ISO 22301: The Business Continuity Standard

Security and Resilience with Business Continuity Management Systems

What is ISO 22301?

ISO 22301:2019 is the recognised international standard for Business Continuity Management Systems (BCMS), published by the International Organization for Standardization (ISO). ISO 22301 is the first ISO standard to incorporate Annex L, which provides a common framework for all new management system specifications issued by ISO.

In a world where cyberattacks, data breaches and natural disasters can interrupt business continuity and quickly damage reputation, organisations and businesses need to implement, maintain and keep refining their business continuity management system (BCMS). ISO 22301 certification of their continuity management ensures they are doing so.

Crucially, the ISO 22301 standard helps organisations identify and prioritise threats. It allows them to implement their business continuity management system effectively so they are ready to respond to and recover from incidents with the least disruption to business.

Studies have shown that almost 1 in 5 organisations experience significant business disruptions every year. A robust and resilient organisation is therefore one that can change with the times, understands where its vulnerabilities are, and has plans in place both to mitigate risk and to respond if it needs to do so. Compliance or certification to ISO 22301 allows your organisation to achieve all of the above in a straightforward and structured manner.

In 2012, a version of the standard was set out as ISO 22301:2012. This focused on ‘societal security’. It specified requirements to ‘plan, establish, implement, operate, monitor, review, maintain and continually improve a documented business continuity management system’. The aim of ISO 22301:2012 was to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents as and when they arise.

What is the latest version of ISO 22301?

On 31 October 2019 the latest version of the ISO 22301 standard was published – ISO 22301:2019. This is a revised version of ISO 22301:2012. It aims to make the standard “more streamlined and practical”, according to the ISO. According to the United Kingdom Accreditation Service (UKAS), companies will be able to transition from ISO 22301:2012 to ISO 22301:2019 up until 30 April 2023. The deadline was, as an exception, extended due to the Covid-19 situation. The 2019 version has been generally well received, and transition from the old to the new version of the standard is seen as a not overly onerous, value-adding exercise.

You can find the ISO 22301:2019 standard documentation on the official ISO website here: https://www.iso.org/standard/75106.html

ISO 22301:2019 provides businesses with the most up-to-date security and resilience certification, so they can be sure their business continuity management systems meet the international standard set out by the ISO.

The Relationship With ISO 22301:2012

There is no radical difference between ISO 22301:2012 and ISO 22301:2019. Both versions necessitate senior management involvement, and the updated model reflects what is required to sustain a successful BCMS. That sustainability becomes much easier with a technology-based BCMS such as ISMS.online.

ISO 22301:2012 Societal Security was published in May 2012 and amended in June of the same year. The management system requirements established in ISO 22301:2012 were meant to extend to all organisations. The degree to which the criteria are implemented depends on the operating environment and the scope of the organisation, similar to how one would define the scope for other management system standards like ISO 27001.

While several concepts and terms of business continuity management have been revised to expand context and reflect established procedures, Clause 8, Operation, is the main area where changes have occurred.

ISMS.online offers ISO 22301 business continuity management frameworks within its packaged services. That means organisations who wish to migrate their existing BCMS can, as well as those embarking on ISO 22301 for the first time.

What Is Business Continuity Management and Why Do You Need It?

If your company was affected by a catastrophe or a crisis, would your business be able to continue? When incidents and disasters strike, there is little time to prepare a response structure, particularly when the key people, processes, networks, infrastructure and other essential services get disrupted.

A disaster has no bounds. It could impact your business continuity internally and externally, affecting your customers and the supply chain too. Whether you are a small or a large business, you can be affected. The primary purpose of business continuity management is to reduce the likelihood of threats and to ensure that the company reacts to significant disturbances that could endanger its future.

Business continuity management is about responsible and effective leadership. It should provide a foundation for developing resilience to incidents as well as the ability to respond successfully, safeguarding the interests of your key stakeholders, reputation, and value-creating operations of your company.

A business continuity strategy with a management system should ensure that workers are mindful of their roles and responsibilities. In the case of an unexpected occurrence, it is essential to be able to adapt to established processes and approved procedures.

Many of our customers develop simple yet effective business continuity plans within ISMS.online for meeting ISO 27001 and protecting their valuable information assets. Other customers take that even further with ISO 22301 and introduce more sophisticated resilience planning and prevention, as well as response mechanisms to incidents.

What are the benefits of business continuity management?

Business continuity management helps organisations reduce the likelihood and impact of disruption and downtime, protect assets if something does go wrong, continue operating through the disruption, and recover as quickly as possible from any incidents that do occur. Having business continuity plans in place will help your organisation in the following ways:

Comply with legal requirements

ISO 22301 is used for legal and regulatory certification of continuity management, ensuring all the required elements of a business continuity management system are being met.

Achieve marketing advantage

Brand reputation is precious for any organisation and should be protected at all costs. With a continuity management system it’s possible to build customer confidence and trust, reducing the likelihood of a PR disaster that could damage relationships with stakeholders including customers, clients and suppliers.

Reduce dependence on individuals

Through planning, training, awareness programmes and testing, everyone in an organisation should understand what is expected of them. This breeds confidence that the business continuity plans will deliver in the event of a disruption.

Prevent large-scale damage

It’s vital to keep your business trading during and after an incident. By recovering operations quickly after interruptions it’s possible to reduce the cost of damaging incidents, protect the organisation’s reputation and even save lives, if dangerous events, such as fire or flooding, occur.

Operational Resilience

Mishaps and unplanned events vary in scale, speed and impact, possibly only hitting a single department or location. Identifying and planning for possible smaller-scale issues that could escalate into major operational difficulties for the entire organisation will keep the wheels turning.

What is a Business Continuity Risk?

As stated, business continuity management using a well-documented management system helps you to better identify and reduce the likelihood of disruptive incidents and to address business continuity risks. Business continuity management leads to a more stable environment, whereas companies without effective business continuity systems significantly increase their chances of disruption. A well-developed, organised and rehearsed Business Continuity Plan (BCP) can help the business rebound from an incident as quickly as possible.

All of your procedures must be up-to-date, accurate and efficient. Methods include but are not limited to corporate risk assessments, information security risk reviews, and addressing your health and safety policies, as well as your continuity management plan.

Examples of business continuity risks include:

  • Cyberattacks and data breaches
  • Unplanned IT and telecom outages
  • Interruption to utility supply
  • Adverse weather and other environmental causes
  • Pandemics and epidemics
  • Acts of terrorism
  • Security incidents
  • Fire
  • Flood
  • Loss of key personnel
  • Physical property destruction or material loss

Emergency Preparedness

Business continuity management details the steps you need to take in an emergency in the form of a Disaster Recovery Plan (DRP). A Disaster Recovery Plan is a documented, organised business continuity strategy that demonstrates how to respond to disruptive incidents.

The Disaster Recovery Plan begins its formation following a more detailed business impact analysis, which helps demonstrate where the most significant impact and consequences are from an event. ISMS.online gives you the tools you need to manage your business impact analysis, disaster recovery plans, and much more using information technology.

Your DRP should include a short-term arrangement to fix and rebuild critical business systems, and a plan to address problems such as root cause identification and a long-term prevention approach. There are many options available to ensure that an organisation has a setup with a contingency system that provides the best solution.

For example, the on-site recovery system would ensure that data can be retrieved more efficiently with data backups and other means. Your prevention measures should also protect from potential server failure and consider the risk of external contractors. You would then build contingency plans and alternative strategies for the absence of supplies that are vital to operations long before they even become a disaster recovery issue.

ISMS.online enables the easy preparation of risk assessment and management as well as mitigation actions. The platform also holds the necessary disaster recovery plans while making their delivery very straightforward in times of crisis.

What Are the Benefits of ISO 22301?

There are many advantages of ISO 22301, including returning the organisation to ‘business as usual’ with minimal disruption from any crisis.

ISO 22301 Will Keep Critical Functions Up and Running During Times of Crises

Good Business Continuity Management can ensure the continuation of critical services, preserve revenue streams and property, and reduce the likelihood of potential losses due to an incident or catastrophe. Since its revision, the standard now better represents current thinking in the business continuity industry, specifically the study of business impact and the creation of recovery strategies.

ISO 22301 makes risk management from events such as cyber-attacks and natural disasters less stressful. It also means that organisations with effective business continuity management programmes recover from any incident much quicker.

ISO 22301 Demonstrates Resilience to Customers, Suppliers and for Tender Requests

ISO 22301 certification shows stakeholders that your business continuity capability is appropriate for the scale and scope of your organisation. Like ISO 27001, it engenders more trust, especially when certified by an independent certification body. It aids your understanding of business needs by identifying potential failures and risks. Businesses can then demonstrate to stakeholders, consumers, vendors and regulators, that they have sound business continuity systems and processes in place.

ISO 22301 will also increase stakeholder trust in the organisation’s ability to respond to disruptive incidents and events, and to sustain critical business processes should a catastrophe occur.

ISO 22301 Identifies and Manages Current and Future Threats to Your Business

By its very definition, continuity planning and management frameworks such as ISO 22301 ensure that issues can be detected before they arise. They build an understanding of effective business process management in an enterprise by offering a systematic approach to its operation and continuous improvement. Systems built for business continuity allow organisations to identify the potential impact of functional disturbance, deploy successful business continuity plans and reduce the overall effect on the business.

ISO 22301 Takes a Proactive Approach to Minimise the Impact of Disruptive Incidents

ISO 22301 gives you the ability to respond appropriately in the event of disruptive incidents and avoid waste or unnecessary loss. Through proactively assessing the effect of the disruption, business continuity management recognises the products and services that are essential to the organisation’s survival. It seeks to determine what solutions will be required if an incident was to occur.

Knowing the Difference Between Disaster Recovery and Business Continuity

An often misunderstood area is the difference between disaster recovery and business continuity. ISO 22301 addresses both of these areas. Disaster recovery activities concentrate on returning the company to ‘business as usual’ after a traumatic event and reaching complete recovery. Business continuity management is about ensuring that the enterprise can continue to reduce the likelihood of disasters and function during a crisis.

How does ISO 22301 work?

ISO 22301 works by setting out how to build a management system that helps an organisation to plan for any type of incident that might affect its ability to operate effectively.

This standard provides a framework for an organisation to define responsibilities, and makes it possible to assess and review business continuity performance over time. With ISO 22301 you can create the documents necessary to provide auditable evidence of contingency capabilities, as part of ongoing compliance requirements.

Performance assessment, audits and improvement are central to the management system standard set out by ISO 22301:2012 and ISO 22301:2019.

Who Can Implement ISO 22301?

As stated above, the ISO 22301 BCMS standard extends to organisations of all sizes, across all markets and all experience levels. Implementing ISO 22301 includes reviewing operational structures to identify potential shortfalls and allowing the organisation to concentrate on its goals and business continuity objectives.

The business needs of the implementation project are specific to the company implementing the standard, and ISMS.online makes that straightforward. There is no need to concentrate on ‘how’ you will implement and manage ISO 22301; you can simply focus on the activities within the standard and on ‘what’ you need to do for prevention and cure.

How to Implement ISO 22301

When you implement ISO 22301, the first simple step is to think about addressing the primary requirements of the standard. This starting point will encourage you to take a strategic approach (which is why leadership is so important), set the context and the scope, and develop a business continuity policy and objectives for the BCMS.

Developing a business continuity policy will help identify your areas of risk and opportunity. From here, you can consider the impacts from those risks and what it might mean for consequences and the time to failure, recovery etc. Doing so will help you discover any holes or shortcomings in your current management systems requirements. You will also identify and provide practical suggestions for improving them. ISO describes this as business continuity strategies and solutions.

ISMS.online has partners that can help with your ISO 22301 implementation, from achieving a pragmatic and straightforward BCMS approach, through to a highly sophisticated BCMS.

Once you’ve completed your implementation, it is essential to undertake regular audits of the business continuity management system. Internal audits are mandatory for achieving independent certification of the BCMS too. Performance reviews also complement internal audits to make sure that your management systems are operating as expected at all times.

The ISO auditor would also expect to see a record of improvements your organisation has made over time. Having a method for addressing nonconformities, corrective actions and other enhancements is a crucial requirement.

How to Get Started With ISO 22301 and Business Continuity Management?

We encourage organisations to buy the ISO international standard and digest it to understand the management system requirements fully. We recommend starting at the beginning (4.1 understanding the organisation and its context) and avoiding jumping into developing incident response plans until you have considered the scope, risks and impacts.

ISMS.online is also pre-configured with a range of tools that make the process easier to follow and let you retain a focus on the business. It also maps into the more comprehensive tools and feature set for ISO 27001, meaning you can also achieve many of the ISO 22301 management system requirements. You will be able to manage tasks like audits, performance reviews, management meetings, staff education etc. all at the same time.

You will reduce costs, simplify learning for staff and make the administration of the broader business management system that much easier too. External auditors also find that much more effective and take great confidence when they see consistent operating practices across the ISO standards.

What is a BCMS?

A business continuity management system, put very simply, is a recognised approach for ensuring an organisation can continue operations and respond effectively to disruptive incidents.

ISO 22301 provides a consistent and established method of analysis with a framework based on recognised good practice. Anyone implementing and achieving certification for an ISO 22301 based business continuity management system will find instant recognition and understanding from influential customers, including educated experts, auditors and other interested parties.

ISO itself emphasises the importance of a BCMS based on ISO 22301 for:

  • Showing the organisation understands the needs and necessity for business continuity policy and objectives
  • Implementation and execution of processes, incident response mechanisms and other interventions to ensure the organisation survives a disruption
  • Monitoring and continuous improvement of the business continuity management system

Demonstrating Good Practice for Business Continuity Management

Following ISO 22301 as a basis for your BCMS will provide proof that the company has taken the necessary steps to meet with regulatory requirements in addition to the recognised good practices.

Best practice in business continuity incorporates the whole lifecycle of business continuity management, which makes it possible to maximise the efficiency and quality of your BCMS. ISO 22301 provides a framework of international best practice built on the well-understood Plan/Do/Check/Act cycle. This concept applies to organisations that implement, maintain and improve their BCMS, which seeks to ensure compliance with the stated policy on business continuity.

With a business continuity management system based on the requirements of ISO 22301, both internal and external interested parties can be made aware that the organisation operates with good practices in business continuity management.

The ISO 22301 framework

Here we summarise the framework that is set out in ISO 22301:

Context

The ISO 22301 framework is for all types and sizes of organisations that implement, maintain and improve a BCMS. It should be adopted as a strategic intent by any business that wants to conform with its stated business continuity policy and is committed to enhancing resilience through the effective application of the BCMS.

Leadership

In every industry it is vital that the management team can demonstrate leadership and commitment to the BCMS. This can be achieved by ‘ensuring the business continuity policy and business continuity objectives are established and are compatible with the strategic direction of the organisation’, says ISO. Leadership should use communication channels to show its people and partners the importance of effective business continuity and of conforming to the BCMS requirements. The leadership strategy must also promote continual improvement and the development of a culture of business continuity.

Planning

Fundamentally, BCMS planning begins with assessing and determining the risks and opportunities regarding business continuity management. The organisation must also establish business continuity objectives for the relevant functions and levels. These objectives must be monitored, clearly communicated, and updated as appropriate.

Operation

Business continuity strategy relies on operational processes being in place for incident preparedness and incident response across all functions of the business. That means establishing criteria for the processes, and implementing control of the processes in line with agreed criteria. From having in place a media and communication strategy to tightly managing site risk in the aftermath of disruptive incidents, disaster recovery is reliant on continuity plans. A crucial step is keeping documented information for the purpose of proving that processes and BC testing have been carried out as planned and improved where needed.

Performance evaluation

Performance assessment means a great deal can be learnt from incidents taking place. By monitoring successes and limitations, knowledge builds up. Interested parties have a responsibility to keep records, and to use the results of audits to help them make the right decisions about how to manage business disruptions going forward. By establishing an audit programme the organisation can ensure that any necessary corrective actions are taken. The aim is to eliminate detected nonconformities and their causes.

Improvement

Ongoing improvement is central to the management system standard set out by ISO 22301. Any revisions and improvements to the way the BCMS is managed will enhance the business continuity management plan over time.

ISO 22301 policies and procedures

Policies and procedures for an ISO 22301 business continuity management compliance project must be carefully managed.

An organisation must demonstrate compliance with the ISO business continuity standard by providing appropriate documentation. This includes a scope, a detailed business continuity policy, a formal risk assessment procedure and business continuity plans that show how the organisation will respond to and recover from disruption.

Terms and definitions

The standard talks in detail about security and resilience. It uses a wide range of either specialist technical terms, or common terms that have a specific meaning in a security and resilience context.

To help you understand them, it includes definitions of the 31 most important ones. It also points you towards “ISO 22301 Security and Resilience – Vocabulary”, which lists and defines almost 300 security and resilience terms.

There are some associated guideline documents that add more detail to the requirements in ISO 22301. Some of these are listed inside ISO 27001; standout guides are:

  • ISO 22313 – Guidance on the use of ISO 22301
  • ISO 22317 – Guidelines for Business Impact Analysis (BIA)

If you need to understand a term that isn’t listed here, you should check in ISO 22301 to see what it means.

You can also find terms and definitions online.

ISO and IEC maintain terminological databases for use in standardisation at the following addresses:

  • ISO Online browsing platform: available at https://www.iso.org/obp
  • IEC Electropedia: available at http://www.electropedia.org/

Understanding these terms is very important. For those who are not already expert in this field, they can be a little difficult to get to grips with.

If you choose to work with us we’ll make sure you understand them. We explain them in our own support materials, and if you need more targeted help we can either answer your questions ourselves or find the right independent partner to work with you.

What is an ISO 22301 certificate?

The certificate is the evidence that a BCMS has been audited against and complies with the requirements of ISO 22301. Many companies have achieved an ISO 22301:2012 certificate and this can now be updated to the ISO 22301:2019 version.

Achieving the ISO business continuity standard proves that an organisation has implemented a BCMS that is compliant to the requirements of the standard. By achieving the certification, it provides reassurance that the organisation will cope when there is disruption.

What are the benefits of ISO 22301 Certification?

Here are some of the benefits that organisations may see having achieved the ISO 22301 standard.

  • Customer satisfaction
  • Business resilience
  • Legal compliance
  • Improved risk management
  • Proven business credentials
  • Ability to win more business
  • Global recognition as a reputable supplier

How does ISO 22301 help your business?

There are many advantages of ISO 22301, including returning the organisation to ‘business as usual’ with minimal disruption from any crisis.

Operational resilience

Having the ability to continue operations regardless of any minor or major incident taking place is becoming increasingly important to businesses in all sectors. A Business Continuity Management System (BCMS) allows a company to plan for these incidents. This leads to greater competitiveness and decreases the amount of operational down time a business will have, should the unexpected occur.

Emergency preparedness

ISO 22301 gives businesses and organisations the ability to respond appropriately in the event of disruptive incidents and avoid waste or unnecessary loss. Through proactively assessing the effect of the disruption, business continuity management recognises the products and services that are essential to the organisation’s survival. It seeks to determine what solutions and contingency planning will be required if an incident was to occur.

Corporate governance

Compliance with ISO 22301 helps meet the requirements of corporate governance. Essentially, the standard can provide evidence that the organisation has taken the necessary steps to comply with regulatory requirements that call for an effective business continuity management programme.

Crisis management

Crisis Management (CM) refers to the overall coordination of an organisation’s response to a crisis, in an effective, timely manner. For those responsible for handling crisis management, the goal is to avoid or at least minimise damage to the organisation’s profitability, reputation, or ability to operate. Meeting the ISO 22301 standard confirms the appropriate measures are in place for this to happen.

Disaster recovery

Disaster recovery activities concentrate on returning the organisation to ‘business as usual’ after a traumatic event and putting it on track towards complete recovery. It’s important to recognise that this is different from business continuity management, which is about ensuring that the enterprise can continue to reduce the likelihood of disasters and function during a crisis.

Protection of reputation in a crisis

ISO 22301 certification shows stakeholders that your business continuity capability is appropriate for the scale and scope of your organisation. Like ISO 27001, it engenders more trust, especially when certified by an independent certification body. It aids your understanding of business needs by identifying potential failures and risks. Businesses can then demonstrate to stakeholders, consumers, vendors and regulators that they have sound business continuity systems and processes in place. ISO 22301 will also increase stakeholder trust in the organisation’s ability to respond to disruptive incidents and events, and to sustain critical business processes should a catastrophe occur.

Preparation for technology failures

From telecommunications breakdown to loss of access to stored data, technology failures can be hugely damaging to an organisation’s profitability and reputation. ISO 22301 ensures all measures are in place to mitigate such disruption and that all departments are prepared for the worst-case scenario.

Reduce business interruption insurance costs

With a BCMS in place that conforms with ISO 22301, an organisation has more meaningful insights into the impacts of a potential disaster. This enables the business to better evaluate the type and value of insurance cover it requires, potentially reducing costs in the long term.

Plan for sudden loss of critical resources

It follows that if there is proactive identification of the impact of disruption, an organisation will be in a strong position to maintain business continuity. BCM helps to establish what responses will be needed if a disruption occurs, and ISO 22301 further provides the capability to react adequately in case of any such disruption.

What is a BCMS?

A BCMS (business continuity management system) helps organisations cope with incidents affecting their business-critical processes and activities. ISO 22301, the international standard that defines best practice for business continuity, states that there are four major components to a successful BCMS. These are management support, business impact analysis, risk assessment and having in place a Business Continuity Plan (BCP).

Disaster recovery and BCMS

In developing business continuity plans, an organisation will be well-placed to implement practices that reduce the likelihood of incidents and damage to the organisation. Not only this, but business continuity plans help you better understand your organisation and run it more effectively.

ISO guidance helps organisations identify and manage compliance, typically using a series of procedures, policies, process diagrams or similar. This guidance helps them plan for and rebound from disruptions in their business activities. However, it’s still better to avoid them entirely, although that is not always possible or feasible financially or technically. It is also essential to clarify priorities if an incident occurs, for example: what is the goal of recovery time? What is the highest endurable downtime? You can use the answer to these questions to prepare your disaster recovery plan. Speed of recovery must be a consideration. An ISO 22301-aligned business continuity management system will include disaster recovery and business continuity plans to help your company recover your critical operations as rapidly as possible.
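The two prioritisation questions above (the recovery-time goal and the highest endurable downtime) are what a business impact analysis records for each critical activity, and the useful check is whether the recovery plan can actually meet the tolerance once dependencies between activities are taken into account. The code below is an added example and is not code from ISMS.online nor text from ISO 22301. It assumes the common BIA labels RTO (recovery time objective, the recovery-time goal) and MTPD (maximum tolerable period of disruption, the highest endurable downtime), assumes that activities are recovered in parallel once their dependencies are back, and uses a constructed set of sample activities.

```python
"""Constructed business impact analysis (BIA) consistency check (added example).

Assumptions (not from the page): each activity has an RTO and an MTPD in hours,
may depend on other activities, and is recovered in parallel with its siblings
as soon as everything it depends on is back.
"""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    name: str
    rto_hours: float        # recovery time objective: the recovery-time goal
    mtpd_hours: float       # maximum tolerable period of disruption
    depends_on: tuple = ()  # names of activities that must be recovered first


# Constructed sample BIA; the numbers are illustrative only.
SAMPLE_BIA = [
    Activity("Core network", rto_hours=4, mtpd_hours=8),
    Activity("Customer portal", rto_hours=6, mtpd_hours=12, depends_on=("Core network",)),
    Activity("Payroll", rto_hours=24, mtpd_hours=72),
    Activity("Order processing", rto_hours=8, mtpd_hours=6, depends_on=("Core network",)),
    Activity("Payments", rto_hours=2, mtpd_hours=4, depends_on=("Order processing",)),
]


def find_rto_gaps(activities):
    """Activities whose own recovery goal already exceeds what the business can endure."""
    return [a.name for a in activities if a.rto_hours > a.mtpd_hours]


def effective_rto(activities):
    """Recovery time per activity once dependencies are included.

    With parallel recovery an activity is back at max(own RTO, slowest dependency).
    Raises ValueError on an unknown dependency or a dependency cycle.
    """
    by_name = {a.name: a for a in activities}
    memo = {}

    def walk(name, stack):
        if name in memo:
            return memo[name]
        if name in stack:
            raise ValueError(f"dependency cycle through {name!r}")
        if name not in by_name:
            raise ValueError(f"unknown dependency {name!r}")
        act = by_name[name]
        slowest_dep = max((walk(d, stack | {name}) for d in act.depends_on), default=0.0)
        memo[name] = max(act.rto_hours, slowest_dep)
        return memo[name]

    return {a.name: walk(a.name, frozenset()) for a in activities}


def recovery_gaps(activities):
    """Activities that miss their MTPD once dependencies are counted.

    Catches the hidden case where an activity's own RTO looks fine but a slow
    dependency pushes its real recovery time past the tolerable downtime.
    """
    eff = effective_rto(activities)
    return {a.name: eff[a.name] for a in activities if eff[a.name] > a.mtpd_hours}


def recovery_order(activities):
    """Dependency-respecting recovery sequence, most time-critical (lowest MTPD) first.

    Kahn's topological sort with a heap so that, among activities whose
    dependencies are already recovered, the one with the least tolerance goes first.
    """
    by_name = {a.name: a for a in activities}
    remaining = {a.name: set(a.depends_on) for a in activities}
    dependants = {name: [] for name in by_name}
    for act in activities:
        for dep in act.depends_on:
            if dep not in by_name:
                raise ValueError(f"unknown dependency {dep!r}")
            dependants[dep].append(act.name)
    ready = [(by_name[n].mtpd_hours, n) for n, deps in remaining.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependants[name]:
            remaining[child].discard(name)
            if not remaining[child]:
                heapq.heappush(ready, (by_name[child].mtpd_hours, child))
    if len(order) != len(by_name):
        raise ValueError("dependency cycle: not every activity can be scheduled")
    return order


if __name__ == "__main__":
    print("Own RTO exceeds MTPD:", find_rto_gaps(SAMPLE_BIA))
    print("Gaps including dependencies:", recovery_gaps(SAMPLE_BIA))
    print("Recovery order:", recovery_order(SAMPLE_BIA))
```

In the constructed data only "Order processing" fails on its own numbers, but "Payments" also fails once its dependency on "Order processing" is counted, which is exactly the kind of finding a BIA review should surface before it becomes a nonconformity during an exercise or a real incident.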

BCMS and Cyber-Resilience

Implementing a business continuity management system (BCMS) is essential to developing cyber resilience in today’s cyber security environment. Part of the ISO 27001 Information Security Standard contains a clause about business continuity – ISO 22301 more than satisfies this ISO 27001 requirement.

Cyberattacks have routinely hit the headlines in the last decade. For instance, the infamous global WannaCry ransomware attack in May 2017 left a trail of devastation as organisations were denied access to their own data and forced to halt business operations until large ransoms were paid.

Such incidents demonstrate the importance of ensuring your business can respond to and recover from disruptions, by implementing an effective business continuity management system (BCMS).

Assess your BCMS arrangements against ISO 22301

ISO 22301 is used for certification of continuity management, ensuring all the central elements of a business continuity management system are being met.

The Importance of Auditing the BCMS

An audit is an evidence gathering process with the purpose of evaluating how well key criteria are being met. Audits must be objective, impartial, and independent, and the audit process must be both systematic and documented.

Internal audits are a mandatory part of a certified BCMS. In addition, the chosen certification body will undertake periodic ‘external’ audits, first to certify the BCMS and then to ensure it remains compliant with the standard. It’s also possible to carry out combined audits, in which two or more management systems of different disciplines are audited together at the same time.

An ISO auditor will expect to see a record of the improvements your organisation has made over time. Having a method for addressing nonconformities, corrective actions and other enhancements is a crucial requirement.

The Importance of Testing the BC Arrangements

There are various ways to test the documented arrangements and plans contained in the BCMS. Examples include tabletop exercises, full or part-scale exercises, and harnessing the lessons of real events. ISO 22301 mandates that these processes happen regularly, as appropriate to your organisation’s activities and risk profile.

Compliance

Having achieved certification, you need to put in place a maintenance plan to ensure continued compliance to the ISO 22301 standard. At ISMS.online we have particular expertise in this.

We also understand that continuous improvement is an important part of maintaining an ISO 22301 certification. Clause 10 focuses on this, covering all actions taken within an organisation to:

  • Deliver business continuity goals more effectively
  • Increase the reliability of security procedures and controls
  • Create increased security benefits for the organisation and its stakeholders

How Does Business Continuity Fit Into Overall Management?

Despite business continuity management becoming more important, many organisations still do not grasp what business continuity management is, or how it can work with their overall management. Some just see it as a pragmatic solution to major incidents and disasters, usually involving substantial damage to assets. However, done well, ISO 22301 and business continuity management can be adopted while following other management system standards such as ISO 27001. It will form the foundation of how businesses are measured in future.

Influential customers and other stakeholders want great products and a clear business strategy from their suppliers, but they also want them to be safe, secure, reliable and resilient. These two standards, whether alongside or even instead of much more established ISO standards like ISO 9001 for quality management, are likely to be mandated by many more organisations in future.

Emerging standards like ISO 27701 for privacy information management systems (PIMS) may also take off and pull ISO 27001 through with them, since the PIMS itself originates from ISO 27001.

Combining an ISMS and BCMS

ISO 22301 provides a streamlined approach to business continuity that fits very well with the primary management system requirements of ISO 27001. Annex A.17.1 of ISO 27001 addresses the continuity of information security, and many other Annex A controls bear on it as well. This goes to the heart of effective continuity and the prevention of incidents and disasters before they happen, making it an integral part of the Information Security Management System (ISMS), particularly if you want to achieve ISO 27001 certification.

ISO 27001 is the only international standard for which organisations can obtain certification through external audit to demonstrate that their management system is compatible with internationally recognised good practice.

A BCMS compliant with ISO 22301 should ensure that your business continuity policies stay up to date and become ingrained in the organisation’s culture. It will help manage threats efficiently and reinforce a structured way to maintain business continuity. With ISMS.online you can effortlessly incorporate ISO 22301 and ISO 27001 and gain certification in our powerful all-in-one platform.

What is ISO 22301?
ISO 22301:2019 is the recognised international standard, issued by the International Organisation for Standardization (ISO), for Business Continuity Management Systems (BCMS).

ISO 22301:2012 was the first version of this standard and was revised to ISO 22301:2019 on 31 October 2019. ISO 22301:2019 is also the first ISO standard to implement Annex L, from ISO/IEC Directive 1, which offers a common foundation for all new ISO management system standards.

Why is ISO 22301 Important?
ISO 22301 is relevant for every business because it shows stakeholders that the organisation is capable of reacting to disruptive incidents and can support vital business processes in the case of a disaster. Some of the advantages of ISO 22301 include:

  • retaining essential functions in times of crisis
  • demonstrating resilience to consumers, suppliers and tender requests
  • detecting and handling current and potential risks to your business
  • taking a proactive approach to mitigating the effect of disruptive incidents

If well done, it is possible to implement ISO 22301 and business continuity management while adopting other management system standards.

What is a Business Continuity Management System (BCMS)?
Simply put, a Business Continuity Management System (BCMS) is a proven solution to ensuring that an organisation can maintain operations and efficiently respond to disruptive incidents. For the BCMS to operate appropriately, it needs to:

  • demonstrate the company recognises the importance and requirements of business continuity policies and objectives
  • introduce and execute procedures for incident management strategies and other measures to ensure that the organisation effectively manages and recovers from a disruption
  • track and continuously improve the business continuity system

Using a BCMS compliant with ISO 22301 communicates to stakeholders that your business continuity capability is acceptable for your organisation’s size and scope.

What are business continuity risks?
Business continuity risks are any risks that could lead to a disruption to the effective operation of the organisation.

Examples of business continuity risks include:

  • Cyberattacks and data breaches
  • Unplanned IT and telecom outages
  • Interruption to utility supply
  • Adverse weather and other environmental causes
  • Pandemics and epidemics
  • Acts of terrorism
  • Security incidents
  • Fire
  • Flood
  • Loss of key personnel
  • Physical property destruction or material loss

Business continuity management using a well-documented management system helps you to better identify business continuity risks and reduce the likelihood of disruptive incidents. Business continuity management leads to a more stable environment, whereas companies without an effective business continuity system significantly increase their chances of disruption.

A well-developed, organised and regularly-reviewed Business Continuity Plan (BCP) can help the business or organisation rebound from an incident as quickly as possible.

It’s essential for procedures to be up-to-date, accurate and efficient. Methods include but are not limited to corporate risk assessments, information security risk reviews, and addressing your health and safety policies, as well as your continuity management plan.

Are you prepared to respond to and recover from a disruptive incident?
Business continuity risks include cyberattacks, data breaches that weaken information security, and unplanned IT and telecom outages. Business continuity risk might also take the form of adverse weather, acts of terrorism and fire.

To manage such risks, organisations need effective business continuity management plans to help them quickly recover from any event.

Organisations that invest in business continuity management systems reduce the likelihood of damage to revenues and reputations when emergencies arise.

What is an ISO 22301 certificate?
ISO 22301:2019 provides businesses with the most up-to-date certification for a business continuity management system.

The ISO 22301 standard has a ‘high-level structure’, shared with other ISO management systems standards. This creates a consistency which can help organisations integrate several management systems to meet their business continuity needs.

What is business continuity management ISO 22301?
An ISO 22301-aligned business continuity management system provides a policy and operational framework for disaster recovery and business continuity plans. Having one will help your organisation recover critical operations as quickly as possible so that you can reduce the likelihood of damage to the business.

How many key clauses are there in ISO 22301?
There are 10 key clauses in ISO 22301. These are:

  • Scope
  • Normative references
  • Terms and definitions
  • Context
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement

What is the latest version of ISO 22301?
The latest version of the ISO 22301 standard is ISO 22301:2019. This is a revised version of ISO 22301:2012.

You can find the ISO 22301:2019 standard documentation on the official ISO website here: https://www.iso.org/standard/75106.html

Why Choose ISMS.online?
ISMS.online provides a comprehensive and intuitive range of Business Continuity Management tools to help you plan for the unexpected, and then respond accordingly. Our BCM tools allow you to put all of your work relevant to ISO 22301 and Business Continuity Management System (BCMS) together. Additionally, you can easily combine ISO 22301 and ISO 27001 with ISMS.online, and obtain certification for both in our powerful all-in-one platform.


ISO 22301:2019 Requirements

ISO 22301:2019 implements the framework, fundamental text and definitions of Annex L, formerly Annex SL. Annex L establishes a high-level framework for ISO management system standards. The Annex was drawn up to incorporate a similar core text and common terminology and concepts.

Except for Clause 8, the Annex L requirements address many of the same areas as the core requirements of ISO 27001, covered in Clauses 4.1 through 10.2.

GET IN TOUCH

Phone:   +44 (0)1273 041140
Email:    enquiries@isms.online