Procedures for suppliers to cover the control of External Providers
To deal with 3rd parties that are providing products and services to your company, you need to prepare the following documents for the processes that are supported by those 3rd parties:
- Define RTO and the required resources for recovery by doing the business impact analysis (folder 05 from your ISO 22301 Toolkit)
- Develop the business continuity strategy which involves the preparation of solutions and resources from third parties (folder 06 from your ISO 22301 Toolkit, in particular section 5.2 of the Business continuity strategy document)
- Write the business continuity plan and recovery plans that also involves the role for 3rd parties (folder 07 from your ISO 22301 Toolkit)
To learn more about how to perform these 3 steps, see the recordings of these free webinars:
- Implementing Business Impact Analysis according to ISO 22301 https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar/
- Developing the business continuity strategy according to ISO 22301 https://advisera.com/27001academy/webinar/developing-the-business-continuity-strategy-according-to-iso-22301-free-webinar/
- Writing a business continuity plan according to ISO 22301 https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
In addition to my 27th of December question, 8.6 paragraph demands
8.6 Evaluation of business continuity documentation and capabilities
c) conduct evaluations of the business continuity capabilities of relevant partners and suppliers;
Where in the package can I find a format for conducting an evaluation for partners and suppliers according to ISO 22301:2019
And another question, please
6.2.1 Establishing business continuity objectives
The organization shall establish business continuity objectives at relevant functions and levels.
The business continuity objectives shall:
* a) be consistent with the business continuity policy;
* b) be measurable (if practicable);
* c) take into account applicable requirements (see 4.1 and 4.2);
* d) be monitored;
* e) be communicated;
* f) be updated as appropriate.
The organization shall retain documented information on the business continuity objectives.
6.2.2 Determining business continuity objectives
When planning how to achieve its business continuity objectives, the organization shall determine:
* a) what will be done;
* b) what resources will be required;
* c) who will be responsible;
* d) when it will be completed;
* e) how the results will be evaluated.
Where can I find a format to record business continuity objectives and actions and evaluation of them, as 6.2.1 and 6.2.2 state?
Thank you once again.
And another question, please
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS.
NOTE These issues will be influenced by the organization’s overall objectives, its products and services and the amount and type of risk that it may or may not take.
Where in the package can I find a document to describe external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome, such as:
- Pandemic in the territory
- Earthquakes
- risk appetite in general and according to the site territory
1. In addition to my 27th of December question, 8.6 paragraph demands evaluations of the business continuity capabilities of relevant partners and suppliers;
Where in the package can I find a format for conducting an evaluation for partners and suppliers according to ISO 22301:2019?
You can use the same procedure and checklist used for your internal audit. Both procedure and checklist can be found in folder 10 from your ISO 22301 Toolkit.
For additional information, see (the same concept applies to ISO 22301):
- How to perform an ISO 27001 second-party audit of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/
2. And another question, please. Where can I find a format to record business continuity objectives and actions and evaluation of them, as 6.2.1 and 6.2.2 state?
Thank you once again.
You can use the document you normally use for planning to document business continuity objectives and the methods to measure them; if you do not have one, you can use the blank template provided in the root folder of your toolkit.
For further information, see:
- Setting the business continuity objectives in ISO 22301 https://advisera.com/27001academy/blog/2014/02/17/setting-the-business-continuity-objectives-in-iso-22301/
And another question, please.
Where in the package can I find a document to describe external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome, such as a pandemic in the territory, earthquakes, and risk appetite in general and according to the site territory?
The information required by ISO 22301 clause 4.1 is addressed by the following templates:
- Organization's activities (from clause 4.1 a)) and potential impact from disruptive incidents are addressed by the template Business Impact Analysis Questionnaire (located in folder 04 Business Impact Analysis Methodology)
- The organization's functions (from clause 4.1 a)) are addressed in all templates wherever an activity to be performed is required (by means of the field [job title]). Functions related specifically to the BCMS are defined in the template Business Continuity Policy, section 3.5 (located in folder 03 Business Continuity Policy)
- Organization's products and services (from clause 4.1 a)) are addressed by the template Business Continuity Policy, section 3.5 (located in folder 03 Business Continuity Policy)
- Relations with suppliers, partners, and interested parties (from clause 4.1 a)) are addressed by the template Business Continuity Strategy (located in folder 05 Business Continuity Strategy)
- Relationships between the Business Continuity Policy and the organization's other policies, objectives, and general risk management strategy (from clause 4.1 b)) are addressed by the template Business Continuity Policy, section 2 (located in folder 03 Business Continuity Policy)
- Organization's risk appetite (from clause 4.1 c)) is addressed by the template Business Impact Analysis Questionnaire, section 6 (maximum acceptable outage) (located in folder 04 Business Impact Analysis Methodology)
This article will provide you with further explanation (the same concept applies to ISO 22301):
- How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
This material will also help you regarding ISO 22301:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
Jan 06, 2021