ISO 22301
CERTIFICATION
Business Continuity Management System

What is ISO 22301 (BCMS)?

ISO 22301:2019 is an international standard build to re-structre the business processes when there is a complete disruption in the business framework due to an unexpected event. Occurrences like IT failure, equipment failure, natural disaster or securty breaches sometimes result in the entire decimation of the business process. Disruption of businesses at this level needs appropriate plans in place to make it rebound from the company’s organisation.

History Of ISO 22301 (BCMS)

ISO 22301 is an internationally accepted standard that has been adjusted since its first draft was released in 2010, with the final version coming out in 2012. This standard provides organizations with guidance in responding to both internal and external threats and helps them create a successful business plan to make their company more resilient.

The latest version of 22301

ISO Standards are reviewed every five years in order to remain relevant in a rapidly changing world and to evolve alongside businesses. ISO 22301:2019 was published in October 2019 as the latest version of the International Standard for Business Continuity Management Systems ISO 22301. Following minor changes in 2014, the 2019 revision introduces minor changes to the standard, most notably more flexibility and less prescriptiveness, which adds value to organisations and their customers.

The Intent of ISO 22301

It is important to have a plan in place for responding to cyber-attacks, including measures such as regular data backups and employee training on cybersecurity best practices. Failure to properly address and mitigate the effects of a cyber-attack can result in financial losses, reputational damage, and even legal consequences.

40 to 60 percent of small businesses, according to FEMA, perish in a big disaster like a flood, hurricane, fire, etc. Additionally, it notes that 20% of businesses lack a suitable disaster recovery strategy. Most of them rely on educated guesses and spur-of-the-moment thinking.

Here are some issues that companies might encounter in the event of a catastrophic event.

  • 🢚 Supply chain management disruption
    🢚 Foundation for communications is lost
    🢚 Loss of infrastructure, such as homes, offices, factories, and roadways.
    🢚 Machinery loss
    🢚 loss of revenue
    🢚 Workforce loss

ISO 22301 Structure

Major structural changes introduced in ISO 22301 was when Annex L was introduced as the core structure for management system standards. Annex L (previously known as ISO Guide 83) was adopted to reintroduce the clause structure of ISO 22301.

Let us go through the Clauses Of ISO 22301

Annex SL comprises of mainly 10 core clauses

1. Scope

This clause comprises mainly
● Purpose of the Standard
● Different Organizations that can follow it
● Contains those sections (clauses) of the standard that an organisation need to comply with in order to get ‘certified’

2. Normative References

This clause contains information on other standards that are relevant for an organisation to determine that it is in complete compliance with the standard under discussion.

3. Terms & Definitions

In this clause there is a list of 31 terms and definitions given in ISO 22301 and there is a reference made to the most current version of ISO 22300 Security and Resilience – Vocabulary.

4. Context of the Organisation

All shapes and sizes of organisations that deploy, maintain, and enhance a BCMS are covered by the ISO 22301 framework. Any company that wants to adhere to a declared business continuity policy and is dedicated to strengthening resilience through the efficient use of business continuity management systems should adopt it as a strategic aim.

5. Leadership

It’s critical for the management team to show leadership and dedication to the BCMS in every business. According to ISO, this can be done by making sure that the organization’s strategic direction and the business continuity policy and objectives are both set. Leadership should employ channels of communication to convey to its team members and business partners the value of successful business continuity and the necessity of adhering to BCM system criteria. Additionally, the leadership approach must support ongoing development of a culture of business continuity.

6. Planning

Essentially, identifying the risks and opportunities related to business continuity management is the first step in the planning of business continuity management systems. The organisation must also set business continuity goals for the pertinent levels and functions. These goals must be followed, clearly stated, and revised as necessary.

7. Support

This clause is concerned with the resources. As much as it relates to actual resources, materials, tools, etc., it also pertains to people, infrastructure, and the environment. Also, there is a renewed emphasis on knowledge as a valuable resource within your company. The existing capacity and capability of your resources, as well as those you may need to source from external suppliers or partners, will be a key factor when designing your business continuity objectives.

8. Operation

The implementation of operational processes for event preparedness and incident response across all company functions is essential to a business continuity strategy. This entails developing criteria for the processes and putting those criteria into practise for process control. Disaster recovery is dependent on continuity preparations, from having a media and communication strategy in place to strictly monitoring site risk in the wake of disruptive situations. Keeping records of information is essential for demonstrating that procedures and BC tests were followed as intended and modified where necessary.

9. Performance Evaluation

By performance evaluation, a lot can be learned from actual situations. Knowledge is accumulated by keeping track of accomplishments and constraints. The responsibility to maintain records rests with the interested parties, who should use the findings of audits to guide their future management of business disruptions. The organisation may make sure that any essential remedial steps are implemented by implementing an audit programme. Eliminating found nonconformities and the factors that led to them is the goal.

10. Improvement

The ISO 22301 documented management system standard is built around continuous development. Any updates and enhancements to the administration of the BCMS will eventually improve the business continuity management strategy.

QUALITY PRINCIPLES OF ISO 22301

A business continuity system must constantly implement a number of fundamental principles in order to be effective. Business continuity is based on these fundamental concepts.

Responsibility

Business continuity is a responsibility that top management and the board of directors of a corporation must recognise and accept. The overall risk management process should include business continuity planning.
Lack of clearly defined responsibilities, authority, and roles might render a business continuity plan useless in the case of a disruption.

Clear Objectives

Clear business continuity objectives that account for the nature of an organization’s operations and their effects on stakeholders should be in place. This supports the business continuity process’s prioritisation and resource allocation. These goals should specify the anticipated continuity times and levels in detail.

Impact And Risk Evaluation

The difference between the business continuity standard and others is that it emphasises the “what if.” A vital component of a successful business continuity strategy is the capacity to recognise and prepare for probable business impacts and hazards.

Communication

Business continuity plans should outline how and when an organisation will communicate internally, with clients, and with other interested parties (such regulators or suppliers).

Testing

Periodic testing of the business continuity management system is recommended in order to assess its performance and make adjustments as necessary.

Know All About ISO 22301

The pandemic has heightened organizations’ interest in business continuity as a means of protecting themselves from disruption of operations. In most cases, however, there is no time to waste learning about business continuity processes, policies, procedures, and terminology.

We offer assistance in understanding the differences between the most common business continuity terms in this article, which is based primarily on the ISO 22301 glossary, the leading ISO standard for business continuity management.

Resume vs Recovery

The term “resume” refers to resuming operations with a reduced capacity and in a different environment (e.g., operations resumed at a different site), whereas “recovery” refers to restoring operations to normal operating conditions (i.e., main site is operational again). Restore, or restoration, can also be used in place of recovery.

MAO vs RTO

Consider how long your company can afford to be down after a disaster (e.g., minutes, hours, days, etc.) – this is the Maximum Acceptable Outage (MAO). Consider how quickly you want your business to resume operations following a disaster; this is the Return Time Objective (RTO). In recent years, the term MTPD (Maximum Tolerable Period of Disruption) has largely replaced the term MAO (both terms have the same meaning).

The relationship between them is that RTO can be equal to or less than MAO, but never greater – an RTO greater than MAO makes no sense because you would be resuming operations after the impact has become so severe that doing business would result in bankruptcy.

RTO vs RPO

After a disaster, the Recovery Time Objective (RTO) specifies when business operations must resume. For instance, if the RTO is two hours, you wish to restart providing goods or services or carrying out activities within two hours.

The quantity of data that the company is willing to lose is called the Recovery Point Objective (RPO), and it is measured in terms of the period of time before a disruption occurs. For instance, if the RPO is one hour, you can afford the loss of the data processed or stored during the hour leading up to a disruption.

Difference Between Crisis, Disaster And Incident

● An incident is any circumstance that could have a detrimental effect on daily operations.
● A crisis is an unstable situation that needs to be addressed right away.
● A disaster is a situation where losses are greater than the normal capacity of an organization to handle them.

In light of these definitions, a disaster may result from an occurrence, a crisis, or both. A fire is an example of an incident that might trigger a crisis or a disaster (without immediate attention and action, it can destroy assets and facilities that cannot be easily replaced). A pandemic, an earthquake, or a riot are additional instances.

BIA vs Risk Assessment

You can learn how a disaster will affect your business processes and services over time by performing a business impact analysis (BIA). In order to identify, analyse, and rank the risks to which your organisation is exposed as part of the risk management process, you must first conduct a risk assessment.

There is no required order for performing BIA and risk assessment; rather, they are utilised in tandem to assist establish business continuity and disaster recovery strategies and plans.

Business Continuity Policy vs Business Continuity Plan

The Business Continuity Plan is an operational document that specifies the steps for an immediate response, the restart of business operations following a disaster, and recovery of business operations following a disaster. The Business Continuity Policy is a top management document that specifies the high-level guidelines, objectives, and responsibilities for business continuity planning and management.

Business Continuity Plan vs Crisis Management Plan

A business continuity plan (BCP) outlines the steps to take in the event of a specific disruption as well as how to continue and recover a service or operation after the disruption.

A Crisis Management Plan, on the other hand, is a set of business-oriented procedures to be followed to ensure the overall management of critical situations that may have a negative impact on an organisation (e.g., the evaluation of business impacts, the declaration of an emergency, a crisis, or a disaster, press communication, the follow-up of an immediate response, the resume and recovery procedures, etc.). Because it applies to more than only disaster scenarios (such as public relations crises, financial crises, etc.), crisis management plans are neither a term defined by ISO 22301 nor do they have a universal meaning. Moreover, they may or may not be a component of business continuity plans.

Documentation for ISO 22301

Download PDF For Complete Documentation

Download PDF

What are the documents that are required according to ISO 22301? Please fill up the details and you will find a complete checklist of the mandatory documents. This document contains requirements that can be used by an organization to implement a BCMS and to assess conformity.

Implementation Process Of ISO 22301

Implementing ISO 22301 is not an easy task it requires an organisation to go through some mandatory steps to implement business continuity.

If the management of an organisation is willing to implement this project and has the necessary financial and human resources available to deploy then an organisation can proceed with it.

Ensure that organisation is willing to comply with everything that the stakeholders want from the organisation. Apart from the laws and regulations prepare a list of all the requirements stated in the agreements with your clients (SLAs), wishes of the company owners and the local community.

Top management must lay measurable objectives to define exactly what is required from business continuity. It is absolutely necessary in order to have a clear understanding whether business continuity has served its purpose.

There must be a set of procedures that include documents and records control, internal audit and corrective actions that must be in place to ensure that it is easier to run your system.

Identification of possible incidents which your organisation finds itself vulnerable to must be acknowledged. Find out what controls can mitigate the impact of such incidents .

An organisation has another key responsibility other than accessing risks and it is two sided. Firstly, How quickly you need to recover (before becoming bankrupt); Secondly, What is needed in order to succeed with such recovery? Therefore the purpose of business impact analysis is to define the Recovery Time Objective (RTO) and other resources.

You need to determine how to accomplish all of this with the least amount of investment given the inputs (various requirements, RTO, resources, and most probable incidents). Without this step, your company continuity would just be a house of cards, which can be quite demanding.

There are a number of different kinds of BC plans, but at the very least there are recovery plans and incident response plans (which specify how to respond to an incident initially) (what needs to be done to start the activities running). All of these must be founded on a strategy otherwise the information, technology, personnel, etc. would not be available to support such plans.

Having plans in place is not sufficient; if no one knows how to use them (or where to find them! ), you can be sure that they would not function in the event of an actual incident. Consequently, you must clarify to your staff (as well as other parties involved in your plans) not only how to carry out particular steps but also the significance of doing so.

Written documents have the unsavoury habit of rapidly becoming out of current. All of these events need to be reflected in your documentation, particularly the plans. Employees may leave the business, there may be new hires, you may change the working procedures or a technology, or you may add new products. You wouldn’t be able to carry out your plans when they are most required without such changes.

Training alone will not be sufficient; you must use the plans to see how they work in (almost) real circumstances. Otherwise, you won’t know where they fall short. Therefore, conducting regular exercises and testing is crucial. Such testing shouldn’t be limited to IT alone; it must include top management, outsourcing partners, and suppliers.

You can only ever learn from events; no matter how hard you try, you’ll never be able to prevent them from occurring. Additionally, you can learn a lot about how people respond, their level of readiness, what changes to make to the plans, etc. Most significantly, you can find out if you met your goal for recovery time.

Since this step should proceed concurrently with every other step, it isn’t technically the 13th step (though I don’t attempt to avoid it either). This is due to the fact that regulatory bodies, authorities, owners, employee families, the media, etc. are very important to business continuity, and you must keep these parties informed beginning with the writing of your policy and setting of the objectives all the way through to the point at which an incident actually occurs.

The fundamental tenet here is that it makes no sense to act until you are certain that you have succeeded in your goals or not. In the case of business continuity, the goals are established in step 3, but determining whether you reached those goals requires the use of metrics. It could be something complex like a balanced scorecard, or it could be something straightforward like tracking RTO success during exercises and tests.

Being completely unbiased when discussing your own work is difficult. An internal audit is intended to review your work and recommend improvements by someone who is less subjective than you. Internal audits are frequently viewed as expenses, but they are actually very helpful for dealing with reality.

We all constantly strive to improve what we do, but ISO 22301 wants us to do it methodically. It compels a company to determine the root cause of a problem and take steps to ensure it never occurs again. Or, as the standard instructs, “ensure that nonconformities do not reoccur”; either way, it must be carried out consistently and openly.

After completing all of these steps, top management must assess them and make some important choices, such as updating the goals, providing the funding, making more significant improvements, etc. After all, it is ultimately their duty to ensure that the business survives more serious incidents.

Benifits of ISO 22301

How Does ISO 22301 Help Your Business?

The return of the organisation to “business as usual” with the least amount of disruption from any disaster is one of the many benefits of ISO 22301.

Businesses across all industries are realising the importance of being able to carry on with operations despite any minor or major mishap. A business can prepare for these events using a business continuity management system (BCMS). As a result, businesses become more competitive and experience less working downtime in the event of the unexpected.

Businesses and organisations can react appropriately to disruptive incidents and prevent waste or needless loss thanks to ISO 22301. Business continuity management identifies the goods and services that are crucial for the organization’s survival by carefully assessing the impact of the disruption. It aims to ascertain what remedies and backup plans would be necessary in the event of a mishap.

Compliance with ISO 22301 aids in meeting company governance requirements. In essence, the standard can show that the company has made the required efforts to meet legal requirements that demand an efficient business continuity management programme.

The term “crisis management” (CM) refers to the overall coordination of a company’s timely, efficient reaction to a crisis. The objective for those in charge of crisis management is to prevent, or at the very least, minimise harm to the organization’s profitability, image, or operational capability. Passing the ISO 22301 standard verifies that the necessary precautions are taken to make this happen.

Following a stressful event, disaster recovery activities focus on getting the organisation back to “business as usual” and moving it in the direction of full recovery. It’s critical to understand that this differs from business continuity management, which focuses on ensuring that the company can continue to operate during a crisis and lessen the likelihood of natural catastrophes.

Industries Relevant To ISO 22301

Therefore, any organization is legally required to participate in contingency and planning, including utilities, transportation, health, and vital public services. Also, industries in the energy, transportation, health, and vital public services sectors, should implement and become certified to ISO 22301.

Future Contributions Of ISO 22301 To Industries

In the near future traditional BCM will find expansion and will no longer be limited to a niche or specialised department, working in isolation from the rest of the business.

Expanding The Limits of Traditional BCM

Business continuity managers no longer perform their job in a specialised or specialised department that is separate from the rest of the company. As time goes on, it will be crucial for BC Managers to collaborate more closely with the organization’s Risk, Security, ITDR, and Information Systems departments (to name just a few). Businesses are attempting to develop hybrid roles that bridge BCM and more functional areas of the company. For those in top roles, this is especially valid.

Centralized Platform As a Management System

The use of cloud-based solutions, where data and processes are integrated into a single system that everyone in the organisation can see and use, is becoming more and more essential, according to 62% of chief risk officers. Organisations simply can’t afford to operate in silos any longer, where various parts of the company can’t interact with one another or react quickly enough, in order to increase organisational resilience and better mitigate and respond to a crisis or data threat.

Rising Business Profile For BCM

Many BCM teams think that the increased focus on organisational resilience is enhancing their visibility and influence within organisations. Businesses now recognise the value of controlling disruptions and reducing threats, and they also usually acknowledge that BCM leaders have a thorough understanding of how their organisations actually operate. The requirement for adaptable cloud options is also becoming more and more apparent. Leaders in BCM are aware of the possibilities this presents.

Joining Over SIS Certifications Best ISO Certification Agency

  “We do not sell, We certify.”