Examination Profile: RABQSA-RES - Resilience Management Systems Auditing (Security, Preparedness, Crisis, Continuity and Recovery Management)


Corresponding Competency Unit:
This Examination Profile is used in conjunction with the RABQSA-RES Competency Unit.


How to use this document
Training Providers wishing to apply for RABQSA Training Provider and Examiner Certification Scheme (TPCES) certification to the RABQSA-RES Competency Unit complete the following information and submit it to RABQSA:

Examination Method: How the candidate is going to be examined.

Location in Examiners’ Guide: Where within the documentation the examination appears.

Examination Day and Time: In a classroom training environment, the day on which the examination is completed. In other environments (e.g., workplace assessment), where the examination is located among the other examinations (e.g., after examination X is successfully completed).

RABQSA Evaluation: RABQSA uses the completed Examination Profile to verify that the examination and the methods used by the Training Provider meet RABQSA requirements for TPCES certification.



Notes:
   1. Resilience management systems address the risks of disruptive events (e.g. security, preparedness, crisis, continuity and recovery management). Therefore, RABQSA-RES auditors need to have competency in risk assessment and treatment methods to address risks before, during and after disruptive events (intentional, unintentional, and/or natural).
   2. Resilience management systems provide a comprehensive management systems approach for security, anticipation, prevention, protection, preparedness, response, mitigation, business/operational continuity, and recovery for disruptive events potentially resulting in an emergency, crisis, or disaster. Therefore, the RABQSA-RES Competency Unit covers the requirements of resilience standards (e.g., ANSI/ASIS.SPC.1: 2009; DS 3001:2009; NEN 7131:2010 or ISO 28002) as well as those of discipline-specific standards in business continuity management (e.g. ANSI/ASIS/BSI BCM.1:2010, BSI 25999:2007 or ISO/CD 22301) and security and security assurance management (e.g. ASIS/WD.PAP.1, ISO 28000:2007 or ISO/TC247 management system standards).
   3. Security management includes the fields of “security risk management”, “supply chain security management”, “security assurance management”, “physical asset protection”, “information security management”, “logistic security management” and “fraud, counterfeiting and countermeasures”.
   4. In this document “resilience standards” refers to management system standards addressing the assessment and treatment of risks of disruptive events. The term is used to include both holistic organizational and supply chain resilience standards as well as discipline-specific standards in security, preparedness, crisis, continuity and recovery management.

This is a “controlled” document on day of printing only. Refer to the BMS online for current documents.
Document Ref: TCF116: RABQSA RES Examination Profile    Edition: 1    Issued 8-Mar-11    Printed: 15-Jul-11    Page 1 of 28




Training Provider: Type Training Provider Name Here    Completion Date: 2008-01-01

Competency 1: Principles of resilience management and risk management.
Columns: Performance Criteria | Evidence Guide | Examination Method | Location in Examiners’ Guide | Examination Day and Time | RABQSA Use Only (Verification/remarks). Only the first two columns are filled in this template; the Training Provider completes the Examination Method, Location and Day/Time columns as described under “How to use this document”.

1.1 Knowledge of national or international standards for organizational resilience or resilience in the supply chain (e.g., ANSI/ASIS.SPC.1: 2009; DS 3001:2009; NEN 7131:2010 or ISO 28002), business continuity management (ANSI/ASIS/BSI.BCM.1:2010, or BS 25999:2007, ISO/CD 23301) and security management (ISO 28000).
    E1.1 The context of the various national and international standards for organizational resilience and risk management is described.

1.2 Knowledge of the underlying concepts of a multi-disciplinary perspective for managing risk.
    E1.2 The interrelationships between security, preparedness, crisis, continuity and recovery management are accurately described in accordance with the organizational resilience standards (ASIS SPC.1-2009 and ISO 28002).



Competency 1: Principles of resilience management and risk management (cont)

1.3 Develop a strategic plan and programs to minimize the likelihood and consequences of disruptive events.
    E1.3 A strategy is developed that includes the elements included in ISO 28002 or ASIS SPC.1-2009 (prevention and protection, mitigation, response, continuity, and recovery) and is shown to minimize the likelihood and consequence of disruptive events.

1.4 Understand the principles and guidelines of risk management as defined in ISO 31000.
    E1.4 The principles and guidelines of risk management as defined within ISO 31000 are defined and described.

1.5 Understand how the principles of a security and/or business continuity management system can support and integrate with an organization’s resilience and overall risk management system.
    E1.5 The principles of a security and/or business continuity management system, in relation to supporting an organization and its supply chain resilience and overall risk management system, are described.






Competency 2: Resilience management roles and responsibilities.
Columns: Performance Criteria | Evidence Guide | Examination Method | Location in Examiners’ Guide | Examination Day and Time | RABQSA Use Only (Verification/remarks)

2.1 Knowledge of the roles and responsibilities of personnel responsible for resilience management.
    E2.1 The roles and responsibilities for resilience management are described in accordance with the organizational resilience standards (ASIS SPC.1-2009 and ISO 28002).

2.2 Understand the relationship between the resilience management hierarchy and a corporate organizational structure.
    E2.2 The resilience management hierarchical structure is applied to an organizational structure, using examples for specific organizational environments.






Competency 3: Requirements of management systems.
Columns: Performance Criteria | Evidence Guide | Examination Method | Location in Examiners’ Guide | Examination Day and Time | RABQSA Use Only (Verification/remarks)

3.1 Analyze and apply the interrelationships between resilience management standards (ISO/WD 22301, ISO 28002), business continuity management system standards (ANSI/ASIS/BSI.BCM.1:2010, or BS 25999:2007, ISO/CD 23301), security management system standards (ISO 28000) and other management system standards (ISO 9001, ISO 14001, ISO 27001 and ISO 20000).
    E3.1 The compatibility and interrelationships among the various management system standards are described. An integrated and consistent organization-wide risk management strategy is developed while meeting the requirements in the various standards.

3.2 Knowledge of the documentation requirements for effective management systems according to the Organization Resilience standards (ASIS SPC.1-2009 and ISO 28002) and security management system standards (ISO 28000).
    E3.2 The scope and objectives for an organization’s management system for resilience or security are appropriately defined according to ASIS.SPC.1-2009, ISO 28002 or ISO 28000 (and/or ANSI/ASIS/BSI.BCM.1:2010, or BS 25999:2007, ISO 23301).



Competency 3: Requirements of management systems (cont).

3.3 Define the scope and objectives for an organization’s resilience or security management system.
    E3.3 The scope and objectives for an organization’s management system for resilience or security are appropriately defined according to ASIS.SPC.1-2009, ISO 28002 or ISO 28000 (and/or ANSI/ASIS/BSI.BCM.1:2010, or BS 25999:2007, ISO 23301).

3.4 Establish an organization’s internal and external context and the context for the risk management process within its resilience management system.
    E3.4 An organization’s internal and external contexts and the context for the risk management process are described in accordance with the organizational and supply chain resilience standards (ASIS SPC.1-2009 and ISO 28002) and ISO 31000.






Competency 3: Requirements of management systems (cont).

3.5 Knowledge of the relationships among the resilience and security management systems’ manual, procedures, planning, policies, and objectives.
    E3.5 The relationships among the various levels of documentation are described in accordance with the general requirements, policy and planning clauses of the resilience, business continuity, and security management system standards (e.g. ASIS SPC.1-2009, ISO 28002 and ISO 28000). The documentation relationships are described within the context of a given business/industry sector.

3.6 Determine whether audit reference documentation is suitable and appropriate according to the requirements of a resilience or security management system standard.
    E3.6 The information required for a resilience or security management system audit is accurately defined. Examples are provided for specific organizational environments (such as the auditee’s organization size, activity sector and environmental factors).







Competency 3: Requirements of management systems (cont).

3.7 Knowledge of organizational terms and definitions as defined by the organizational and supply chain resilience standards (e.g. ASIS SPC.1-2009, ISO 28002 and ISO 31000), business continuity management system standards (e.g. ANSI/ASIS/BSI.BCM.1:2010, BS 25999:2007, ISO/CD 23301) and security management standards (e.g. ISO 28000).
    E3.7 Organizational terms and definitions are accurately defined and used appropriately within the context of a specific organization or activity sector.






Competency 3: Requirements of management systems (cont).

3.8 Knowledge of the requirements for planning and resourcing a management system.
    E3.8 Requirements for planning and resourcing a management system are described in accordance with the clauses on policy, management commitment, planning, resources and authorities, and review in the resilience, business continuity, and security management standards (e.g. ASIS SPC.1-2009, ISO 28002, ANSI/ASIS/BSI.BCM.1:2010 and ISO 28000).

3.9 Identify the barriers to the effective implementation of a management system and implement methods used to eliminate these barriers.
    E3.9 The limitations/barriers to the effective implementation of resilience and security management systems are described with examples for specific organizational environments, and methods used to eliminate those barriers are demonstrated.






Competency 4: Effectiveness of a management system.
Columns: Performance Criteria | Evidence Guide | Examination Method | Location in Examiners’ Guide | Examination Day and Time | RABQSA Use Only (Verification/remarks)

4.1 Evaluate the effectiveness of a management system within the context of a given business/industry sector.
    E4.1 A management system is evaluated and compared against the requirements for evaluation and review in accordance with the clauses on checking, management review and continual improvement in the resilience, business continuity, and security management standards (e.g. ASIS SPC.1-2009, ISO 28002, ANSI/ASIS/BSI.BCM.1:2010, ISO 22301, and ISO 28000).

4.2 Use internal auditing and exercising and testing techniques that are appropriate for the auditee’s internal and external contexts and the context for risk management processes.
    E4.2 The information required for a management system internal audit and exercise and testing regime is accurately defined. Appropriate examples are provided for specific organizational environments.






Competency 4: Effectiveness of a management system (cont).

4.3 Determine the adequacy of a management system in preventing, reducing, or eliminating risks related to disruptive events.
    E4.3 The adequacy of a management system is analyzed in accordance with the clauses on performance measurement and monitoring and systems evaluation in the resilience, business continuity, and security management standards (e.g. ASIS SPC.1-2009, ISO 28002, ANSI/ASIS/BSI.BCM.1:2010 and ISO 28000).

4.4 Identify omissions in a management system that could affect security and resilience.
    E4.4 Critical omissions are defined in accordance with the review of the management system and the clauses on risk assessments and checking in the resilience, business continuity, and security management standards (e.g. ASIS SPC.1-2009, ISO 28002, ANSI/ASIS/BSI.BCM.1:2010 and ISO 28000).






Competency 5: Continuous improvement concepts.
Columns: Performance Criteria | Evidence Guide | Examination Method | Location in Examiners’ Guide | Examination Day and Time | RABQSA Use Only (Verification/remarks)

5.1 Use the Plan-Do-Check-Act (PDCA) process approach to develop, implement and improve the effectiveness of a management system that addresses operational risks.
    E5.1 The benefits of using the PDCA process approach are explained, and the PDCA cycle is used to develop and maintain a management system in accordance with the resilience, business continuity, and security management standards (e.g. ASIS SPC.1-2009, ISO 28002, ANSI/ASIS/BSI.BCM.1:2010, ISO 22301, and ISO 28000).

5.2 Knowledge of continuous improvement methods, the requirements for these methods in accordance with the resilience, business continuity, and security management standards (e.g. ASIS SPC.1-2009, ISO 28002, ANSI/ASIS/BSI.BCM.1:2010 and ISO 28000), and the impact that continuous improvement processes have on management systems.
    E5.2 Continuous improvement methods are defined and their use within a management system is described in accordance with the organizational resilience and security standards. The impact that continuous improvement methods have within a management system is explained.



Competency 5: Continuous improvement concepts (cont).
Performance Criteria | Evidence Guide | Examination Method | Location in Examiners’ Guide | Examination Day and Time | RABQSA Use Only (Verification/remarks)
5.3 Knowledge of the role of corrective and preventive actions in continuous improvement efforts.
    E5.3 The processes used to identify corrective and preventive actions are described in accordance with the resilience, business continuity and security management standards (e.g. ASIS SPC.1-2009, ISO 28002, ISO 28000, ANSI/ASIS/BSI.BCM.1:2010 and ISO 22301).





Competency 6: Legislative requirements, industry codes and applicable regulations for security management (cont).
Performance Criteria | Evidence Guide | Examination Method | Location in Examiners’ Guide | Examination Day and Time | RABQSA Use Only (Verification/remarks)
6.1 Identify applicable statutes, regulations and case law governing or affecting specific industry sectors and understand how these are used in the protection of people, property and information.
    E6.1 Methods used to identify legal and other requirements applicable to security management are demonstrated. The requirements of the applicable statutes, regulations and case law are described.

6.2 Understand and apply the controls based on legislative requirements, industry codes, and other technical information relevant to risk, resilience, security, crisis, continuity and recovery management.
    E6.2 The appropriateness and effectiveness of controls based on legislative requirements, industry codes and other technical information are described.







Competency 7: Risk management processes.
Performance Criteria | Evidence Guide | Examination Method | Location in Examiners’ Guide | Examination Day and Time | RABQSA Use Only (Verification/remarks)
7.1 Knowledge of the requirements for establishing the internal, external and risk management contexts of risk management processes (including the supply chain and interdependencies).
    E7.1 The range of contexts of risk management and methods used to establish these contexts are described in accordance with ISO 31000 and the resilience, business continuity, and security management standards’ (e.g. ASIS SPC.1-2009, ISO 28002, ANSI/ASIS/BSI.BCM.1:2010, ISO 22301 and ISO 28000) clauses on planning (risk assessment, objectives, targets, programs).





7.2 Develop risk evaluation criteria for risk management processes.
    E7.2 Methods used to develop risk evaluation criteria are described in accordance with ISO 31000 and the resilience, business continuity, and security management standards’ (e.g. ASIS SPC.1-2009, ISO 28002, ANSI/ASIS/BSI.BCM.1:2010, ISO 22301 and ISO 28000) clauses on planning (risk assessment, objectives, targets and programs).

Competency 7: Risk management processes (cont).

7.3 Understand the structure and interrelationships of risk management processes.
    E7.3 The structure of risk management processes is described in accordance with ISO 31000 and the resilience, business continuity, and security management standards’ (e.g. ASIS SPC.1-2009, ISO 28002, ANSI/ASIS/BSI.BCM.1:2010, ISO 22301 and ISO 28000) clauses on planning (risk assessment, objectives, targets, programs).






Competency 8: Risk management review processes.
Performance Criteria | Evidence Guide | Examination Method | Location in Examiners’ Guide | Examination Day and Time | RABQSA Use Only (Verification/remarks)
8.1 Determine the relationship between an organization’s documented resilience management system (derived from its assets, functions, activities and stakeholder needs), its resilience and/or security management system and specific resilience and security requirements.
    E8.1 The relationship between a documented resilience management system, security management system and an organization’s resilience and security requirements is accurately defined, giving examples for specific organizations.

8.2 Knowledge of the requirements for monitoring and reviewing risks.
    E8.2 Methods used to monitor and review risks are described in accordance with ISO 31000 and the resilience, business continuity, and security management standards’ (e.g. ASIS SPC.1-2009, ISO 28002, ANSI/ASIS/BSI.BCM.1:2010, ISO 22301 and ISO 28000) clauses on checking, maintenance and review.






Competency 8: Risk management review processes (cont).
8.3 Knowledge of the requirements for risk communication and consultation (including the documentation, communication and consultation required for each step of the risk management process).
    E8.3 Methods used for communication and consultation in relation to risks are described in accordance with ISO 31000 and the resilience, business continuity, and security management standards’ (e.g. ASIS SPC.1-2009, ISO 28002, ANSI/ASIS/BSI.BCM.1:2010, ISO 22301 and ISO 28000) clauses on communications, documentation and records.






Competency 9: Risk assessment and impact analysis.
Performance Criteria | Evidence Guide | Examination Method | Location in Examiners’ Guide | Examination Day and Time | RABQSA Use Only (Verification/remarks)
9.1 Knowledge of the requirements for asset identification and valuation to be managed.
    E9.1 Methods used to identify assets and valuation to be managed are described in accordance with ISO 31000 and the organizational resilience, security and continuity standards’ (ASIS SPC.1-2009, ISO 28000, ISO 28002, ISO/WD 22323) and the business continuity management standards’ (ANSI/ASIS/BSI BCM.1-2010, BS 25999, ISO 22301) clauses on risk assessment and security risk assessment.





9.2 Knowledge of the requirements to identify risks to be managed.
    E9.2 Methods used to identify risks to be managed are described in accordance with ISO 31000 and the organizational resilience, security and continuity standards’ (ASIS SPC.1-2009, ISO 28000, ISO 28002, ISO/WD 22323) and the business continuity management standards’ (ANSI/ASIS/BSI BCM.1-2010, BS 25999, ISO 22301) clauses on risk assessment and security risk.

Competency 9: Risk assessment and impact analysis (cont).

9.3 Knowledge of the requirements used to analyse risks.
    E9.3 Methods used to analyze risks to be managed are described in accordance with ISO 31000 and the organizational resilience, security and continuity standards’ (ASIS SPC.1-2009, ISO 28000, ISO 28002, ISO/WD 22323) and the business continuity management standards’ (ANSI/ASIS/BSI BCM.1-2010, BS 25999, ISO 22301) clauses on risk assessment, security risk and impact analysis.

9.4 Knowledge of the requirements for evaluation of risks.
    E9.4 The requirements for evaluating risks are described in accordance with ISO 31000 and the organizational resilience, security and continuity standards’ (ASIS SPC.1-2009, ISO 28000, ISO 28002, ISO/WD 22301) and the Business Continuity Management Standard’s (ANSI/ASIS/BSI BCM.1-2010) clauses on risk assessment, security and risk assessment.



Competency 9: Risk assessment and impact analysis (cont).

9.5 Knowledge of the requirements for evaluation of impact analysis.
    E9.5 The requirements for conducting an impact analysis are described in accordance with the organizational resilience, security and continuity standards’ (ASIS SPC.1-2009, ISO 28000, ISO 28002, ISO/WD 22323) and the business continuity management standards’ (ANSI/ASIS/BSI BCM.1-2010, BS 25999, ISO 22301) clauses on risk impact analysis.






Competency 10: Risk control and treatment methods.
Performance Criteria | Evidence Guide | Examination Method | Location in Examiners’ Guide | Examination Day and Time | RABQSA Use Only (Verification/remarks)
10.1 Knowledge of requirements for the treatment of risks.
    E10.1 Control methods used to identify risks to be managed are described in accordance with ISO 31000 and the organizational resilience, security and continuity standards’ (ASIS SPC.1-2009, ISO 28000, ISO 28002, ISO/WD 22323) and the business continuity management standards’ (ANSI/ASIS/BSI BCM.1-2010, BS 25999, ISO 22301) clauses on risk assessment and impact analysis, objectives, targets and programs.






Competency 10: Risk control and treatment methods (cont).
10.2 Evaluate the appropriateness, effectiveness and efficiency of selected risk treatment methods.
    E10.2 Evidence is presented to confirm that selected risk treatment methods are appropriate, effective, and efficient based on the risks and in accordance with ISO 31000 and the resilience, security and continuity standards’ (ASIS SPC.1-2009, ISO 28000, ISO 28002, ISO/WD 22323) and the business continuity management standards’ (ANSI/ASIS/BSI BCM.1-2010, BS 25999, ISO 22301) clauses on risk assessment and security risk assessment.

10.3 Identify appropriate training, exercise and review processes based on the risk assessment and Business Impact Analysis for the purpose of the organization’s resilience, security and continuity requirements.
    E10.3 Evidence is presented and demonstrated to show that selected training, exercise and review processes are appropriate to a resilience management system standard as well as an organization’s resilience, security and continuity objectives and requirements.





Competency 11: General requirements for incident prevention and management.
Performance Criteria | Evidence Guide | Examination Method | Location in Examiners’ Guide | Examination Day and Time | RABQSA Use Only (Verification/remarks)
11.1 Knowledge of the major operational elements that are encountered while undertaking resilience management system audits.
    E11.1 The major operational elements encountered during an audit are described.

11.2 Knowledge of protection measures needed to protect assets (human, physical and intangible) and ability to reduce the likelihood of a disruptive event.
    E11.2 The types of protection measures that can be taken to protect assets are described. Appropriate avoidance, prevention, and protective measures are demonstrated that will reduce the likelihood of a disruptive event.

11.3 Knowledge of the fundamental relationships needed to manage and/or evaluate the current status of the physical security, fire detection and emergency and/or restoration capabilities.
    E11.3 The relationships an organization may establish with public sector agencies, organizations and officials are described, and the role they may play in the organization’s current status of physical security, fire detection and emergency or restoration capabilities is explained.






Competency 11: General requirements for incident prevention and management (cont).
11.4 Identify ways to mitigate the consequences of disruptive events by identifying and prioritizing potential hazards (known and unknown) and risks; develop plans to prevent and manage exposure to loss, and assure continuity and recovery.
    E11.4 Actions that can be taken in response to disruptive events are described, and continuity and recovery practices for the mitigation of potential consequences of disruptive events are demonstrated by identifying and prioritizing potential hazards (known and unknown) and risks and by developing plans to prevent and manage exposure to loss.

11.5 Knowledge of personnel security measures and human asset protection methods used to provide a secure work environment.
    E11.5 Personnel security measures and human asset protection methods are determined and their implementation and management are described. Specific policies, procedures, programs and methods for the protection of human assets are evaluated.




11.6 Develop information security policies and procedures.
    E11.6 Information security policies and procedures are developed in a way that ensures information is evaluated and protected against all forms of unauthorized/inadvertent access, use, disclosure, modification, destruction or denial.

11.7 Understand and apply incident prevention and management, based on standards relevant to risk, resilience, security, crisis, continuity and recovery management.
    E11.7 The appropriateness and effectiveness of incident prevention and management, based on standards relevant to risk, resilience, security, crisis, continuity and recovery management, are described.



