iso

ISO 22301:2012
Societal Security Business Continuity Management System
WHITE PAPER

ISO 22301
Business Continuity
Management System

Background and
overview to the
ISO 22301:2012

BCM is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to prepare for, respond to and recover from disruptive events when they arise

The requirements specified in ISO 22301 are generic and intended to be applicable to all organizations (or parts thereof), regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization’s operating environment and complexity

ISO 22031 covers every phase of the implementation and operation of a business continuity management system, and provides a framework that can help organisations accomplish the following:

  • Develop an organisation policy for an effective recovery of key business functions
  • Establish targets and objectives to achieve the goals of the policy
  • Identify business / operations risks and associated business impacts (Perform Risk Assessment (RA) and Business Impact Analysis (BIA))
  • Determine Business Continuity Strategy and develop Business Continuity Plan(s)(based on the result of RA and BIA and aligning to BC Policy and Objectives)
  • Establish and implement business continuity procedures
  • Determine the resource required to ensure emergency preparedness and appropriate responses
  • Perform test and exercise on BC Plans to determine that the business continuity procedures and plans address the intended recovery objectives
  • Monitor, measure and analyse key characteristics that affect the recovery plan
  • Review the suitability, adequacy and effectiveness of the business continuity management system
  • Continually improve an organisation’s business continuity capabilities and performance

ISO 22301:2012
clauses

Key clauses of ISO 22301:2012

Following the new structure of the ISO 22301 is organized into the following main clauses:

 

Clause 4: Context of the organization Clause 5: Leadership Clause 6: Planning Clause 7: Support
Clause 8: Operation Clause 9: Performance evaluation Clause 10: Improvement

Key
Areas

ISO 22301:2012 Standard

The core elements of an ISO 22301:2012 Business Continuity Management System

Clause 4 - Context of the organization

Clause 4 involves defining and understanding the context of the organization. This awareness step helps management and those charged with performing business continuity planning define the obligations that should influence the identification of BCMS objectives.
An effective BCMS will consider the following when establishing objectives:
  • Legal, regulatory, and contractual requirements
  • All internal and external parties that have an interest in the organization’s business continuity efforts and
  • Consider legal and regulatory requirements when designing BCMS.
  • The organization’s strategic objectives, policies, priorities, and risk appetite.

 

Clause 5 - Leadership

Clause 5 establishes the requirements for leadership of the BCMS – defining the key activities that top management must perform to guide the alignment of business continuity efforts with broader organization al strategy, as well as ensuring the management system has the necessary support to be successful. Beyond providing visible support and serving as a champion for implementation and continual improvement, ISO 22301 states that top management (leadership) is responsible for establishing a business continuity policy, assigning roles and responsibilities, and promoting continual improvement. The following information provides a brief explanation of these two requirements :
  • Provide leadership for your organization's BCMS.
  • Show that leadership support your organization's BCMS.
  • Establish a suitable BCMS policy for your organization.
  • Assign responsibility and authority for your BCMS.
  • Ensuring resources needed for BCMS are available.
  • Promoting continual improvement.

 

Clause 6 - Planning

This is a critical stage as it relates to establishing strategic objectives and guiding principles for the BCMS as a whole.
  • Specify actions to adress your risks and opportunities.
  • Set business continuity objectives and develop plans to achieve them.

Clause 7 - Support

The day-to-day management of an effective business continuity management system relies on using the appropriate resources for each task. These include competent staff with relevant (and demonstrable) training and supporting services, awareness and communication. This must be supported by properly managed documented information.
  • Support BCMS by providing the necessary resources.
  • Support BCMS by making sure that people are competent.
  • Support BCMS by making people aware of their responsibilities.
  • Support BCMS by establishing communication procedures.
  • Support BCMS by managing documented information.

 

Clause 8 - Operation

After planning the BCMS, an organization must put in operations the business continuity management system. This clause includes:
  • Business Impact Analysis.
  • Risk Assessment of disruptive incidents - ISO 31000 could be used for this process.
  • Business Continuity Strategy.
  • Business Continuity Procedures.
  • Exercising and Testing.

 

Clause 9 - Performance evaluation

Once the BCMS is implemented, ISO 22301 requires permanent monitoring of the system as well as periodic reviews to improve its operation.
  • Monitor and measure the performance of your organization's BCMS.
  • Evaluate your business continuity procedures and capabilities.
  • Set up an internal audit program and use it to evaluate your BCMS.
  • Review the performance of your BCMS at planned intervals – Mgmt reviews

 

Clause 10 - Improvement

An organization shall continually improve the suitability, adequacy or effectiveness of the BCMS
  • Identify nonconformities and take corrective actions.
  • Enhance the overall performance of your BCMS.

PDCA
Cycle

ISO 22301:2012
Business Continuity
Management System

PLAN

The establishment of policies, objectives, targets, controls, processes, and procedures related to business continuity, which support the delivery of results aligned with the organization’s core business.

DO

The implementation and operation of the planned processes.

ACT

The performing of authorized actions to ensure that the BCMS delivers its results and is improved upon.

CHECK

The monitoring, measuring, evaluation, and review of results against the business continuity policy and objectives, so corrective and/or improvement actions can be determined and authorized.

ISO 22301
Links

Integration with
other management systems

Link between ISO 22301:2012 and other standards

A growing number of organizations are integrating business continuity with other risk management disciplines, which demonstrates that the industry is maturing and becoming more accepted by executive management. As a management systems standard, ISO 22301 can help organizations appropriately coordinate risk management efforts, with the end objective of mitigating a broad range of risks in the most efficient manner possible.

ISO 22301 is obviously useful as part of a certification process to ISO/IEC 27001:2005. ISO 22301 can be used to directly comply with the objective of clause A.14- Business continuity management. Additionally, regarding the implementation and execution of a risk assessment in the context of ISMS compliance, an organization could always refer to ISO/IEC 27005:2011 or, in a broader context, to ISO 31000:2009 - Risk management - Principles and guidelines or, to execute the assessment itself, to ISO 31010:2009 - Risk management - Risk assessment techniques.

In general, the effort to align management system standards has been well received from all quarters. It’s a combination of the popular Plan Do Check Act (PDCA) method used in standards such as ISO 14000 on Environment and ISO 27000 on IT Security - and the “Process Approach” used in ISO 9000 on quality. The headings in ISO 22301 include: Terminology; Understanding the organization (and its context); Leadership; Planning; Support; Operation; Performance evaluation; and Improvement. The common text accompanying the headings is clear and succinct. Because all management system standards eventually need to use this format, by being one of the first standards to adopt it, ISO 22301 can easily integrate with other standards.

Benefits

ISO 22301
What are the benefits?

Business Continuity Management System- the Business Benefits

ISO 22301 : 2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.

Some of the key business benefits of adopting the ISO 22301:

  • Improving your resilience against disruption
  • Maintaining an ability to manage uninsurable risks
  • Developing a capability to manage business disruption
  • Minimising consequences of unexpected disruptions
  • Providing a method of restoring your ability to supply key products and services
  • Protecting and enhancing your reputation and brand
  • Gaining a competitive advantage by demonstrating the ability to maintain delivery of your products and services

ISO 22301
Certification

Certification
Steps

Certification of Organizations

The usual path for an organization that wishes to be certified against ISO 22301 is the following:

1. Implementation of the management system:

Before being audited, a management system must be in operation for some time. Usually, the minimum time required by the certification bodies is 3 months.

2. Internal audit and review by top management:

Before a management system can be certified, it must have had at least one internal audit report and one management review.

3. Selection of the certification body (registrar):

Each organization can select the certification body (registrar) of its choice

4. Pre-assessment audit (optional):

An organization can choose to perform a pre-audit to identify any possible gap between its current management system and the requirements of the standard

5. Stage 1 audit:

A conformity review of the design of the management system. The main objective is to verify that the management system is designed to meet the requirements of the standard(s) and the objectives of the organization. It is recommended that at least some portion of the Stage 1 audit should be performed on-site at the organization’s premises.

6. Stage 2 audit (On-site visit):

The Stage 2 audit objective is to evaluate whether the declared manage - ment system conforms to all requirements of the standard, is actually being implemented in the organi - zation and can support the organization in achieving its objectives. Stage 2 takes place at the site(s) of the organization’s sites(s) where the management system is implemented.

7. Follow-up audit (optional):

If the auditee has non-conformities that require additional audit before be - ing certified, the auditor will perform a follow-up visit to validate only the action plans linked to the non- conformities (usually one day).

8. Confirmation of registration:

If the organization is compliant with the conditions of the standard, the Registrar confirms the registration and publishes the certificate.

9. Continual improvement and surveillance audits:

Once an organization is registered, surveillance activi - ties are conducted by the Certification Body to ensure that the management system still complies with the standard. The surveillance activities must include on-site visits (at least 1 per year) that allow veri - fying the conformity of the certified client’s management system and can also include: investigations following a complaint, review of a website, a written request for follow-up, etc

STAY
IN
TOUCH

GABRIEL
REGISTRAR

Contact us to know more about
ISO 22301:2012 Business Continuity Management System