The ISO 27001 & ISO 22301 Blog

Dejan Kosutic

Setting the business continuity objectives in ISO 22301

Business continuity objectives are, along with the business impact analysis, probably among the most difficult elements of ISO 22301 implementation. Most business continuity implementers struggle with questions like these: Which types of objectives exist? What are they used for? How are they set? Let’s see…

Purpose of business continuity objectives


Peter Drucker (one of the most influential thinkers on management theory) said, “What gets measured gets managed.” The same goes for business continuity – if you don’t know how well you are doing, you’ll have a very difficult time steering your business continuity in the desired direction. And it is exactly this desired direction that is an essential part of measurement: setting the objectives.

Types of objectives

There are at least two levels for which you need to set objectives:

1) Strategic objectives – for your whole Business Continuity Management System, and

2) Tactical objectives – Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), Minimum Business Continuity Objectives (MBCOs), and exercising and testing objectives.

Of course, depending on the size and complexity of your organization, you can choose to add another layer of objectives – e.g., at the level of individual organizational units (departments, business units, etc.).

In this blog post I will focus only on objectives for your whole BCMS, while for tactical objectives please see How to implement business impact analysis (BIA) according to ISO 22301.

You can decide whether you will describe business continuity objectives and your measurement system in the Business continuity policy or in a separate document. Smaller companies will normally have these written in the Business continuity policy, while larger companies tend to have a separate document for all the business objectives (perhaps a Balanced Scorecard), and a separate procedure that describes how to manage all the objectives and measurements in such a Balanced Scorecard.

Objective examples

To define good objectives, the secret lies in setting objectives that are easy to measure – you might have heard of the S.M.A.R.T. concept: objectives need to be Specific, Measurable, Achievable, Relevant, and Time-based.

So, objectives like “We want to implement business continuity” or “We want to achieve resilience” wouldn’t really help, would they? I mean, how would you know if you achieved those objectives?

On the other hand, objectives similar to these might work for you:

  • “Comply with xyz law/regulation by December 31, 2015, using ISO 22301 methodology.”
  • “Get at least 5 new customers in the next 12 months because of the ISO 22301 certificate.”
  • “During 2015, improve our recovery time by 12 hours while not incurring new costs.”

Are these measurable? Yes – what you have to do is measure whether you have achieved what you planned for once the stated time period has elapsed. The last objective in the bullet list can be measured through exercising and testing results.

Inputs for creating the objectives

I admit that figuring out strategic objectives for your BCMS is not an easy task. But, to make this job easier, you should begin with your company strategy – What does your company try to achieve? How does it want to achieve that – using which competences? How can business continuity help execute this strategy? Once you find this link, it will be easier to come up with BCMS objectives.

Further, you have to think about the business continuity benefits you identified – how can they be translated into objectives? See also ISO 22301 benefits: How to get your management’s approval for a business continuity project.

Deciding on relevant objectives

Since doing all this thinking is impossible for one person alone, you should include your whole project team in this brainstorming; also, if someone in your company is already dealing with measurement of performance (i.e., the controlling department), they could help you a lot. Your top management should give a definitive go-ahead for such objectives – you may try to discuss them with your sponsor before presenting them to your CEO.

To conclude, only if you know exactly what you want to achieve, will you be able to know how far or how close you are to actually achieving it. Equally important – you’ll be able to answer your management’s question: Did our investment in business continuity make sense?

This article is an excerpt from the book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation.


3 responses to “Setting the business continuity objectives in ISO 22301”

  1. Morgan Kisienya says:

    Thanks for this article. You have talked about a security framework, but
    I often hear of other terms e.g. security architecture and security
    program. What is the difference?
