
Touchstone

ISSN 1179-2426

Business

Business continuity draft Standard issued for public comment

A three-part draft joint Australian and New Zealand Standard on 'Business continuity' (Management of disruption-related risk) was issued for public comment on 30 July 2009.

Every day, local, national, and world events remind organisations that things do not always go as expected. Sometimes this occurs with little or no warning. Even so, it's no longer acceptable for organisations – including governments – to have failed to recognise their exposure to the risks related to disruption, or to have failed to manage such risks effectively.

Draft Standard AS/NZS 5050:2009 Parts 1 to 3 explain how an organisation's management and governance systems can be adapted and, where necessary, strengthened, to achieve the goal of continuity (despite exposure to disruptive events or unanticipated change). They do so by applying the concepts and processes of the forthcoming international Standard on Risk management – to be known in Australia and New Zealand as AS/NZS/ISO 31000:2009.

Key features of draft AS/NZS 5050:2009 Parts 1 to 3 are as follows.

  • Provides the world's first national business continuity management standard based on ISO 31000, the successor to AS/NZS 4360:2004.
  • Builds upon the very successful HB-292 by incorporating the latest thinking.
  • Delivers resilience.
  • Moves beyond other current business continuity management Standards by:
    • Contemplating a complete range of disruption risks.
    • Integrating seamlessly into risk management frameworks that are based on AS/NZS 4360:2004 and the forthcoming AS/NZS/ISO 31000:2009.
    • Enabling businesses to protect cross-organisational functions and departmental structures.
    • Building flexible capability, thereby allowing organisations to accommodate change, as well as unforeseen events and consequences.
    • Allowing organisations to seize opportunities.
    • Enabling organisations to prepare, respond, and adapt – in real time – to change and/or disruptive events.
    • Reflecting both precedent and the present organisational environment.
  • Integrates with existing management system Standards including ISO 9001 (Quality management systems), ISO 14001 (Environmental management systems), ISO 27001 (Information security management), and ISO 28000 (Supply chain security management system), and is thus efficiently implemented.
  • Integrates easily into existing assurance processes without imposing separate certification regimes or an additional compliance burden.

Note: The public consultation process on this draft Standard was delayed to ensure the Standard is completely aligned with the recently released final draft of ISO 31000.

Drafts are free to download from our website: www.standards.co.nz.

Protecting electronic data – new international Standard

Summarised from an article by Maria Lazarte, Assistant Editor, ISO Focus, in ISO Focus magazine, June 2009.

To protect the confidentiality and integrity of new data being transferred or stored, the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) have developed a new Standard.

Information technology – Security techniques – Authenticated encryption, ISO/IEC 19772:2009, defines authenticated encryption mechanisms. The mechanisms have been designed to maximise the level of security and provide efficient processing of data for optimum results. It specifies six encryption methods (based on a block cipher algorithm) that can be used to ensure data confidentiality, data integrity, and data origin authentication.

'ISO/IEC 19772 will give confidence to users that their data is safe,' says Professor Mitchell, Project Editor of the new Standard. 'Not only will it be useful for protecting information, but also for furthering the development of online transactions, e-businesses, and other applications involving sensitive data.'

DRAFT STANDARDS FOR COMMENT

Free to download from our website: www.standards.co.nz

DR 09053 CP Business continuity management Part 1: Specification

Provides a structure for a business continuity management system (BCMS). The BCMS specifies requirements for developing and implementing policy, frameworks and programs to assist an organisation to manage its risk of business disruption as well as build continuity and organisational resilience. Public comment on this draft closes on 10 September 2009.

DR 09054 CP Business continuity management Part 2: Practice

May be applied to a wide range of activities, decisions or operations of any public, private, not-for-profit sector, or community entity. For convenience the term 'organisation' is used throughout the Standard to denote any or all of these entities. Public comment on this draft closes on 10 September 2009.

DR 09055 CP Business continuity management Part 3: Assurance

Provides a structure and requirements for the development and implementation of a Business Continuity Management (BCM) audit and assurance programme. The described audit and assurance methodology will assist an organisation in measuring and validating the suitability of plans and procedures to identify, assess and manage disruption risks and incidents, where such plans and procedures aim to achieve preparedness, stabilisation, continuity and recovery and contribute to organisational resilience. Public comment on this draft closes on 10 September 2009.