Business Continuity Management System (BCMS) Policy


NBU-DIT Management is committed to:


•    Ensure the business continuity policy and the objectives are established and are compatible with the strategic direction of the organization
•    Ensure the integration of the BCMS requirements into the organization’s processes
•    Ensure that the resources needed for the BCMS are available
•    Ensure that the BCMS achieves its intended outcome(s)
•    Direct and support persons to contribute to the effectiveness of the BCMS
•    Continual improvement of the BCMS
•    Compliance with applicable business continuity relevant legal and regulatory requirements

NBU-DIT Management acknowledges:


•    The importance of ensuring business continuity and being committed to supporting the business goals and principles defined within BCMS
•    The importance of ensuring IT services are provided continuously
•    The adopted approach in BCMS will be based on ISO 22301 and globally accepted best practices
•    A risk-driven methodology to minimize the risk level for its processes and services, including (but not limited to) data, facilities, technology, application systems, and people should be adopted.
•    A comprehensive approach to implementing an appropriate level of business continuity, derived from established requirements within the ISO 22301:2019 standard, should be developed.
•    Policies that provide management directions and guidelines for the implementation and operation of business continuity should be developed and followed

NBU-DIT Management Directions:


•    Coordination between representatives from different departments/functions of NBU-DIT with relevant business continuity roles and responsibilities should be established.
•    The business continuity roles and responsibilities of employees within the recovery team should be defined and documented as part of their job descriptions.
•    A comprehensive Business Impact Analysis (BIA) must be completed every three years for NBU-DIT products and services, as well as when significant changes occur, to identify and develop strategies to reduce the likelihood and impact of a business interruption.
•    An annual Risk Analysis (RA) of the NBU-DIT business services/facilities must be conducted to identify risks that could interrupt NBU-DIT products and services, and effective risk mitigation treatments must then be applied to reduce their likelihood and impact.
•    NBU-DIT will use the results of the RA and BIA to develop a priority ranking of essential services, or operations, and develop appropriate risk mitigation and recovery strategies.
•    NBU-DIT should identify internal and external dependencies involved in the delivery of NBU-DIT products and services and develop mutually supportive business continuity strategies.
•    NBU-DIT must develop business continuity strategies, plans, and procedures to support NBU-DIT’s business objectives and availability of essential services. Plans must include updated lists of key resources required for the recovery and resumption of essential services. Resources include personnel, facilities, critical infrastructure and IT assets (software and hardware), data, materials and office equipment/furniture, and communications.
•    Business continuity plans must be exercised at least annually to the extent necessary to confirm plan effectiveness and to ensure personnel are prepared and trained.
•    Employees and key stakeholders must be aware of the NBU-DIT BCM plans, understand their contents, and be aware of their roles and responsibilities.
•    NBU-DIT must review business continuity plans on a monthly basis to ensure they are current, valid, and readily accessible during a business interruption.
•    All employees, contractors, and third parties must comply with relevant policies, standards, procedures, and guidelines.
 
