What is ISO 22301?
ISO 22301 is an international standard designed to ensure organisations achieve defined levels of security and resilience, should they experience disruptive incidents.
In a world where cyberattacks, data breaches and natural disasters can interrupt business continuity and quickly damage reputation, organisations and businesses need to implement, maintain and keep refining their business continuity management system (BCMS). ISO 22301 certification of their continuity management ensures they are doing so.
Crucially, the ISO 22301 standard helps organisations identify and prioritise threats. It allows them to implement their business continuity management system effectively so they are ready to respond to and recover from incidents with the least disruption to business.
In 2012, a version of the standard was set out as ISO 22301:2012. This focused on ‘societal security’. It specified requirements to ‘plan, establish, implement, operate, monitor, review, maintain and continually improve a documented business continuity management system’. The aim of ISO 22301:2012 was to protect against disruptive incidents, reduce the likelihood of their occurrence, and prepare for, respond to and recover from them as and when they arise.
ISO, the International Organization for Standardization, develops and publishes International Standards.
What is the latest version of ISO 22301?
On 31 October 2019 the latest version of the ISO 22301 standard was published – ISO 22301:2019. This is a revised version of ISO 22301:2012. It aims to make the standard “more streamlined and practical”, according to the ISO. According to the United Kingdom Accreditation Service (UKAS), companies will be able to transition from ISO 22301:2012 to ISO 22301:2019 up until 30 April 2023. The deadline was, as an exception, extended due to the Covid-19 situation. The 2019 version has been generally well received, and transition from the old to the new version of the standard is seen as a not overly onerous, value-adding exercise.
You can find the ISO 22301:2019 standard documentation on the official ISO website here: https://www.iso.org/standard/75106.html
ISO 22301:2019 provides businesses with the most up-to-date security and resilience certification to be sure their business continuity management systems meet the international standard, set out by the ISO.
What is business continuity?
Business continuity is contingency planning and disaster recovery that allows an organisation to continue its operations through disruptive incidents. Business continuity means having plans and systems in place to recover key products and services. It will help ensure minimal damage to reputation or market position. There is also a requirement to satisfy legal and regulatory obligations.
Business continuity is no longer a ‘nice to have’ element of corporate life. According to ISO, no organisation can afford to be without a comprehensive, documented, fully integrated and certified business continuity management system.
Simply put, business continuity best practice becomes possible with an ISO 22301 certified BCMS. ISO business continuity takes into account the risks faced by the organisation and the specific impacts to services should disruptive incidents occur.
What are the benefits of business continuity management?
Business continuity management helps organisations reduce the likelihood and impact of disruption and downtime, protect assets if something does go wrong, continue operating through the disruption, and recover as quickly as possible from any incidents that do occur. Having business continuity plans in place will help your organisation in the following ways:
- Comply with legal requirements
ISO 22301 is used for legal and regulatory certification of continuity management, ensuring all the required elements of a business continuity management system are being met.
- Achieve marketing advantage
Brand reputation is precious for any organisation and should be protected at all costs. With a continuity management system it’s possible to build customer confidence and trust, reducing the likelihood of a PR disaster that could damage relationships with stakeholders including customers, clients and suppliers.
- Reduce dependence on individuals
Through planning, training, awareness programmes and testing, everyone in an organisation should understand what is expected of them. This breeds confidence that the business continuity plans will deliver in the event of a disruption.
- Prevent large-scale damage
It’s vital to keep your business trading during and after an incident. By recovering operations quickly after interruptions it’s possible to reduce the cost of damaging incidents, protect the organisation’s reputation and even save lives, if dangerous events, such as fire or flooding, occur.
- Operational resilience
Mishaps and unplanned events vary in scale, speed and impact, possibly only hitting a single department or location. Identifying and planning for possible smaller-scale issues that could escalate into major operational difficulties for the entire organisation will keep the wheels turning.
How does ISO 22301 work?
ISO 22301 works by setting out how to build a management system that helps an organisation to plan for any type of incident that might affect its ability to operate effectively.
This standard provides a framework for an organisation to define responsibilities, and makes it possible to assess and review business continuity performance over time. With ISO 22301 you can create the documents necessary to provide auditable evidence of contingency capabilities, as part of ongoing compliance requirements.
Performance assessment, audits and improvement are central to the management system standard set out by ISO 22301:2012 and ISO 22301:2019.
Demonstrating Good Practice and Awareness
With a robust system in place to address unforeseeable threats and disruptions you can demonstrate good practice and maintain the service stakeholders expect.
With a business continuity management system based on the requirements of ISO 22301, both internal and external interested parties can be made aware that the organisation operates with good practices in business continuity management.
The ISO 22301 framework
Here we summarise the framework that is set out in ISO 22301:
The ISO 22301 framework is for all types and sizes of organisations that implement, maintain and improve a BCMS. It should be adopted as a strategic intent by any business that wants to conform with its stated business continuity policy and is committed to enhancing resilience through the effective application of the BCMS.
In every industry it’s vital that the management team can demonstrate leadership and commitment to the BCMS. This can be achieved by ‘ensuring the business continuity policy and business continuity objectives are established and are compatible with the strategic direction of the organisation’ says ISO.
Leadership should use communication channels to show its people and partners the importance of effective business continuity and of conforming to the BCMS requirements. The leadership strategy must also promote continual improvement and development of a culture of business continuity.
Fundamentally, BCMS planning begins with assessing and determining the risks and opportunities regarding business continuity management.
The organisation must also establish business continuity objectives for the relevant functions and levels. These objectives must be monitored, clearly communicated, and updated as appropriate.
Business continuity strategy relies on operational processes being in place for incident preparedness and incident response across all functions of the business. That means establishing criteria for the processes, and implementing control of the processes in line with agreed criteria. From having in place a media and communication strategy to tightly managing site risk in the aftermath of disruptive incidents, disaster recovery is reliant on continuity plans.
A crucial step is keeping documented information for the purpose of proving that processes and BC testing have been carried out as planned and improved where needed.
- Performance evaluation
Performance assessment means a great deal can be learnt from incidents taking place. By monitoring successes and limitations, knowledge builds up. Interested parties have a responsibility to keep records, and use the results of audits to help them make the right decisions about how to manage business disruptions going ahead.
By establishing an audit programme the organisation can ensure that any necessary corrective actions are taken. The aim is to eliminate detected nonconformities and their causes.
Ongoing improvement is central to the management system standard set out by ISO 22301. Any revisions and improvements to the way the BCMS is managed will enhance the business continuity management plan over time.
ISO 22301 policies and procedures
Policies and procedures for an ISO 22301 business continuity management compliance project must be carefully managed.
An organisation must demonstrate compliance with the ISO business continuity standard by providing appropriate documentation. This includes a scope, a detailed business continuity policy, a formal risk assessment procedure and business continuity plans that show how the organisation will respond to and recover from disruption.
Terms and definitions
The standard talks in detail about security and resilience. It uses a wide range of either specialist technical terms, or common terms that have a specific meaning in a security and resilience context.
To help you understand them, it includes definitions of the 31 most important ones. It also points you towards “ISO 22301 Security and Resilience – Vocabulary”, which lists and defines almost 300 security and resilience terms.
There are some associated guideline documents that add more detail to the requirements in ISO 22301. Some of these are listed inside ISO 27001; standout guides are:
- ISO 22313 – Guidance on the use of ISO 22301
- ISO 22317 – Guidelines for Business Impact Analysis (BIA)
If you need to understand a term that isn’t listed here, you should check in ISO 22301 to see what it means.
You can also find terms and definitions online.
ISO and IEC maintain terminological databases for use in standardisation at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
Understanding these terms is very important. For those who are not already expert in this field, they can be a little difficult to get to grips with.
If you choose to work with us we’ll make sure you understand them. We explain them in our own support materials, and if you need more targeted help we can either answer your questions ourselves or find the right independent partner to work with you.
Who can implement this standard?
The requirements specified in the ISO 22301 international standard are generic. That means all organisations, regardless of the type, size, location and nature of the organisation can implement the standard. The extent of application of these requirements depends on the organisation’s operating environment and complexity.
How to implement ISO 22301
When you implement ISO 22301, the first simple step is to think about addressing the primary requirements of the standard. This starting point will encourage you to take a strategic approach. This is why leadership is so important. It’s vital to set the context, the scope, as well as developing a business continuity policy and objectives of the BCMS.
Developing a business continuity policy will help identify your areas of risk and opportunity. From here, you can consider the impacts of those risks and what they might mean in terms of consequences, time to failure, recovery time and so on. Doing so will help you discover any holes or shortcomings in your current management system’s requirements. You will also identify and provide practical suggestions for improving them. ISO describes this as business continuity strategies and solutions.
ISMS.online has resources and partners that can help with your ISO 22301 implementation, from achieving a pragmatic and straightforward BCMS approach, through to a highly sophisticated BCMS.
Once you’ve completed your implementation, it is essential to undertake regular audits of the business continuity management system. Internal audits are mandatory for achieving independent certification of the BCMS too. Performance reviews also complement internal audits to make sure that your management systems are operating as expected at all times.
The ISO auditor would also expect to see a record of improvements your organisation has made over time. Having a method for addressing nonconformities, corrective actions and other enhancements will be a crucial requirement.
What is an ISO 22301 certificate?
The certificate is the evidence that a BCMS has been audited against and complies with the requirements of ISO 22301. Many companies have achieved an ISO 22301:2012 certificate and this can now be updated to the ISO 22301:2019 version.
Achieving the ISO business continuity standard proves that an organisation has implemented a BCMS that is compliant with the requirements of the standard. Achieving certification provides reassurance that the organisation will cope when there is disruption.
What are the benefits of ISO 22301 certification?
Here are some of the benefits that organisations may see having achieved the ISO 22301 standard.
- Customer satisfaction
- Business resilience
- Legal compliance
- Improved risk management
- Proven business credentials
- Ability to win more business
- Global recognition as a reputable supplier
How does ISO 22301 help your business?
There are many advantages of ISO 22301, including returning the organisation to ‘business as usual’ with minimal disruption from any crisis.
- Operational resilience
Having the ability to continue operations regardless of any minor or major incident taking place is becoming increasingly important to businesses in all sectors.
A Business Continuity Management System (BCMS) allows a company to plan for these incidents. This leads to greater competitiveness and decreases the amount of operational downtime a business will have, should the unexpected occur.
- Emergency preparedness
ISO 22301 gives businesses and organisations the ability to respond appropriately in the event of disruptive incidents and avoid waste or unnecessary loss. Through proactively assessing the effect of the disruption, business continuity management recognises the products and services that are essential to the organisation’s survival. It seeks to determine what solutions and contingency planning would be required if an incident were to occur.
- Corporate governance
Compliance with ISO 22301 helps to meet the requirements of corporate governance. Essentially, the standard can provide evidence that the organisation has taken the necessary steps to comply with regulatory requirements that call for an effective business continuity management programme.
- Crisis management
Crisis Management (CM) refers to the overall coordination of an organisation’s response to a crisis, in an effective, timely manner. For those responsible for handling crisis management, the goal is to avoid or at least minimise damage to the organisation’s profitability, reputation, or ability to operate. Meeting the ISO 22301 standard confirms the appropriate measures are in place for this to happen.
- Disaster recovery
Disaster recovery activities concentrate on returning the organisation to ‘business as usual’ after a traumatic event and putting it on track towards complete recovery. It’s important to recognise that this is different from business continuity management, which is about ensuring that the enterprise can reduce the likelihood of disasters and continue to function during a crisis.
- Protection of reputation in a crisis
ISO 22301 certification shows stakeholders that your business continuity capability is appropriate for the scale and scope of your organisation. Like ISO 27001, it engenders more trust, especially when certified by an independent certification body. It aids your understanding of business needs by identifying potential failures and risks. Businesses can then demonstrate to stakeholders, consumers, vendors and regulators, that they have sound business continuity systems and processes in place.
ISO 22301 will also increase stakeholder trust in the organisation’s ability to respond to disruptive incidents and events, and to sustain critical business processes should a catastrophe occur.
- Preparation for technology failures
From telecommunications breakdown to loss of access to stored data, technology failures can be hugely damaging to an organisation’s profitability and reputation. ISO 22301 ensures all measures are in place to mitigate such disruption and that all departments are prepared for the worst-case scenario.
- Reduce business interruption insurance costs
With a BCMS in place that conforms with ISO 22301, an organisation has more meaningful insights into the impacts of a potential disaster. This enables the business to better evaluate the type and value of insurance cover it requires, potentially reducing costs in the long term.
- Plan for sudden loss of critical resources
It follows that if there is proactive identification of the impact of disruption, an organisation will be in a strong position to maintain business continuity. BCM helps to establish what responses will be needed if a disruption occurs, and ISO 22301 further provides the capability to react adequately in case of any such disruption.