BCM BSI Assessor Course Presentation Slides Evidence of Conformity Requrements of 8S 28999-22007 bse 1 Febuary 2008 BCH-BSI Azsesxor Course raising stains Evidence Demonstrating Conformity to Clause 3 + Documents relating to clauses 3.2 through 3.4 « No exclusions Inclusion of functions, departments and suppliers that are deemed essential to citical products and services in scope of BCMS Top management commitment to BCM policy Documented roles, responsibilities, competencies and authorities (in job descriptions etc.) o uh raising Staiciards wand Issue 1 - February 2008 BCM-BSI Assessor Course ©The British Standards Institution 2008 1BCM BSI Assessor Course Presentation Slides Evidence Demonstrating Conformity to Clause 3 + Interviews of employees at all levels = Can they explain BCM and their role in it? * Do they know what do to if threats materialize? + Interviews of senior managers and critical BCM employees professionals: * Can they explain their role in an incident? = Is their contact list readily at hand andis it up to date? « Are their batteries charged? standards w Evidence Demonstrating Conformity to Clause 3 * Evidence of planning and assigning resources to BCM. including budget, equipment, facilities and people with appropriate skills in understanding the organization, as well as business continuity Records of awareness training, awareness campaigns, and exercises BCM documents that are available to first responders and incident managers in the event of an incident Documented procedure for control of records alsing standards ¥ Issue 1 — February 2008 BCM-BSI Assessor Course ©The British Standards Institution 2008 2BOM BSI Assessor Course issue 4 February 2008 Clause 3 Documented: + Scope BEM objectives Policy Resources and competency + BIA + Risk assessment method + BC strategy + Incident response strueture raising ste Presentation Slides Evidence Demonstrating Conformity to + BCPs + IMPS: BOM exercises Maintenance and review of BCM arrangements * Internal audit results + Management review records * Preventive and corrective action procedures * Continual improvement actions sae p= Clause 4 organization changes over time minimum activity levels BCM-BSI Assessor Course Evidence Demonstrating Conformity to + BIA approach that is defined, docurnented and proportionate to the size and complexity of the A list of activities (or processes) that support the organizations key products and services. A list of activities and the impacts to the business (e.g. unable to meet important commitment to customers, bankruptcy, loss of reputation, etc.). and how the impact Priaritized list of activities ta recover, MTPoDs. and ©The Brilish Standards Institution 2008 3BCM BS| Assessor Course Presentation Slides Evidence Demonstrating Conformity to Clause 4 + A list of dependencies that support critical activities. | including 3rd party suppliers and outsource partners and how they are to meet the recovery requirements of the critical activity Appropriate and documented risk assessment : methodology has been used for the organization in line with the organization's scope and policy Evidence of analysis of impacts (revenues, cash flow, brand or organization reputation, and future sales) to the business should a critical activity become an incident indiardls worldwide” Evidence Demonstrating Conformity to Clause 4 List of critical activities with risk treatments (strategies or high level plans) that; reduce the likelihood, shorten the period, or limit the impact of a disruption to critical products and services Documented incident response structure Documented IMPs and BCPs Awareness and competence of the people concerned with the IMP Evidence of supplies, suppliers, equipment and facilities the plan(s) reference Issue 1— February 2008 BCM-BSI Assessor Course ©The British Standards Institution 2008 4~BCM BSI Assessor Course Issue 1 Evidence Demonstrating Conformity to Clause 4 + Reports of exercises + Evidence of outcome, feedback and required actions for improvement after exercises + Evidence that exercising the BCP has taken place and determining whether RTO's are met raising standards worldwide™ Presentation Slides Evidence Demonstrating Conformity to Clause 5 + Evidence of an audit process or procedure + Audit records + Management review records, probably at least annually or after a major incident February 2008 BCM-BSI Assessor Course ©The British Standards Institution 2008 =BCM BSI Assessor Course Issue 1 Presentation Slides Evidence Demonstrating Conformity to Clause 6 + Documented procedures for preventive actions and corrective actions Evidence of the links between processes and follow through, for example from an incident through revision of policy and BCP’s 50 as to better deal with the incident should it occur again Evidence could include records of reviews, reports of incidents, and revised incident management plans which take account of lessons learned dards vroridlvaide™ - February 2008 BCM-BSI Assessor Course ©The British Standards Institution 2008 6