1、 Collection of SANS standards in electronic format (PDF) 1. Copyright This standard is available to staff members of companies that have subscribed to the complete collection of SANS standards in accordance with a formal copyright agreement. This document may reside on a CENTRAL FILE SERVER or INTRA
2、NET SYSTEM only. Unless specific permission has been granted, this document MAY NOT be sent or given to staff members from other companies or organizations. Doing so would constitute a VIOLATION of SABS copyright rules. 2. Indemnity The South African Bureau of Standards accepts no liability for any
3、damage whatsoever than may result from the use of this material or the information contain therein, irrespective of the cause and quantum thereof. ISBN 978-0-626-21571-2 ARP 22399:2008 Edition 1 ISO/PAS 22399:2007 Edition 1STANDARDS SOUTH AFRICA Recommended practice Societal security Guideline for i
4、ncident preparedness and operational continuity management This recommended practice is the identical implementation of ISO/PAS 22399:2007 and is adopted with the permission of the International Organization for Standardization. This document does not have the status of a South African National Stan
5、dard. Published by Standards South Africa 1 dr lategan road groenkloof private bag x191 pretoria 0001 tel: 012 428 7911 fax: 012 344 1568 international code +27 12 www.stansa.co.za Standards South Africa This standard may only be used and printed by approved subscription and freemailing clients of t
6、he SABS.ARP 22399:2008 Edition 1 ISO/PAS 22399:2007 Edition 1 Table of changes Change No. Date Scope National foreword This recommended practice was approved by National Committee StanSA TC 223, National disaster response, in accordance with procedures of Standards South Africa, in compliance with a
7、nnex 3 of the WTO/TBT agreement. This document was published in June 2008. This standard may only be used and printed by approved subscription and freemailing clients of the SABS. Reference number ISO 22399:2007(E) ISO 2007PUBLICLY AVAILABLE SPECIFICATION ISO/PAS 22399 First edition 2007-12-01 Socie
8、tal security Guideline for incident preparedness and operational continuity management Scurit socitale Lignes directrices pour tre prpar un incident et gestion de continuit oprationnelle ARP 22399:2008This standard may only be used and printed by approved subscription and freemailing clients of the
9、SABS.ISO 22399:2007(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
10、downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in
11、 the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the addr
12、ess given below. COPYRIGHT PROTECTED DOCUMENT ISO 2007 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO
13、 at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO 2007 All rights reservedARP 22399:2008This standard m
14、ay only be used and printed by approved subscription and freemailing clients of the SABS.ISO 22399:2007(E) ISO 2007 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references . 2 3 Terms and definitions. 2 4 General. 8 5 Policy . 9 5.1 Establishing the progra
15、m 9 5.2 Defining program scope 9 5.3 Management leadership and commitment. 10 5.4 Policy development 10 5.5 Policy review . 10 5.6 Organizational structure for implementation. 11 6 Planning. 11 6.1 General. 11 6.2 Legal and other requirements . 11 6.3 Risk assessment and impact analysis .12 6.4 Haza
16、rd, risk, and threat identification. 12 6.5 Risk assessment. 12 6.6 Impact analysis . 12 6.7 Incident preparedness and operational continuity management programs 13 7 Implementation and operation 17 7.1 Resources, roles, responsibility and authority . 17 7.2 Building and embedding IPOCM in the organ
17、izations culture 17 7.3 Competence, training and awareness 18 7.4 Communications and warning 18 7.5 Operational control. 19 7.6 Finance and administration . 20 8 Performance assessment 20 8.1 System evaluation 20 8.2 Performance measurement and monitoring 20 8.3 Testing and exercises 21 8.4 Correcti
18、ve and preventive action 21 8.5 Maintenance 22 8.6 Internal audits and self assessment. 22 9 Management review 23 Annex A (informative) Impact analysis procedure 24 Annex B (informative) Emergency response management program 26 Annex C (informative) Continuity management program 28 Annex D (informat
19、ive) Building an incident preparedness and operational continuity culture. 30 Bibliography . 31 ARP 22399:2008This standard may only be used and printed by approved subscription and freemailing clients of the SABS.ISO 22399:2007(E) iv ISO 2007 All rights reservedForeword ISO (the International Organ
20、ization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been establish
21、ed has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
22、 International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Pu
23、blication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. In other circumstances, particularly when there is an urgent market requirement for such documents, a technical committee may decide to publish other types of normative document: an ISO Pub
24、licly Available Specification (ISO/PAS) represents an agreement between technical experts in an ISO working group and is accepted for publication if it is approved by more than 50 % of the members of the parent committee casting a vote; an ISO Technical Specification (ISO/TS) represents an agreement
25、 between the members of a technical committee and is accepted for publication if it is approved by 2/3 of the members of the committee casting a vote. An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for a further three years, revised to become an In
26、ternational Standard, or withdrawn. If the ISO/PAS or ISO/TS is confirmed, it is reviewed again after a further three years, at which time it must either be transformed into an International Standard or be withdrawn. Attention is drawn to the possibility that some of the elements of this document ma
27、y be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO/PAS 22399 was prepared by Technical Committee ISO/TC 223, Societal security. It includes parts of NFPA 1600:2004, BS 25999-1:2006, HB 221:2004, INS 24001:2007 and the compiled work
28、 of the Japanese Industrial Standards Committee. ARP 22399:2008This standard may only be used and printed by approved subscription and freemailing clients of the SABS.ISO 22399:2007(E) ISO 2007 All rights reserved v Introduction This incident preparedness and operational continuity guideline establi
29、shes the process, principles and terminology of incident preparedness and operational (business) continuity management (IPOCM) within the context of societal security. The purpose of this guideline is to provide a basis for understanding, developing and implementing incident preparedness and operati
30、onal continuity within an organization and to provide confidence in organization-to-community, business-to-business and organization-to-customer/client dealings. The guideline is a tool to allow public or private organizations to consider the factors and steps necessary to prepare for an unintention
31、ally, intentionally, or naturally caused incident (disruption, emergency, crisis or disaster) so that it can manage and survive the incident and take the appropriate actions to help ensure the organizations continued viability. It also enables the organization to measure its IPOCM capability in a co
32、nsistent and recognized manner. This guideline provides a generic framework applicable to all types and sizes of organizations enabling consideration of diverse geographical, cultural, economic, national, political and social conditions. Interested parties and stakeholders require that organizations
33、 proactively prepare for potential incidents and disruptions in order to avoid suspension of critical operations and services, or if operations and services are disrupted, that they resume operations and services as rapidly as required by those who depend on them, as shown in Figure 1. IPOCM is a ho
34、listic management process that identifies potential impacts that threaten an organization and provides a framework for minimizing their effect. Key 1 after introduction implementation of IPOCM 2 before introduction implementation of IPOCM Figure 1 Concept of incident preparedness and IPOCM This Publ
35、icly Available Specification provides a comprehensive set of controls based on IPOCM best practice and covers the whole IPOCM lifecycle. It is intended for use by anyone with responsibility for public or private sector organization operations, from directors and executives through all levels of the
36、organization; from those with a single site to those with a global presence; from small and medium enterprises (SMEs) to organizations employing thousands of people. It is therefore applicable to anybody who holds responsibility for any ARP 22399:2008This standard may only be used and printed by app
37、roved subscription and freemailing clients of the SABS.ISO 22399:2007(E) vi ISO 2007 All rights reservedoperation, and thus the continuity of that operation. For purposes of this guide, operational continuity is the more general term for business continuity and is used to emphasize relevance to all
38、types of organizations in the public and private sectors. This guideline details integrated planning and management processes that proactively help organizations to understand the environment within which the organization operates, the existence of constraints, and threats to the organization that c
39、ould result in a significant disruption; quantify the impact of a disruption on critical operational (business) functions and processes; determine the parts of the operations and business that are critical to its short- and long-term success; identify the infrastructure and resources required to ena
40、ble the organization to continue to operate at a minimum acceptable level; document the key resources, infrastructure, tasks and responsibilities, required to support these critical operational functions in the event of a disruption; establish processes that ensure the information remains current an
41、d relevant to the changing risk and operational environments; ensure that relevant employees, customers, suppliers and other stakeholders are aware of the preparedness and continuity arrangements and, where appropriate, have confidence in their application; implement solutions accordingly and provid
42、e for their continual improvement. It is important to recognize that effective IPOCM requires a fundamental cultural change within the organization including an acceptance of uncertainty and imperfection. All levels of an organization need to appreciate that risk is inherent in every decision and ac
43、tivity, and that a proportion of this risk has the potential to create disruption. People at all levels of an organization, therefore, need to consider how they will manage such disruptions to their activities. This IPOCM guideline enables a public or private sector organization to assess and manage
44、 risk with the goal of assuring organizational resilience and long-term performance. It does not prescribe any particular model for application. There are various recognized models and methodologies which weave incident preparedness and operational continuity decision-making into the fabric of an or
45、ganizations overall operational and business practices, making the organization more efficient, more competitive, and better able to meet important challenges. This guideline provides a set of problem identification and problem-solving tools that can be implemented by any organization in many differ
46、ent ways, depending on its activities and needs. By incorporating a dynamic systematic risk-based process into incident and continuity management, organizations can make informed decisions tailored to their resources. The model chosen should instill an organizational culture that drives continual im
47、provement. Typically, management models include several common elements: policy, planning, implementation and operation, performance assessment, improvement and management review. This Publicly Available Specification provides guidance on addressing these common elements when developing and implemen
48、ting a management model that addresses the specific needs of the organization and its place in the community. Whichever management model or methodology is chosen, the full set of IPOCM actions should be adopted. IPOCM is directly linked to organizational governance and establishes good management pr
49、actice. IPOCM establishes a strategic and operational framework to implement, proactively, an organizations resilience to disruption, interruption, or loss in supplying its products and services. It should not be a purely reactive measure taken after an incident has occurred. IPOCM requires planning across many facets of an organization; therefore its resilience depends equally on its management and operational staff, as well as technology, and requires a holistic approach to be taken in establishing the IPOCM model o
