
    The basics of ISO 22301

    What is ISO 22301?

    The full name of this standard is ISO 22301:2019 Security and resilience – Business continuity management systems – Requirements. It is an international standard published by the International Organization for Standardization (ISO), and it describes how to manage business continuity in an organization. This standard is written by leading business continuity experts and provides the best framework for managing business continuity in an organization.

    One of the features that differentiates this standard from other business continuity frameworks/standards is that an organization can become certified by an accredited certification body, and will therefore be able to prove its compliance to its customers, partners, owners, and other stakeholders.

    Relationship with ISO 22301:2012

    ISO 22301:2019 has replaced ISO 22301:2012, which was developed based on the British standard BS 25999-2. This 2019 revision does not bring big changes, but it definitely brings more flexibility and less prescriptiveness, adding more value to organizations and their customers.

    What are the benefits of business continuity?

    There are four essential business benefits that a company can achieve with the implementation of this business continuity standard:

    Comply with legal requirements. There are more and more countries defining laws and regulations requiring business continuity compliance. And beyond government interests, private businesses (e.g., financial institutions) are also requiring their suppliers and partners to implement business continuity solutions. And the good news is that ISO 22301 provides a perfect framework and methodology to support compliance with these requirements – by reducing administrative and operational effort, as well as the number of penalties to be paid. Read the article Laws and regulations on information security and business continuity to see a list of business continuity legislation worldwide.

    Achieve marketing advantage. If your company is ISO 22301 certified and your competitors aren’t, you will have an advantage over them when it comes to customers who are sensitive about keeping the continuity of their operations, and the delivery of their products and services. Additionally, such certification can help you get new customers, by making it easier to demonstrate that you are among the best in the industry, leading to increased market share and higher profits.

    Reduce dependence on individuals. More often than not, a company’s critical activities rely on just a few people who are hard to replace – a situation painfully demonstrated when these people leave the organization. Executives who are aware of this can make use of business continuity practices to become far less dependent on those individuals (either because of implemented replacement solutions or by documenting related tasks), meaning you can prevent a lot of headache when someone leaves the organization.

    Prevent large-scale damage. In a world of real-time services and transactions, every minute of down service costs money – a lot of money. And, even if your business is not so sensitive to small periods of unavailability, disruptive incidents will cost you. By implementing business continuity practices compliant with ISO 22301, you will have a sort of insurance policy. Whether by preventing disruptive incidents from happening, or by becoming capable of faster recovery – your company will save money. And, the best thing of all is that your investment in ISO 22301 is far smaller than the cost savings you’ll achieve.


    Who can implement this standard?

    Any kind of organization – large or small, for profit or non-profit, private or public – can benefit from ISO 22301. The standard is conceived in such a way that it is applicable to any size or type of organization.

    How does ISO 22301 work?

    The focus of ISO 22301 is to ensure continuity of the delivery of products and services after the occurrence of disruptive events (e.g., natural disasters, man-made disasters, etc.). This is done by finding out the business continuity priorities (through business impact analysis), finding out which potential disruptive events can affect business operations (through risk assessment), defining what needs to be done to prevent such events from happening, and then defining how to recover minimal and normal operations in the shortest time possible (i.e., risk mitigation or risk treatment). Therefore, the main philosophy of ISO 22301 is based on analyzing impacts and managing risks: find out which activities are more important and which risks can affect them, and then systematically treat those risks.

    The strategies and solutions that are to be implemented are usually in the form of policies, procedures, and technical/physical implementation (e.g., facilities, software, and equipment). In most cases, organizations do not have all the facilities, hardware, and software in place – therefore, ISO 22301 implementation will involve not only setting organizational rules (i.e., writing documents) that are needed in order to prevent disruptive incidents, but also developing plans and allocating technical and other resources to make the continuity and recovery of business activities possible. Because such implementation will require a number of policies, procedures, people, assets, etc. to be managed, ISO 22301 has described how to fit all these elements together in the Business Continuity Management System (BCMS).

    How does business continuity fit into overall management?

    Business continuity is part of overall risk management in a company, with areas that overlap with information security management and IT management.

    Note: Risk management is part of overall corporate management.

    Basic terms used in the standard

    • Business Continuity Management System (BCMS) – part of an overall management system that makes sure business continuity is planned, implemented, maintained, and continually improved
    • Maximum Acceptable Outage (MAO) – the maximum amount of time an activity can be disrupted without incurring unacceptable damage (also Maximum Tolerable Period of Disruption – MTPD)
    • Recovery Time Objective (RTO) – the pre-determined time at which a product, service, or activity must be resumed, or resources must be recovered
    • Recovery Point Objective (RPO) – the maximum acceptable data loss, i.e., the minimum amount of data used by an activity that must be restored after a disruption
    • Minimum Business Continuity Objective (MBCO) – the minimum level of services or products an organization needs to produce to achieve its defined objectives after resuming its business operations
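    The definitions above only become useful once they are checked against each other: a recovery target (RTO) that is longer than the outage the business can tolerate (MAO) means the plan accepts unacceptable damage, and an RPO that is shorter than the interval at which data is actually copied can never be met. The following script is an added example (not code from the article or from the standard) that runs these consistency checks over a constructed business impact analysis, in the spirit of the "analyze impacts, then treat risks" approach described in the "How does ISO 22301 work?" section. The activity names, time values, the `backup_interval` field and the percentage form of the MBCO are assumptions made for illustration.

```python
"""Consistency checks on business impact analysis (BIA) outputs.

Added example, not from the article or from ISO 22301 itself. The
activities, time values and the `backup_interval` field are constructed
for illustration only.
"""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class Activity:
    """One business activity with the metrics a BIA typically records."""
    name: str
    mao: timedelta              # Maximum Acceptable Outage (a.k.a. MTPD)
    rto: timedelta              # Recovery Time Objective
    rpo: timedelta              # Recovery Point Objective
    backup_interval: timedelta  # how often the activity's data is copied (assumed field)
    mbco_percent: int           # Minimum Business Continuity Objective, % of normal capacity


def check_activity(a: Activity) -> list[str]:
    """Return findings for one activity; an empty list means its targets are consistent."""
    findings: list[str] = []
    # The recovery target must sit inside the window the business can tolerate.
    if a.rto > a.mao:
        findings.append(f"{a.name}: RTO {a.rto} exceeds MAO {a.mao}")
    # The worst-case data loss equals the gap between two copies, so the copy
    # interval must not be longer than the RPO.
    if a.backup_interval > a.rpo:
        findings.append(
            f"{a.name}: backup interval {a.backup_interval} cannot meet RPO {a.rpo}"
        )
    # The MBCO is a level of service, so it must be a usable percentage.
    if not 0 < a.mbco_percent <= 100:
        findings.append(f"{a.name}: MBCO {a.mbco_percent}% is not a valid level")
    return findings


def recovery_order(activities: list[Activity]) -> list[str]:
    """Order activities for recovery: shortest MAO first, then shortest RTO."""
    return [a.name for a in sorted(activities, key=lambda a: (a.mao, a.rto))]


# Constructed sample BIA (not real data): one activity is deliberately inconsistent.
SAMPLE_BIA = [
    Activity("Online payments", timedelta(hours=4), timedelta(hours=2),
             timedelta(minutes=15), timedelta(minutes=5), 50),
    Activity("Payroll", timedelta(days=5), timedelta(days=2),
             timedelta(hours=24), timedelta(hours=24), 100),
    Activity("Customer support", timedelta(hours=8), timedelta(hours=12),
             timedelta(hours=1), timedelta(hours=4), 30),
]


def run_checks(activities: list[Activity] = SAMPLE_BIA) -> dict[str, list[str]]:
    """Map each activity name to its list of findings."""
    return {a.name: check_activity(a) for a in activities}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, "OK" if not findings else findings)
    print("Recovery order:", recovery_order(SAMPLE_BIA))
```

    In the constructed sample, "Customer support" is flagged twice (its RTO is longer than its MAO, and its data is copied less often than its RPO allows), while the other two activities pass. The recovery ordering uses MAO as the primary key because a short MAO is what makes an activity critical, and RTO only as a tiebreaker.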

    Content of ISO 22301

    ISO 22301 is split into 11 sections. Sections 0 to 3 are introductory (and are not mandatory for implementation), while sections 4 to 10 are mandatory – meaning that all their requirements must be implemented in an organization if it wants to be compliant with the standard.

    According to Annex SL of the ISO/IEC Directives, the section titles in ISO 22301 are the same as those in ISO 27001:2013, ISO 9001:2015, and other management standards, enabling easier integration of these standards.

    The standard includes these sections:

    0. Introduction: explains the purpose of ISO 22301 and its compatibility with other management standards.
    0.1 General
    0.2 Benefits of a Business Continuity Management System
    0.3 Plan-Do-Check-Act (PDCA) cycle
    0.4 Contents of this document

    1. Scope: explains that this standard is applicable to any type of organization.

    2. Normative references: refers to ISO 22300 as a standard where definitions are given for some of the terms used in ISO 22301.

    3. Terms and definitions: again, refers to ISO 22300.

    4. Context of the organization: this section is part of the Plan phase in the PDCA cycle and defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the BCMS scope.
    4.1 Understanding of the organization and its context
    4.2 Understanding the needs and expectations of interested parties
    4.3 Determining the scope of the business continuity management system
    4.4 Business continuity management system

    5. Leadership: this section is part of the Plan phase in the PDCA cycle and defines top management responsibilities, setting the roles, responsibilities and authorities, and contents of the top-level business continuity policy.
    5.1 Leadership and commitment
    5.2 Policy
    5.3 Roles, responsibilities and authorities

    6. Planning: this section is part of the Plan phase in the PDCA cycle and defines requirements for addressing risks and opportunities, setting the business continuity objectives, and planning changes to the BCMS.
    6.1 Actions to address risks and opportunities
    6.2 Business continuity objectives and plans to achieve them
    6.3 Planning changes to the business continuity management system

    7. Support: this section is part of the Plan phase in the PDCA cycle and defines requirements for availability of resources, competences, awareness, communication, and control of documents and records.
    7.1 Resources
    7.2 Competence
    7.3 Awareness
    7.4 Communication
    7.5 Documented information

    8. Operation: this section is part of the Do phase in the PDCA cycle and defines the implementation of business impact analysis, risk assessment and treatment, business continuity strategies, solutions, plans and procedures, exercise program, and evaluation of business continuity documentation and capabilities to achieve business continuity objectives.
    8.1 Operational planning and control
    8.2 Business impact analysis and risk assessment
    8.3 Business continuity strategies and solutions
    8.4 Business continuity plans and procedures
    8.5 Exercise program
    8.6 Evaluation of business continuity documentation and capabilities

    9. Performance evaluation: this section is part of the Check phase in the PDCA cycle and defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.
    9.1 Monitoring, measurement, analysis and evaluation
    9.2 Internal audit
    9.3 Management review

    10. Improvement: this section is part of the Act phase in the PDCA cycle and defines requirements for nonconformities, corrections, corrective actions, and continual improvement.
    10.1 Nonconformity and corrective action
    10.2 Continual improvement
    Bibliography

    See also: Has the PDCA Cycle been removed from the new ISO standards?

    How to implement ISO 22301

    To implement ISO 22301 in your company, you have to follow these 17 steps:

    1) Management support
    2) Identification of requirements
    3) Business continuity policy and objectives
    4) Support documents for management system
    5) Risk assessment and treatment
    6) Business impact analysis
    7) Business continuity strategy
    8) Business continuity plan
    9) Training and awareness
    10) Documentation maintenance
    11) Exercising & testing
    12) Post-incident reviews
    13) Communication with interested parties
    14) Measurement and evaluation
    15) Internal audit
    16) Corrective actions
    17) Management review

    For a more detailed explanation of these steps, see Project checklist for ISO 22301 implementation.

    Mandatory documentation

    If an organization wants to implement this standard, the following documentation is mandatory:

    • List of applicable legal, regulatory and other requirements
    • Scope of the BCMS
    • Business continuity policy
    • Business continuity objectives
    • Evidence of personnel competences
    • Procedure for communication with interested parties
    • Records of communication with interested parties
    • Records of disruption details, actions taken, and decisions made
    • Incident response structure
    • Business continuity plans
    • Recovery procedures
    • Results of monitoring and measurement
    • Results of internal audit
    • Results of management review
    • Results of corrective actions

    To learn more details about mandatory documents, download this free Checklist of ISO 22301 mandatory documentation (PDF).

    Related standards

    Other standards that are helpful in implementation of business continuity are:

    • ISO/IEC 27031 – Guidelines for information and communication technology readiness for business continuity
    • ISO 22313 – Societal security – Business continuity management systems – Guidance
    • PAS 200 – Crisis management – Guidance and good practice
    • PD 25666 – Guidance on exercising and testing for continuity and contingency programmes
    • PD 25111 – Guidance on human aspects of business continuity
    • ISO/IEC 24762 – Guidelines for information and communications technology disaster recovery services
    • ISO/PAS 22399 – Guideline for incident preparedness and operational continuity management
    • ISO/IEC 27001 – Information security management systems – Requirements

    To learn more about ISO 22301 implementation, please visit our ISO 22301 Free download page. You’ll find a host of helpful resources.