ISO 22301: Your framework for business continuity management

• What is ISO 22301?
• Who can benefit from ISO 22301?
• How does ISO 22301:2019 differ from ISO 22301:2012?
• What is a Business Continuity Management System (BCMS), and why do you need it?
• How does ISO 22301 work?
• How do you implement an ISO 22301 system?
• What are the ISO 22301 requirements?
• What are the benefits of implementing ISO 22301?
• How do you become ISO 22301 certified?

What is ISO 22301?

ISO 22301 is the standard for business continuity. Referred to as “ISO 22301:2019 Security and resilience – Business continuity management systems – Requirements”, the management system standard outlines mechanisms to minimise the impact of incidents. These mechanisms and requirements are designed to prevent and reduce the likelihood of disruptive incidents, as well as equip your organisation for quick recovery.

It is useful to have this certification to prove to stakeholders that you can resume daily operations with minimal impact, if your organisation is exposed to disruptive incidents. 

Who can benefit from ISO 22301?

Organisations in industries such as transport, health and other essential public services should prioritise the ISO 22301 standard, as they are legally required to plan for emergency situations. However, no organisation can be considered completely safe from incidents. These incidents can be everyday disruptions, such as technical failure, or unprecedented ones, such as flooding. 

For this reason, ISO 22301 is available to organisations of different sizes across industries; the standard can be useful for any organisation seeking risk management and improved incident response and recovery. 

How does ISO 22301:2019 differ from ISO 22301:2012?

The updated iteration of the standard is designed to be more practical and streamlined than previous versions. ISO 22301:2019 and ISO 22301:2012 do not differ very significantly, but some terminology has been expanded and defined more clearly to improve context. Clause 8 of the standard in particular has seen the most changes. 

What is a Business Continuity Management System (BCMS), and why do you need it?

A BCMS is a system that can be incorporated into existing management systems, and consists of mechanisms that ensure an effective response and the continuation of essential functions following a crisis. Crises may range from cyber attacks to natural disasters and, regardless of size or type, your organisation can be impacted both internally and externally, affecting your customers and supply chain. This is where business continuity management comes in; it protects the interests of stakeholders and the integrity of your organisation. 

BCPs and BCMS are also relevant to other ISO standards, such as ISO 27001 – which focuses on the information security aspects of business continuity management – and ISO 27031 – which covers the relationship between IT disaster recovery and business continuity. 

A strong business continuity strategy clearly defines employee roles and responsibilities, so you can fall back on established procedures in the event of disturbances. 

How does ISO 22301 work?

ISO 22301 is meant to make sure that businesses can remain operational after a disruptive incident. This is facilitated by a combination of the following actions:

• Business impact analysis, to determine business continuity priorities
• Risk assessment, to identify potential disruptive events
• Business continuity analysis, to identify preventive mechanisms
• Business continuity plan, to resume operations as soon as possible

You might find that your organisation lacks the technical resources needed to enforce ISO 22301 strategies and solutions. Therefore, ISO 22301 implementation involves allocating resources, setting organisational rules and developing plans to ensure business continuity and recovery.

ISO 22301 helps to define organisational roles and evaluate business continuity performance over time. With this standard, you can establish auditable proof of incident management and recovery capabilities to demonstrate compliance.

How do you implement an ISO 22301 system?

The first step to implementing ISO 22301 is to address its basic requirements. This entails setting context, scope and developing BCPs and BCMS objectives. Developing a BCP will help to identify areas of risk and opportunities as well as evaluate and rectify any gaps in your existing ISO management system.

Following implementation, performance evaluations and internal audits of your BCMS are necessary to ensure peak performance and accreditation. Auditors will look for effective mitigation strategies as proof of compliance. 

Let’s look at the more specific requirements of ISO 22301 certification.

What are the ISO 22301 requirements?

The requirements of the ISO 22301 standard are outlined in clauses 4 through 10 of Annex L as follows:

• Clause 4 - Context

Organisations must identify internal needs, stakeholder expectations and key players in terms of business continuity. Relevant policies, laws and regulations must be identified to establish the organisation's ISO 22301 scope, taking into account all factors, for example: its goals, products and services. 

• Clause 5 - Leadership

Top management must develop, document and communicate an agreed-upon policy that demonstrates their commitment to continuous support and leadership. They must effectively allocate resources and lead employees towards proper facilitation of ISO 22301.

• Clause 6 - Planning

Planning for business continuity requires that organisations understand the impact of potential disruptions. They must also develop a plan for addressing and mitigating risks. Furthermore, organisations must set appropriate and viable BCMS objectives to ensure compliance with relevant legal and regulatory requirements.

• Clause 7 - Support

Organisations may require additional resources to meet set BCMS objectives. Whether infrastructure or additional manpower, these needs must be considered and appropriate support must be provided. Proof of competence for designated roles, such as education history, training and professional background, must be documented.

• Clause 8 - Operation

What are the practical actions required for a functional BCMS? Evaluate the impact of potential threats and risks and how your organisation will respond to them. Use this assessment to devise a continuity management plan and continuously evaluate the effectiveness of your BCMS.

• Clause 9 - Performance evaluation

Consider and evaluate performance indicators and document these results. Audits must measure how well your organisation complies with the ISO 22301 standard as well as its own requirements. Top management should also periodically evaluate the effectiveness of the BCMS.

• Clause 10 - Improvement

Establish a method for risk mitigation and to identify root causes and solutions. Identify and document strategies for improvement on a continual basis.

Now that you have a basic understanding of the Annex L controls and what is required for ISO 22301 compliance, let’s look at the benefits of implementing the standard.

What are the benefits of implementing ISO 22301?

An ISO 22301 aligned BCMS ensures your business continuity plans (BCPs) are continuously updated and worked into your organisation's culture. Implementing ISO 22301 can benefit your organisation in multiple ways:

• A BCMS helps to estimate the consequences of operational disruptions, implement effective BCPs, and minimise the overall impact of incidents.
• ISO 22301 provides a framework for efficient incident response and recovery procedures.
• Effective business continuity management ensures your organisation's income stream and assets are protected against loss due to incidents.
• An ISO 22301 aligned BCMS demonstrates that your organisation has done what is necessary to comply with relevant regulatory requirements.
• A BCMS helps organisations manage and deploy successful BCPs, in line with organisational contingencies and capabilities. 
• BCMS implementation involves a thorough examination of existing processes. This enables you to identify areas for improvement within your organisation and refocus on objectives.
• A robust BCMS reassures customers that your organisation can maintain critical operations and respond well following an incident.
• An ISO 22301 aligned BCMS allows for a more realistic analysis of potential impact and a more accurate evaluation of insurance requirements.

Overall, a BCMS that is aligned with ISO 22301 gives your organisation a competitive edge and demonstrates a commitment to incident management and quick disaster recovery.

How do you become ISO 22301 certified?

There are four keys steps to getting the ISO 22301 certification:

• Preparation - An assessor helps you get everything you need for the first assessment.
• Stage 1 Assessment - Following the first assessment, you receive a “gap analysis” report that details the next steps towards receiving ISO 22301 certification.
• Stage 2 Assessment - You receive a same-day result which is assessed and signed-off for compliance. You can expect to receive your ISO 22301 certification not long after. 
• Annual Assessment - Annual assessments are required to renew and maintain your certification.

Strengthen your information security with DataGuard

ISO 22301 can be applied to organisations of all sizes and industries and the importance of business continuity management can be seen in other standards as well, such as ISO 27001, ISO 27031 and the UK GDPR. If you are interested in protecting your organisation by strengthening your information security setup, we'd be happy to talk.