ISO 22301: The Business Continuity Standard
Security and Resilience with Business Continuity Management Systems
What is ISO 22301?
ISO 22301:2019 is the recognised international standard for Business Continuity Management Systems (BCMS), published by the International Organization for Standardization (ISO). ISO 22301 is the first ISO standard to incorporate Annex L, which provides a common framework for all new management system specifications issued by ISO.
The standard describes the measures an organisation needs to take while becoming more resilient to disruption. These measures for business continuity management include:
- Developing and managing a business continuity strategy
- Helping reduce your risk of business interruption from a range of sources
- Protecting your property, whether that is physical, intellectual or other valuable assets
- Recovering quickly from accidents and disruptive incidents
The need for organisations to become more resilient through business continuity and disaster recovery planning has never been greater. Studies have shown that almost 1 in 5 organisations experience significant business disruptions every year. A robust and resilient organisation is therefore one that can change with the times, understands where its vulnerabilities are, and has plans in place both to mitigate risk and to respond when it needs to. Compliance or certification to ISO 22301 allows your organisation to achieve all of the above in a straightforward and structured manner.
ISO 22301:2012 was the first international standard in this set of BCMS specifications. On 31 October 2019, the highly anticipated update, ISO 22301:2019, arrived.
The Relationship With ISO 22301:2012
There is not a radical difference between ISO 22301:2012 and ISO 22301:2019. Both versions require senior management involvement, and the updated model reflects what is required to sustain a successful BCMS. Sustaining it becomes much easier with a technology-based BCMS such as ISMS.online.
ISO 22301:2012 Societal Security was published in May 2012 and amended in June of the same year. The management system requirements established in ISO 22301:2012 were intended to apply to all organisations. The degree to which the criteria are implemented depends on the operating environment and the scope of the organisation, in the same way that one would define the scope for other management system standards such as ISO 27001.
While several concepts and terms of business continuity management have been revised to expand context and reflect established practice, Clause 8 (Operation) is the main area where changes have occurred.
ISMS.online offers ISO 22301 business continuity management frameworks within its packaged services. That means organisations that wish to migrate their existing BCMS can do so, as can those embarking on ISO 22301 for the first time.
What Is Business Continuity Management and Why Do You Need It?
If your company was affected by a catastrophe or a crisis, would your business be able to continue? When incidents and disasters strike, there is little time to prepare a response structure, particularly when the key people, processes, networks, infrastructure and other essential services get disrupted.
A disaster has no bounds. It could affect your business continuity internally and externally, reaching your customers and your supply chain too. Whether you are a small or a large business, you can be affected. The primary purpose of business continuity management is to reduce the likelihood of threats materialising and to ensure that the company responds to significant disruptions that could endanger its future.
Business continuity management is about responsible and effective leadership. It should provide a foundation for developing resilience to incidents as well as the ability to respond successfully, safeguarding the interests of your key stakeholders, reputation, and value-creating operations of your company.
A business continuity strategy with a management system should ensure that workers are mindful of their roles and responsibilities. In the case of an unexpected occurrence, it is essential to be able to adapt to established processes and approved procedures.
Many of our customers develop simple yet effective business continuity plans within ISMS.online for meeting ISO 27001 and protecting their valuable information assets. Other customers take that even further with ISO 22301 and introduce more sophisticated resilience planning and prevention, as well as response mechanisms to incidents.
What is a Business Continuity Risk?
As stated, business continuity management using a well-documented management system helps you to better identify and reduce the likelihood of disruptive incidents, and to address business continuity risks. Business continuity management leads to a more stable environment, whereas companies without an effective business continuity system significantly increase their exposure to disruption. A well-developed, organised and rehearsed Business Continuity Plan (BCP) can help the business rebound from an incident as quickly as possible.
All of your procedures must be up-to-date, accurate and efficient. Methods include but are not limited to corporate risk assessments, information security risk reviews, and addressing your health and safety policies, as well as your continuity management plan.
Examples of business continuity risks include:
- Cyberattacks and data breaches
- Unplanned IT and telecom outages
- Interruption to utility supply
- Adverse weather and other environmental causes
- Pandemics and epidemics
- Acts of terrorism
- Security incidents
- Loss of key personnel
- Physical property destruction or material loss
What Are the Benefits of Business Continuity Management?
Business continuity management gives you a mechanism that ensures the critical functions of your business continue, even after a crisis. It also prevents large-scale damage and ensures that your organisation recovers lost business as quickly as possible. In addition, business continuity gives you a marketing advantage by demonstrating the ability to maintain delivery of your products and services, giving customers confidence in your organisation at all times.
Business continuity management will also minimise the organisation’s reliance on individuals by ensuring that staff know their roles and responsibilities. This matters most in the case of unforeseen incidents, when staff need to fall back on established processes and standard procedures.
Effective business continuity practice considers potential threats to a company and evaluates the effect they could have on day-to-day functions. Failure to have an appropriate business continuity strategy may result in:
- Loss of business, customers and staff
- Damage to brand reputation
- Loss or damage to property and premises
- Potential fines due to non-compliance with legal or regulatory requirements
Business continuity management details the steps you need to take in an emergency in the form of a Disaster Recovery Plan (DRP). A Disaster Recovery Plan is a documented, organised business continuity strategy that demonstrates how to respond to disruptive incidents.
The Disaster Recovery Plan begins its formation following a more detailed business impact analysis, which helps demonstrate where the most significant impact and consequences are from an event. ISMS.online gives you the tools you need to manage your business impact analysis, disaster recovery plans, and much more using information technology.
Your DRP should include a short-term arrangement to fix and rebuild critical business systems, and a plan to address underlying problems, such as root cause identification and a long-term prevention approach. There are many options available for giving an organisation a contingency setup that provides the best solution for its needs.
For example, an on-site recovery system would ensure that data can be retrieved more efficiently through data backups and other means. Your prevention measures should also protect against potential server failure and consider the risk posed by external contractors. You would then build contingency plans and alternative strategies for the absence of supplies that are vital to operations long before they become a disaster recovery issue.
ISMS.online enables the easy preparation of risk assessment and management as well as mitigation actions. The platform also holds the necessary disaster recovery plans while making its delivery very straightforward in times of crisis.
What Are the Benefits of ISO 22301?
There are many advantages of ISO 22301, including returning the organisation to ‘business as usual’ with minimal disruption from any crisis.
ISO 22301 Will Keep Critical Functions Up and Running During Times of Crises
Good Business Continuity Management can ensure the continuation of critical services, preserve the revenue stream and property, and reduce the likelihood of losses due to an incident or catastrophe. Since its revision, the standard better represents current thinking in the business continuity industry, specifically the analysis of business impact and the creation of recovery strategies.
ISO 22301 makes risk management from events such as cyber-attacks and natural disasters less stressful. It also means that organisations with effective business continuity management programmes recover from any incident much quicker.
ISO 22301 Demonstrates Resilience to Customers, Suppliers and for Tender Requests
ISO 22301 certification shows stakeholders that your business continuity capability is appropriate for the scale and scope of your organisation. Like ISO 27001, it engenders more trust, especially when certified by an independent certification body. It aids your understanding of business needs by identifying potential failures and risks. Businesses can then demonstrate to stakeholders, consumers, vendors and regulators, that they have sound business continuity systems and processes in place.
ISO 22301 will also increase stakeholder trust in the organisation’s ability to respond to disruptive incidents and events, and to sustain critical business processes should a catastrophe occur.
ISO 22301 Identifies and Manages Current and Future Threats to Your Business
By their very definition, continuity planning and management frameworks such as ISO 22301 ensure that issues can be detected before they arise. They build an understanding of effective business process management in an enterprise by offering a systematic approach to its operation and continual improvement. Systems built for business continuity allow organisations to identify the potential impact of operational disruption, deploy successful business continuity plans and reduce the overall effect on the business.
ISO 22301 Takes a Proactive Approach to Minimise the Impact of Disruptive Incidents
ISO 22301 gives you the ability to respond appropriately in the event of disruptive incidents and avoid waste or unnecessary loss. Through proactively assessing the effect of the disruption, business continuity management recognises the products and services that are essential to the organisation’s survival. It seeks to determine what solutions will be required if an incident was to occur.
Knowing the Difference Between Disaster Recovery and Business Continuity
An often misunderstood area is the difference between disaster recovery and business continuity. ISO 22301 addresses both. Disaster recovery activities concentrate on returning the company to ‘business as usual’ after a traumatic event and reaching complete recovery. Business continuity management is about ensuring that the enterprise reduces the likelihood of disasters and can continue to function during a crisis.
Who Can Implement ISO 22301?
As stated above, the ISO 22301 BCMS standard extends to organisations of all sizes, across all markets and all experience levels. Implementing ISO 22301 includes reviewing operational structures to identify potential shortfalls and allowing the organisation to concentrate on its goals and business continuity objectives.
The business needs of the implementation project are specific to the company implementing the standard, and ISMS.online makes that straightforward. There is no need to concentrate on ‘how’ you will implement and manage ISO 22301; you can simply focus on the activities within the standard and on ‘what’ you need to do for prevention and cure.
How to Implement ISO 22301
When you implement ISO 22301, the first simple step is to think about addressing the primary requirements of the standard. This starting point will encourage you to take a strategic approach (which is why leadership is so important) and to set the context and scope, as well as developing a business continuity policy and objectives for the BCMS.
Developing a business continuity policy will help identify your areas of risk and opportunity. From here, you can consider the impacts of those risks and what they might mean in terms of consequences, time to failure, recovery time and so on. Doing so will help you discover any holes or shortcomings in your current management system requirements, and identify practical ways of improving them. ISO describes this as business continuity strategies and solutions.
ISMS.online has partners that can help with your ISO 22301 implementation, from achieving a pragmatic and straightforward BCMS approach, through to a highly sophisticated BCMS.
Once you’ve completed your implementation, it is essential to undertake regular audits of the business continuity management system. Internal audits are mandatory for achieving independent certification of the BCMS too. Performance reviews also complement internal audits to make sure that your management systems are operating as expected at all times.
The ISO auditor would also expect to see a record of improvements your organisation has made over time. Having a method for addressing nonconformities, corrective actions and other enhancements is a crucial requirement.
How to Get Started With ISO 22301 and Business Continuity Management?
We encourage organisations to buy the ISO international standard and digest it to understand the management system requirements fully. We recommend starting at the beginning (Clause 4.1, Understanding the organisation and its context) and avoiding jumping into developing incident response plans until you have considered the scope, risks and impacts.
ISMS.online is also pre-configured with a range of tools that make the process easier to follow and let you retain a focus on the business. It also maps into the more comprehensive tools and feature set for ISO 27001, meaning you can achieve many of the ISO 22301 management system requirements at the same time. You will be able to manage tasks such as audits, performance reviews, management meetings and staff education all in one place.
You will reduce costs, simplify learning for staff and make the administration of the broader business management system that much easier too. External auditors also find this much more effective and take great confidence when they see consistent operating practices across the ISO standards.
What is a BCMS?
A business continuity management system, put very simply, is a recognised approach for ensuring an organisation can continue operations and respond effectively to disruptive incidents.
ISO 22301 provides a consistent and established method of analysis with a framework based on recognised good practice. Anyone implementing and achieving certification for an ISO 22301-based business continuity management system will find instant recognition and understanding from influential customers, including educated experts, auditors and other interested parties.
ISO itself emphasises the importance of a BCMS based on ISO 22301 for:
- Showing the organisation understands the needs and necessity for business continuity policy and objectives
- Implementation and execution of processes, incident response mechanisms and other interventions to ensure the organisation survives a disruption
- Monitoring and continuous improvement of the business continuity management system
Demonstrating Good Practice for Business Continuity Management
Following ISO 22301 as the basis for your BCMS will provide proof that the company has taken the necessary steps to meet regulatory requirements in addition to recognised good practice.
Best practice in business continuity incorporates the whole lifecycle of business continuity management, which makes it possible to maximise the efficiency and quality of your BCMS. ISO 22301 provides a framework of international best practice built on the well-understood Plan/Do/Check/Act concept. This concept applies to organisations that implement, maintain and improve their BCMS, which seeks to ensure compliance with the stated business continuity policy.
Business Continuity Policy and Disaster Recovery Planning Means You Run a Better Business
In developing business continuity plans, you will also be well-placed to implement practices that reduce the likelihood of incidents and damage to your organisation. Not only this, but business continuity plans help you better understand your organisation and run it more effectively too.
ISO guidance helps organisations identify and manage a series of procedures. This guidance helps them plan for and rebound from disruptions to their business activities. It is still better to avoid disruptions entirely, although that is not always possible or financially feasible.
It is also essential to clarify priorities if an incident occurs, for example: what is the recovery time objective? What is the maximum tolerable downtime? You can use the answers to these questions to prepare your disaster recovery plan. An ISO 22301-aligned business continuity management system will include disaster recovery and business continuity plans to help your company recover its critical operations as rapidly as possible.
How Does Business Continuity Fit Into Overall Management?
Despite business continuity management becoming more important, many organisations still do not grasp what business continuity management is, or how it can work with overall administration. Some just see it as a pragmatic solution to major incidents and disasters, usually involving substantial damage to assets. However, done well, ISO 22301 and business continuity management can be adopted alongside other management system standards such as ISO 27001. It will form the foundation of how businesses are measured in future.
Influential customers and other stakeholders want great products and a clear business strategy from their suppliers, but they also want them to be safe, secure, reliable and resilient. These two standards, whether alongside or even instead of much more established ISO standards like ISO 9001 for quality management, are likely to be mandated by many more organisations in future.
Emerging standards like ISO 27701 for privacy information management systems (PIMS) may also take off and pull ISO 27001 along with them, as the PIMS builds on ISO 27001 itself.
Combining an ISMS and BCMS
ISO 22301 provides a streamlined approach to business continuity that fits very well with the primary management system requirements of ISO 27001. Annex A.17.1 of ISO 27001 addresses the continuity of information security, and many other Annex A controls relate to it. It goes to the heart of effective continuity and the prevention of incidents and disasters before they happen, making it an integral part of the Information Security Management System (ISMS), particularly if you want to achieve ISO 27001 certification.
ISO 27001 is the only international standard that organisations can obtain through external audit certification to illustrate that their management system is compatible with internationally recognised good practice.
A BCMS compliant with ISO 22301 should ensure that your business continuity policies stay up to date and become ingrained in the organisation’s culture. It will help manage threats efficiently and reinforces a structured way to maintain business continuity. With ISMS.online you can effortlessly incorporate ISO 22301 and ISO 27001 and gain certification in our powerful all-in-one platform with ease.
“The platform gave us a massive head start compared with relying on cheaper libraries or – god forbid – creating all the documentation from scratch. We’ve found it incredibly easy to use and the support team has been phenomenal. I can’t recommend ISMS.online highly enough.”
Evan Harris – Co-founder, Peppy Health
ISO 22301:2012 was the first version of this standard and was revised to ISO 22301:2019 on 31 October 2019. ISO 22301:2019 is also the first ISO standard to implement Annex L, from ISO/IEC Directive 1, which offers a common foundation for all new ISO management system standards.
The benefits of ISO 22301 include:
- retaining essential functions in times of crisis
- demonstrating resilience to consumers, suppliers and tender requests
- detecting and handling current and potential risks to your business
- taking a proactive approach to mitigating the effect of disruptive incidents
If well done, it is possible to implement ISO 22301 and business continuity management while adopting other management system standards.
A BCMS based on ISO 22301 should:
- demonstrate the company recognises the importance and requirements of business continuity policies and objectives
- introduce and execute procedures for incident management strategies and other measures to ensure that the organisation effectively manages and recovers from a disruption
- track and continuously improve the business continuity system
Using a BCMS compliant with ISO 22301 communicates to stakeholders that your business continuity capability is appropriate for your organisation’s size and scope.
ISO 22301:2019 Requirements
ISO 22301:2019 implements the framework, core text and definitions of Annex L, formerly Annex SL. Annex L establishes a high-level structure for ISO management system standards, and was drawn up to give them a common core text, terminology and concepts.
Except for Clause 8, the Annex L requirements address many of the same areas as the core requirements of ISO 27001, covered in Clauses 4.1 through 10.2.