17 steps for implementing ISO 22301
Implementing business continuity is certainly not an easy task, so I hope this list of 17 steps will help you get an overview of mandatory steps as required by ISO 22301. Please note – these are the steps that are required to implement the standard, while additional steps will be required to maintain the system once it is in place.
1. Management support
It doesn’t make sense to start any kind of project (especially this one) if your management isn’t willing to invest both financial and human resources, and to do this, they have to see clear benefits – this is where your job begins: with diplomacy.
2. Identification of requirements
Before taking any concrete steps you want to make sure you’ll be compliant with everything the stakeholders (at least the ones you consider important) want from you. Remember, it is not only the laws and regulations – it is also the requirements in the agreements with your clients (e.g., SLAs), wishes of the owners of the company and the local community, etc. You have to list all of these requirements and define how to communicate with each of the stakeholders/interested parties.
3. Business continuity policy & objectives
Top management needs to define some of the main responsibilities and rules for business continuity, and this is what a business continuity policy is used for, but top management also needs to define exactly what is expected from business continuity – by setting measurable objectives. This is not easy, but is certainly necessary if you want to measure whether business continuity has fulfilled its purpose.
4. Support documents for management system
Managements systems, whether business continuity, information security, quality management or environmental protection, all have in common a set of procedures upon which such systems rely. These procedures are: documents and records control, internal audit, and corrective actions – once you have these in place, you’ll find it much easier to run your system.
5. Risk assessment & treatment
Would you like to be prepared for disruptive incidents? Perhaps even prevent some of them? First you need to find out which incidents can happen, and then define which controls (i.e., safeguards) you can apply to mitigate them – this is basically what risk assessment and treatment is all about.
To learn more read ISO 27001 risk assessment & treatment – 6 basic steps.
6. Business impact analysis
Your analysis doesn’t finish with risk assessment – you also need to find out two basic things: (1) how quickly you need to recover (before you go bankrupt), and (2) what you need in order to succeed with such recovery. Therefore, the purpose of business impact analysis is to define the recovery time objective (RTO) and required resources.
To learn more, read Five Tips for Successful Business Impact Analysis.
7. Business continuity strategy
Given the inputs (various requirements, RTO, resources, most likely incidents) you need to figure out how to achieve all this with a minimum level of investment. This can be quite demanding, but without this step your business continuity would be simply a house of cards.
Find out how to do it here: Can business continuity strategy save you money?
8. Business continuity plan
Actually there are several types of BC plans – as a minimum there are incident response plans (they define the initial reaction to an incident), and recovery plans (what needs to be done to start the activities running). All of these need to be based on strategy, because otherwise they would lack the resources (information, technology, people, etc.) to enable such plans.
This article will help you write them: How to write business continuity plans.
9. Training & awareness
Having plans in place is not enough – if no one knows how to implement them (or where to find them!), you can rest assure that in case of a real incident they certainly wouldn’t work. Therefore, you need to explain to your employees (and third parties who have a role in your plans) not only how to perform certain steps in your plan, but also why this is important in the first place.
10. Documentation maintenance
Written documents have one nasty habit – they become outdated very quickly. Someone leaves the company, or new hires come in; you change the working processes or a technology, you add new products – all that needs to be reflected in your documentation, especially the plans. Without such changes you wouldn’t be able to implement your plans when they are needed the most.
11. Exercising & testing
However necessary, training is not going to be enough – if you don’t try the plans to discover how they perform in (almost) real situations, you’ll never know where they are deficient. So performing regular exercising and testing is of paramount importance, and such testing shouldn’t be limited to IT only – everyone, including top management and outsourcing partners and suppliers, must be included.
12. Post-incident reviews
No matter how hard you try, you’ll never be able to prevent incidents from happening; what you can do, however, is learn from such incidents. And you can learn quite a lot – how people react, how ready they are, what improvements are needed in the plans, etc., and most importantly – did you achieve your recovery time objective?
13. Communication with interested parties
This is actually not a 13th step (not that I try to avoid this one), because this is a step that should run in parallel to all the other steps. This is because business continuity heavily depends on regulatory bodies, authorities, owners, employee’s families, media, etc., and you need to keep these interested parties informed as early as when you write your policy and set the objectives, all the way to when an incident actually occurs.
14. Measurement and evaluation
The basic idea here is – it doesn’t make sense to do something unless you know whether you’ve achieved what you wanted or not. In the case of business continuity, the objectives are set in step #3, while finding out if you achieved those objectives must be done through some kind of metrics. It could be something sophisticated like Balanced Scorecard, but could also be as basic as measuring the achievement of RTO during exercising & testing.
15. Internal audit
It is impossible to be 100% objective about your own work. Therefore, someone who is less subjective than you should review your work and suggest improvements – that is what an internal audit is all about. Though it is often considered as overhead, an internal audit is actually very useful when it comes to facing reality.
16. Corrective actions
All of us are making daily improvements in the things we are doing, but ISO 22301 wants us to do it systematically – it forces an organization to find out why the problem has happened, and to make sure it never happens again. Or, as the standard says, “ensure that nonconformities do not recur” – it needs to be done systematically, and in a transparent way.
17. Management review
Once all of these steps are performed, top management needs to evaluate them and reach some crucial decisions – like updating the objectives, providing the funding, making larger improvements, etc. After all, it is their ultimate responsibility that the company survives larger incidents.
As mentioned in the introduction, this step is not where your business continuity management stops – you need to maintain and improve your system on an ongoing basis. However, if you need a point where you can say your ISO 22301 project is finished, and that you’re ready for the certification, this last step would be it.
Here you can download free Diagram of ISO 22301 Implementation Process.