ISO 22301:2019
Security and resilience — Business continuity management systems — Requirements
Let’s take a look at the requirements of ISO 22301, which are given in clauses 4 to 10.
Clause 4 - Context: Organizations must understand who they are, what they are doing, and which processes and outputs they must sustain. They must also determine who has a stake in the continuity of operations – interested parties – and what their expectations are. Also, legal and regulatory requirements must be identified and documented. With this information, the organization establishes and documents its ISO 22301 scope. When determining the scope, the organization’s locations, missions, goals, products, and services must be considered.
Clause 5 - Leadership: For successful implementation of ISO 22301, organizations need the continuous support and leadership of top management. To show their commitment, the top management of the organization should develop, document, and communicate a policy within the organization and with interested parties while making resources available, directing and leading employees to contribute to the effec
tiveness of ISO 22301. For this purpose, organizational roles must be clearly defined with responsibilities, authorities, and competencies for each role.
Clause 6 - Planning: To plan for business continuity, organizations must understand what disruptions could potentially occur and how these incidents affect the business. Organizations must consider the consequences of risks, their impact, and the benefits of opportunities regarding their context and plan actions to address them. The standard also mandates organizations to set measurable BCMS objectives to guarantee the minimum viable products or services, as well as compliance with any legal or regulatory requirements. These objectives must be documented and communicated. To achieve them, organizations must have action plans within a timeframe, with responsibilities assigned.
Clause 7 - Support: No organization can advance without resources and support. Organizations must consider resource needs and provide them to meet their BCMS objectives. These resources may include infrastructure, technology, communication, competence, awareness, and documented information. The standard requires documented evidence of competence for the defined roles, such as training records, education, and professional background.
Clause 8 - Operation: This section of the standard describes the activities that should be performed to meet BCMS objectives and return to the normal way the organization operates. Key activities include:
Conducting and documenting a business impact analysis (BIA) and risk assessment. The BIA should identify the operational, legal, and financial impacts resulting from the disruption. While conducting the BIA, the duration of the disruption is an important input for determining impacts and, later, the recovery time. The risk assessment enables the organization to analyze the likelihood of disruption to its activities, and resources. Learn more about the BIA in the article How to implement business impact analysis (BIA) according to ISO 22301.
Developing a business continuity strategy Companies are required to develop a continuity strategy using the information gathered from the risk assessment and business impact analysis. Business continuity strategy essentially means the development of options and the selection of the most appropriate actions, including mitigation, response, and recovery. You can learn more about the importance of recovery in the article Can business continuity strategy save your money?.
Establishing and implementing business continuity procedures. Organizations are required to document business continuity plans and procedures based on the outputs of their strategy. The plans and procedures should have clear and specific steps for handling disruptions, well-defined roles and resource needs, and organized communication. For more information about developing plans and procedures, read the article Business continuity plan: How to structure it according to ISO 22301.
Exercising and testing the business continuity procedures. ISO 22301 requires periodic testing of plans and procedures to see if they are appropriate and effective. Test results must be reviewed and reported for recommendations and improvements. The article How to perform business continuity exercising and testing according to ISO 22301 explains more about the purpose and ways of exercising and testing, as well as how to prepare and whom to include.
Clause 9 - Performance evaluation: Organizations need to consider performance indicators and metrics; monitor, measure, analyze, and evaluate them; and then document the results. Planned internal audits should be conducted to measure the level of conformance to the standard and the organization’s own requirements. The audit program and results must be documented. Lastly, top management should review the effectiveness of the BCMS at planned intervals and document the results of these reviews.
Clause 10 - Improvement: Organizations shall have a methodology to address non-conformities, with root causes and corrective actions, as well as strategies for improvement on a continual basis. The standard mandates documented information for the evaluation of corrective actions. The organization needs to consider the results of the analysis and evaluation, and the outputs from the management review, to determine if there are needs or opportunities.