ISO/IEC 20000-1:2011

Title:
Information technology — Service management — Part 1: Service management system requirements

Description:

ISO/IEC 20000 is the standardisation norm for ITIL (IT Infrastructure Library).

The standard consists of

  • ISO/IEC 20000-1 – requirements
  • ISO/IEC 20000-2 – code of practice.

“ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.”

ISO 20000 describes IT processes.

The following processes are described in the Service Delivery group:

  • Capacity Management
  • Service Continuity & Availability Management
  • Service Level Management
  • Service Reporting
  • Information Security Management
  • Budgeting & Accounting for Services.

This is where the processes relevant to BCM and ITSCM are found.

Certification:

Certification under ISO/IEC 20000-1:2011 is possible.

Reference:

ISO

ISO/IEC 24762:2008

Title:

Guidelines for information and communications technology disaster recovery services

Publisher:

ISO

Publication:

February 2008

Description:

ISO/IEC 24762:2008 provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management, applicable to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services.

ISO/IEC 24762:2008 specifies:

  • the requirements for implementing, operating, monitoring and maintaining ICT DR services and facilities;
  • the capabilities which outsourced ICT DR service providers should possess and the practices they should follow, so as to provide basic secure operating environments and facilitate organizations’ recovery efforts;
  • the guidance for selection of recovery site; and
  • the guidance for ICT DR service providers to continuously improve their ICT DR services.

Certification:

no certification

Source:

ISO

ISO/PAS 22399:2007

Title:

Societal security – Guidelines for incident preparedness and operational continuity management

Publisher:

ISO (TC 223)

Publication:

December 2007 – withdrawn on 25.11.2013 (withdrawn stage 95.99)

Description:

Guidance for incident management

1 Scope
2 Normative references
3 Terms and definitions
4 General
5 Policy
5.1 Establishing the program
5.2 Defining program scope
5.3 Management leadership and commitment
5.4 Policy development
5.5 Policy review
5.6 Organizational structure for implementation
6 Planning
6.1 General
6.2 Legal and other requirements
6.3 Risk assessment and impact analysis
6.4 Hazard, risk, and threat identification
6.5 Risk assessment
6.6 Impact analysis
6.7 Incident preparedness and operational continuity management programs
7 Implementation and operation
7.1 Resources, roles, responsibility and authority
7.2 Building and embedding IPOCM in the organization’s culture
7.3 Competence, training and awareness
7.4 Communications and warning
7.5 Operational control
7.6 Finance and administration
8 Performance assessment
8.1 System evaluation
8.2 Performance measurement and monitoring
8.3 Testing and exercises
8.4 Corrective and preventive action
8.5 Maintenance
8.6 Internal audits and self assessment
9 Management review
Annex A (informative) Impact analysis procedure
Annex B (informative) Emergency response management program
Annex C (informative) Continuity management program
Annex D (informative) Building an incident preparedness and operational continuity culture

Certification:

no certification of the BCM under ISO 22399 possible

Source:

ISO

ISO/IEC 27031:2011

Title:

Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity

Publisher:

ISO (JTC 1/SC 27)

Publication:

2011

Description:

The standard describes the ITSCM lifecycle, building on the BCM lifecycle.

Abstract (JTC 1/SC 27):

ISO/IEC 27031:2011 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) for improving an organization’s ICT readiness to ensure business continuity. It applies to any organization (private, governmental, and non-governmental, irrespective of size) developing its ICT readiness for business continuity program (IRBC), and requiring its ICT services/infrastructures to be ready to support business operations in the event of emerging events and incidents, and related disruptions, that could affect continuity (including security) of critical business functions. It also enables an organization to measure performance parameters that correlate to its IRBC in a consistent and recognized manner.

The scope of ISO/IEC 27031:2011 encompasses all events and incidents (including security related) that could have an impact on ICT infrastructure and systems. It includes and extends the practices of information security incident handling and management and ICT readiness planning and services.

Certification:

no certification

Source:

ISO

ISO 22398:2013

Title:

Societal security – Guidelines for exercises and tests

Publisher:

ISO (ISO/TC 292 Security and resilience)

Publication:

13.09.2013

Description:

Guidance for conducting tests and exercises

Certification:

Certification of the BCM under ISO 22301 possible, successor to BS 25999-2

Source:

ISO

ISO 22300:2012

Title:

Societal security – Terminology

Publisher:

ISO (ISO/TC 292 Security and resilience)

Publication:

2012

Description:

Definitions of terms for the TC 223 standards

Abstract (TC 223):

ISO 22300:2012 contains terms and definitions applicable to societal security to establish a common understanding so that consistent terms are used.

Certification:

Certification of the BCM under ISO 22301 possible, successor to BS 25999-2

Source:

ISO

ISO 22313:2012

Title:

Societal security – Business continuity management systems – Guidance

Publisher:

ISO (ISO/TC 292 Security and resilience)

Publication:

December 2012

Description:

Guidance for ISO 22301:2012

Abstract (TC 223):

ISO 22313:2012 for business continuity management systems provides guidance based on good international practice for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system that enables organizations to prepare for, respond to and recover from disruptive incidents when they arise.

It is not the intent of ISO 22313:2012 to imply uniformity in the structure of a BCMS but for an organization to design a BCMS that is appropriate to its needs and that meets the requirements of its interested parties. These needs are shaped by legal, regulatory, organizational and industry requirements, the products and services, the processes employed, the environment in which it operates, the size and structure of the organization and the requirements of its interested parties.

ISO 22313 is generic and applicable to all sizes and types of organizations, including large, medium and small organizations operating in industrial, commercial, public and not-for-profit sectors that wish to:

  • establish, implement, maintain and improve a BCMS;
  • ensure conformance with the organization’s business continuity policy; or
  • make a self-determination and self-declaration of compliance with this International Standard.

Certification:

Certification of the BCM under ISO 22301 possible, successor to BS 25999-2

Source:

BSI, ISO

ISO 22301:2019

Title:

Societal security – Business continuity management systems – Requirements

Publisher:

ISO (ISO/TC 292 Security and resilience)

Publication:

October 2019

Description:

The international ISO standard for business continuity management systems

Abstract (TC 292):

This document specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.

The requirements specified in this document are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization’s operating environment and complexity.

This document is applicable to all types and sizes of organizations that:

a) implement, maintain and improve a BCMS;

b) seek to ensure conformity with stated business continuity policy;

c) need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption;

d) seek to enhance their resilience through the effective application of the BCMS.

This document can be used to assess an organization’s ability to meet its own business continuity needs and obligations.

Certification:

Certification of the BCM under ISO 22301 possible, successor to BS 25999-2

Source:

BSI, ISO