I am an Information Security Officer in a retail industry company with hypermarkets and malls in XXXX. My company is in the retail industry and our core business is providing and selling goods to our customers in these hypermarkets through Point of Sales terminals. We are also doing online E-Commerce through our website.
Our company has different departments like
I am implementing ISO 22301 and I need to do the scoping of the BCMS. Can you please advise me how I should perform these tasks? What are the things that I should consider while scoping, and what departments should I include in the scope of the BCMS?
Answer: To define the BCMS scope you first need to identify the organizational context (e.g., external and internal aspects that can be severely impacted by disruptive events, business objectives, the BCMS purpose, etc.).
After that you have to define the interested parties to your BCMS and their requirements, as well as legal and regulatory requirements that must be fulfilled by your organization.
With this information you can define your BCMS in terms of products, services, and processes that must have their continuity ensured during a disruptive event. The identification of departments to be included will depend on the previously listed elements.
Thank you Dejan for your reply.
Being in the retail industry and having several malls and hypermarkets in the region, can I make the choice of BCMS in terms of services and processes only, ignoring the location aspects? Because my company has several hypermarkets in the region, setting up a redundant hypermarket during a disaster would not be possible, as it may incur complexity and more cost.
After analyzing the interested parties and their expectations, can I define a scope which will involve my core business process (which is selling products through Point of Sales) and the processes/departments which support this core business process (Point of Sales)? Can I take that approach?
When defining a BCMS scope you have to define the location where your business processes are performed, but you can limit them the way you wish, so there is no need to include all locations you have. An example of scope text considering your stated information is:
"The BCMS scope is the selling products process performed by the Point of Sales department in the following malls and hypermarkets: [list here the addresses of the units that will be part of the BCMS scope]."
Thanks rhandleal for the reply.
For the certification purpose, can I include in scope only the IT dept. and its services to start with, and then in future include other departments in the BCMS scope? My limitation is that management have given me a 6-month target for getting the ISO 22301 certification.
Could it be possible that initially I will take only the IT dept. in the BCMS scope? Please advise.
First it is important to understand that the objective of continuity management is to ensure the continuity of processes and services impacted by disruptive events, which can cover one or more organizational units.
Considering that, you can define your scope to cover only the IT department, and expand the scope to other departments later, but you have to ensure that at this initial phase the services in the scope have little relation with, or dependency on, other departments.
Regarding your 6-month deadline, without more details about the size and complexity of your IT services, it is not possible to tell if this time frame is enough.
Thanks Rhandleal for the reply.
Well, I have decided that I will be taking my Operations dept. in scope, as this dept. handles our core business, which is daily sales and revenue. The business processes within this dept. are core business processes. Now if I take this dept. in scope along with the IT dept., do I need to perform the BIA of IT as well? I need to write a BCP plan for my operations dept.; do I need to write the BCP for the IT dept. as well?
If my scope will be a business dept. which handles my core business process and the IT dept. is just an enabler for the operations dept., do I need to perform all the activities like BIA, RA, BC Strategy and BCP for IT as well? Or will BIA, RA and BCP for the operations dept. be enough?
As mentioned in the previous answer, you have to think in terms of processes instead of organizational units. You have to perform the BIA and RA considering all elements that can impact your sales process, i.e., your operation department and the IT department (if one of these departments is down due to a disruptive event your process will be interrupted).
Regarding the BCP strategy and BCP itself, you have to consider the results of BIA and RA to define for which departments you will have to develop them (most probably you will have to elaborate BCP strategies and BCPs for both departments).
Thanks rhandleal for the great reply. I appreciate your help and support. Now I understand that I should stress processes rather than departments, but for the matter of scope, and because I have to face the cert. audit, I need to mention the departments in the scope document.
With that being said, I will perform the BIA and RA for both departments as a start of my enterprise BCMS, and then include other processes/departments in scope in future.
Also, can you please share your email address so that in case I need some advice I can write to you?
You have been a great help, mate. Can I ask for more advice and suggestions in the future course of my project? Please advise.