Setting the business continuity objectives in ISO 22301

Business continuity objectives are, along with the business impact analysis, probably one of the most difficult elements of ISO 22301 implementation. Most business continuity implementers struggle with questions like these: Which types of objectives exist? What are they used for? How are they set? Let’s see…

Purpose of business continuity objectives

Peter Drucker (one of the most influential thinkers on management theory) said, “What gets measured gets managed.” The same goes for business continuity: if you don’t know how well you are doing, you’ll have a very difficult time steering your business continuity in the desired direction. Defining that desired direction is exactly what setting the objectives means, and it is the precondition for any meaningful measurement.

Types of objectives

There are at least two levels for which you need to set objectives:

1) Strategic objectives – for your whole Business Continuity Management System, and

2) Tactical objectives – Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), Minimum Business Continuity Objectives (MBCOs), and exercising and testing objectives.

Of course, depending on the size and complexity of your organization, you can choose to add another layer of objectives, e.g., at the level of individual organizational units (departments, business units, etc.).

In this blog post I will focus only on objectives for your whole BCMS, while for tactical objectives please see How to implement business impact analysis (BIA) according to ISO 22301.

You can decide whether to describe the business continuity objectives and your measurement system in the Business continuity policy or in a separate document. Smaller companies will normally write them into the Business continuity policy, while larger companies tend to keep a separate document for all business objectives (perhaps a Balanced Scorecard), plus a separate procedure describing how the objectives and measurements in such a Balanced Scorecard are managed.


Objective examples

The secret to good objectives is that they are easy to measure. You might have heard of the S.M.A.R.T. concept: objectives need to be Specific, Measurable, Achievable, Relevant, and Time-based.

So, objectives like “We want to implement business continuity” or “We want to achieve resilience” wouldn’t really help, would they? I mean, how would you know if you achieved those objectives?

On the other hand, objectives like these might work for you:

  • “Comply with xyz law/regulation by December 31, 2015, using ISO 22301 methodology.”
  • “Get at least 5 new customers in the next 12 months because of the ISO 22301 certificate.”
  • “During 2015, improve our recovery time by 12 hours while not incurring new costs.”

Are these measurable? Yes: once the stated time period has elapsed, you check whether you achieved what you planned. The last objective in the list can be measured through exercising and testing results, but only if you already know your current recovery time from earlier exercises; without that baseline, a “12-hour improvement” cannot be demonstrated.

Inputs for creating the objectives

I admit that figuring out strategic objectives for your BCMS is not an easy task. To make the job easier, start from your company strategy: What is your company trying to achieve? How does it want to achieve that, and with which competences? How can business continuity help execute this strategy? Once you find this link, coming up with BCMS objectives becomes much easier.

Further, think about the business continuity benefits you identified: how can they be translated into objectives? See also ISO 22301 benefits: How to get your management’s approval for a business continuity project.

Deciding on relevant objectives

This is too much thinking for one person alone, so involve your whole project team in the brainstorming; if someone in your company already deals with performance measurement (e.g., a controlling department), they can help a lot. Your top management must give the final go-ahead on the objectives, so discuss them with your sponsor before presenting them to your CEO.

To conclude, only if you know exactly what you want to achieve will you be able to tell how far or how close you are to actually achieving it. Equally important, you’ll be able to answer your management’s question: Did our investment in business continuity make sense?

This article is an excerpt from the book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation.

Author: Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.