How to implement ISO 22301 in 17 steps

Updated 2022-04-25.

Implementing business continuity is certainly not an easy task, so I hope this list of 17 steps will help you get an overview of the mandatory steps as required by ISO 22301. Please note – this ISO 22301 checklist covers the steps that are required to implement the standard, while additional steps will be required to maintain the system once it is in place.

Options for implementing ISO 22301:
  • Do it on your own without external help
  • Do it yourself with the help of external experts
  • Consultant is doing most of the work for you

1) Management support

It doesn’t make sense to start any kind of project (especially this one) if your management isn’t willing to invest both financial and human resources, and to do this, they have to see clear benefits – this is where your job begins: with diplomacy.

2) Identification of requirements

Before taking any concrete steps, you want to make sure you’ll be compliant with everything the stakeholders (at least the ones you consider important) want from you. Remember, it is not only the laws and regulations – it is also the requirements in the agreements with your clients (e.g., SLAs), wishes of the owners of the company and the local community, etc. You have to list all of these requirements and define how to communicate with each of the stakeholders/interested parties.

3) Business continuity policy & objectives

Top management needs to define some of the main responsibilities and rules for business continuity, and this is what a business continuity policy is used for, but top management also needs to define exactly what is expected from business continuity – by setting measurable objectives. This is not easy, but is certainly necessary if you want to measure whether business continuity has fulfilled its purpose.


4) Support documents for management system

Management systems, whether business continuity, information security, quality management, or environmental protection, all have in common a set of procedures upon which such systems rely. These procedures are: documents and records control, internal audit, and corrective actions – once you have these in place, you’ll find it much easier to run your system.

5) Risk assessment & treatment

Would you like to be prepared for disruptive incidents? Perhaps even prevent some of them? First you need to find out which incidents can happen, and then define which controls (i.e., safeguards) you can apply to mitigate them – this is basically what risk assessment and treatment is all about.

To learn more read ISO 27001 risk assessment & treatment – 6 basic steps.

6) Business impact analysis

Your analysis doesn’t finish with risk assessment – you also need to find out two basic things: (1) how quickly you need to recover (before you go bankrupt), and (2) what you need in order to succeed with such recovery. Therefore, the purpose of business impact analysis is to define the recovery time objective (RTO) and required resources.

To learn more, read Five Tips for Successful Business Impact Analysis.

7) Business continuity strategy

Given the inputs (various requirements, RTO, resources, most likely incidents) you need to figure out how to achieve all this with a minimum level of investment. This can be quite demanding, but without this step your business continuity would be simply a house of cards.

Find out how to do it here: Can business continuity strategy save you money?

8) Business continuity plan

Actually, there are several types of BC plans – at a minimum, there are incident response plans (they define the initial reaction to an incident), and recovery plans (what needs to be done to start the activities running). All of these need to be based on strategy, because otherwise they would lack the resources (information, technology, people, etc.) to enable such plans.

This article will help you write them: How to write business continuity plans.

9) Training & awareness

Having plans in place is not enough – if no one knows how to implement them (or where to find them!), you can rest assure that in case of a real incident they certainly wouldn’t work. Therefore, you need to explain to your employees (and third parties who have a role in your plans) not only how to perform certain steps in your plan, but also why this is important in the first place.

10) Documentation maintenance

Written documents have one nasty habit – they become outdated very quickly. Someone leaves the company, or new hires come in; you change the working processes or a technology, you add new products – all that needs to be reflected in your documentation, especially the plans. Without such changes you wouldn’t be able to implement your plans when they are needed the most.

11) Exercising & testing

However necessary, training is not going to be enough – if you don’t try the plans to discover how they perform in (almost) real situations, you’ll never know where they are deficient. So, performing regular exercising and testing is of paramount importance, and such testing shouldn’t be limited to IT only – everyone, including top management and outsourcing partners and suppliers, must be included.

12) Post-incident reviews

No matter how hard you try, you’ll never be able to prevent incidents from happening; what you can do, however, is learn from such incidents. And you can learn quite a lot – how people react, how ready they are, what improvements are needed in the plans, etc., and most importantly – did you achieve your recovery time objective?

13) Communication with interested parties

This is actually not a 13th step (not that I try to avoid this one), because this is a step that should run in parallel to all the other steps. This is because business continuity heavily depends on regulatory bodies, authorities, owners, employee’s families, media, etc., and you need to keep these interested parties informed as early as when you write your policy and set the objectives, all the way to when an incident actually occurs.

14) Measurement and evaluation

The basic idea here is – it doesn’t make sense to do something unless you know whether you’ve achieved what you wanted or not. In the case of business continuity, the objectives are set in step #3, while finding out if you achieved those objectives must be done through some kind of metrics. It could be something sophisticated like Balanced Scorecard, but could also be as basic as measuring the achievement of RTO during exercising & testing.

15) Internal audit

It is impossible to be 100% objective about your own work. Therefore, someone who is less subjective than you should review your work and suggest improvements – that is what an internal audit is all about. Though it is often considered as overhead, an internal audit is actually very useful when it comes to facing reality.

16) Corrective actions

All of us are making daily improvements in the things we are doing, but ISO 22301 wants us to do it systematically – it forces an organization to find out why the problem has happened, and to make sure it never happens again. Or, as the standard says, “ensure that nonconformities do not recur” – it needs to be done systematically, and in a transparent way.

17) Management review

Once all of these steps are performed, top management needs to evaluate them and reach some crucial decisions – like updating the objectives, providing the funding, making larger improvements, etc. After all, it is their ultimate responsibility that the company survives larger incidents.

ISO 22301 implementation checklist | How to implement ISO 22301

How do you implement ISO 22301?

In essence, you have three strategic options for implementing ISO 22301:

  1. Do it on your own without external help: In this option, your employees are doing all the work without using any help from consultants or tools. This is the best option if you don’t want any outsiders in your company and if your budget is really tight, but it is feasible only if you have an employee who is already experienced in ISO 22301.
  2. Do it yourself with external help: This means you implement the standard yourself (by performing all the analysis, interviews, writing the documentation, etc.), but you’re using an ISO 22301 tool and guidance from external experts to complete the project. This is the best option if you have a moderate budget, and if you want your employees to learn the most on how to manage business continuity.
  3. Consultant is doing most of the work: With this option, you hire an outside expert (i.e., ISO 22301 consultant) to do the whole job – this person will do all the work and will deliver you completed documentation. This is usually the quickest option for implementing the standard, but also the most expensive.

Regardless of the option, this ISO 22301 checklist can be used as a reference to follow-up activities.

ISO 22301 project – key success factors

Companies that want to succeed with implementing ISO 22301 need to consider at least these success factors for the project:

a) Management support: if your top executives don’t see real benefit in increasing the level of business continuity, you would be better off investing your energy in something else.

b) Get the knowledge: Unless you’ve already implemented ISO 22301 a couple of times, you’ll need to learn how it is done. ISO 22301 implementation is way too complex to understand only by reading the standard.

c) Run the implementation as a project: With clear objectives and deliverables, people responsible for them, and available resources, you will not only speed up the process – but also increase your chances of a successful outcome. (See here an example of a Project checklist for ISO 22301 implementation.)

Choose the right project manager: You have to choose a person with the proper competencies, knowledge, time, and authority to run the project, or you risk having a failed project that cost a lot of effort.

Here you can download a free  Diagram of ISO 22301 Implementation Process.

Advisera Rhand Leal
Author
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.