
AS ISO 22313 pdf download


Security and resilience — Business continuity management systems — Guidance on the use of ISO 22301
1 Scope
This document gives guidance and recommendations for applying the requirements of the business continuity management system (BCMS) given in ISO 22301. The guidance and recommendations are based on good international practice. This document is applicable to organizations that:
a) implement, maintain and improve a BCMS;
b) seek to ensure conformity with stated business continuity policy;
c) need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption;
d) seek to enhance their resilience through the effective application of the BCMS.
The guidance and recommendations are applicable to all sizes and types of organizations, including large, medium and small organizations operating in industrial, commercial, public and not-for-profit sectors. The approach adopted depends on the organization’s operating environment and complexity.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 22300, Security and resilience — Vocabulary
ISO 22301, Security and resilience — Business continuity management systems — Requirements
4 Context of the organization
4.1 Understanding the organization and its context
This clause provides recommendations for understanding the context of the organization in relation to the BCMS. Recommendations for establishing and maintaining business continuity are addressed in 8.1.
The organization should evaluate and understand the external and internal issues (including positive and negative factors or conditions for consideration) that are relevant to its overall objectives, its products and services, and the amount and type of risk that it may or may not take. This information should be taken into account when implementing and maintaining the organization’s BCMS and assigning priorities.
The organization’s external context includes, where relevant, the following:
– the political, legal and regulatory environment, whether international, national, regional or local;
– social and cultural aspects;
– the financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
– supply chain commitments and relationships (see also ISO/TS 22318);
– drivers (e.g. risk, technology) and trends having impact on the objectives and operation of the organization;
– relationships with, and perceptions and values of, interested parties outside the organization;
– communication channels, including social media, used for ascertaining and forming such relationships.
The organization’s internal context includes, where relevant, the following:
– products and services, activities, resources, supply chains and relationships with interested parties;
– capabilities in terms of resources and knowledge (e.g. capital, time, people, processes, systems, technologies);
– existing management systems;
– information and data (stored in physical or electronic form) and decision-making processes (formal and otherwise);
– interested parties within the organization, including internal suppliers [consideration of service level agreements (SLAs), assessed resiliency and recovery arrangements], see ISO/TS 22318;
– policies and objectives, and the business strategies that are in place to achieve them;
– future opportunities and business priorities;
– perceptions, values and culture;
– standards and reference models adopted by the organization;
4.2 Understanding the needs and expectations of interested parties
4.2.1 General
The organization owes a duty of care to a wide range of people within and outside the organization (see also ISO/TS 22330). When establishing its BCMS, the organization should ensure that the needs and requirements of all interested parties are taken into consideration.
The organization should identify all interested parties that are of relevance to its BCMS (see Figure 4) and, based on their needs and expectations, should determine their requirements. It is important to identify not only obligatory and stated requirements, but also any that are implied.
When planning and implementing the BCMS, it is important to identify actions that are appropriate in relation to interested parties but differentiate between them. For example, while it can be appropriate to communicate with all interested parties following a disruption, it may not be appropriate to communicate with all interested parties when implementing and maintaining business continuity management (see 8.1.2).
