
ISO 22301 Business Continuity Standard (BCS):
1. Compliance with ISO 22301 Business Continuity Standard is used by the Business Continuity Manager using this Business Continuity Management Service.
2. Business Continuity management objectives include:-
  (1) To ensure that bespoke application services do not stop and cannot be stopped.
  (2) To ensure that no single point of failure exists in any infrastructure.
  (3) To replicate equipment so the effect of a hardware failure cannot be detected by a person using a bespoke application service.
  (4) To be comfortable that business continuity is adequate to survive any hurricane, tsunami, tornado, fire, flood, gas leak or smoke.
  (5) To ensure that bespoke application services continue when electrical power is down, when water mains are not working and when fuel shortages make travel impractical.
  (6) To be certain that in the event of a pandemic that prevents people from coming together, bespoke application services will continue without any major issues.
  (7) To build an environment that can survive a sustained distributed denial of service (DDoS) attack.

2. Glossary of Terms:
BCM means Business Continuity Manager as the person responsible.
BCS means Business Continuity Standard as ISO 22301 and associated family of standards.
BCMS means Business Continuity Management Service as the documentation application that makes it all happen.

Business Continuity Management Service - Chapters:
1. Introduction to identify the nature and roles of the parties involved.
2. Executive Summary as a summary of the key provisions deployed.
3. Glossary of the terms used to manage the BCMS.
4. Context of the Organisation to identify the parties and responsibilities.
5. Leadership as how qualified experts working with external auditors build and maintain compliance.
6. Planning to identify what can go wrong at the infrastructure and personal level.
7. Support to ensure that lines of communication are adequate when faced with physical disasters.
8. Operation to ensure that bespoke application services do not stop and cannot be stopped.
9. Performance Evaluation to audit with the help of the best industry experts in the world to identify areas for improvement.
10. Improvement to relentlessly and continually improve business continuity.

2. Plan Do Check Act (PDCA):
1. Plan is covered by Context of the Organisation (4), Leadership (5), Scope of the EMS, Internal and External Issues, Needs and Expectations of Interested Parties to establish objectives and processes needed to deliver results in accordance with the Business Continuity policy.
2. Do is covered by Support (7) and Operation (8) as the implementation of the processes as planned.
3. Check is covered by Performance Evaluation (9) to monitor and measure processes against the Business Continuity policy, including its commitments, objective and operating criteria, and report the results.
4. Act is covered by Improvement (10) to take actions to continually improve.

3. Business Continuity Policy:
1. The business is the provision of bespoke application services with continual improvements to companies in all parts of the world.   The application Service Provider (ASP) is a supply chain of independent companies working in partnership who may act like and can be treated as a single company, however no one company could expect to recruit and retain the large spectrum of qualified skills and experienced knowledge that is needed to provide the bespoke application services to many companies in many countries.   The business is an internet-based service to any kind of computing device without the provision of any hardware or software.   Business Continuity factors apply to the multitude of data centers that provide the service and to the people who manage the service.
2. The Business Continuity Policy is to provide bespoke application services that do not stop and cannot be stopped.   The primary business continuity principle is the use of a large number of replicated data centers where each data center houses a large number of redundant servers.   In the event of a server failure, business continues to be provided by other servers.   In the event of a data center failure, business continues to be provided by other data centers.

4. Business Continuity Audit:
1. The quality audit to ISO 22301 standard shall only be conducted on chapters 4 to 10 of the BCMS.   Chapters 1 to 3 are not audited and do not need to comply with any standard.

5. Roles:
1. Each bespoke application service owner is responsible for their own Internet connections and all local infrastructure that may include any kind of desktop, laptop, tablet or smart phone.   An owner may choose to have multiple Internet connections via different Internet Service Providers and may choose to back up using wireless mobile devices.   If the ISP has a failure or power is lost, business may continue to be provided via any smart phone using the mobile network.
2. The application service provider is using ten distributed data centers in 2016 and expects to be using twenty replicated data centers by the end of 2017.   The number of secure data centers that house racks of redundant servers will grow to one hundred before 2020.
3. In the event of a failure of one data center, business continues to be provided using replicated data from another data center.   It is considered to be very unlikely that all distributed data centers in many countries could fail at the same time.
4. Business data is encrypted and replicated to each data center where the encryption means it is plausible to say that the business data does not exist in any specific place.   It is considered to be very unlikely that any specific data could be lost from all data centers at the same time.
5. It is understood that some agencies may be able to gain access and copy any encrypted business data from any data center.   It is a policy to ensure that all excessively encrypted data is always unreadable, meaningless and worthless to a criminal.   It is a policy that no one person has access to the keys, methods and knowledge needed to decrypt any business data.

6. Audit Planning:
1. Bespoke application services never stop and cannot be stopped.   By design, application programs have been replaced by an artificially intelligent assistant that does not have programming vulnerabilities and does not need maintenance patches.   Business rules are continually improved in a knowledgebase without any downtime.
2. More and more secure data centers are being added and each data center houses more and more redundant servers.   While competitors consolidate servers with virtualisation, the ASP chooses to operate with a large number of highly dedicated servers that do one job and cannot be made to do anything else.   Web servers run in parallel so in the event that any one web server fails, the end user will never notice as the bespoke application service continues using other web servers.   Application servers run in parallel so in the event that any one application server fails, other application servers continue to provide the same bespoke application services.
3. All servers are powered by batteries and the batteries are continually charged by solar panels and/or wind turbines.   Batteries may be topped up from mains power from time-to-time if needed.   Costs are minimised by using free renewable energy for the majority of the time, but this also means a data center cannot fail if its mains power is lost.
4. Each data center will have at least two separate and independent high speed Internet connections.   By renting space in the data centers that provide the Internet backbone, very high speed connections can be rented that eliminate ISP network issues.
5. Most single points of failure have been identified and redundant equipment installed to be used when needed, but no data center can be perfect.   Software based networking means that people using one data center can quickly be switched to use another data center.   All business data is replicated, so backups, recovery and restart have become obsolete.

7. Disaster Planning:
1. In the event of a pandemic such as the bird flu outbreak where people should not travel and congregate in one place, then bespoke application services can continue to be provided to any kind of computer in any approved location.   This could be people working from home or working in a remote office with different equipment on different networks.   This may include people using their smart phones in any location to continue to access their bespoke application services.
2. In the event of a fuel shortage such as when fuel tanker drivers were in dispute and people could not get fuel for their cars, then business can continue from other places.   Commuting can be reduced with car sharing and teams selecting alternative places of work, so long as their bespoke application services can continue to be provided.
3. In the event of a fire that burns the office and all equipment to the ground, then alternative equipment may be rented in a different location and business can continue using the same bespoke application services.   No constraints are placed on the computers that may be rented with any version of any operating system without the need for any software to be downloaded.
4. In the event of a flood where people cannot access their normal place of work, then business can continue from any other location and some people may have to work from home.   An Internet connection by landline or mobile network is the only constraint on the place of work.

8. What will happen:
1. Business continuity involves a degree of determining what changes are taking place and how those changes will impact on bespoke application service provision.   By monitoring history and documenting trends, business continuity improvements can stay one step ahead of business requirements.
2. The switch in retailing from physical shops to internet has had a lot of impact and will continue to impact all retailers.   The switch from products to services is a more interesting evolution that has seen the reduction in manufacturing and the growth of FinTech.
3. Banking is evolving as the use of cash declines and payment by smart phone becomes more effective.   The reduction in cash and the reduction of retail shops and the reduction of products come together with one trend influencing the others.
4. The reduction in the use of CD, DVD and USB storage devices is almost complete - everything is becoming online and realtime with a smart phone.   The smart phone will replace the TV remote control and replace physical door keys - your smart phone is like a passport.
5. Physical paper documents are declining as physical signatures have been replaced with cheaper online services.   In the same way as emails replaced letters, paper tickets become an icon on a smart phone and evidence is by registered online services, rather than a signature.
6. The effect of these trends is very high levels of automation where business continuity is not just nice to have - it's mandatory.

9. Shareholders:
1. A large number of independent companies can act together as a big company to be many times more effective and productive.   When a person has earned the right to run their own company, then they have the right skills, qualifications and experience to compete with any big company in partnership with others.
2. Big companies are very ineffective because of inter-department rivalry and too many meetings.   Small companies are very productive because they can rapidly switch from design to development to deployment and final inspection.
3. Small independent companies can provide a higher level of business continuity than a bigger company that is continually threatened by takeover.   This can be deployed using the two-shareholder rule.
4. It is a fact that every shareholder will eventually die or may become seriously incapacitated before they die.   These risks are real and business continuity measures MUST be deployed to mitigate the risks as:
  (1) The independent company shall have two shareholders as Directors each with one one-pound share so when one shareholder dies the other shareholder provides business continuity to all contracts until a new shareholder can take over.
  (2) The Directors Service Agreement shall have a clause that the agreement is automatically terminated when the shareholder dies and the shareholder's share shall be bought back by the company for its face value of one pound and sold to the next shareholder.
  (3) The independent company mission shall be to reduce annual profits towards zero and to reduce fixed assets towards zero, so the company valuation does not rise above the value of the two one-pound shares issued.
  (4) A Director shall have a Last Will and Testament where it is clearly stated that the one pound share in the company shall be bought back by the company so it can be sold to the next shareholder.
  (5) A Director shall have a Power of Financial Attorney where the executor is nominated as the next shareholder in the event that the Director is incapacitated and cannot carry on their duties as a shareholder and Director.
5. A key clause in IR35 regulation is that the company must have the right and ability to substitute one person for another on a project.   By having two Directors, one Director is able to act as a substitute for the other at any time.   In fact, where both Directors sometimes work together on a project, then IR35 cannot apply.   The ability to substitute one person for another is a fundamental part of business continuity for any project.
6. Where only one Director exists, then the company must be able to contract an alternative person to provide business continuity in the event of a health problem or death.   A person should measure the effectiveness of every company with the company ability to guarantee business continuity in the event of natural risks.

Document Control.
1. Document Title: Business Continuity: ISO 22301 Standard.
4. Description: Business Continuity: ISO 22301 Standard.
3. Keywords: Business Continuity: ISO 22301 Standard.
6. Privacy: Shared with approved people for the benefit of humanity.
7. Page: 162602.
8. Edition: 1.1.
9. Issued: 2 Jan 2018.