ISO 22313:2020 Abridged Chinese Translation (Part 1)
From the Foreword to 8.2 Business impact analysis and risk assessment (because the Chinese-English parallel translation is long, it is published in two parts, Part 1 and Part 2)
A note before the text: As is well known, the ISO 22301 series of international standards is the culmination of current best practice in business continuity management. This abridged Chinese translation was produced jointly by a volunteer translation team made up of several professionals, to make it easier for those who follow business continuity management best practice to learn about and study ISO 22313:2020, the latest international standard for business continuity management systems. In early 2020, after completing the translation of ISO 22301:2020, I kept watching for the release date of the new edition of ISO 22313. ISO 22313:2020 was officially published at the end of February, and on 1 April I began recruiting volunteer translators on 知识星球 and WeChat Moments; a translation team made up of the professionals 林丽玲, 刘凌子, 劉歆軼, 刘宇, 鲁荣丹, 马骏, 王晨, 汪洁瑾, 王鹏飞, 孙书强, 姚昊, 姚修杰, 张楠, 张松滨, 朱汉乐 and 苏瑛 was formed very quickly. The first draft of the translation was finished in June, but because of my own schedule it was not until the end of August that I could set aside the time to review and finalize the whole text, drawing in part on GB/T 31595-2015 (identical to ISO 22313:2012) and other references.
The members of the volunteer translation team are as follows (in no particular order; sorted by pinyin of surname): 林丽玲 (Taiwan, Lorton Lin), 刘凌子 (175340811@qq.com), 劉歆軼 (markjlord@msn.com), 刘宇 (13316880733@189.cn), 鲁荣丹 (2637807046@qq.com), 马骏 (patrick.ma2018@outlook.com), 苏瑛 (369188992@qq.com), 王晨 (Wesley Wang), 汪洁瑾 (Gin Wang), 王鹏飞 (6181.wang@163.com), 孙书强 (HSDJL2@126.com), 姚昊 (239712415@qq.com), 姚修杰 (yaoxiujie@foxmail.com), 张楠 (zhang4@hotmail.com), 张松滨 (306589775@qq.com), 朱汉乐 (rebmeced@163.com)
I thank all the professionals on the volunteer translation team for giving up their own rest time during the pandemic to do this translation work. Any inaccuracies or misunderstandings in the translation are my responsibility alone and have nothing to do with the translators. If you have comments or suggested corrections, please leave me a message.
In addition, the ISO 22301 White Paper will be updated shortly; readers who follow the ISO 22301 series of international standards are invited to keep following this official account (ID: bcmplus).
王曙 (kevinwang), September 2020
前言 Foreword
国际标准化组织(ISO)是由各国标准化机构(ISO成员机构)组成的世界性联合会。国际标准的制定工作通常由ISO技术委员会进行。各成员机构有权派代表参加就某主题设立的技术委员会。与ISO保持联系的各官方和非官方国际组织,也可以参与标准制定工作。ISO与国际电工委员会(IEC)在所有电工标准化问题上均有密切合作。 ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
ISO/IEC指令第1部分描述了用于开发本标准和旨在对其进行进一步维护的程序。特别地,宜注意不同类型ISO文件需要不同的审批标准。本标准根据ISO/IEC指令第2部分(见www.iso.org/directives)的编辑规则起草。 The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
请注意,本标准的某些内容可能涉及专利权问题。ISO不负责确定任何这样的专利权问题。标准编制过程中确定的任何专利权的详细信息都将放在引言和/或收到的ISO专利声明列表中(参见www.iso.org/patents)。 Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
本标准中使用的任何商品名称均为方便用户而提供的信息,不构成背书。 Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
关于标准的自愿性质的解释,与合格评定相关的ISO特定术语和表达的含义,以及ISO遵守世界贸易组织(WTO)在技术性贸易壁垒(TBT)中的原则的信息,请参阅www.iso.org/iso/foreword.html。 For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
本标准由“ISO/TC 292, 安全与韧性”技术委员会编制。 This document was prepared by technical Committee ISO/TC 292, Security and resilience.
此第二版取消并替换了已技术修订的第一版(ISO 22313:2012)。与上一版本相比,主要变化如下: — 修改结构和内容以使本标准与ISO 22301最新版保持一致; — 增加了额外的指导以解释关键概念和术语; — 删除8.4中的部分内容,该内容将包括在ISO/TS 22332(正在开发)中。 This second edition cancels and replaces the first edition (ISO 22313:2012), which has been technically revised. The main changes compared with the previous edition are as follows: — structural and content alterations have been made to align this document with the latest edition of ISO 22301; — additional guidance has been added to explain key concepts and terms; — content has been removed from 8.4 that will be included in ISO/TS 22332 (under development).
对本标准的任何反馈或问题宜直接提交给用户的国家标准化机构,这些机构的完整列表可在www.iso.org/members.html找到。 Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
引言 Introduction
0.1 总则 General
本标准为ISO 22301中规定的要求提供了指导(如适用)。但本标准无意为业务连续性的所有方面提供一般性指导。 This document provides guidance, where appropriate, on the requirements specified in ISO 22301. It is not the intention of this document to provide general guidance on all aspects of business continuity.
本标准包括与ISO 22301相同的章节标题,但不会重述要求以及相关术语和定义。 This document includes the same clause headings as ISO 22301 but does not restate the requirements and related terms and definitions.
本指南旨在解释和澄清ISO 22301要求的含义和目的,并协助解决所有理解上的问题。本标准中引用并提供补充指导的国际标准和技术规范包括ISO/TS 22317、ISO/TS 22318、ISO 22322、ISO/TS 22330、ISO/TS 22331和ISO 22398。这些文件的范围超出了ISO 22301的要求。因此,组织宜始终参考ISO 22301以验证要满足的要求。 The intention of the guidance is to explain and clarify the meaning and purpose of the requirements of ISO 22301 and assist in the resolution of any issues of interpretation. Other International Standards and Technical Specifications that provide additional guidance, and to which reference is made in this document, are ISO/TS 22317, ISO/TS 22318, ISO 22322, ISO/TS 22330, ISO/TS 22331 and ISO 22398. The scope of these documents can extend beyond the requirements of ISO 22301. Organizations should therefore always refer to ISO 22301 to verify the requirements to be met.
为进一步阐明和解释要点,本标准包括若干图示。这些图示仅用于说明性目的,以本标准正文中的相关文本为准。 To provide further clarification and explanation of key points, this document includes several figures. The figures are for illustrative purposes only and the related text in the body of this document takes precedence.
业务连续性管理体系(BCMS)强调以下重要性: — 建立与组织目标一致的业务连续性方针和目标; — 运行和维护流程、能力、响应结构,确保组织能够在中断时生存; — 监视和评审BCMS绩效和有效性; — 基于定性和定量测量的持续改进。 A business continuity management system (BCMS) emphasizes the importance of: — establishing business continuity policy and objectives that align with the organization’s objectives; — operating and maintaining processes, capabilities and response structures for ensuring the organization will survive disruptions; — monitoring and reviewing the performance and effectiveness of the BCMS; — continual improvement based on qualitative and quantitative measurement.
业务连续性管理体系与其他管理体系类似,包括以下组成部分: a) 方针; b) 有明确责任、能胜任的人员; c) 与以下相关的管理过程: 1) 方针; 2) 策划; 3) 实施和运行; 4) 绩效评估; 5) 管理评审; 6) 持续改进; d) 支持运行控制和绩效评估的成文信息。 A BCMS, like any other management system, includes the following components: a) a policy; b) competent people with defined responsibilities; c) management processes relating to: 1) policy; 2) planning; 3) implementation and operation; 4) performance assessment; 5) management review; 6) continual improvement; d) documented information supporting operational control and enabling performance evaluation.
业务连续性对一个组织而言通常是特定的。不过它在实施中可能会涉及到更广泛的群体和第三方。一个组织很可能有它依赖的和依赖它的外部组织。因此,业务连续性有助于构建一个更具韧性的社会。 Business continuity is generally specific to an organization. However, its implementation can have far reaching implications on the wider community and other third parties. An organization is likely to have external organizations that it depends upon and there will be others that depend on it. Effective business continuity therefore contributes to a more resilient society.
0.2 业务连续性管理体系的收益 Benefits of a business continuity management system
业务连续性管理体系提高了组织在中断期间持续运营的准备水平。它还可以改进对组织内外部关系的理解,更好地与相关方沟通,并创建一个持续改进的环境。按照本标准中的建议和ISO 22301的要求,实施BCMS可能会带来许多其他的收益。 A BCMS increases the organization’s level of preparedness to continue to operate during disruptions. It also results in improved understanding of the organization’s internal and external relationships, better communication with interested parties and the creation of a continual improvement environment. There are potentially many additional benefits to implementing a BCMS in accordance with the recommendations contained in this document and in accordance with the requirements of ISO 22301.
— 按照第4章(“组织环境”)中的建议,该组织: — 回顾其战略目标,以确保BCMS支持这些目标; — 重新考虑相关方的需求、期望和要求; — 了解适用的法律、法规及其它义务。 — Following the recommendations in Clause 4(“context of the organization”) involves the organization: — reviewing its strategic objectives to ensure that the BCMS supports them; — reconsidering the needs, expectations and requirements of interested parties; — being aware of applicable legal, regulatory and other obligations.
— 按照第5章(“领导力”),该组织: — 重新考虑管理的角色和责任; — 促进持续改进的文化; — 分配绩效监控和报告的责任。 — Clause 5(“leadership”) involves the organization: — reconsidering management roles and responsibilities; — promoting a culture of continual improvement; — allocating responsibility for performance monitoring and reporting.
— 按照第6章(“策划”),该组织: — 重新调查其风险和机会,并找到应对和利用它们的措施; — 建立有效的变更管理。 — Clause 6(“planning”) involves the organization: — re-examining its risks and opportunities and identifying actions to address and take advantage of them; — establishing effective change management.
— 按照第7章(“支持”),该组织: — 建立对BCMS资源(包括能力管理)的有效管理; — 提高员工对管理重要事项的认识; — 具有有效的内部和外部沟通机制; — 有效管理文档。 — Clause 7 (“support”) involves the organization: — establishing effective management of its BCMS resources, including competence management; — improving employee awareness of matters that are important to management; — having effective mechanisms for internal and external communications; — managing its documentation effectively.
— 按照第8章(“运行”),该组织考虑: — 变化的意外后果; — 业务连续性优先顺序和要求; — 依赖关系; — 从影响角度看待脆弱性; — 中断风险,并确定最佳应对方法; — 使用受限资源运行业务的替代解决方案; — 处理中断的有效结构和程序; — 对社会和其他相关方的责任。 — Clause 8 (“operation”) results in the organization considering: — the unintended consequences of change; — business continuity priorities and requirements; — dependencies; — vulnerabilities from an impact perspective; — risks of disruption and identifying how best to address them; — alternative solutions for running the business with limited resources; — effective structures and procedures for dealing with disruptions; — responsibilities to the community and other interested parties.
— 按照第9章(“绩效评估”),该组织: — 具有有效的绩效监控、测量和评估机制; — 让管理者参与监控BCMS的绩效,并为其有效性作出贡献。 — Clause 9 (“performance evaluation”)involves the organization: — having effective mechanisms for monitoring, measuring and evaluating performance; — involving management in monitoring the performance and contributing to the effectiveness of the BCMS.
— 按照第10章(“改进”),该组织: — 具有监控绩效和提高有效性的程序; — 受益于管理体系的持续改进。 — Clause 10 (“improvement”) involves the organization — having procedures for monitoring performance and improving effectiveness; — benefitting from continual improvement of its management systems.
因此,实施BCMS可以: a) 保护生命、财产和环境; b) 保护和提高组织的声誉和信誉; c) 使组织能够在中断期间运营,从而为组织的竞争优势做出贡献; d) 减少因中断产生的成本,提高组织在中断期间保持有效运营的能力; e) 有助于组织的整体韧性; f) 有助于使相关方对组织的成功更有信心; g) 减少组织的法律及财务风险; h) 证明组织管理风险和解决运营漏洞的能力。 As a result, implementation of the BCMS can: a) protect life, assets and the environment; b) protect and enhance the organization’s reputation and credibility; c) contribute to the organization’s competitive advantage by enabling it to operate during disruptions; d) reduce costs arising from disruptions and improve the organization’s capability to remain effective during them; e) contribute to the organization’s overall organizational resilience; f) assist in making interested parties more confident in the organization’s success; g) reduce the organization’s legal and financial exposure; h) demonstrate the organization’s ability to manage risk and address operational vulnerabilities.
0.3 策划-实施-检查-改进(PDCA)循环 Plan-Do-Check-Act (PDCA) cycle
本标准采用策划-实施-检查-改进(PDCA)循环来策划、建立、实施、运行、监视、评审、保持和持续改进组织BCMS的有效性。表1给出了PDCA循环的说明。 This document applies the Plan-Do-Check-Act (PDCA) cycle to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organization’s BCMS. An explanation of the PDCA cycle is given in Table 1.
图1说明了BCMS如何把相关方的业务连续性管理要求作为输入,并通过必要的措施和过程,产生满足这些要求的业务连续性成果(即受控的业务连续性)。 Figure 1 illustrates how the BCMS takes interested parties’ requirements as inputs for business continuity management and, through the required actions and processes, produces business continuity outcomes (i.e. managed business continuity) that meet those requirements.
表1 PDCA循环的解释 Table 1 – Explanation of PDCA cycle
策划(建立) Plan (establish): 建立与改进业务连续性相关的业务连续性方针、目标、控制、过程和程序,以实现与组织的总方针和目标相一致的结果。 Establish business continuity policy, objectives, controls, processes and procedures relevant to improving business continuity in order to deliver results that align with the organization’s overall policies and objectives.
实施(实施和运行) Do (implement and operate): 实施和运行业务连续性的方针、控制、过程和程序。 Implement and operate the business continuity policy, controls, processes and procedures.
检查(监视和评审) Check (monitor and review): 根据业务连续性方针和目标对绩效进行监视和评审,将结果报告管理者以供审核、确定并授权采取补救与改进措施。 Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.
改进(保持和改进) Act (maintain and improve): 根据管理评审的结果和对BCMS范围、业务连续性方针和目标的重新评估,采取纠正措施,保持和持续改进BCMS。 Maintain and improve the BCMS by taking corrective actions, based on the results of management review and re-appraising the scope of the BCMS and business continuity policy and objectives.
图1 应用于BCMS过程的PDCA循环 Figure 1 – PDCA cycle applied to BCMS processes
0.4 本标准中PDCA的组成部分 Components of PDCA in this document
表2说明了图1内容与本标准各章之间的直接关系。 Table 2 shows the direct relationship between the content of Figure 1 and the clauses of this document.
表2 PDCA循环与第4章到第10章之间的对应关系 Table 2 – Relationship between the PDCA cycle and Clauses 4 to 10
PDCA组成部分 PDCA component / 与PDCA组成部分对应的章 Clause addressing PDCA component
策划(建立) Plan (establish): 第4章(“组织环境”)阐述了组织宜做什么以确保满足BCMS要求,并考虑所有相关的外部和内部因素,包括: — 相关方的需求和期望; — 法律法规义务; — BCMS要求的范围。 Clause 4 (“context of the organization”) sets out what the organization should do in order to make sure that the BCMS meets its requirements, taking into account all relevant external and internal factors, including: — the needs and expectations of interested parties; — its legal and regulatory obligations; — the required scope of the BCMS. 第5章(“领导力”)阐述了管理者在证明承诺、确定方针、建立角色、责任和权限方面的关键作用。 Clause 5 (“leadership”) sets out the role of management in terms of demonstrating commitment, defining policy and establishing roles, responsibilities and authorities. 第6章(“策划”)描述为实施BCMS建立战略目标和指导原则的措施。 Clause 6 (“planning”) describes the actions for establishing strategic objectives and guiding principles for the implementation of the BCMS. 第7章(“支持”)确定宜准备好的BCMS要素,即:资源、能力、意识、沟通和成文信息。 Clause 7 (“support”) identifies the BCMS elements that should be in place, namely: resources, competence, awareness, communication and documented information.
实施(实施和运行) Do (implement and operate): 第8章(“运行”)确定建立和保持业务连续性的过程。 Clause 8 (“operation”) identifies the processes for establishing and maintaining business continuity.
检查(监视和评审) Check (monitor and review): 第9章(“绩效评估”)通过绩效测量和评估提供改进BCMS的基础。 Clause 9 (“performance evaluation”) provides the basis for improving the BCMS through measurement and evaluating its performance.
改进(保持和改进) Act (maintain and improve): 第10章(“改进”)包括解决通过绩效评估发现的不符合的纠正措施。 Clause 10 (“improvement”) covers the corrective action for addressing nonconformity identified through performance evaluation.
0.5 本标准内容 Contents of this document
本标准的目的不是暗示BCMS结构的一致性,而是让组织设计一个适合其需求并满足其相关方(尤其是客户和员工)要求的BCMS。这些需求是由法律、法规、组织和行业要求、产品和服务、所采用的流程、运营环境、组织的规模和结构以及相关方的要求决定的。 It is not the intent of this document to imply uniformity in the structure of a BCMS but for an organization to design a BCMS that is appropriate to its needs and that meets the requirements of its interested parties, particularly customers and employees. These needs are shaped by legal, regulatory, organizational and industry requirements, the products and services, the processes employed, the environment in which it operates, the size and structure of the organization and the requirements of its interested parties.
本标准不是用于评估组织满足其自身业务连续性需求、或任何客户、法律法规需求的能力。希望这样做的组织可以使用ISO 22301中的要求。 This document is not intended to be used to assess an organization’s ability to meet its own business continuity needs, or any customer, legal or regulatory needs. Organizations wishing to do so can use the requirements in ISO 22301.
本标准第1章到第3章阐述适于本标准使用的范围、规范性引用文件、术语和定义。第4章到第10章包含ISO 22301中给定要求的指导。 Clauses 1 to 3 in this document set out the scope, normative references and terms and definitions that apply to the use of this document. Clauses 4 to 10 contain guidance on the requirements given in ISO 22301.
本标准中使用以下助动词形式: a) “宜”表示建议; b) “可以”表示允许; c) “能”表示可能性或能力。 In this document, the following verbal forms are used: a) “should” indicates a recommendation; b) “may” indicates a permission; c) “can” indicates a possibility or a capability.
0.6 业务连续性 Business continuity
业务连续性是在中断事件发生后,组织在预先定义的可接受的水平上持续交付产品或服务的能力。业务连续性管理是实施和保持业务连续性(参见8.1.2和图5)的过程,以预防损失,并为中断做好准备、减轻和管理。 Business continuity is the capability of the organization to continue delivery of products or services at acceptable predefined capacities following a disruption. Business continuity management is the process of implementing and maintaining business continuity (see 8.1.2 and Figure 5) in order to prevent loss and prepare for, mitigate and manage disruptions.
建立BCMS使组织能够控制、评估和持续改进其业务连续性。 Establishing a BCMS enables the organization to control, evaluate and continually improve its business continuity.
在本标准中,“业务”一词是一个包罗万象的术语,指的是组织在追求其目标、宗旨或使命时进行的业务和服务。因此,它同样适用于在工业、商业、公共和非营利部门运营的大、中和小型组织。 In this document, the word “business” is used as an all-embracing term for the operations and services performed by an organization in pursuit of its objectives, goals or mission. As such, it is equally applicable to large, medium and small organizations operating in industrial, commercial, public and not-for-profit sectors.
中断有可能打断组织的整体运营及其交付产品和服务的能力。但是,在中断发生前实施BCMS,而不是在事件发生后以非计划的方式进行响应,将使组织能够在所受影响尚未严重到不可接受之前重续运营。 Disruptions have the potential to interrupt the organization’s entire operations and its ability to deliver products and services. However, implementing a BCMS before a disruption occurs, rather than responding in an unplanned manner after the incident, will enable the organization to resume operations before unacceptable levels of impact arise.
业务连续性管理包括: a) 确定组织的产品和服务以及交付这些产品和服务的活动; b) 分析不重续活动及其所依赖的资源的影响; c) 理解中断的风险; d) 确定重续产品和服务交付的优先顺序、时间范围、能力和策略; e) 制定解决方案和计划,以便在中断后要求的时间范围内重续活动; f) 确保这些安排得到定期评审和更新,从而使其在各种情况下都有效。 Business continuity management involves: a) identifying the organization’s products and services and the activities that deliver them; b) analysing the impacts of not resuming the activities and the resources they depend on; c) understanding the risk of disruption; d) determining priorities, time frames, capacities and strategies for resuming the delivery of products and services; e) having solutions and plans in place to resume the activities within the required time frames following a disruption; f) making sure that these arrangements are routinely reviewed and updated so that they will be effective in all circumstances.
组织的业务连续性管理方法及其成文信息宜与其环境(例如,运营环境、复杂性、需求、资源)相适应。 The organization’s approach to business continuity management and its documented information should be appropriate to its context (e.g. operating environment, complexity, needs, resources).
业务连续性在处理突发中断(例如爆炸)和渐进中断(例如大流行病)时都是有效的。 Business continuity can be effective in dealing with both sudden disruptions (e.g. explosions) and gradual ones (e.g. pandemics).
能够造成活动中断的事件非常多,其中许多是难以预测和分析的。由于业务连续性关注中断带来的影响而不是其产生的原因,所以业务连续性使组织能够确定对其履行义务重要的活动。通过业务连续性,组织可以认识到中断发生前可采取哪些措施保护其资源(例如,人员,场地,技术,信息)、供应链、相关方和声誉。有了这样的认知,组织就能准备好一个响应结构,从而有信心管理中断的影响。 Activities can be disrupted by a wide variety of incidents, many of which are difficult to predict or analyse. By focusing on the impact of disruption rather than the cause, business continuity enables an organization to identify activities that are essential to it being able to meet its obligations. Through business continuity, an organization can recognize what is to be done to protect its resources (e.g. people, premises, technology, information), supply chain, interested parties and reputation before a disruption occurs. With that recognition, the organization can put in place a response structure, so that it can be confident of managing the impacts of a disruption.
图2和图3从概念上说明了在某些情况下业务连续性是如何有效地减轻影响。两图中描绘的阶段之间的相对距离并不意味着特定的时间尺度。 Figure 2 and Figure 3 illustrate conceptually how business continuity can be effective in mitigating impacts in certain situations. No particular timescales are implied by the relative distance between the stages depicted in either diagram.
图2-业务连续性对突然中断有效的图示 Figure 2 - Illustration of business continuity being effective for sudden disruption
图3 业务连续性对渐进中断有效的图示 Figure 3 – Illustration of business continuity being effective for gradual disruption (e.g. approaching pandemic)
安全与韧性 – 业务连续性管理体系 – ISO 22301应用指南 Security and resilience – Business continuity management systems – Guidance on the use of ISO 22301
第1章 范围 Scope
本标准为应用ISO 22301给出的业务连续性管理体系(BCMS)的要求提供了指导和建议。这些指导和建议基于良好的国际实践。 This document gives guidance and recommendations for applying the requirements of the business continuity management system (BCMS) given in ISO 22301. The guidance and recommendations are based on good international practice.
本标准适用于以下组织: a) 实施、保持和改进BCMS; b) 争取确保符合阐明的业务连续性方针; c) 需要能够在中断期间继续以可接受的预定义的能力交付产品和服务; d) 争取通过有效应用BCMS来提高组织的韧性。 This document is applicable to organizations that: a) implement, maintain and improve a BCMS; b) seek to ensure conformity with stated business continuity policy; c) need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption; d) seek to enhance their resilience through the effective application of the BCMS.
本指南和建议适用于所有规模和类型的组织,包括在工业、商业、公共和非营利部门运营的大、中、小型组织。所采用的方法取决于组织的运营环境和复杂性。 The guidance and recommendations are applicable to all size and types of organizations, including large, medium and small organizations operating in industrial, commercial, public and not-for-profit sectors. The approach adopted depends on the organization’s operating environment and complexity.
第2章 规范性引用文件 Normative references
下列文件在正文中引用时,其部分或全部内容构成本标准的要求。凡是注明日期的引用文件,仅注明日期的版本适用于本标准。凡是不注明日期的引用文件,其最新版本(包括所有的修订)适用于本标准。 The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 22300,安全与韧性 – 术语 ISO 22300, Security and resilience – Vocabulary
ISO 22301,安全与韧性 – 业务连续性管理体系 – 要求 ISO 22301, Security and resilience – Business continuity management systems – Requirements
第3章 术语和定义 Terms and definitions
本标准中,ISO 22300、ISO 22301和以下术语和定义适用。 For the purposes of this document, the terms and definitions given in ISO 22300, ISO 22301 and the following apply.
ISO和IEC在下列地址维护用于标准化的术语数据库: ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO在线浏览平台 ISO Online browsing platform: https://www.iso.org/obp
— IEC电工百科全书 IEC Electropedia: http://www.electropedia.org/
3.1 业务连续性管理 business continuity management: 实施和保持业务连续性的过程 process of implementing and maintaining business continuity
第4章 组织环境 Context of the organization
4.1 了解组织和组织环境 Understanding the organization and its context
本章为了解与BCMS相关的组织环境提供建议。为建立和保持业务连续性的建议在8.1中提出。 This clause provides recommendations for understanding the context of the organization in relation to the BCMS. Recommendations for establishing and maintaining business continuity are addressed in 8.1.
组织宜评估和了解与其总体目标相关的外部和内部问题(包括考虑的积极和消极因素或条件)、产品和服务,以及它可以承担或不可承担的风险的数量和类型。组织在实施和保持其BCMS时宜考虑这些信息并排列优先级。 The organization should evaluate and understand the external and internal issues (including positive and negative factors or conditions for consideration) that are relevant to its overall objectives, its products and services, and the amount and type of risk that it may or may not take. This information should be taken into account when implementing and maintaining the organization’s BCMS and assigning priorities.
组织的外部相关环境(如有必要),包括: — 国际、国家、地区或本地的政治、法律和监管环境; — 社会和文化方面; — 国际、国家、地区或本地的金融、科技、经济、自然和竞争环境; — 供应链的承诺和关联关系(可参见ISO/TS 22318); — 影响组织目标和运营的驱动(如:风险,技术)和趋势; — 组织外部相关方的关系、观念和价值观; — 用于确定和形成这些关系的沟通渠道,包括社交媒体。 The organization’s external context includes, where relevant, the following: — the political, legal and regulatory environment, whether international, national, regional or local; — social and cultural aspects; — the financial, technological, economic, natural and competitive environment, whether international, national, regional or local; — supply chain commitments and relationships (see also ISO/TS 22318); — drivers (e.g. risk, technology) and trends having impact on the objectives and operation of the organization; — relationships with, and perceptions and values of, interested parties outside the organization; — communication channels, including social media, used for ascertaining and forming such relationships.
组织的内部相关环境(如有必要),包括: — 产品和服务,活动,资源,供应链以及和相关方的关系; — 在资源和知识(如资金,时间,人员,过程,系统,技术)方面的能力; — 现行的管理体系; — 信息和数据(以物理或电子形式存储),以及决策制定过程(正式或其他形式); — 组织内部的相关方,包括内部供应商[对服务水平协议(SLA)的考虑,评估的韧性和恢复安排],见ISO/TS 22318; — 方针和目标,以及实现它们的业务战略; — 未来的机会和业务优先安排; — 观念,价值观和文化; — 组织采用的标准和参考模型; — 组织架构(如治理,角色和责任); — 用于在员工之间交换信息的内部沟通渠道(如社交媒体)。 The organization’s internal context includes, where relevant, the following: — products and services, activities, resources, supply chains and relationships with interested parties; — capabilities in terms of resources and knowledge (e.g. capital, time, people, processes, systems, technologies); — existing management systems; — information and data (stored in physical or electronic form) and decision-making processes (formal and otherwise); — interested parties within the organization, including internal suppliers [consideration of service level agreements (SLAs), assessed resiliency and recovery arrangements], see ISO/TS 22318; — policies and objectives, and the business strategies that are in place to achieve them; — future opportunities and business priorities; — perceptions, values and culture; — standards and reference models adopted by the organization; — structures (e.g. governance, roles, accountabilities); — internal communication channels used for the exchange of information within the workforce (e.g. social media).
4.2 理解相关方的需求和期望 Understanding the needs and expectations of interested parties
4.2.1 总则 General
组织对组织内外广泛的人员负有注意义务(可参见ISO/TS 22330)。在建立BCMS时,组织宜确保考虑所有相关方的需求和要求。 The organization owes a duty of care to a wide range of people within and outside the organization (see also ISO/TS 22330). When establishing its BCMS, the organization should ensure that the needs and requirements of all interested parties are taken into consideration.
组织宜确定与其BCMS相关的所有相关方(见图4),并宜基于他们的需求和期望确定他们的要求。确定强制的、阐明的和隐含的要求都很重要。 The organization should identify all interested parties that are of relevance to its BCMS (see Figure 4) and, based on their needs and expectations, should determine their requirements. It is important to identify not only obligatory and stated requirements, but also any that are implied.
当策划和实施BCMS时,确定相关方适用的措施是很重要的,但要区分它们。例如,在中断发生后与所有相关方进行沟通可能是合适的,而在实施和保持业务连续性管理(见8.1.2)时与所有相关方进行沟通也许就不合适。 When planning and implementing the BCMS, it is important to identify actions that are appropriate in relation to interested parties but differentiate between them. For example, while it can be appropriate to communicate with all interested parties following a disruption, it may not be appropriate to communicate with all interested parties when implementing and maintaining business continuity management (see 8.1.2).
图4 公共和私营部门相关方的例子 Figure 4 – Examples of interested parties in public and private sectors
4.2.2 法律法规要求 Legal and regulatory requirements
本标准应用的前提是了解适用的法律和法规要求。 The application of this document pre-supposes an awareness of the applicable legal and regulatory requirements.
要求可以是隐含的、阐明的或强制性的。有关这些要求的信息宜形成文件并保持最新。新的要求或对现有要求的变更宜被传达给受影响的员工和其他相关方。 Requirements can be implied, stated or obligatory. The information regarding these requirements should be documented and kept up to date. New requirements or changes to existing requirements should be communicated to affected employees and other interested parties.
组织宜表明其可以获得与其运营相关的现行和待定的法律法规要求,以及如何满足这些要求。要求可能包括: a) 事件响应,包括应急管理和其他相关法律; b) 业务连续性,可能规定方案的范围或恢复的范围或速度; c) 风险,定义风险管理范围或方法的要求; d) 危险(如与危险品存放地点相关的运营要求)。 The organization should show that it has access to current and pending legal and regulatory requirements that are relevant to its operations and how these requirements are met. Requirements can include: a) incident response, including emergency management and other relevant legislation; b) business continuity, which can dictate the scope of the programme or the extent or speed of recovery; c) risk, requirements defining the scope or methods of risk management; d) hazards (e.g. operating requirements relating to dangerous materials stored at the location).
多地运营的组织可能需要满足不同司法管辖区的要求。 Organizations operating in multiple locations may need to satisfy requirements of different jurisdictions.
4.3 确定BCMS的范围 Determining the scope of the business continuity management system
4.3.1 总则 General
确定BCMS范围的目的是找出其边界和适用性,以确保覆盖所有相关的产品和服务,活动,地点,资源,供应商和其他依赖关系。 The purpose of determining the scope of the BCMS is to identify its boundaries and applicability to ensure coverage of all relevant products and services, activities, locations, resources, suppliers and other dependencies.
范围宜处理4.1中确定的事项,4.2中确定的相关方的要求,以及组织的使命、目标和义务。 The scope should address the issues identified in 4.1, the requirements of interested parties determined in 4.2, and the organization’s mission, goals and obligations.
组织宜编制一份声明,以适合组织规模、性质和复杂度的方式陈述BCMS的范围。该声明宜提供给相关方。 The organization should prepare a statement that sets out the scope of the BCMS in a manner and in terms appropriate to the size, nature and complexity of the organization. The statement should be available to interested parties.
4.3.2 BCMS的范围 Scope of the business continuity management system
组织宜: a) 参考产品和服务,确定BCMS范围包含或排除组织的哪些部分,例如: 1) 仅包含向一个国家或地区交付特定产品; 2) 删减不再经营或对组织价值较低的产品; 3) 仅包含产品和服务的子集; b) 以能够确定所有相关活动、资源和供应链的方式确定组织的产品和服务。 The organization should: a) establish, by reference to products and services, the parts of the organization that are included within or excluded from the scope of the BCMS, for example: 1) only including delivery of a specific product to a country or region; 2) excluding a product that is no longer viable or is of low value to the organization; 3) only including a sub-set of products and services; b) identify the organization’s products and services in a manner that enables all related activities, resources and supply chains to be identified.
范围可以: — 包括BCMS将应对的事件规模或严重程度的说明; — 确定如何使BCMS融入组织的业务战略和风险管理方法。 The scope may: — include an indication of the scale or magnitude of incident that the BCMS will address; — identify how the BCMS fits into the organization’s business strategy and approach to risk management.
4.3.3 范围删减 Exclusions to scope
范围确定了BCMS适用的地点、产品和服务、活动和资源。因此,即使没有在范围声明中明确确定,所有依赖关系也都在范围内。举个例子,如果一家制造公司将一款产品纳入其BCMS范围,那么在任何地点直接或间接参与向客户交付该产品的原材料供应、加工、交付和所有支持功能(诸如数据处理,采购和人力资源),都将包含在范围内。 The scope determines the locations, products and services, activities and resources to which the BCMS applies. It follows that all dependencies will be in scope even if they have not been explicitly identified in the scope statement. For example, if a manufacturing company includes a product in its BCMS scope, then the supply of raw materials, processing, delivery and any support functions (such as data processing, purchasing and human resources) at any location that are involved directly or indirectly in its delivery to the customer will be included.
删减不 宜 影响组织满足由业务影响分析(见8.2.2)确定的业务连续性要求的能力。不能删减交付范围内产品和服务必需的活动、资源和供应链。 Exclusions should not affect the organization’s ability to meet business continuity requirements as determined by the business impact analysis (see 8.2.2). Activities, resources and supply chains that are required to deliver in-scope products and services cannot be excluded.
BCMS范围的删减 宜 形成文件并解释理由。 Exclusions from the scope of the BCMS should be documented and the justification for them explained.
如果将BCMS集成到现有的管理体系中,组织 宜 确保BCMS的所有要素都包括在内。 If the BCMS is being integrated into an existing management system, the organization should ensure that all elements of the BCMS are included.
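As an added example (not text or code from ISO 22313 or from this translation), the following Python works through the rule in 4.3.3 that every dependency of an in-scope product is itself in scope whether or not the scope statement names it. Starting from the products named in the scope, it walks a dependency graph, returns every activity, resource, supplier and location that is therefore in scope, and rejects any proposed exclusion that an in-scope product depends on. The manufacturer, the node names and the dependency graph are constructed for the example.

```python
"""Scope closure over a dependency graph (ISO 22313, 4.3.3).

Added example, not part of the standard: every dependency of an in-scope
product is itself in scope, whether or not the scope statement names it.
The manufacturer and its dependency graph below are constructed.
"""
from collections import deque

# Constructed dependency graph: each node lists what it directly depends on.
# Node names carry a type prefix so that results can be grouped into the
# categories 4.3.3 names (locations, products, activities, resources,
# supply chains).
DEPENDENCIES = {
    "product:WidgetA": ["activity:assembly", "activity:delivery"],
    "product:WidgetB": ["activity:assembly", "activity:export"],
    "activity:assembly": ["resource:plant-line-1", "supplier:SteelCo",
                          "activity:purchasing"],
    "activity:delivery": ["resource:fleet", "activity:data-processing"],
    "activity:export": ["supplier:FreightCo", "activity:data-processing"],
    "activity:purchasing": ["activity:data-processing", "activity:hr"],
    "activity:data-processing": ["resource:datacentre-east", "supplier:CloudCo"],
    "activity:hr": ["resource:hq-office"],
    "resource:plant-line-1": ["location:plant-north"],
    "resource:fleet": ["location:depot"],
    "resource:datacentre-east": ["location:dc-east"],
    "resource:hq-office": ["location:hq"],
}


def scope_closure(graph, in_scope_products):
    """Return every node reachable from the named products (transitive closure).

    Breadth-first walk with a visited set, so cyclic dependencies (a shared
    service that depends on something that depends on it) still terminate.
    """
    seen = set()
    queue = deque(in_scope_products)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen


def check_exclusions(graph, in_scope_products, proposed_exclusions):
    """Split proposed exclusions into those that may stand and those that
    cannot, because an in-scope product depends on them (4.3.3)."""
    required = scope_closure(graph, in_scope_products)
    allowed = sorted(x for x in proposed_exclusions if x not in required)
    rejected = sorted(x for x in proposed_exclusions if x in required)
    return allowed, rejected


def group_by_type(nodes):
    """Group 'type:name' nodes by type, e.g. for a scope statement annex."""
    grouped = {}
    for node in sorted(nodes):
        kind, _, name = node.partition(":")
        grouped.setdefault(kind, []).append(name)
    return grouped


if __name__ == "__main__":
    in_scope = ["product:WidgetA"]
    for kind, names in group_by_type(scope_closure(DEPENDENCIES, in_scope)).items():
        print(f"{kind}: {', '.join(names)}")
    allowed, rejected = check_exclusions(
        DEPENDENCIES, in_scope,
        ["activity:export", "supplier:FreightCo", "activity:hr"])
    print("exclusions allowed:", allowed)
    print("exclusions rejected (required by an in-scope product):", rejected)
```

Note that "activity:hr" is rejected as an exclusion even though nothing in the scope statement mentions human resources: WidgetA depends on assembly, assembly on purchasing, purchasing on HR. That indirect chain is exactly what 4.3.3 says cannot be excluded, while the export activity and its freight supplier, used only by the out-of-scope WidgetB, can be.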
4.4 Business continuity management system
The purpose of this subclause is to emphasize the need for the organization to implement and maintain processes that will enable the BCMS to meet the requirements of ISO 22301, including interactions between the processes.
In determining the processes and their application throughout the organization, the organization should:
a) determine the inputs required and the outputs expected from these processes;
b) determine the sequence and interaction of these processes;
c) determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;
d) determine the resources needed for these processes and ensure their availability;
e) assign the responsibilities and authorities for these processes;
f) address the risks and opportunities as determined in 6.1;
g) evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;
h) improve the processes and the BCMS.
To the extent necessary, the organization should:
— maintain documented information to support the operation of its processes;
— retain documented information to have confidence that the processes are being carried out as planned.
5 Leadership
5.1 Leadership and commitment
5.1.1 General
All levels of management throughout the organization should demonstrate leadership and commitment as applicable to their areas of responsibility.
5.1.2 Top management
Top management should demonstrate leadership and commitment by:
a) assigning managerial roles and ensuring they are fulfilled (see 5.1.3);
b) establishing the business continuity policy (see 5.2);
c) appointing one or more persons with the appropriate authority and competencies to be responsible for the BCMS and accountable for its effective operation (see 5.3);
d) communicating the importance of business continuity and of conforming to BCMS requirements;
e) making available the necessary resources, including appropriate levels of funding (see 7.1);
f) promoting continual improvement (see 10.2);
g) ensuring that the intended outcomes of the BCMS are achieved;
h) providing other levels of management with support that enables them to demonstrate the leadership and commitment applicable to their areas of responsibility.
5.1.3 Other managerial roles
Other managerial levels should demonstrate their leadership and commitment by:
a) establishing business continuity objectives that are compatible with the organization's strategic objectives (see 6.2);
b) integrating BCMS requirements into the organization's business processes (see 8.1);
c) displaying awareness of applicable legal, regulatory and other requirements (see 4.2.2);
d) establishing BCMS roles, responsibilities and competencies (see 5.3 and 7.2);
e) achieving the intended outcomes of the BCMS;
f) actively engaging in the exercise programme (see 8.5);
g) conducting internal BCMS audits (see 9.2);
h) conducting effective management reviews of the BCMS (see 9.3);
i) directing and supporting improvement of the BCMS (see Clause 10).
Management commitment may also be demonstrated by:
— operational involvement through steering groups;
— inclusion of business continuity as a standing item at management meetings.
5.2 Policy
5.2.1 Establishing the business continuity policy
Top management should define the business continuity policy in terms of the organization's objectives and its obligations, and make sure that it:
a) is a concise, high-level statement of top management's intention and direction for the BCMS;
b) is appropriate to the purpose of the organization (given its size, nature and complexity, and reflecting its culture, dependencies and operating environment);
c) provides a framework for objective setting;
d) includes a clear commitment to satisfying applicable requirements, including legal and regulatory obligations;
e) includes a commitment to continual improvement of the BCMS.
The policy should:
— specify the scope and boundaries of the organization's business continuity, including limitations and exclusions (see 4.3);
— identify any authorities and delegations required, including the person or persons responsible for the organization's BCMS (see 5.3);
— include references to standards, guidelines, regulations or policies that the BCMS should consider or comply with.
The policy may contain the following:
— a funding commitment;
— references to other related policies;
— a requirement to implement business continuity;
— a commitment to exercise and maintain business continuity.
For organizations with existing management systems, it may be appropriate to integrate the BCMS policy with those relating to the other management systems.
Suitable provisions should be made for approving the policy, retaining documented information on it, and reviewing it periodically (e.g. annually) and whenever significant changes to internal or external factors occur (e.g. a change in top management, the introduction of new legislation). The suitability of such provisions will depend on the size, complexity, nature and extent of the organization.
5.2.2 Communicating the business continuity policy
The business continuity policy should:
a) be available and maintained as documented information;
b) be communicated, understood and applied within the organization;
c) be made available to interested parties as approved by management.
5.3 Roles, responsibilities and authorities
Top management should ensure the assignment and communication of responsibilities and authorities within the BCMS.
A member of top management should be responsible and accountable for the BCMS. Top management may appoint other bodies (e.g. a steering committee) to oversee the implementation and ongoing monitoring of the BCMS. Representatives, irrespective of their other responsibilities, should be appointed with defined roles, responsibilities and authority for:
— ensuring the BCMS conforms to the business continuity policy;
— reporting on the performance of the BCMS to top management for review and as the basis for improvement (see Clauses 9 and 10);
— promoting awareness of business continuity throughout the organization (see 7.3);
— ensuring the effectiveness of procedures developed for responding to incidents (see 8.4.4.2.2).
The management representative may:
— be given a specific title (e.g. "business continuity manager", "business continuity officer" or "resilience manager");
— hold other responsibilities within the organization;
— be from any area of the organization.
Representatives from functions or locations of the organization may be identified to assist in the implementation of the BCMS (e.g. those responsible for risk-related matters). Their roles, accountabilities, responsibilities and authorities should be integrated into job descriptions, which may be reinforced by including them in the organization's appraisal, reward and recognition policy. Table 3 provides examples of BCMS roles and responsibilities that could be appropriate.
NOTE Examples of teams and possible roles and responsibilities that could be appropriate for responding to incidents and resuming activities are provided in Table 5 (see 8.4.4).
Depending on the size of the organization, the roles and responsibilities set out in Table 3 could be set up in a different way. The important thing to ensure is that all responsibilities are part of a role and have an owner.
All roles, responsibilities and authorities for the BCMS should be defined and documented and be subject to audit.
Table 3 – Examples of BCMS roles and responsibilities
Role: Top management representative
Responsibilities:
— Be accountable for the BCMS
— Represent business continuity management at management reviews
Role: Business continuity manager
Responsibilities:
— Be responsible for the BCMS
— Establish and demonstrate commitment to the business continuity policy
— Lead all programme activities and coordinate with other functions
— Nominate team members with appropriate seniority, authority and competence
— Facilitate the approval of solutions, procedures and the exercise programme
— Put forward team recommendations at management review meetings
Role: Business continuity management team
Responsibilities:
— Implement business continuity management across the organization
— Maintain documentation
— Ensure that reviews of the programme are conducted on a timely basis
— Assess the adequacy of business continuity for individual functions
— Organize and coordinate business continuity awareness programmes
— Create exercise programmes and seek approval from the appropriate authority
— Conduct exercise briefings and debriefings
— Keep interested parties informed of the programme
— Ensure that exercising takes place in accordance with the exercise programme
— Ensure that internal audits and management reviews are carried out on time
— Maintain relationships with functions and liaise with them during disruptions
— Ensure that corrective action plans are implemented in a timely manner
— Facilitate the efforts of functional representatives/coordinators
Role: Functional representatives
Responsibilities:
— Maintain business continuity procedures
— Inform the business continuity manager of the status of preparedness
— Perform and report on programme activities as directed
— Confirm that suppliers' continuity plans are tested and maintained
— Coordinate the participation of personnel in exercises
— Maintain records of business continuity exercises
— Keep the team informed of changes that could affect business continuity
— Keep the business continuity manager informed of progress on corrective actions
6 Planning
6.1 Actions to address risks and opportunities
NOTE The guidance in this subclause relates to the effectiveness of the BCMS. Guidance relating to the risk of prioritized activities being disrupted is provided in 8.2.3.
6.1.1 Determining risks and opportunities
Determining and addressing risks and opportunities enables the organization to:
a) obtain assurance that the BCMS can achieve its intended outcomes;
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.
The organization should determine actions to address the issues identified in 4.1, the needs and expectations of interested parties identified in 4.2, and the legal and regulatory requirements identified in 4.2.2.
This determination should include consideration of risks and opportunities and their potential impact on the effectiveness of the BCMS. Risks and opportunities can arise from:
— a lack of leadership and commitment from top management;
— insufficient funding of the BCMS, leading to an ineffective response;
— poorly documented information;
— a lack of people with demonstrated competence;
— an inadequate management review process;
— an inability to break into new markets where business continuity is a requirement.
6.1.2 Addressing risks and opportunities
The organization should plan the actions needed to address these risks and opportunities in a manner that:
— prevents unintended outcomes;
— takes advantage of any opportunities to improve the BCMS;
— achieves integration into the BCMS processes (see 8.1);
— ensures that documented information will be available to evaluate whether the actions have been effective (see 9.1).
6.2 Business continuity objectives and planning to achieve them
6.2.1 Establishing business continuity objectives
The organization should establish objectives for the implementation and maintenance of business continuity management (see Clause 8). These should be in line with the organization's overall objectives, and should include identifying responsibilities and setting appropriate and realistic targets for completion. Planning should be communicated throughout the organization. Progress on its implementation should be monitored and documented.
As the BCMS evolves, this plan should be reviewed regularly and, where appropriate, updated.
6.2.2 Determining business continuity objectives
When determining its business continuity objectives, the organization should ensure that they specify clearly:
a) what will be done;
b) the resources that will be needed;
c) who will be responsible;
d) completion dates;
e) how results will be evaluated.
The following examples of business continuity objectives can, in certain circumstances, meet the requirements specified in ISO 22301:
— "Top management will allocate the necessary resources to ensure that a BCMS, consistent with ISO 22301, is established by [date] for all products and services.";
— "Director A will engage with XXX Consultants to achieve certification against ISO 22301 by [date] for named products and services.";
— "Top management will use existing resources to ensure that, by [date], we will have ISO 22301 compliant business continuity in place to meet our obligations to named customers.";
— "The IT Director will work with our vendors to shorten the recovery time of activities supporting named products and services by 10 %. This will be achieved by [date].";
— "Without drawing on additional resources, the production manager will have in place, by [date], business continuity management that meets the requirements of ISO 22301 and protects named products and services.".
6.3 Planning changes to the business continuity management system
Change management is an important consideration for all management processes.
Changes to the BCMS, including those identified in 10.1, should be carefully planned to ensure that the intended purpose is fully investigated and understood. This should include contemplation of the consequences of the changes proposed, ensuring that both anticipated and unintended consequences are considered, and making sure that the integrity of the BCMS is preserved.
The organization should also make sure that appropriate and sufficient resources are available, and that responsibilities and authorities are allocated or reallocated as necessary.
7 Support
7.1 Resources
7.1.1 General
The organization should determine and ensure the availability of the resources needed for the BCMS that will:
a) achieve its business continuity policy and objectives;
b) meet the changing requirements of the organization;
c) enable effective communication on BCMS matters, internally and externally;
d) provide for the ongoing operation and continual improvement of the BCMS.
Resources should be available in a timely and efficient manner.
7.1.2 BCMS resources
When identifying the resources required for the BCMS, the organization should make adequate provision for:
a) people and people-related resources, including:
- the time necessary to fulfil BCMS roles and responsibilities;
- training, education, awareness and exercising;
- management of BCMS personnel;
b) facilities, including appropriate work locations and infrastructure;
c) information and communications technology (ICT) systems, including applications that support effective and efficient programme management;
d) management and control of all forms of documented information;
e) communication with interested parties (see Figure 4);
f) finance and funding.
Resources and their allocation should be reviewed periodically in order to ensure their adequacy. It may be appropriate to involve top management in this review.
7.2 Competence
The organization should establish an appropriate and effective system for managing the competence of persons undertaking BCMS work under its control.
Management should determine the competences required for all BCMS roles and responsibilities and the awareness, knowledge, understanding, skills and experience needed to fulfil them. All persons assigned roles within the organization should demonstrate the competencies required and be provided with the training, education, development and other support needed to do so. This may be referred to as a "competence development programme" and may include:
— an assessment of competences for the role(s) to be undertaken;
— the creation of a personal development programme that identifies the training, education, development and other support needed to attain competences;
— the provision of training and mentoring, including the selection of suitable methods and materials;
— performance evaluation;
— knowledge sharing;
— job sharing;
— hiring or contracting competent persons;
— training of target groups;
— the documentation and monitoring of training received;
— the evaluation of training received against defined training needs and requirements in order to verify conformity with BCMS training requirements;
— the improvement of the development programme as needed.
The organization should have a process for identifying and delivering the business continuity training requirements of all participants and evaluating the effectiveness of its delivery.
Types of training that may be appropriate for establishing, managing and maintaining the BCMS are as follows:
— setting up and managing business continuity management;
— conducting a business impact analysis;
— conducting a risk assessment;
— communication skills;
— project management;
— developing and implementing business continuity documentation;
— running an exercise programme.
Competence may be reinforced by any of the following:
— integrating BCMS achievements into the organization's reward and recognition process;
— integrating BCMS achievements into the organization's performance and appraisal process;
— integrating BCMS roles, accountabilities, responsibilities and authority within the organization's job descriptions and skill sets;
— active participation by business users and top management in rehearsals, exercises and tests.
The organization should require contractors working on its behalf to demonstrate that the person(s) doing work under its control have the requisite competence for the BCMS and response roles that they will perform.
7.3 Awareness
The organization should ensure that all persons working under its control (e.g. staff, contractors, suppliers) are aware of the business continuity policy and the organization's business continuity objectives, and of:
— how to reduce the likelihood of disruptions and their role with regard to incident detection, mitigation, self-protection, evacuation, response, continuity and recovery;
— the importance of conformity with the business continuity policy and procedures;
— dependencies on suppliers and outsource partners and any associated risks to business objectives;
— the implications of changes in the operation of the organization;
— their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity;
— their role and responsibility in achieving conformity with its requirements.
The organization should build, promote and embed business continuity management within the culture of the organization so that:
— it becomes part of the organization's core values and management;
— interested parties become aware of the business continuity policy and their role in associated procedures.
An organization with business continuity management embedded in its culture will:
— develop business continuity more efficiently;
— instil confidence in its interested parties (especially staff and customers) in its ability to handle disruptions;
— increase its resilience over time by ensuring business continuity implications are considered in decisions at all levels;
— minimize the likelihood and impact of disruptions.
Embedding business continuity management within the culture of the organization is supported by:
— the involvement of all personnel in the organization;
— a dispersed leadership across the organization;
— the assignment of responsibilities;
— measurement based on performance indicators;
— integrating business continuity into normal management practices;
— awareness raising;
— skills training;
— exercising business continuity plans.
An awareness programme may include:
— a consultation process with staff throughout the organization concerning the set-up and management of business continuity management;
— discussion of business continuity in the organization's newsletters, briefings, introduction programme or journals (including new employee orientation);
— inclusion of business continuity on relevant web pages;
— inclusion of business continuity management as a topic in staff and management team meetings;
— selective publication of post-incident reports following incidents;
— briefings for top management;
— visits to designated alternative locations (e.g. a recovery site);
— regular communications with suppliers to ensure they understand the organization's business continuity requirements and can demonstrate their capability to meet agreed continuity capabilities.
Changes in the business environment and operations affect the approach and the way business continuity activities are planned, designed and implemented. The organization may demonstrate awareness of business continuity management trends by, for example, actively participating in industry business continuity-related activities, which may include:
— being a member of an industry interest group;
— being a member of a conference-organizing committee;
— delivering presentations at conferences and seminars;
— attending local or global business continuity conferences.
7.4 Communication
The organization should determine the communications relevant to the BCMS.
Communications relevant to the BCMS enable the organization to respond to the needs and expectations of interested parties (see 4.2). For communication to be effective, the organization should determine and, where appropriate, establish criteria for determining the following:
a) On what it will communicate: communication regarding the BCMS can be needed depending on the nature of the organization and the situation. Some organizations, for example, have legal or regulatory obligations to communicate.
b) When communication should take place: there can be thresholds beyond which it becomes imperative for the organization to communicate, and the organization's context can dictate how frequently communication should take place.
c) With whom it will communicate: all interested parties will require communication from time to time, so it is important to determine, for each interested party, the circumstances in which communication will be needed and the communication priorities.
d) The means of communication: determining in advance the methods, tools and channels of communication, including alternatives, will enable the organization to communicate effectively.
e) The persons to execute the communication: the organization should identify spokespersons to represent the organization and designate specific people to be points of contact for communication.
The organization may include references to its BCMS and business continuity arrangements in supplier and customer newsletters and briefings.
The organization should provide effective external communication as part of its awareness programme (see 7.3) and when responding to an incident (see 8.4.4).
7.5 成文信息Documented information
7.5.1 总则General
ISO 22301要求的成文信息提供了符合要求和管理体系有效运行的证据。。 Documented information required by ISO 22301 provides evidence of conformity to requirements and the effective operation of the management system.
术语“程序”是指执行一项活动或过程的规定方法。“成文程序”是指该程序 宜 在合适的介质上建立并维护。 The term “procedure” means a specified way to carry out an activity or a process. A “documented procedure” means that the procedure should be established and maintained on a suitable medium.
单个文档 可 以解决一个或多个成文程序的要求。成文程序的要求可能包含在多个文档中。 A single document may address the requirements for one or more documented procedures. A requirement for a documented procedure may be covered by more than one document.
成文信息包括: — 对组织及其环境的理解(见4.1); — 法律和法规要求(见4.2.2); — BCMS的范围和任何删减(见4.3); — 方针(见5.2); — 业务连续性目标和实现计划(见6.2); — 能力(见7.2); — 业务影响分析和风险评估(见8.2); — 业务连续性策略和解决方案(见8.3); — 业务连续性计划和程序(见8.4); — 演练方案(见8.5); — 监视、测量、分析和评估(见9.1); — 内部审核(见9.2); — 管理评审(见9.3); — 不符合和纠正措施(见10.1)。 Documented information includes: — understanding the organization and its context (see 4.1); — legal and regulatory requiren1ents (see 4.2.2); — scope of the BCMS and any exclusions (see 4.3); — policy (see 5.2); — business continuity objectives and planning to achieve them (see 6.2); — competence (see 7.2); — business impact analysis and risk assessment (see 8.2); — business continuity strategies and solutions (see 8.3); — business continuity plans and procedures (see 8.4 ); — exercise programme (see 8.5); — monitoring, measurement, analysis and evaluation (see 9.1); — internal audit (see 9.2); — management review (see 9.3); — nonconformity and corrective action (see 10.1).
此外,为确保BCMS的有效性,成文信息包含以下可能要求的信息: — 客户协议和服务等级; — 业务影响分析的结果; — 风险评估的结果; — 业务连续性 解决方案 的确定和选择; — 事件响应概述; — 意识方案; — 与员工和相关方就BCMS及事件进行的沟通,如新闻通讯、会议纪要和警报; — 组织和个人的培训方案; — 演练进度计划; — 与供应商的合同和服务级别协议; — 承包商和供应商的业务连续性方针和计划,包括对其供应商风险监控的证据,以及其供应商连续性计划维护和演练的证据; — 承包商和供应商的通知和响应程序; — 检查、保持和校正的证据; — 对已发生事件和未遂事件的报告; — BCMS评审会议记录。 In addition, documented information covering the following information can be required to ensure the effectiveness of the BCMS: — customer contracts and service levels; — results of business impact analyses; — results of risk assessments; — determination and selection of business continuity solutions; — incident response overview; — awareness programme; — BCMS and incident communications with staff and interested parties, such as newsletters, meeting notes and alerts; — training programmes for the organization and individuaIs; — exercise schedule; — contracts and service level agreements with suppliers; — contractor and supplier business continuity policy and plans, including evidence of risk monitoring of their suppliers, and evidence that their suppliers’ continuity plans are maintained and exercised; — contractor and supplier notification and response procedures; — evidence of inspection, maintenance and calibration; — post-incident reports of incidents and near-misses; — BCMS review meeting minutes.
7.5.2 创建和更新Creating and updating
为了符合创建和更新成文信息的要求: — 所有成文信息 宜 清楚标识(如名称、参考编号、描述、日期、作者、版本); — 组织 宜 详细说明可接受的格式(如语言、软件版本、图形)和可用于储存成文信息的介质(如纸质、电子); — 使用的格式和介质 宜 经过评审和批准,以确保其适宜性和充分性。 To conform to the requirements for creating and updating documented information: — all documented information should be clearly identifiable (e.g. name, reference number, description, date, author, version); — the organization should specify the formats that are acceptable (e.g. language, software version, graphics) and the media that can be used for the storage of documented information (e.g. paper, electronic); — the format and media used should be reviewed and approved for suitability and adequacy.
BCMS成文信息的范围 可能 会因组织的以下因素而有所不同: — 组织的规模、产品和服务,以及所从事的活动类型; — 活动的复杂性及其相互关系; — 人员的能力。 The extent of documented information for the BCMS may differ between organizations due to the following factors: — the size of organization, its products and services, and the type of activities that it undertakes; — the complexity of activities and their interactions; — the competence of persons.
7.5.3 成文信息的控制Control of documented information
7.5.3.1 成文信息的访问Access to documented information
所有要求的成文信息都 宜 受控。 All required documented information should be controlled.
控制文档的目的是确保组织以适当和充分的方式创建、维护和保护文档,以实施和运行BCMS。 宜 主要关注该目的,而不是建立一个复杂的文件控制系统。 The purpose of controlling documentation is to ensure that organizations create, maintain and protect documents in a manner that is appropriate and sufficient to implement and operate the BCMS. The primary focus should be on this purpose rather than establishing a complex document control system.
保护的例子包括防止文档在没有适当授权的情况下被破坏、修改和意外删除。 Examples of protection include preventing documents from being compromised or modified without appropriate authorization and from being accidentally deleted.
可以授权不同的访问等级和组合(如只读、读写和受限阅读)。组织还可以根据其敏感性(如受限、机密、保护)对其成文信息分级。如与内部劳动力中断相关的业务连续性解决方案,或包含竞争对手敏感信息的业务连续性计划和程序,可能需要这样分类。 There are various access levels and combinations that may be granted (e.g. view only, view and change, restricted view). It can also be appropriate for the organization to classify its documented information according to its sensitivity (e.g. restricted, confidential, protected). Such classification can , for example, be needed for business continuity solutions relating to internal labour disruption, or where business continuity plans and procedures contain competitor-sensitive information.
7.5.3.2 控制类型Types of control
宜 制定一个成文程序定义所需的控制措施,用以: — 分发成文信息; — 提供成文信息的访问(访问包括,例如,查看或变更成文信息的许可和授权); — 发布前审批文件的充分性; — 必要时评审、更新并重新审批文件; — 确保文件的变更及其当前的修订状态得到标识; — 确保所有适用文件的相关版本在使用处可用; — 确保文件清晰易读并易于识别; — 确保组织确定的为策划和运行BCMS所必需的外来文件得到识别,并且这些文件的分发受控; — 防止意外使用过期文件,并且如果这些文件因为某种原因需要加以保留,则对其进行适当标识; — 设置文件保存和归档参数; — 确保对机密信息的保护和保密。 A documented procedure should be established to define the controls that are needed to: — distribute documented information; — provide access to it (access includes, for example, the permissions and authority to view or change documented information); — approve documents for adequacy prior to issue; — review and update as necessary and to re-approve documents; — ensure that changes and the current revision status of documents are identified; — ensure that relevant versions of all applicable documents are available at points of use; — ensure that documents remain legible and readily identifiable; — ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the BCMS are identified and their distribution controlled; — prevent the unintended use of obsolete documents and to apply suitable identification to them if they are retained for any purpose; — establish document retention and archival parameters; — ensure the protection and non-disclosure of confidential information.
组织 宜 确保成文信息的完整性:防止对其进行篡改,进行安全备份,仅限授权人员访问,并防止损坏、退化和丢失。 Organizations should ensure the integrity of documented information by rendering it tamperproof, securely backed-up, accessible only to authorized personnel, and protected from damage, deterioration and loss.
组织 宜 证明知道所有关于保存成文信息的相关法律法规,并 宜 保留合规证据。 The organization should demonstrate awareness of all relevant legislation and regulations regarding the retention of documented information and should retain evidence of compliance.
第8章运行Operation
8.1 运行的策划和控制Operational planning and control
8.1.1 总则General
组织 宜 确定、策划、实施和控制所需的过程,以建立和保持满足适用要求(见第4章)的业务连续性管理,并实施6.1中确定的措施。 The organization should determine, plan, implement and control the processes needed to establish and maintain business continuity management that meets applicable requirements (see Clause 4) and implement the actions determined in 6.1.
这些过程 宜 融入到组织的业务过程,以确保它们得到适当的管理和有效的保持。 These processes should be integrated into the organization’s business processes to ensure that they are managed appropriately and their effectiveness maintained.
组织 宜 建立控制机制,包括: a) 决定 宜 如何确定、策划、实施和控制这些过程(如通过制定实施计划并就实施和保持业务连续性管理的方法达成一致); b) 确保对这些过程的控制按照所做的决定得到实施,例如,设置项目里程碑并详细说明所需的交付物; c) 保留成文信息以证明这些过程按策划实施。 The organization should establish control mechanisms that include: a) deciding how these processes should be determined, planned, implemented and controlled (e.g. by establishing an implementation plan and agreeing a suitable methodology for implementing and maintaining business continuity management); b) ensuring that controls over these processes are implemented in accordance with the decisions made by, for example, setting project milestones and specifying required deliverables; c) keeping documented information to demonstrate that the processes have been carried out as planned.
组织 宜 确保计划的变更受控,计划外变更得到评审,并采取了适当的措施。 The organization should ensure that planned changes are controlled, unintended changes are reviewed, and appropriate action is taken.
组织 宜 确保外包过程和供应链受控(见8.3.4.9)。 The organization should ensure that outsourced processes and the supply chain are controlled (see 8.3.4.9).
8.1.2 业务连续性管理Business continuity management
业务连续性管理包括以下要素,如图5所示: a) 运行的策划和控制(见8.1):有效的运行策划和控制是业务连续性管理的核心。它 宜 由最高管理者任命的负责人领导。 b) 业务影响分析和风险评估(见8.2):业务影响分析使组织能够评估活动中断对产品和服务交付的影响。这使组织能够确定重续活动的优先顺序。 了解这些优先活动的中断风险,使组织能够对其进行管理。 业务影响分析和风险评估的结果使组织能够为其业务连续策略和解决方案确定适当的参数。 c) 业务连续性策略和解决方案(见8.3):确定和评估一系列业务连续性策略,使组织能够确定解决方案以降低风险、减轻优先活动中断的影响,并处理任何发生的中断。选定的业务连续性解决方案可以在可接受的能力(生产和服务水平)和在议定的时间范围内重续产品和服务的交付。 d) 业务连续性计划和程序(见8.4):业务连续性计划和程序使组织能够根据其业务连续性要求来管理中断并继续活动。 宜 有一个明确的响应结构确定负责响应中断的团队(见8.4.2);组织 宜 建立并实施计划和程序用以预警和沟通(见8.4.3)、响应事件(见8.4.4.2.2)和恢复(返回正常运行)(见8.4.5)。 e) 演练方案(见8.5):演练方案使组织能够验证已制定的解决方案、计划和程序的有效性。演练方案还为组织提供机会以:
- 提升人员意识并发展能力;
- 确保业务连续性计划和程序是完整、最新和适当的;
- 改进业务连续性。
f) 业务连续性文件和能力评估(见8.6):组织 宜 评估其业务连续性管理,以确保其有效性,并使组织能够实现其业务连续性目标。
The elements of business continuity management, as shown in Figure 5, are as follows. a) Operational planning and control (see 8.1): Effective operational planning and control is at the heart of business continuity management. It should be led by a responsible person nominated by top management. b) Business impact analysis and risk assessment (see 8.2): Business impact analysis enables the organization to assess the impact that disruption of activities would have on delivery of its products and services. This enables the organization to prioritize the resumption of activities. Understanding the risks of disruption to these prioritized activities enables the organization to manage them. The outcome of business impact analysis and risk assessment enables the organization to determine appropriate parameters for its business continuity strategies and solutions. c) Business continuity strategies and solutions (see 8.3): The identification and evaluation of a range of business continuity strategies enables the organization to identify solutions for reducing the risk and mitigating the impact of disrupting its prioritized activities and deal with any disruptions that occur. Selected business continuity solutions will provide for the resumption of deliveries of products and services at an acceptable capacity (production or service level) and within agreed time frames. d) Business continuity plans and procedures (see 8.4): Business continuity plans and procedures enable the organization to manage a disruption and continue activities based on its business continuity requirements. There should be a defined response structure that identifies the teams responsible for responding to disruptions (see 8.4.2). The organization should establish and implement plans and procedures for warning and communication (see 8.4.3), responding to incidents (see 8.4.4.2.2), and recovery (return to business as usual) (see 8.4.5). e) Exercise programme (see 8.5): An exercise programme enables the organization to validate the effectiveness of solutions, plans and procedures that have been put in place. An exercise programme also provides opportunities for the organization to:
- promote personnel awareness and competency development;
- ensure that its business continuity plans and procedures are complete, current and appropriate;
- improve its business continuity.
f) Evaluation of business continuity documentation and capabilities (see 8.6): The organization should evaluate its business continuity management to ensure that it is effective and enables the organization to achieve its business continuity objectives.
图5 – 业务连续性管理要素 Figure 5 – Elements of business continuity management
8.1.3 保持业务连续性Maintaining business continuity
保持有效的业务连续性包括: — 确保业务连续性的范围、角色和责任持续相关; — 在适当的情况下,促进业务连续性管理并将其融入组织和其他相关方; — 管理与业务连续性相关的成本; — 在BCMS内建立和监视变更管理和继任管理制度; — 安排或提供适当的员工培训和意识宣贯; — 维护与组织的规模和复杂度相适宜的方案文件。 Effective maintenance of business continuity includes: — ensuring the continuing relevance of the scope, roles and responsibilities for business continuity; — promoting and embedding business continuity management within the organization and other interested parties, where appropriate; — managing costs associated with business continuity; — establishing and monitoring change management and succession management regimes within the BCMS; — arranging or providing appropriate staff training and awareness; — maintaining programme documentation appropriate to the size and complexity of the organization.
组织业务连续性安排的每个组成部分,包括文件,都 宜 定期评审、演练和更新。当组织的运营环境、组织结构、地点、人员、过程或技术发生重大变化,或当某次演练或事件暴露出不足时,也 宜 评审和更新这些安排。 Each component of an organization’s business continuity arrangements, including documentation, should be regularly reviewed, exercised and updated. These arrangements should also be reviewed and updated whenever there is a significant change in the organization’s operational environment, structure, locations, personnel, processes or technology, or when an exercise or incident highlights deficiencies.
组织 可以 采用公认的项目管理方法来确保业务连续性管理得到有效管理。 The organization may adopt a recognized project management method to ensure that business continuity management is effectively managed.
确保业务连续性保持有效的技术包括: — 实施良好实践; — 管理演练方案; — 协调业务连续性的定期评审和更新,包括复查或重做业务影响分析和风险评估; — 确保业务连续性程序持续适宜响应团队的需求。 Techniques for ensuring that business continuity stays effective, include: — implementing good practice; — administering the exercise programme; — coordinating the regular review and update of business continuity, including reviewing or reworking the analysis of business impacts and risk assessments; — ensuring that business continuity procedures remain appropriate to the needs of response teams.
8.2 业务影响分析和风险评估Business impact analysis and risk assessment
8.2.1 总则General
组织通过向客户交付产品和服务来实现其宗旨。因此,重要的是理解这些产品和服务(及支持它们的活动)的交付中断随着时间的推移对组织及其相关方产生的不利影响。理解支持产品和服务的活动的相互关系和资源要求以及它们面临的威胁也很重要。 An organization achieves its purpose by delivering its products and services to customers. It is important therefore to create an understanding of the adverse impact over time that disrupting delivery of these products and services (and the activities that support them) would have on the organization and interested parties. It is also important to understand the inter-relationships and resource requirements of the activities that support products and services and the threats to them.
组织 宜 实施和维护系统地分析业务影响(见8.2.2)和评估中断风险(见8.2.3)的过程,其结果使组织能够确定业务连续性策略和解决方案(见8.3)。业务影响分析和风险评估 宜 按计划的时间间隔和在组织内部或其环境发生重大变化时进行复查。 The organization should implement and maintain processes that systematically analyse the business impacts (see 8.2.2) and assess the risks of disruption (see 8.2.3), the outcomes of which enable the organization to identify business continuity strategies and solutions (see 8.3).The analysis of business impacts and assessment of risks should be reviewed at planned intervals and when there are significant changes within the organization or the context in which it operates.
只要评估了其优先活动面临的风险(见8.2.3),业务影响分析和风险评估的执行顺序就由组织自行确定。 It is for the organization to determine the order in which the analysis of business impact and the assessment of risk are performed as long as the risks to its prioritized activities (see 8.2.3) are assessed.
8.2.2 业务影响分析Business impact analysis
业务影响分析使组织能够为重续中断活动设定优先顺序。其主要目的是使组织能够确定中断后需要紧急行动的活动并将其归类为“优先活动”,因为如果不迅速重续这些活动,可能会造成不可接受程度的不利影响。除了那些需要快速恢复的活动之外,其他活动也可能需要优先考虑。例如,一项六个月内不需要重续但至少需要八个月才能重续的活动就需要优先考虑。因此,优先活动也可以被视为可能需要在其中断前实施业务连续性解决方案的活动(见8.3.5)。 An analysis of business impacts enables the organization to set priorities for resuming activities that have been disrupted. Its main purpose is to enable the organization to identify and classify as “prioritized” any activities that could need urgent action when they have been disrupted because failure to resume them quickly could result in unacceptable levels of adverse impact. It is possible that activities other than those needing to be recovered quickly will need to be prioritized. For example, an activity that does not need to be resumed for six months but would take a minimum of eight months to resume would need to be prioritized. Prioritized activities can therefore also be regarded as activities that can require business continuity solutions to be implemented before they are disrupted (see 8.3.5).
本标准使用术语“优先活动”,但组织 可以 使用自己的术语、时间段或优先顺序。术语的例子包括“关键”、“基本”、“重要”和“主要”。时间段的例子包括“0-2小时”、“0-1天”和“1-3天”。优先级的例子包括“高”、“中”和“低”,或“第一”、“第二”和“第三”。 This document uses the term “prioritized activity” but organizations may use their own terms, time periods or orders of priority. Examples of terms include “critical”, “essential”, “vital” and “key”. Examples of time periods include “0-2 hours”, “0-1 day” and “1-3 days”. Examples of priorities include “high”, “medium” and “low”, or “1st”, “2nd” and “3rd”.
每个组织都以自己的方式描述自己的运作方式。例如,一个组织 可以 将活动描述为组织为生产或交付其产品和服务而执行的任务或任务集(见图6)。其他组织可能希望将产品和服务描述为由活动组成的过程所创建的。 Every organization describes how it operates in its own way. For example, an organization may describe activities as being tasks or sets of tasks that the organization performs in order to produce or deliver its products and services (see Figure 6). Other organizations may wish to describe products and services as being created by processes made up of activities.
分析 宜 涵盖BCMS范围内的所有活动。可以对活动组(例如,与特定产品和服务相关的)进行分析(见图6)。 The analysis should cover all activities within the scope of the BCMS. It is acceptable to perform the analysis on groups of activities, for example, relating to specific products and services (see Figure 6).
在进行业务影响分析时,使用的术语 宜 反映组织描述其运营的方式。 When conducting the analysis of business impacts, the terminology used should reflect the way the organization describes its own operations.
图 6 – 理解组织 Figure 6 – Understanding the organization
ISO/TS 22317包含进行业务影响分析的进一步指导。它是一个技术规范,提出了一种满足ISO 22301要求的分阶段方法。 ISO/TS 22317 contains further guidance on conducting a business impact analysis. It is a Technical Specification that presents a phased approach as a way of meeting the requirements of ISO 22301.
业务影响分析使组织能够识别中断可能对其运营造成的不利影响,并编制(作为结果)一份关于业务连续性要求的声明和理由。 The analysis of business impacts enables the organization to determine the adverse impacts that disruptions would have on its operations and prepare, as an outcome, a statement and a justification of business continuity requirements.
分析还使组织能够: — 了解其产品和服务以及交付它们的活动; — 决定重续产品和服务交付的优先顺序和时间范围; — 确定连续性和恢复所需的资源; — 确定依赖关系(内部和外部)。 The analysis also enables the organization to: — obtain an understanding of its products and services and the activities that deliver them; — determine priorities and time frames for resuming delivery of products and services; — identify the resources that could be required for continuity and recovery; — identify dependencies (both internal and external).
宜 使用业务影响分析的过程来确定业务连续性优先顺序和要求。 The process for analysing business impacts should be used to determine business continuity priorities and requirements.
该过程 宜 包括明确业务影响分析的评估标准,包括要考虑的影响类型和时间范围。两者都 宜 基于组织环境、业务目标和组织目标,并 宜 考虑相关方的需求。评估标准 宜 定期复查,并在变化时期更频繁地复查。 The process should include defining evaluation criteria for the analysis of business impact, including the types of impact and time frames to be considered. Both should be based on the context, business objectives and aims of the organization and should consider the needs of interested parties. The evaluation criteria should be reviewed regularly, and more frequently during periods of change.
影响类型(可称为“影响类别”)可包括如表4所示的影响。 Types of impact (which may be referred to as “impact categories”) can include, for example, those shown in Table 4.
表4 – 影响类别示例 Table 4 – Examples of type of impact

| 类型 Type | 描述 Description |
| --- | --- |
| 财务 Financial | 罚款、罚金、利润损失或市场份额减少造成的损失 Losses due to fines, penalties, lost profits, or diminished market share |
| 声誉 Reputation | 负面评价或品牌损害 Negative opinion or brand damage |
| 运营 Operational | 业务运营流中断的范围和持续时间 Extent and duration of disruption to flow of business operations |
| 法律法规 Legal and regulatory | 诉讼责任和吊销营业执照 Litigation liability and withdrawal of license to trade |
| 合同 Contractual | 违反组织间的合同或义务 Breach of contracts or obligations between organizations |
| 业务目标 Business objectives | 未能实现目标或利用机会 Failure to deliver on objectives or take advantage of opportunities |
影响变得不可接受所需的时间 可能 在几秒钟到几个月之间变化。时间范围取决于组织产品和服务的时间敏感性。例如,为了适应对时间特别敏感的产品,时间范围可能是几分钟或几小时。较长的时间范围适用于那些提供时间不敏感产品和服务的组织。 The time taken for impacts to become unacceptable can vary between seconds and several months. The time frames will depend on the time-sensitivity of the organization’s products and services. For example, to accommodate products that are very time sensitive, the time frames may need to be minutes or hours. Longer time frames would be appropriate for organizations with less time-sensitive products and services.
活动中断可能会间接影响产品和服务的交付。例如,不能向供应商付款可能会损害组织的声誉,并导致供应商拒绝供应货物,从而妨碍产品制造或服务交付。产品和服务的需求也有每天的变化,而且从本质上可能是周期性的。与每周、每月或每年的最后期限或项目交付日期相关的活动通常有季节性变化和波峰波谷。考虑到间接后果,并假设中断发生在最糟糕的时间,可确保评估最大可能的影响。 Disruption of activities can cause delivery of products and services to be impacted indirectly. For example, the loss of the ability to pay suppliers can damage the reputation of the organization and result in suppliers refusing to supply goods, which then prevents products being manufactured or services being delivered. Products and services also have daily variations in demand and can be cyclical in nature. There are often seasonal variations and higher levels of activity associated with weekly, monthly or annual deadlines or project delivery dates. Taking indirect consequences into account and making the assumption that disruption occurs at the worst time ensures that the maximum possible impacts are assessed.
由组织的最高管理者来确定组织不可接受的影响阈值。影响变得不可接受所用的时间可称为“最长可容忍中断时间(MTPD)”、“最长可容忍时间”或“最长可接受中断”。组织可接受的产品或服务的最低水平可以表示为“最小业务连续性目标(MBCO)”。 It is for the organization’s top management to determine the thresholds of impact that are unacceptable to the organization. The time it would take for impacts to become unacceptable can be referred to as “maximum tolerable period of disruption (MTPD)”, “maximum tolerable period” or “maximum acceptable outage”. The minimum level of product or service that is acceptable to the organization can be expressed as the “minimum business continuity objective (MBCO)”.
业务影响分析还 宜 包括确定优先活动的依赖关系,使组织能够确保将这些活动纳入风险评估(见8.2.3)并可用于确定业务连续性策略和解决方案(见8.3)。 The business impact analysis should also include identifying dependencies of prioritized activities, which will enable the organization to ensure that they are included in the risk assessment (see 8.2.3) and available for determination of business continuity strategy and solutions (see 8.3).
在选择连续性解决方案(见8.3.3)之前,组织 宜 谨慎确定优先活动的资源需求(见8.3.4),因为优先活动的依赖关系可能与所选的连续性解决方案无关。 The organization should be wary of determining resource requirements of prioritized activities (see 8.3.4) before selecting continuity solutions (see 8.3.3) because the dependencies of prioritized activities may not be relevant to the continuity solutions that are selected.
业务影响分析过程 宜 包括: a) 明确与组织环境相关的评估标准,包括: 1) 影响类型; 2) 时间范围; b) 确定支持组织产品和服务交付的活动; c) 使用评估标准评估这些活动中断后随时间变化造成的预期影响; d) 估算活动不重续,影响变得不可接受的时间; e) 在以上d)中确定的时间内,设定以规定的最低可接受能力重续活动的时间范围(见图2和图3); f) 确定优先活动; g) 确定优先活动的依赖关系,包括人员(见8.3.4.2)、信息和数据(见8.3.4.3)、建筑物、工作场所和相关的公用事业(见8.3.4.4)、设备和消耗品(见8.3.4.5),信息和通信技术系统(见8.3.4.6)、运输和物流(见8.3.4.7)、财务(见8.3.4.8)以及合作伙伴和供应链(见8.3.4.9); h) 确定优先活动的相互依赖关系(例如,采购依赖于财务提供资金)。 The process for analysing business impacts should include: a) defining evaluation criteria relevant to the organization’s context, including:
- types of impact;
- time frames; b) identifying activities that support the delivery of the organization’s products and services; c) using the evaluation criteria to assess the anticipated impacts over time resulting from disruption of these activities; d) estimating the time within which the impacts of not resuming activities would become unacceptable; e) setting time frames within the time identified in d) above for resuming activities at specified minimum acceptable capacities (see Figures 2 and 3); f) identifying prioritized activities; g) identifying the dependencies of prioritized activities, including people (see 8.3.4.2), information and data (see 8.3.4.3), buildings, workplaces and associated utilities (see 8.3.4.4), equipment and consumables (see 8.3.4.5), ICT systems (see 8.3.4.6), transportation and logistics (see 8.3.4.7), finance (see 8.3.4.8), and partners and the supply chain (see 8.3.4.9); h) identifying interdependencies of prioritized activities (e.g. procurement is dependent on finance to release funds).
在本标准中,重续一项活动的时间范围(见上文e))称为活动的“恢复时间目标(RTO)”。设置活动的RTO可能还需要考虑: — 对相关活动的依赖关系; — 恢复过程的复杂性。 In this document, the time frame for resuming an activity (see e) above) is referred to as the activity’s “recovery time objective (RTO)”. Setting an activity’s RTO may also need to take into account: — dependencies on related activities; — the complexity of the recovery process.
对于具有复杂恢复过程的组织来说,为一系列可接受的能力设置多个RTO可能比较合适。 It may be appropriate for organizations with complex recovery processes to set multiple RTOs for a range of acceptable capacities.
在考虑活动对信息和数据的依赖关系时,组织 宜 确保重续活动所需的信息和数据具有适当的时效性。组织可以使用术语“恢复点目标(RPO)”来实现这一点。RPO是活动所用信息和数据被还原到的时间点,以使活动在重续时能够运营。RPO还可用于确定所需的备份频率,以避免不可接受的数据和信息丢失,以及其他可能妨碍活动重续的在制品丢失。 When considering the dependency of activities on information and data, the organization should ensure that information and data required for an activity to be resumed will be appropriately current. The organization may use the term “recovery point objective (RPO)” to achieve this. The RPO is the point up to which information and data used by an activity is restored to enable the activity to operate upon resumption. The RPO can also be used to determine the frequency of backup needed to avoid unacceptable loss of data and information, and other work-in-progress that could prevent an activity from being resumed.
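The BIA process in steps a) to h) above, and the RTO and RPO parameters it yields, can be checked mechanically once the results are recorded. The following is an added worked example, not code from ISO 22313 or from the translation team; the activity names, the hour values, the 72-hour "urgent" threshold and the consistency rules (RTO within MTPD, an activity's RTO no earlier than the RTO of what it depends on, backup interval within RPO) are assumptions chosen to illustrate the text, including the "six months versus eight months" case from 8.2.2.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


# Constructed record of one activity's BIA outcome (all durations in hours).
@dataclass
class Activity:
    name: str
    mtpd_hours: float                 # d) time until not resuming becomes unacceptable (MTPD)
    rto_hours: float                  # e) chosen resumption time frame (RTO)
    min_recovery_hours: float         # realistic minimum time to resume with current arrangements
    rpo_hours: Optional[float] = None              # acceptable data-loss window (RPO)
    backup_interval_hours: Optional[float] = None  # how often the activity's data is actually backed up
    depends_on: List[str] = field(default_factory=list)  # g)/h) dependencies on other activities


def is_prioritized(a: Activity, urgent_threshold_hours: float) -> bool:
    """f) Prioritized when resumption is urgent (MTPD within the threshold) or when
    the time needed to resume exceeds the MTPD, so a solution must exist before
    any disruption (the six-months-versus-eight-months case)."""
    return a.mtpd_hours <= urgent_threshold_hours or a.min_recovery_hours > a.mtpd_hours


def prioritized_activities(activities: List[Activity], urgent_threshold_hours: float = 72) -> List[str]:
    return [a.name for a in activities if is_prioritized(a, urgent_threshold_hours)]


def check_bia(activities: List[Activity]) -> Dict[str, List[str]]:
    """Consistency findings per activity: RTO within MTPD, dependency RTOs not
    later than the dependent activity's RTO, backup frequency within RPO."""
    by_name = {a.name: a for a in activities}
    findings: Dict[str, List[str]] = {}
    for a in activities:
        issues: List[str] = []
        if a.rto_hours > a.mtpd_hours:
            issues.append(f"RTO {a.rto_hours}h exceeds MTPD {a.mtpd_hours}h")
        for dep_name in a.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                issues.append(f"dependency '{dep_name}' is not in the BIA scope")
            elif dep.rto_hours > a.rto_hours:
                issues.append(f"depends on '{dep_name}' whose RTO {dep.rto_hours}h "
                              f"is later than own RTO {a.rto_hours}h")
        if (a.rpo_hours is not None and a.backup_interval_hours is not None
                and a.backup_interval_hours > a.rpo_hours):
            issues.append(f"backup interval {a.backup_interval_hours}h exceeds RPO {a.rpo_hours}h")
        findings[a.name] = issues
    return findings


# Constructed sample activities; not taken from any real organization.
SAMPLE_ACTIVITIES = [
    Activity("Order processing", mtpd_hours=24, rto_hours=8, min_recovery_hours=4,
             rpo_hours=1, backup_interval_hours=4, depends_on=["Finance"]),
    Activity("Procurement", mtpd_hours=168, rto_hours=48, min_recovery_hours=24,
             depends_on=["Finance"]),
    Activity("Finance", mtpd_hours=168, rto_hours=72, min_recovery_hours=24),
    # Not needed for six months (~4380 h) but takes eight months (~5840 h) to resume.
    Activity("Annual statutory report", mtpd_hours=4380, rto_hours=4000, min_recovery_hours=5840),
    Activity("Archive digitisation", mtpd_hours=2160, rto_hours=720, min_recovery_hours=100),
]

if __name__ == "__main__":
    print("Prioritized:", prioritized_activities(SAMPLE_ACTIVITIES))
    for name, issues in check_bia(SAMPLE_ACTIVITIES).items():
        print(name, "->", issues or "consistent")
```

Running it shows "Order processing" prioritized by urgency and "Annual statutory report" prioritized because its recovery time exceeds its MTPD, while the findings expose two interdependency problems the text warns about: both "Order processing" and "Procurement" depend on "Finance", whose 72-hour RTO is later than their own, and order data is backed up every 4 hours against a 1-hour RPO.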
ISO/IEC 27031提供了有关确保电子保存数据时效性的进一步指导。ISO/IEC 27002为确保数据的持续机密性、完整性和可用性提供了指导。 ISO/IEC 27031 provides further guidance with regard to ensuring the currency of electronically held data. ISO/IEC 27002 provides guidance on ensuring the ongoing confidentiality, integrity and availability of data.
宜 记录业务影响分析,包括: — 识别法律、法规和合同要求(义务)及其对业务连续性要求的影响(见4.2.2); — 对组织BCMS范围的认可或修改(见4.3); — 评估随时间变化对组织的影响,作为业务连续性要求(时间和能力)的理由; — 识别产品与服务、活动与资源之间的关系; — 识别优先活动所依赖的支持资源; — 识别对其他活动、供应链、合作伙伴和其他相关方的依赖关系。 The analysis of business impacts should be documented including: — the identification of legal, regulatory, and contractual requirements (obligations) and their effect on business continuity requirements (see 4.2.2); — the endorsement or modification of the scope of the organization’s BCMS (see 4.3); — the evaluation of impacts on the organization over time as justification for business continuity requirements (time and capability); — the identification of the relationships between products and services, activities and resources; — the identification of supporting resources that are depended on by prioritized activities; — the identification of dependencies on other activities, supply chains, partners and other interested parties.
信息可以来自: — 访谈; — 调查问卷; — 研讨会; — 其它内外部来源。 Information may come from: — interviews; — questionnaires; — workshops; — other internal and external sources.
8.2.3 风险评估Risk assessment
注 本节指导与优先活动中断的风险相关。与BCMS有效性相关的风险见6.1。 Note The guidance in this subclause relates to the risks of prioritized activities being disrupted. Guidance relating to the effectiveness of the BCMS is provided in 6.1.
风险评估的目的是使组织能够评估优先活动中断的风险,以便采取适当的措施应对这些风险。 The purpose of the risk assessment is to enable the organization to assess the risks of prioritized activities being disrupted so that it can take appropriate action to address these risks.
组织 宜 实施并保持一个正式的风险评估过程,系统地识别、分析和评价组织的优先活动以及支持这些活动的过程、系统、信息、人员、资产、供应商和其他资源的风险。 The organization should implement and maintain a formal risk assessment process that systematically identifies, analyses and evaluates the risk of disrupting the organization’s prioritized activities and the processes, systems, information, people, assets, suppliers and other resources that support them.
风险评估是一个结构化的过程,用于在决定可能需要的进一步处置之前,根据可能性和后果分析风险。这个结构化的过程试图回答一些基本的问题,比如: — 会发生什么? — 它或它们发生的可能性有多大? — 会有什么后果? — 有什么可以减轻后果或降低可能性的吗? Risk assessment is a structured process for analysing risk in terms of likelihood and consequences before deciding on further treatment that could be required. This structured process attempts to answer some fundamental questions, such as the following. — What could happen? — What is the likelihood of it or them happening? — What could be the consequences? — Is there anything that could mitigate the consequences or reduce the likelihood?
该过程 宜 考虑组织环境以及相关方的需求和期望(见4.1和4.2)。 The process should take into consideration the context of the organization and the needs and expectations of interested parties (see 4.1 and 4.2).
组织 宜 了解与组织活动所需资源相关的威胁和脆弱性,尤其是: — 被识别为高优先级的活动所需的资源; — 资源更换交付周期长于活动恢复时间目标的情况。 The organization should understand the threats and vulnerabilities relevant to the resources required by the organization’s activities, particularly those: — resources required by activities identified as high priority; — where the replacement lead time for the resource is longer than the activity’s recovery time objective.
组织 宜 选择适当的方法来识别、分析和评价可能导致中断的风险。ISO 31000给出了风险管理的原则和相关指南。 宜 包含在本标准中的典型要素如下: a) 风险识别:组织的优先活动以及支持这些活动的过程、系统、数据、人员、资产、供应商和其他资源的潜在风险源,可能来自:
- 在某种情况下可能破坏活动和资源的具体威胁(如火灾、洪水、停电、员工流失、员工缺勤、计算机病毒、硬件故障);
- 由资源脆弱性(如单点故障、消防方面的缺陷、电力韧性能力不足、人员配备不足、糟糕的IT安全和韧性)引起的中断。 b) 风险分析:理解风险以便对其进行评价并确定最适宜的处置方法。 宜 包括:
- 考虑风险的原因和来源,积极和消极后果的可能性,以及其他因素可能对这种可能性的影响;
- 确定风险,主要基于其可能性和预期后果,同时考虑现有控制措施的有效性和效率。 分析中的一个关键参数是可能性,因此 宜 考虑其正确性(基于专家之间的意见分歧、不确定性、可用性、质量、数量和持续相关性,或建模限制)的可信度,并提请决策者和其他相关方注意。 分析可以是定性的、半定量的或定量的。 c) 风险评价:评价哪些中断相关的风险需要处置。 宜 侧重于具有高优先级活动必需的或有过大更换交付周期的资源。 The organization should select an appropriate method for identifying, analysing and evaluating risks that could lead to a disruption. ISO 31000 sets out the principles of risk management and associated guidelines. Typical elements that should be included in the context of this document are as follows. a) Identification of risks: Potential sources of risk to the organization’s prioritized activities and the processes, systems, data, people, assets, suppliers and other resources that support them. These can come from:
- specific threats that could at some point disrupt activities and resources (e.g. fire, flood, power failure, staff loss, staff absenteeism, computer viruses, hardware failure);
- disruptions, which could arise from vulnerabilities within resources (e.g. single points of failure, inadequacies in fire protection, lack of electrical resilience, inadequate staffing levels, poor IT security and resilience). b) Analysis of risks: An understanding of the risk so that it can be evaluated and the most appropriate treatment can be determined. This should involve:
- considering the causes and sources of risk, the likelihood of both positive and negative consequences, and the effect that other factors could have on the likelihood;
- determining the risks, based primarily on their likelihood and anticipated consequences, but also taking into account the effectiveness and efficiency of existing controls. A key parameter in the analysis is likelihood, so confidence in its validity (based on divergence of opinion among experts, uncertainty, availability, quality, quantity and ongoing relevance of information, or limitations on modelling) should be considered and brought to the attention of decision makers and other interested parties. The analysis can be qualitative, semi-quantitative or quantitative. c) Evaluation of risks: An evaluation of which disruption-related risks require treatment. This should focus on the resources required by activities with high priority or with significant replacement lead time.
组织 宜 了解要求沟通这些发现的所有财务、监管/立法或政府义务。此外,某些社会层面的要求也可能保证在适当的详细程度上共享这些信息。 The organization should be aware of any financial, regulatory/legislative or governmental obligations requiring the communication of these findings. In addition, certain societal needs can also warrant sharing of this information at an appropriate level of detail.
原文发表于公众号“业务连续性+”