Business Continuity
Guide to Understanding ISO 22301: Management system requirements for Business Continuity
Moving toward a business continuity management system (BCMS)

As Business Continuity Management (BCM) practitioners know well, the business continuity plan (BCP), which helps ensure critical operations remain available and minimize business impacts, irrespective of the type of incident or disruption, is the cornerstone of any best-practice business continuity program. The BCP is absolutely essential to the business continuity manager’s task of identifying, quantifying, and minimizing potential business interruptions and risks.

Here, the data is clear. Business closure numbers are heavily weighted towards companies that fail to develop BCPs before major incidents; in fact, as many as three in every four organizations without a business continuity plan fail within three years of a disaster [i].

As dispositive as those numbers are, there’s still an element missing, for companies that have developed BCPs and disaster recovery plans aren’t out of the woods quite yet. Having a BCP during the prevention and preparedness phases is one thing, but executing the plan promptly once a disaster has taken place is the key business survival factor. After all, companies that are unable to resume operations within 10 days of a disaster striking are unlikely to survive [ii]. Further, 80 percent of companies that do not recover from a disaster within one month are likely to go out of business [iii].

That’s why the best business continuity programs also develop business continuity management systems (BCMS), defined as the overall management system that establishes, implements, operates, monitors, reviews, maintains, and improves business continuity. Developing systems, rather than just plans, enables businesses to better understand needs and evaluate the necessity for establishing business continuity management policies and objectives. There is also growing evidence that organizations that have not implemented a Business Continuity Management system are more likely to fail after a major disruptive event [iv].

What’s more, a BCMS reinforces the importance of implementing and operating controls and measures for managing an organization’s overall capability to manage disruptive incidents. Taking a systems approach also helps ensure continual improvements based on objective metrics. The question remains, though: how to build a best-practice BCMS?

Business continuity management: the essentials

Business continuity management (BCM) has been around for some time now, roughly since the 1970s. Emerging, then, as an offshoot of crisis management, BCM defined itself as the field dedicated to effectively responding to the technical and operational risks that threaten an organization’s recovery from interruptions.

The scope has since narrowed. BCM today is a holistic management process for identifying potential threats to an organization and the operational impacts those threats pose. Nowadays, it’s the primary task of business continuity professionals to build a durable framework for organizational resilience, in compliance with regulations and prevailing business standards like ISO 22301. This core responsibility brings business continuity professionals in close contact with other safety and security practitioners, including those in safety, risk management, disaster recovery, emergency response, and crisis management.

The tools of business continuity management are fundamentally different, though. One mainstay is the business continuity plan (BCP), a collection of resources, actions, procedures, and information, designed to prepare organizations to maintain essential functions in the event of a disaster or other major disruption.

Sources: Brahim Herbane, Business History: The evolution of business continuity management: A historical review of practices and drivers.
A deep dive into ISO 22301:2012

One answer comes courtesy of the BCM standards on the market today. Those standards offer an extensive list of best practices to help organizations design their own business continuity management systems so as to achieve maximal outcomes. Chief among those standards is ISO (International Standard Organization) 22301:2012, the sole, high-level, international BCM standard, using recognized best practices. The international standard specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise [v]. So even if businesses don’t wish to achieve compliance with the standard itself, they can still enjoy the benefits of a well-implemented BCP system, namely organizational resilience.

A little history, first. When ISO 22301 first emerged, it superseded the British standard BS 25999. The national standard had only appeared a few years prior, in its place superseding the British specification, Publicly Available Specification 56 (PAS56).

BCM analysts note few differences between BS 25999 and ISO 22301. Both standards offer methodical, systematizing approaches to business continuity, operational resilience, and incident response. By definition, though, ISO standards are management system standards; they also come with a specific format. That’s why the principal distinctions between the British and international standard are those of format. It’s been noted, also, that the international standard simplifies requirements.

What’s more, organizations that have previously developed (or plan to develop) non-business continuity, ISO-compliant management systems (e.g. for asset management, service management, quality management, security management, environmental health and safety, etc.) will find it easier to integrate those systems with an ISO 22301-compliant BCMS.

But is ISO 22301 compliance overkill for smaller enterprises without an international footprint? Not at all. For starters, the risk of post-disaster business closures weighs heaviest on smaller businesses, making the need for a best-practice BCMS particularly acute. According to the U.S. Federal Emergency Management Agency, 40 to 60 percent of small businesses never reopen following a disaster.

As for ISO 22301, in particular, the standard is flexible by design. What does that mean, exactly? The specified requirements are generic. In other words, they are intended to be applicable to all organizations, irrespective of type, size, and nature. What governs actual application of the requirements, then, is the individual organization’s operating environment. The opening passages of the standard, which detail its scope, make the point explicitly:

It is not the intent of this International Standard to imply uniformity in the structure of a Business Continuity Management System (BCMS), but for an organization to design a BCMS that is appropriate to its needs and that meets its interested parties’ requirements. These needs are shaped by legal, regulatory, organizational and industry requirements, the products and services, the processes employed, the size and structure of the organization, and the requirements of its interested parties.

This International Standard is applicable to all types and sizes of organizations that wish to:

A. Establish, implement, maintain and improve a BCMS
B. Ensure conformity with stated business continuity policy
C. Demonstrate conformity to others
D. Seek certification/registration of its BCMS by an accredited third-party certification body
E. Make a self-determination and self-declaration of conformity with this International Standard

This International Standard can be used to assess an organization’s ability to meet its own continuity needs and obligations [vi].
In essence, ISO 22301 applies to any and all organizations looking to establish, implement, maintain, or even just improve their BCMS. Therefore, it’s a surefire way for those companies to ensure compliance with stated business continuity policies, whether those policies are internally mandated or dictated by external regulators, customers, or other parties. Independent of external mandates, too, compliance with ISO 22301 also helps organizations signal to prospective customers and partners their commitment to continuity of service. But remember, compliance with the standard can’t just be a box-ticking exercise, especially if organizations seek to achieve organizational resilience and build the capability to respond effectively to major disruptive events.

The standard itself includes ten primary clauses, including the introduction, scope, normative references, and important terms and definitions sections. Like other international standards, ISO 22301 applies the “Plan-Do-Check-Act” (PDCA) model (depicted below). The model details the following:

Plan: Establish business continuity policy, objectives, targets, controls, processes, and procedures relevant to improving business continuity in order to deliver results that align with the organization’s overall policies and objectives.

Do: Implement and operate the business continuity policy, controls, processes, and procedures.

Check: Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.

Act: Maintain and improve the BCMS by taking corrective action, based on the results of management review and reappraising the scope of the BCMS and business continuity policy and objectives.

[Figure: Continual Improvement of Business Continuity Management System (BCMS). Interested parties’ requirements for business continuity enter the cycle Establish (Plan), Implement & Operate (Do), Monitor & Review (Check), Maintain & Improve (Act), which delivers managed business continuity back to interested parties. Source: International Standard Organisation]
Unpacking the remaining clauses

The structure of the standard, consistent with that of other ISO management system standards, means that compliance entails full adherence with all specifications, not just a representative handful. To that end, the remaining sections of the standard, as well as main components therein, are as follows:

Context of the organization.
Effective business continuity management depends on a thorough understanding of an organization’s internal and external needs. The task for business continuity professionals is to set clear boundaries for the scope of the eventual system, consonant with applicable legal and regulatory requirements.

Main components, here, include establishing and documenting the following:
• What the organization does, and the potential impact of disruptions
• Relationship with other policies and wider risk management
• Contractual and other requirements
• Who are the interested parties
• Scope of the management system

Leadership.
BCM is not a back-office activity. It requires serious, senior management engagement throughout the business continuity lifecycle. Specifically, senior management engagement is necessary for ensuring adequate BCM resourcing and staffing.

Main components, here, include establishing and documenting the following:
• Leadership and commitment with respect to Business Continuity Management
• A business continuity management policy
• Roles, responsibilities, and authorities

Planning.
An effective BCP begins with a thorough risk assessment and a rigorous business impact analysis (more below). Teams should also set out clear objectives and criteria to measure plan success.

Main components, here, include determining and documenting the following:
• Risks and opportunities presented by the objectives and requirements
• BC objectives and plans to achieve them
• Minimum acceptable levels of output
• Some form of project plan, with an evaluation mechanism

Support.
BCM doesn’t happen in a vacuum. More than senior management engagement, organizations will need a stock of qualified professionals with relevant knowledge, skills, and experiences. Staff also need to be apprised of their role in responding to incidents.

Main components, here, include establishing the following resources to support the BCMS:
• A competence system
• An awareness program
• A communications plan, to include both incident and non-incident situations
• Documentation and its management
Operation.
This clause lays out many of the requirements for the BCP, including the mandate to establish disruption and continuity management procedures.

Main components, here, include planning and implementing processes to deliver the following:
• Business impact analysis and risk assessment
• Strategies
• (Contingency) resources
• Impact mitigation
• Incident response structure and plans
• Exercise and test arrangements

Performance evaluation.
Developing a business continuity management system isn’t enough. Organizations still have to monitor, measure, and evaluate their BCMS once it’s in place. ISO 22301 calls out the necessity of internal audit programs.

Main components, here, include determining and documenting arrangements for the following:
• Monitoring, measurement, analysis, and evaluation
• Internal audit
• Management review

Improvement.
Organizations change, and so too does the business environment around them. The BCMS needs to keep up with those changes. What’s more, BCM teams must also identify nonconformities and take corrective actions to continue to enhance the overall performance of the BCMS.

Main components, here, include establishing procedures for the following:
• Non-conformance identification, reporting, and consequence control
• Corrective actions (system changes)
• Continual improvement

Understanding the Business Impact Analysis (BIA)

Usually undertaken by an internal governance committee, the business impact analysis (BIA) is a methodical accounting of business activities and the effect business disruptions would have on those activities. In the context of the BCMS and wider BCM program, the BIA is intended to help organizations isolate critical business functions in tandem with the processes and resources needed to support them.

Why is the BIA important? Well, firms might have a good feel for the services and products they need to continue delivering in order to avoid severe revenue loss in the event of a major disruption. But it’s not a given that senior managers have a more nuanced understanding of the dependencies that underlie those services.

After all, a lot goes into moving a product: internal dependencies, like employee availability, corporate assets, and support services, as well as external dependencies, like suppliers. A good BIA will capture all of those contingencies, then rank the order of priority of services or products for continuous delivery or rapid recovery.

BIA findings then get fed into the BCP proper, which typically covers the resources, services, and activities required to ensure the continuity of critical business functions.

For businesses implementing ISO 22301, it’s vitally important that business process owners really engage with the risk analysis part of the BIA, rather than having it shunted to the side, undertaken in isolation in the Business Continuity Manager’s Office.
In closing, rates of BCP adoption remain alarmingly low. But even for organizations who’ve successfully completed a BCP, or have procured business continuity solutions, the work to prepare your business for a major disruption isn’t done yet. Many vendors have focused their BCP solutions exclusively on preventing data loss and the loss of IT systems. However, natural disasters and other catastrophic events can cause road closures, utility outages, the loss of key staff members, and critical supply problems, all leading to business failure. To be effective, BCM programs must be focused on broader issues than just data loss or temporary loss of access to IT systems.

As a BCM best-practice standard, ISO 22301 helps organizations identify what functions are essential. Risk management, then, helps businesses prioritize and develop mitigating controls. Finally, training on accessible procedures, pre-assigning roles and responsibilities, as well as exercises prepare people to know what to do during a disaster.

That’s why having a BCP is one thing, executing that plan during a disaster quite another. Here, crisis and emergency management factor in heavily, i.e. during the response and recovery phases. Having an integrated safety and security system that turns your plans into actions based on pre-defined scenarios will facilitate speedy response and recovery.
Citations

[i] Logan Sisam, Utah Division of Emergency Management: 75% of companies without business plans fail within three years after facing a disaster and/or operational disruption. Available at [Link]
[ii] Jon Taiga: Disaster Recovery Planning: Managing Risk and Catastrophe in Information Systems.
[iii] Jonathan Bernstein, Bernstein Crisis Management.
[iv] HP and SCORE: Impact on U.S. Small Business of Natural & Man-Made Disasters. Available at [Link] HP_Download_ImpactofDisaster.pdf.
[v] Ibid.
[vi] Ibid.
Noggin Business Continuity

Meet the next-generation tool for corporate crisis and business continuity management teams to collaborate, plan, track their response, and share information. Built on the Noggin Core platform, Noggin Business Continuity gives response teams and decision makers the tools to know what’s happening, collaborate quickly and effectively, make better decisions, and enact the right plans to take action when it counts the most.

The Noggin Business Continuity solution pack is backed by the Noggin Library with hundreds of plans and best-practice workflows, out of the box, and installed in minutes.

To learn more, visit: [Link] or contact: sales@[Link]