IT SERVICE CONTINUITY MANAGEMENT POLICY

IMPRINT

Area of application | Valid from | Title

Version | Last Review | Status
01.00   | 17.07.2022  | Finalized

Author | Content Checked by | Released by
Service Continuity Management | Service Continuity Management |

Involved

Org. Unit

Topic/Reference

Cross Functional Services

Service Assurance

Carl Steynvaard

OT | IM

Services Assurance

Chief Security and CIO Officer

Services Assurance

Contact | Telephone | E-Mail

Brief Details

The purpose of this IT Service Continuity Management Policy (“Policy”) is to define the principles for managing all relevant Integrated Management System (“IMS”) documents and organizational knowledge that form an integral part of the IMS under controlled conditions.

Copyright © 17.07.2022 

This document and any information contained in this document is proprietary to Anglo American and/or its affiliates. Any information gained from the use, viewing, reading or in any other manner becoming aware of the contents of this document must be retained as confidential and no person may disclose, publish, or use the confidential information for their own or any other persons’ gain, direct or indirect benefit or interest, or incorporate, modify and create derivative works thereof, or otherwise employ, exploit or use this document in any manner except for the purpose as may be agreed in writing by Anglo American and/or its affiliates.

VERSION HISTORY AND DISTRIBUTION LIST

Version | Date Revised | Change No. | Edited by | Changes/Comments

Distribution list (scope)

Simon Bruce Webster

Electronic copy available on Policy Portal

DOCUMENT APPROVAL

Company:  |                  | Anglo American
Position: | Business Manager | Chief Security and CIO Officer
Name:     | Hennie Mey       | Michael Lipp
Position: | Business Manager | Business Manager
Date:     | 2021-10-08       | 2021-10-11

TABLE OF CONTENTS

1  POLICY OBJECTIVES
2  POLICY STATEMENTS
2.1  Anglo American Code of Corporate Practices and Conduct
2.2  IT Services Continuity
3  SCOPE
3.1  Out of Scope
4  APPLICABILITY
5  RATIONALE
6  STATUTORY AND REGULATORY ENVIRONMENT
7  BEST PRACTICE FRAMEWORKS
7.1  Internal Anglo American Body of Knowledge
7.2  External Body of Knowledge
8  PRINCIPLES
9  ROLES AND RESPONSIBILITIES
9.1  Chief Security and Information Officer (CIO)
9.2  Technical Recovery Teams
9.3  Incident Management
10  BREACH
11  EXEMPTION
12  RELATED DOCUMENTATION
13  REFERENCES

LIST OF TABLES

Table 1: Abbreviations and Acronyms
Table 2: Glossary of Terms
Table 3: Related Documents
Table 4: References

ABBREVIATIONS AND ACRONYMS

Abbreviation | Explanation
POPIA | Protection of Personal Information Act
QMS   | Quality Management System

Table 1: Abbreviations and Acronyms

GLOSSARY OF TERMS

Term | Explanation
Activity | A set of actions designed to achieve a particular result. Activities are usually defined as part of Processes or Plans and are documented in Procedures.
Available at points of use | Current versions of documents must be accessible to the people who need them. This does not mean that everyone must have his or her own copy or computer terminal.
Business Day | Any day other than a Saturday, Sunday or official public holiday in the Republic of South Africa, recognised as such under the Public Holiday Act, No 36 of 1994.
Contractor Employee | An employee appointed on a fixed-term contract, or on a contract to perform a specific task or activity.
Anglo American Group | Anglo American Group Limited (registration number 1998/021790/06), a public company duly registered and incorporated under the company laws of the Republic of South Africa, together with its wholly owned subsidiaries and associated companies.
Guideline | Non-mandatory, supplemental information about acceptable methods for implementing requirements found in Policies, Standards, Processes, Procedures, etc. Guidelines are intended to provide advice on how Objectives might be achieved.
Documents | The documents required by the various ISO standards to which an organisation subscribes, as well as documents determined to be necessary for the effective and efficient operation of an IMS and the company.
Integrated Quality Management System | A Management System that addresses several disciplines (e.g. quality, service management, security management, environment, occupational health and safety, financial management, enterprise risk management, etc.).
Management System | A set of interrelated or interacting elements of an organisation used to establish policies and objectives, and the processes to achieve those objectives. The elements of an organisation include its structure, roles and responsibilities, planning and operation, performance evaluation and improvement.
Manager | An Employee who, by responsibility or title, manages Employees, suppliers, subcontractors, agreements, budgets and/or projects and who in addition has the authority to hire, discipline and dismiss Employees and to represent the employer internally and externally.
Objective | The defined purpose or aim of a Process, an Activity or an organisation. Objectives are usually expressed as measurable targets.
Permanent Employee | An employee appointed to a position on the staff establishment of an organisation on an open-ended contract.
Policy | A set of principles or rules formulated and enforced by top management, intended to direct and limit actions in pursuit of an agreed practice or long-term goals.
Procedure | A fixed, step-by-step sequence of Activities or course of action (with definite start and end points) that must be followed in the same order to correctly perform a task.
Process | A structured set of Activities designed to accomplish a specific Objective. A Process takes one or more defined inputs and turns them into defined outputs. A Process may include any of the roles, responsibilities, tools and management controls required to reliably deliver the outputs. A Process may comprise one or several Procedures.
Record | Information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business.
Standard | A standard specifies uniform uses of specific technologies or configurations. In this document the term refers to a specific internal standard of the organisation.
Strategy | A high-level approach to a subject, designed to deliver change by implementing a Policy. For a particular subject it shall set out where the company is now, where it aims to be in a given period of time, how it plans to get there, and how it will know that it has achieved its goals.
Work Instruction | A Document providing step-by-step instructions on how to carry out a specific Activity, to ensure that operations are carried out under controlled conditions. A Work Instruction contains much more detail than a Procedure and is only created if very detailed instructions are needed.

Table 2: Glossary of Terms

1  POLICY OBJECTIVES

This Policy is binding on all who participate in the delivery of Anglo American services, and provides the structure through which a comprehensive IT Service Continuity Management Programme is designed, implemented, operated and improved.

The following targets are set to support the ability to maintain business as usual through disruptive events:

  • Adopt the ITIL IT Service Continuity Management best practice framework to ensure continuous improvement and evolution of the IT Service Continuity Management Programme
  • Ensure organisational awareness of the IT Services Continuity Management Programme
  • Ensure the continuous service provisioning of core business systems and information to all Interested Parties

2  POLICY STATEMENTS

2.1  Anglo American Code of Corporate Practices and Conduct

Anglo American Top Management endorses the principles of accountability, integrity and transparency underlying the Code of Corporate Practices and Conduct as contained in the King Report on Corporate Governance for South Africa, and also endorses the principles contained in the Protocol on Corporate Governance for Private Companies and State-Owned Enterprises (SOE).

2.2  IT Services Continuity

An effective IT Service Continuity Management Programme shall be established to ensure that the IT Service Continuity arrangements mandated by Anglo American Corporate Governance and the Business Continuity Management Programme are considered.

3  SCOPE

This Policy covers the development, implementation and operation of the IT Services Continuity Management Programme, based on ITIL IT Service Continuity Management, and the activities of the Programme, ensuring that services are reliable, consistent, continually improved in quality, available, compliant with laws and regulations, and aligned with Anglo American’s business objectives of integrating with the adopted ISO/IEC 20000-1:2018 Integrated Service Management System.

3.1  Out of Scope

Determining the criticality of services, based on organisation-wide continuity requirements, Customers and other Interested Parties, is key to the successful implementation of this Policy. The following is therefore considered out of scope, to be determined and reviewed at pre-agreed intervals:

  • Any products, services and locations that do not reference this Policy, as detailed further in the IT Services Continuity Management Programme scope

4  APPLICABILITY

This Policy applies to all Anglo American personnel involved in delivering Services within and on behalf of Customers whose contracts reference this document, unless specifically stated otherwise in the Master Services Agreement or Service Level Agreements. It is intended to be understood and adhered to by:

  • all involved in delivering Services within and on behalf of Anglo American, including Third Parties (Interns, Temporary Staff, Contractors, etc.)
  • external Service Providers working on behalf of Anglo American, participating in a value-creating service chain

5  RATIONALE

IT Service Continuity Management is a proactive programme that mitigates identified risks and establishes, in advance, a recovery capability and an agreed way of reacting to a disruption to services.

At all times and in any circumstance, Anglo American is able to provide continuous services, as mandated by Anglo American Corporate Governance. The duration of an outage or disruption to service provisioning will be minimised to a tolerable level.

6  STATUTORY AND REGULATORY ENVIRONMENT

The Programme can be influenced or controlled by the statutory and regulatory requirements of the following acts, amongst others:

  • Occupational Health and Safety Act, 1993 (Act 85 of 1993)
  • Protection of Personal Information Act, 2013 (Act 4 of 2013)
  • Disaster Management Act, 2002 (Act 57 of 2002)

7  BEST PRACTICE FRAMEWORKS

Anglo American’s adopted Service Management System, ISO/IEC 20000-1:2018, allows every aspect of the Service Management System to integrate with all of Anglo American’s Management Systems and Frameworks, and with other bodies of knowledge where required, delivering business value to Interested Parties.

The related information and references below can be used as an integrated body of knowledge:

7.1  Internal Anglo American Body of Knowledge

  • Safety, Health, Environment and Quality (SHEQ)
  • Risk Management Policy
  • Business Continuity Management Policy
  • Information Security Management Policy
  • Incident Management Policy

7.2  External Body of Knowledge

  • King IV Corporate Governance
  • ISO/IEC 27031:2011 Information Technology – Security Techniques – Guidelines for Information and Communication Technology Readiness for Business Continuity
  • ISO/IEC 20000:2018 Information Technology – Service Management – Part 1: Service Management Requirements
  • ISO/IEC 22301:2019 Security and Resilience – Business Continuity Management Systems – Requirements, paragraph
  • ISO/IEC 22313:2020 Security and Resilience – Business Continuity Management Systems – Guidance on the use of ISO 22301
  • BCI Good Practice Guidelines 2018
  • ISO 9001:2015 Quality management systems – Requirements
  • ISO 14001:2015 Environmental management systems – Requirements with guidance for use, paragraph 7.5 Documented information
  • ISO 27001:2013 Information Security Management System
  • ISO 45001:2018 Occupational health and safety management systems – Requirements with guidance for use

8  PRINCIPLES

The IT Service Continuity Management Programme shall be governed by this Policy and aligned to meet the business needs of the Anglo American Group.

9  ROLES AND RESPONSIBILITIES

Representatives of the identified critical services are involved throughout the whole planning process and must understand, contribute to and comply with this Policy as part of normal business as usual.

The following roles are detailed further in the programme documentation, and all representatives will be made aware of their responsibilities as the programme progresses.

9.1  Chief Security and Information Officer (CIO)

  • Assign the authorities for roles relevant to the programme

9.2  Technical Recovery Teams

  • Establish recovery procedures to facilitate effective recovery of identified critical services

9.3  Incident Management

  • Ownership of a functional, effective and efficient Incident Management process

10  BREACH

Where a breach of this policy has occurred, appropriate disciplinary action shall be taken in line with the Anglo American Group’s relevant human resources policies and procedures.

11  EXEMPTION

The Group Chief Executive Officer has the sole right to exempt a person or application from this Policy, or part thereof. The exemption shall be null and void unless:

  • It is in writing
  • It is signed and dated by the Chief Executive Officer
  • The Internal Audit Department is notified of the exemption; and
  • A record is kept of the exemption

12  RELATED DOCUMENTATION

The table below summarises documents that are related to this Policy:

Ref | Document Title  | Document Type | Reference
1   | Policy Template | Template      | GIJ-TEM-00146
2   | BCM Policy      | Policy        | GIJ-POL-00134

Table 3: Related Documents

13  REFERENCES

Ref | Document Title | Source
1  | BCI Good Practice Guidelines 2018 | The BCI
2  | ISO 14001:2015 Environmental Management Systems | ISO
3  | ISO 27001:2013 Information Security Management System | ISO
4  | ISO 45001:2018 Occupational Health and Safety Management Systems | ISO
5  | ISO 9001:2015 Quality management systems | ISO
6  | ISO/IEC 20000:2018 Information Technology | ISO
7  | ISO/IEC 22301:2019 Security and Resilience | ISO
8  | ISO/IEC 22313:2020 Security and Resilience | ISO
9  | ISO/IEC 27031:2011 Information Technology | ISO
10 | King IV Corporate Governance | The Institute of Directors in Southern Africa
11 | Protection of Personal Information Act, 2013 | Government Gazette
12 | Public Holiday Act, No 36 of 1994 | Government Gazette

Table 4: References