ISO 22301:2019
Security and resilience — Business continuity management systems — Requirements

Let’s take a look at the requirements of ISO 22301, which are given in clauses 4 to 10.

Clause 4 - Context: Organizations must understand who they are, what they are doing, and which processes and outputs they must sustain. They must also determine who has a stake in the continuity of operations – interested parties – and what their expectations are. Also, legal and regulatory requirements must be identified and documented. With this information, the organization establishes and documents its ISO 22301 scope. When determining the scope, the organization’s locations, missions, goals, products, and services must be considered.

Clause 5 - Leadership: For successful implementation of ISO 22301, organizations need the continuous support and leadership of top management. To show their commitment, the top management of the organization should develop, document, and communicate a policy within the organization and with interested parties, while making resources available and directing and leading employees to contribute to the effectiveness of ISO 22301. For this purpose, organizational roles must be clearly defined, with responsibilities, authorities, and competencies for each role.

Clause 6 - Planning: To plan for business continuity, organizations must understand what disruptions could potentially occur and how these incidents affect the business. Organizations must consider the consequences of risks, their impact, and the benefits of opportunities regarding their context and plan actions to address them. The standard also mandates organizations to set measurable BCMS objectives to guarantee the minimum viable products or services, as well as compliance with any legal or regulatory requirements. These objectives must be documented and communicated. To achieve them, organizations must have action plans within a timeframe, with responsibilities assigned.

Clause 7 - Support: No organization can advance without resources and support. Organizations must consider resource needs and provide them to meet their BCMS objectives. These resources may include infrastructure, technology, communication, competence, awareness, and documented information. The standard requires documented evidence of competence for the defined roles, such as training records, education, and professional background.

Clause 8 - Operation: This section of the standard describes the activities that should be performed to meet BCMS objectives and return the organization to its normal way of operating. Key activities include:

Conducting and documenting a business impact analysis (BIA) and risk assessment. The BIA should identify the operational, legal, and financial impacts resulting from a disruption. While conducting the BIA, the duration of the disruption is an important input for determining impacts and, later, the recovery time. The risk assessment enables the organization to analyze the likelihood of disruption to its activities and resources. Learn more about the BIA in the article How to implement business impact analysis (BIA) according to ISO 22301.
Developing a business continuity strategy. Companies are required to develop a continuity strategy using the information gathered from the risk assessment and business impact analysis. Business continuity strategy essentially means the development of options and the selection of the most appropriate actions, including mitigation, response, and recovery. You can learn more about the importance of recovery in the article Can business continuity strategy save your money?
Establishing and implementing business continuity procedures. Organizations are required to document business continuity plans and procedures based on the outputs of their strategy. The plans and procedures should have clear and specific steps for handling disruptions, well-defined roles and resource needs, and organized communication. For more information about developing plans and procedures, read the article Business continuity plan: How to structure it according to ISO 22301.
Exercising and testing the business continuity procedures. ISO 22301 requires periodic testing of plans and procedures to see if they are appropriate and effective. Test results must be reviewed and reported for recommendations and improvements. The article How to perform business continuity exercising and testing according to ISO 22301 explains more about the purpose and ways of exercising and testing, as well as how to prepare and whom to include.

Clause 9 - Performance evaluation: Organizations need to consider performance indicators and metrics; monitor, measure, analyze, and evaluate them; and then document the results. Planned internal audits should be conducted to measure the level of conformance to the standard and the organization’s own requirements. The audit program and results must be documented. Lastly, top management should review the effectiveness of the BCMS at planned intervals and document the results of these reviews.

Clause 10 - Improvement: Organizations shall have a methodology to address non-conformities, identifying root causes and corrective actions, as well as strategies for improvement on a continual basis. The standard mandates documented information for the evaluation of corrective actions. The organization needs to consider the results of the analysis and evaluation, and the outputs from the management review, to determine whether there are needs or opportunities for improvement.

There are four essential business benefits that a company can achieve with the implementation of this business continuity standard:

Comply with legal requirements. There are more and more countries defining laws and regulations requiring business continuity compliance. And beyond government interests, private businesses (e.g., financial institutions) are also requiring their suppliers and partners to implement business continuity solutions. And the good news is that ISO 22301 provides a perfect framework and methodology to support compliance with these requirements – by reducing administrative and operational effort, as well as the number of penalties to be paid. Read the article Laws and regulations on information security and business continuity to see a list of business continuity legislation worldwide.

Achieve marketing advantage. If your company is ISO 22301 certified and your competitors aren’t, you will have an advantage over them when it comes to customers who are sensitive about keeping the continuity of their operations, and the delivery of their products and services. Additionally, such certification can enhance your reputation and help you get new customers, by making it easier to demonstrate that you are among the best in the industry, leading to increased market share and higher profits.

Reduce dependence on individuals. More often than not, a company’s critical activities rely on just a few people who are hard to replace – a situation painfully demonstrated when these people leave the organization. Executives who are aware of this can make use of business continuity practices to become far less dependent on those individuals (either through implemented replacement solutions or by documenting the related tasks), meaning you can prevent a lot of headaches when someone leaves the organization.

Prevent large-scale damage. In a world of real-time services and transactions, every minute of service downtime costs money – a lot of money. And, even if your business is not so sensitive to short periods of unavailability, disruptive incidents will still cost you. By implementing business continuity practices compliant with ISO 22301, you will have a sort of insurance policy. Whether by preventing disruptive incidents from happening, or by becoming capable of faster recovery, your company will save money. And, best of all, your investment in ISO 22301 is far smaller than the cost savings you’ll achieve.