ISO 22301, the world’s first international standard for Business Continuity Management (BCM), has been developed to help organizations minimize the risk of such disruptions. ISO has officially launched ISO 22301, “Societal security - Business continuity management systems – Requirements”, the new international standard for Business Continuity Management System (BCMS). This standard will replace the current British standard BS25999.
ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to prepare for, respond to and recover from disruptive events when they arise.
The requirements specified in ISO 22301 are generic and intended to be applicable to all organizations (or parts thereof), regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization’s operating environment and complexity.
- Greater emphasis on setting the objectives, monitoring performance and metrics;
- Clearer expectations on management;
- More careful planning for and preparing the resources needed for ensuring business continuity.
ISO 22301 applies to all types and sizes of organizations that wish to:
- establish, implement, maintain and improve a BCMS;
- assure conformity with the organization’s stated business continuity policy;
- demonstrate conformity to others;
- seek certification/registration of its BCMS by an accredited third party certification body; or
- make a self-determination and self-declaration of conformity with this International Standard.
Key Clauses of ISO 22301:2012
Following the new structure of the ISO guide 83, the ISO 22301 Specification is organized into the following main clauses:
Each of these key activities is listed below.
- the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident
- links between the business continuity policy and the organization’s objectives and other policies, including its overall risk management strategy;
- the organization’s risk appetite;
- the needs and expectations of relevant interested parties;
- applicable legal, regulatory and other requirements to which the organization subscribes.
Identifying the scope of the BCMS, taking into account the organization’s strategic objectives, key products and services, risk tolerance, and any regulatory, contractual or stakeholder obligations is also part of this clause.
- ensuring the BCMS is compatible with the strategic direction of the organization;
- integrating the BCMS requirements into the organization’s business processes;
- providing the necessary resources for the BCMS;
- communicating the importance of effective business continuity management;
- ensuring that the BCMS achieves its expected outcomes;
- directing and supporting continual improvement;
- establish and communicate a business continuity policy;
- ensuring that BCMS objectives and plans are established;
- ensuring that the responsibilities and authorities for relevant roles are assigned
- be consistent with the business continuity policy;
- take into account the minimum level of products and services that is acceptable to the organization to achieve its objectives;
- be measurable;
- take into account applicable requirements;
- be monitored and updated as appropriate
The day-to-day management of an effective business continuity management system relies on using the appropriate resources for each task. These include competent staff with relevant (and demonstrable) training and supporting services, awareness and communication. This must be supported by properly managed documented information.
Both internal and external communications of the organization must be considered in this area, including the format, the content and the proper timing of such communications.
The requirements on the creation, update and control of documented information are also specified in this clause.
After planning the BCMS, an organization must put in operations the business continuity management system. This clause includes:
- Business Impact Analysis (BIA): This activity enables an organization to identify the critical processes that support its key products and services, the interdependencies between processes and the resources required to operate the processes at a minimally-acceptable level.
- Risk assessment: ISO 22301 propose to refer to the ISO 31000 standard to implement that process. The goal of this requirement is to establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyzes, and evaluates the risk of disruptive incidents to the organization.
- Business continuity strategy: After requirements have been established through the BIA and the risk assessment, strategies can be developed to identify arrangements that will enable the organization to protect and recover critical activities based on organizational risk tolerance and within defined recovery time objectives. Experience and good practice clearly identify that the early provision of an organizational (Corporate) BCM Strategy will ensure BCM activities are aligned with and support the organization's overall business strategy. The Business Continuity Strategy can be an integral component of an institution’s corporate strategy.
- Business continuity procedures: The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident. The procedures have to:
- establish an appropriate internal and external communications protocol;
- be specific regarding the immediate steps that are to be taken during a disruption;
- be flexible to respond to unanticipated threats and changing internal and external conditions;
- focus on the impact of events that could potentially disrupt operations;
- be developed based on stated assumptions and an analysis of interdependencies; and
- be effective in minimizing consequences through implementation of appropriate mitigation strategies.
- Exercising and testing: to ensure that business continuity procedures are consistent with its business continuity objectives, an organization have to test them regularly. Exercising and testing are the processes of validating business continuity plans and procedures to ensure strategies are capable of providing response and recovery results within the timeframes agreed to by management.
monitoring the extent to which the organization’s business continuity policy, objectives and targets are met;
measuring the performance of the processes, procedures and functions that protect its prioritized activities;
monitoring compliance with this standard and the business continuity objectives;
monitoring historical evidence of deficient BCMS’ performance
conducting internal audits at planned intervals; and
evaluating all this in the management review at planned intervals.
Continual improvement can be defined as all the actions taken throughout the organization to increase effectiveness (reaching objectives) and efficiency (an optimal cost/benefit ratio) of security processes and controls to bring increased benefits to the organization and its stakeholders. An organization can continually improve the effectiveness of its management system through the use of the business continuity policy, objectives, audit results, analysis of monitored events, corrective and preventive actions and management review.