My key takeaways
- Presentation of BSI-Standard 200-4 today, followed by a minimum 6-month RFC (comment) period
- BSI has existed for 30 years, IT-Grundschutz for 27 years
- Business continuity controls are often costly (e.g. redundancy), so the BCM strategy should match business needs
- Combining ISMS and BCM
- ISMS: focuses on confidentiality, integrity and availability
- BCM: availability highest priority
- Combining the duty for BCM with the role of the ISO (information security officer):
- Advantage: synergies
- Disadvantage: additional workload, so additional resources are required
- Managing a crisis ad hoc is a daunting, stressful task that may waste precious reaction time. Implementing a BCMS might reduce both stress and response times.
- No BCMS will reflect all possible scenarios. This is no reason to not implement any BCM strategies, as it will at least cover the basics and the most probable risks.
- The renewed standard 200-4 will provide a step model to match as many organizations as possible
- Objective: increase the "Organizational resilience"
Organizational Resilience is the organization’s ability to anticipate, respond and adapt to unexpected disruptions. (https://pecb.com/en/education-and-certification-for-individuals/iso-22316)
- ISO 22301 is normative, describing the what, not the how. BSI 200-4 complies with ISO 22301 but also gives more advice on how to implement it. Additional tools will be provided to support implementation.
- BSI 100-4 is compatible with 200-4; there will be a migration concept
- In real life, a lot of companies used collaboration tools and messenger apps during COVID-19 for crisis communication
- good results; additional features (live stream on site) are now easily possible
- great acceptance by the BCM users, since it is a well-known tool from daily usage
- data protection and privacy concerns are second priority in crisis situations, where protecting humans or the survival of the organization comes first
Env
- Provided by HiSolutions AG
- Presenter
- Holger Schildt, BSI
- Daniel Gilles, BSI
- Cäcilia Jung, BSI
- Marcel Lehmann, HiSolutions
- Claudia Krüger, DZ Bank Gruppe
- Thorsten Scheibel, DZ Bank Gruppe
- Uwe Grams, HiSolutions
- Sandro Amendola, BSI
- Göran Thälker, Fiege Logistik
- Jan Trulley, Fiege Logistik
- Thomas Jager, Stadtwerke Saarbrücken
- Jürgen Neuhuber, Zalando
- Moderator Stefan Nees, HiSolutions AG
- Slides:
- Vom IT-Grundschutz zum BCMS – BSI – Bund.de
- Vorstellung des modernisierten BSI-Standards 200-4 BCM
- Vom IT-Grundschutz zur organisatorischen Resilienz
- Operative Widerstandsfähigkeit – Impulsvortrag zu Anforderungen, Stand und Handlungsbedarf ; DZ Bank Gruppe
- Cyber Incident Response Erfahrungsbericht
- Krisenstabsübung remote – Lehren aus der Corona-Krise
- Agilität & Resilienz – Krisenmanagement bei Zalando
additional links
- http://www.bsi.bund.de/gs-standard200-4
- recordings: