How to define activities when implementing business continuity according to ISO 22301

ISO 22301 requires in several places that you define the activities within your company; moreover, activities are the basic unit upon which the business impact analysis is performed. So what are these activities?

Unfortunately, activity is not a very well-chosen word because it is very often misunderstood. In any case, ISO 22301 says that an activity is “a process or set of processes undertaken by an organization (or on its behalf) that produces or supports one or more products and services.”

When starting your ISO 22301 implementation project, you first have to figure out how to divide the business continuity job between your different processes, business units, departments, etc. Even if you have only 50 employees, it would be quite difficult to do a single business impact analysis at once for your whole company, or to write a single business continuity plan that covers the detailed recovery steps for both your IT department and your marketing department. This is exactly why ISO 22301 requires you to divide your company into such activities.

Two options for defining activities

In reality, you can divide your company into activities using one of these two approaches:

a) Determine your activities based on processes, or

b) Determine your activities based on organizational units (departments).

Process-based activities. With this option you have to list your processes, and each of these processes becomes an activity in terms of BCMS – e.g. if you are a law firm, the process of representing your clients in divorce cases is considered an activity. Such a process probably includes not only the lawyers who work on such cases, but also your couriers who handle the mail, administrative personnel who handle the phone calls and correspondence, etc. For each such process you have to perform business impact analysis and risk assessment, develop the strategy, and write the recovery plan.

You can also consider a set of related processes as a single activity: using again the law firm as an example, a single activity could include processes related to all types of law practice – not only family law, but also intellectual property law, tax law, corporate law, etc.

The advantage of this process-based approach is that it is easier to understand activities in terms of the ISO 22301 definition of an activity, and if you already have such processes documented, it might be easier to analyze them.

However, there is one problem with this approach. Let’s take our law firm again as an example: you would have to write a separate recovery plan for the law process(es), a separate recovery plan for your accounts receivable process, a separate plan for the payroll process, etc. So, where is the problem? The problem is, for example, your courier – instead of having one plan describing what he has to do in an emergency, he has three plans in his hand: how to handle mail for lawyer cases, how to handle mail for accounts receivable, and how to handle mail for the payroll process. And since every person in a company is usually part of several processes, chances are that with this approach, in an already confusing situation like a disaster, your employees will be even more confused because they will have to read three plans in parallel instead of a single plan.

This is why I like department-based activities better – the approach where the activities are divided based on organizational units. This is how you ensure that every employee will read only a single plan when it’s needed. In a law firm, this means that the department that consists of lawyers would be one activity, the finance department would be another activity, the general affairs department (which includes couriers and administrative personnel) another activity, etc.

The main disadvantage of this approach is that it is difficult to assess all the impacts during a business impact analysis (BIA) if you don’t know where your process begins and where it ends – this is why during the BIA you need a lot of cross-departmental communication and coordination. The second problem is that recovery plans cover only segments of multiple processes, which means you need to specify exactly which inputs you need to receive and from whom, and when and to whom you need to send your outputs; otherwise your plans won’t work.

This department-based approach to activities is acceptable from an ISO 22301 perspective, because it does allow activities to be a set of processes, and departments are very often nothing else but sets of smaller processes. This is also confirmed in practice, where certification bodies allow this kind of approach.

The size of an activity

There is also one more controversy – how large should an activity be? There is no magic formula for this, but I would say the following:

  • If your activity is smaller than 5 to 7 employees, you should probably merge it with another activity that uses the same location and has very similar resources and processes – this way you will avoid wasting too much time and energy on small activities.
  • If your activity is larger than 75 employees and you have very different processes within it, you should probably break such an activity into two or three separate activities – this way you will be better able to focus on the specifics of each activity.

I’ve seen too many companies make their BCM project too complicated because they didn’t define their activities correctly at the very beginning of their project – don’t be one of them.

This article is an excerpt from the book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation.


Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.