ISO 22301 is a management systems standard for business continuity which can be used by organizations of all sizes and types. These organizations will be able to obtain certification against this standard and demonstrate to legislators, regulators, customers, prospective customers and other interested parties that they are adhering to good practices in business continuity . ISO 22301 also enables the business continuity manager to show top management that a recognized standard has been achieved.
Incidents can disrupt an organization at any time and applying ISO 22301 will ensure that organizations can respond and continue its operations. Incidents take many forms ranging from large scale natural disasters and acts of terror to technology-related accidents and environmental incidents. However, most incidents are small but can have a significant impact and that makes business continuity management relevant at all times.
ISO 22301 provides a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS). It is expected to help organizations protect against, prepare for, respond to, and recover when disruptive incidents arise.
ISO 22301 is the first standard published which is aligned with the new ISO format for writing management systems standards. This will ease understanding and ensure consistency with other management systems, such as ISO 9001 (quality management), ISO 14001 (environmental management) and ISO/IEC 27001 (information security management).
The key benefits to ISO 22301 certification:
- Minimise organization disruption
- Increased customer satisfaction
- Sales and marketing advantages
- Continuous improvement
- Greater control over processes and internal systems
- Access new markets and clients
- Industry best practise
- Demonstrates your commitment to disaster recovery
International Certifications offer the following business continuity certification program:
ISO 22301:2012 – Business Continuity Management Systems – Requirements (www.iso.org)
The standard is divided into 10 main clauses, starting with scope, normative references, and terms and definitions. Following these are the standard’s requirements:
- Clause 4 – Context of the organization The first step involves getting to know the organization, both internal and external needs, and setting clear boundaries for the scope of the management system. In particular, this requires the organization to understand the requirements of relevant interested parties, such as regulators, customers and staff. It must in particular understand the applicable legal and regulatory requirements. This enables it to determine the scope of the business continuity management system (BCMS).
- Clause 5 – Leadership ISO 22301 places particular emphasis on the need for appropriate leadership of BCM. This is so that top management ensures appropriate resources are provided, establishes policy and appoints people to implement and maintain the BCMS.
- Clause 6 – Planning This requires the organization to identify risks to the implementation of the management system and set clear objectives and criteria that can be used to measure its success.
- Clause 7 – Support Since resources are required for implementation, Clause 7 introduces the important concept of competence. For business continuity to be successful, people with appropriate knowledge, skills and experience must be in place to both contribute to the BCMS and respond to incidents when they occur. It is also important that all staff are aware of their own role in responding to incidents and this clause deals with all of these areas. The need for communication about the BCMS – for instance in telling customers that the organization has appropriate BCM in place – and preparedness to communicate following an incident (when normal channels may be disrupted) is also covered here.
- Clause 8 – Operations This section contains the main body of business continuity-specific expertise. The organization must undertake business impact analysis to understand how its business is affected by disruption and how this changes over time. Risk assessment seeks to understand the risks to the business in a structured way and these inform the development of business continuity strategy. Steps to avoid or reduce the likelihood of incidents are developed alongside steps to be taken when incidents occur. As it is impossible to completely predict and prevent all incidents, the approach of balancing risk reduction and planning for all eventualities is complementary. It might be said, “hope for the best and plan for the worst”.
- Clause 9 – Evaluation For any management system, it is essential to evaluate performance against plan. ISO 22301 therefore requires that the organization select and measure itself against appropriate performance metrics. Internal audits must be conducted and there is a requirement that management review the BCMS and act on these reviews.
- Clause 10 – Improvement No management system is perfect at the outset, and organizations and their environments are constantly changing. Clause 10 defines actions to take to improve the BCMS over time and ensure that corrective actions arising from audits, reviews, exercises and so on are addressed.