ISO 22301 Business Continuity Management System (BCMS) Consultancy

Ensuring Senior Management Awareness
Top management support is of great importance in order to establish and maintain the ISO 22301 Business Continuity Management System in a way that meets the needs. For this reason, an information presentation is made to raise the awareness of senior management on business continuity. This presentation is attended by the board member responsible for business continuity, the sponsor of the BMS project, members of the business continuity governance committee, unit managers and representatives from the management levels to which unit managers report. In the first part of the presentation, why there is a need for a business continuity management system, what the ISO 22301 standard is, what it brings to business continuity management, and the reasons, dimensions and damages of large-scale business interruptions experienced in our country in the past are discussed. In the second part of the training, the method to be followed during the establishment of a business continuity management system in your business is introduced and the points that the management should take part in during the installation of BMSMS are explained.

Determining the Scope of ISO 22301 Business Continuity Management System
The scope of ISO 22301 BCMS can be a specific part of the institution or the entire institution. However, in both cases, the organization must fully and accurately define the scope and boundaries of the BCMS. The scope of BCMS is determined by taking into account the intention of the top management and the business continuity objectives of the institution. ISO 22301 and ISO 22313 standards expect products and services that directly affect the viability of the business to be included in the scope. When determining the scope, it is necessary to take into account the processes excluded from the BCMS and interactions with other institutions. The institution must be able to explain with solid justifications why those excluded from the scope were excluded. The scope document and the information that must be included in the document are prepared by BTYÖN. Requirements for determining the scope of business continuity are described in Article 4 Organizational Content of the ISO 22301 standard.

Business Continuity Management Policy
This policy provides a framework that sets goals, directs and motivates management, and determines the management scope and criteria for which products and services will be evaluated. In order for the BCMS policy to find its purpose, the management must make employees feel its determination that the items in the policy will be implemented. Expectations regarding business continuity policy are stated under the title of Article 5 Leadership of the ISO 22301 standard.
Establishing a Business Continuity Organization
In order for the pre-incident preparations of the business continuity management system to be fully carried out and to ensure recovery within the foreseen time by performing the expected level of intervention during the incident, everyone involved must embrace the management system. In this context, İSYS roles and responsibilities are created and documented by taking the opinion of the relevant units of your business. Consultancy support is provided for studies such as preparation of performance indicators, training programs, etc. to ensure ownership of roles. Expectations regarding business continuity roles and responsibilities are stated under the title of Article 5 Leadership of the ISO 22301 standard.

Business Impact analysis and Risk Assessment
Business impact analysis and risk assessment constitute the basis of the ISO 22301 business continuity management system to be established. The methodologies to be used in business impact analysis and risk assessment are created under the leadership of BTYÖN by taking the opinions of the relevant units of your business. Once the methodologies are approved by management, analysis work begins. Analysis studies are carried out together by BTYÖN and your business's business continuity coordinators. For this purpose, after determining the methodologies, business continuity coordinators are given training on the business impact analysis and risk analysis methodologies to be used. Expectations regarding Business Impact Analysis and Risk Assessment are discussed under the Made 8 Operation heading of the ISO 22301 standard.
Business Impact Analysis
Business impact analysis begins with determining the business processes that enable your business to deliver key products and services to stakeholders. General information about the relevant business processes, which key products and services it supports, the legal, operational, financial and reputational effects of a possible interruption, and the resources required to continue the process (human resources, technology resources, information resources and facilities) are determined. Based on the detected impact values, the targeted recovery time (RTO) and maximum tolerable downtime (MTPD) are determined for each process. The determined periods are used during the recovery priority study. Business impact analysis is carried out by holding meetings with the relevant units. The first meetings with the units are held by BTYÖN consultants and business continuity coordinators. After the first meetings, the business impact analysis is aimed to be carried out by business continuity representatives. All forms filled out in business impact analysis meetings are checked by BTYÖN consultants and necessary actions are taken to correct the detected errors and prevent them from recurring. After the business impact analysis is completed, the consolidation of the forms and the writing of the business impact analysis report are carried out by BTYÖN.

Risk Assessment and Processing
Risk assessment consists of identifying, leveling and reporting risks that may cause disruption in your business's critical business processes. Risks that may cause business interruption are discussed in meetings with units. Participants provide input into the risk study by considering past outages and their causes. In addition to this information, identification of threats to the safety of employees and reports on the physical security of buildings, fire, earthquake and other physical conditions, studies on occupational safety and health, internal audit findings, external audit findings, information security risks, data center evaluation reports, etc. . Business continuity risks are determined by using risk sources.
‍
The business continuity committee decides to take measures such as risk reduction, transfer or acceptance regarding the reported risks. Studies regarding the risks for which risk reduction or transfer decisions are made are initiated and monitored. All risk assessment studies are carried out together with BTYÖN and relevant business continuity representatives.
Determining Business Continuity Strategies
The study of determining business continuity strategies includes determining how the continuity needs determined in the business impact analysis and approved by management will be implemented in your business. In order to achieve the targeted recovery times determined in the business impact analysis, a suitable, predefined and documented incident response structure is needed. How each critical business process will be restored within the targeted recovery time is examined in detail, the actions to be taken are determined and the incident response structure is documented. This work is carried out jointly with BTYÖN consultants, business continuity coordinators and relevant unit managers. The determined business continuity strategies are presented to the business continuity committee and the development of business continuity plans begins after management approval. ISO 22301 expectations regarding business continuity strategies are discussed under Article 8.3 of the standard.

Business Continuity and Emergency Plans
After determining business continuity strategies, business continuity and incident response plans are prepared. Before creating the plans, the procedures and sub-plans to be referenced in the plan are determined and consultancy is provided to the relevant employees to develop the necessary documentation. At this stage, the recovery organization is also determined and stated in the business continuity plans. Template documents for all necessary documentation are customized according to the needs of your business and the documentation is unified under a common roof. Business continuity procedures and plans are discussed in Article 8.4 of the ISO 22301 standard. Business continuity plans contain at least the following information.
• Scope and purpose of the business continuity plan    
• Business continuity organization    
• Critical processes, IEA studies and services    
• Under what conditions and how the plan will be activated    
• References to detailed recovery procedures    
• Issues regarding plan exercise    
• Identifying crisis communication needs and including them in the plan    
• How to manage situations and make emergency notification
• How to maintain and update the business continuity plan
People-oriented plans within the company are reviewed and improvement suggestions are presented. Examples of these plans include evacuation plans, emergency action plans and pandemic incident plans.
Education and Awareness
The main purpose is to adopt a business continuity culture, to ensure that the personnel working within the scope of the ISO 22301 business continuity management system learn their duties, and to ensure that all employees learn how to act in emergency situations. The training plan to be implemented is prepared jointly by BTYÖN and relevant units. The training materials to be used in training are developed by BTYÖN specifically for your business. Training to be given to senior management and business continuity coordination team is provided by BTYÖN. E-learning or training-of-the-trainer techniques are used in the training to be given to all employees, ensuring that awareness training is spread throughout your business. Issues related to business continuity awareness are discussed under Article 7.3 of the ISO 22301 standard.

Exercises and Tests
The purpose of this step is to measure the effectiveness of the plans prepared within the scope of the ISO 22301 business continuity management system and to ensure that your business is prepared for real disaster situations. It is aimed that the studies carried out will meet the targeted rescue times. A drill management process specific to your business is prepared for drills. An annual exercise program is prepared within the scope of the project. Prepares the exercise program together with representatives of BTYÖN's relevant business units and presents it to the business continuity committee. According to the approved business continuity exercise program, three basic stages are carried out for each exercise: before, during and after. A detailed exercise plan is prepared before each exercise. A comprehensive business continuity exercise is carried out at least once within the scope of the project. BTYÖN carries out exercise planning with support from relevant units. BTYÖN makes the necessary measurements and observations during the exercise to be carried out within the scope of the project and reports its impressions after the exercise. BTYÖN provides consultancy support for the necessary work to close the non-conformities that arise as a result of the exercise. ISO 22301 expectations regarding drills and tests are explained under heading 8.5 of the standard.
I
Internal audit activity should be carried out as part of the implementation of the ISO 22301 business continuity management system. BTYÖN prepares the internal audit procedure, internal audit program and plan, and internal audit checklist and submits it for your approval. BTYÖN accompanies the internal audit team to be formed by your business and supports the creation of the internal audit process. BTYÖN personnel who will participate in this piece will be personnel who have not taken part in the project. BTYÖN provides consultancy services to close the findings of the internal audit. Root cause analysis and corrective action planning for all findings are carried out together by the operating personnel and BTYÖN. The internal audit obligations of the ISO 22301 standard are explained under Article 9.2. Requirements for nonconformities and corrective actions are specified in article 10.1 of the ISO 22301 standard.

Management Review
In accordance with ISO22301, senior management must periodically review the established Business Continuity Management System. The review activity is carried out in a meeting where the management is present. The inputs and possible outputs of the meeting are specified in the ISO22301 standard. BTYÖN carries out the activity of preparing the necessary information for the management review and presenting it to the management. Preparation of information is carried out together with the operating personnel. All expectations, including inputs and outputs for management review, are described under heading 9.3 of the ISO 22301 standard.
Support and Warranty for the Certification Process
Before the ISO 22301 Business Continuity Management System Audit, a workshop is organized for final checks and to answer the questions of the personnel who will be audited. If nonconformities are reported by the certification company after the certification audit, the necessary consultancy service to close the nonconformities is provided within the scope of the project. The necessary work to eliminate all non-conformities is carried out together by BTYÖN and the operating personnel.