditation Forum (IAF).

Guidelines:  Guidelines published as good (or best) practice by various authoritative organizations.  These documents may form part of a wider set of advice provided by a professional body for whom BCM is only a peripheral activity, or they may be issued by a BCM professional body as general guidance, either locally or internationally.  They provide no mandated rules but are used and recognized as credible by BCM professionals.

Click here to read the full document.

Please pass this information along to the business continuity, risk management and information security team members in your organization.

ISO 20000-1: Common Misconceptions

Over the last several weeks, our staff has received inquiries from readers about the ISO 20000-1 standard and the need to clear up some common misconceptions about the relationship between ITIL and ISO 20000-1.

To best address that request, we welcome Subrata Guha to our website as a guest writer and author of a recent whitepaper entitled, “ISO 20000-1: Common Misconceptions”.

Subrata Guha is the Director of IT Services at UL DQS Inc. and has over 20 years of hands-on experience with the full lifecycle of IT service management processes.  We hope to share more of Subrata’s writing with our readership in the future, and we thank him for contributing content that helps fulfill the needs of our IT Service Management community.

Click the link below to access Mr. Guha’s whitepaper…

Misconceptions about ISO 20000-1

Please pass this information along to the individuals or team members in your organization who are responsible for IT service management processes, needs and requirements.

Risk Management: BS ISO 31000 vs. BS 31100

Several inquiries have reached our staff regarding BS ISO 31000 and its related code of practice, BS 31100, since we recently posted an article examining the Icelandic volcano eruption through the lens of ISO 31000.

In response, BS ISO 31000 is the international standard for risk management and provides principles and guidelines on the subject.  BS 31100 is a code of practice that complements BS ISO 31000 and gives additional risk management guidance not covered in the international standard.

The documents take an almost identical approach to risk management but some of the headings and terms used are different.

For readers more interested in this topic, we suggest you click here to view the BSI Workshop website, read what they have to say about these documents, and see how the two differ regarding the risk management process.

Hopefully you will find this interesting enough to pass along to the risk assessment team members in your organization(s).

If you have any comments on these documents, please share them with our business continuity and risk management community of readers of this website.

ISO 31000: 2009 — New Risk Management Standard

In a recent article posted on the SearchCompliance.com website, Linda Tucci, one of our often-quoted senior news writers, discusses the new ISO 31000:2009 standard.

We like the FAQ style and approach used by Linda Tucci, and we recommend this article be read by all organizational risk management team members.  It provides an introduction to ISO 31000:2009, a new international standard aimed at helping organizations of all types and sizes to manage risk across the enterprise.

As Linda Tucci states, “The ISO 31000:2009 risk management standard was published in November 2009 by the International Organization for Standardization (ISO). A concise 24 pages long, ISO 31000:2009 is noteworthy, not only for its brevity but also for its emphasis on the fundamentals of enterprise risk management.” 

Click here to read more.

ISO 31000 and the Volcano Crisis in Iceland

As we observe events such as the Icelandic volcano crisis, we are reminded of the difficulty facing risk management and crisis management team members when examining potential risks to corporate plans and, ultimately, to the achievement of business continuity plan provisions and objectives.

As Kevin Knight states in a recent article he wrote and posted on the ISO (International Standards for Business, Government and Society) website, “….the cloud of ash from the Icelandic volcano and its subsequent blanketing of much of Europe is a classic example of a low probability, severe consequence event that tends to be overlooked by management…”  We fully agree with Mr. Knight’s statement.

The lack of readiness and the ineffective response of so many companies to this event may well make you wonder how seriously, if at all, upper management participates in planning and testing disruption-related scenarios that could directly affect their organization.

In his article, Mr. Knight points out that risk is all about uncertainty or, more precisely, the effect of uncertainty on the achievement of objectives.  On 15 November 2009, ISO published ISO 31000:2009, Risk Management – Principles and guidelines, to help industrial, commercial and public sector organizations address such risks with confidence.

We recommend you read Mr. Knight’s article to help you and your organization improve your ability to mitigate similar ever-changing risks, which must be managed in an increasingly global economy with greater reliance on “just in time” delivery.

Please pass this information along to your organization’s business continuity, risk management and risk assessment team members.

Click here to read the full article.