ISO 22301:2019

Security and Resilience — Business Continuity Management Systems

What Is ISO 22301?


ISO 22301:2019 is the internationally recognised standard for Business Continuity Management Systems (BCMS), published by the International Organization for Standardization (ISO). ISO 22301 was the first ISO standard to incorporate Annex L, which provides a common framework for all new management system specifications issued by ISO.

The standard describes the measures an organisation needs to take to become more resilient to disruption. These measures for business continuity management include:

  • Developing and managing a business continuity strategy
  • Helping reduce your risk of business interruption from a range of sources
  • Protecting your property, whether that is physical, intellectual or other valuable assets
  • Recovering quickly from accidents and incidents

The need for organisations to become more resilient and plan for disasters has never been greater. Studies have shown that almost 1 in 5 organisations experience significant disruptions every year. A robust and resilient organisation is therefore one that can change with the times, understands where its vulnerabilities are, and has plans in place both to mitigate risk and to respond when it needs to. Compliance with, or certification to, ISO 22301 allows your organisation to achieve all of the above in a straightforward and structured manner.

ISO 22301:2012 was the first standard in this set of business continuity management system specifications. On 31st October 2019 the highly anticipated update, ISO 22301:2019, was released.


Relationship With ISO 22301:2012

There is not a radical difference between the 2012 and 2019 versions of ISO 22301. Both versions require senior management involvement, and the updated model reflects what is required to sustain a successful business continuity management system. That sustainability is made much easier with a technology-based BCMS such as ISMS.online.

ISO 22301:2012 Societal Security was published in May 2012 and amended in June of the same year. The requirements established in ISO 22301:2012 were meant to apply to all organisations. The degree to which the criteria are implemented depends on the operating environment and the scope of the organisation, in the same way that one would develop a scope for other ISO standards such as ISO 27001.

While several concepts and terminology of business continuity have been revised to expand context and reflect established procedures, Clause 8, Operation, is the main area where changes have been made.

ISMS.online offers ISO 22301 frameworks within its packaged services. That means organisations wishing to migrate an existing certified business continuity management system can do so, as can those embarking on ISO 22301 for the first time.

What Is Business Continuity and Why Do You Need It?

If your company was affected by a catastrophe or a crisis, would your business be able to continue? When a disaster strikes, there is little time to prepare a response, particularly when the key people, processes, networks, infrastructure and other essential services are disrupted.

A disaster has no bounds: it could impact your business internally and externally, affecting your customers and the supply chain too. Whether you are a small or a large business, you can be impacted. The main purpose of business continuity is to ensure that the company can react to significant disturbances that could endanger its future.

Business continuity is about responsible and effective management. It should provide a foundation for developing resilience as well as the ability to respond successfully, safeguarding the interests of your key stakeholders, reputation, and value-creating operations of your company.

A business continuity strategy should ensure that workers are mindful of their roles and responsibilities in the case of an unexpected occurrence and follow established processes and approved procedures.

Many of the ISMS.online customers develop simple yet effective business continuity plans within ISMS.online for meeting ISO 27001 and protecting their valuable information assets. Other customers take that even further with ISO 22301 and introduce more sophisticated resilience planning and prevention as well as response mechanisms too.

Pull Together All Your ISO 22301 and BCMS Work in One Place With Our Range of Business Continuity Management Tools

What Is a Business Continuity Risk?

As stated, business continuity (BC) helps you to better identify and prepare for disruptive events, i.e. to address business continuity risks. Business continuity leads to a more stable environment, whereas companies without effective business continuity significantly increase their risks. A well-developed, organised and rehearsed Business Continuity Plan (BCP) can help the business rebound from an incident as quickly as possible.

It is important that all of your procedures are up to date, accurate and efficient. This includes, but is not limited to, corporate risk assessments, information security risk reviews, your health and safety policies, and your Business Continuity Plan (BCP).


Examples of business continuity risks include:


  • Cyberattacks and data breaches
  • Unplanned IT and telecom outages
  • Interruption to utility supply
  • Adverse weather and other environmental causes
  • Acts of terrorism
  • Security incidents
  • Fire
  • Flood
  • Loss of key personnel
  • Physical property destruction or material loss

What Are the Benefits of Business Continuity?

Business continuity enables you to have a mechanism that assures that the key functions of your business remain, even after a crisis. As well as this, business continuity prevents large-scale damage and ensures that your organisation recovers lost business as quickly as possible. Also, business continuity allows you to achieve a marketing advantage by demonstrating the ability to maintain the delivery of your products and services, giving customers confidence your organisation can be trusted at all times.

Business continuity will also minimise the organisation’s reliance on individuals by ensuring that staff know their roles and responsibilities in the case of an unforeseen incident and follow established processes and accepted procedures.

Effective business continuity practice considers potential threats to a company and evaluates the effect they could have on day-to-day functions. Failure to have an appropriate continuity strategy may result in:

  • Loss of business, customers and staff
  • Damage to brand reputation
  • Loss or damage to property and premises
  • Potential fines due to non-compliance with legal or regulatory requirements

Emergency Preparedness

Business continuity details the steps you need to take in an emergency in the form of a disaster recovery plan. A Disaster Recovery Plan (DRP) is a documented, organised strategy that sets out how to respond to incidents.

The DRP is formed following more detailed business impact assessments (BIA), which show where the biggest impacts and consequences of an event would be. ISMS.online gives you the tools you need to manage your BIAs, DRPs, and much more.

The DRP should include a short-term plan to fix and rebuild critical business systems, and a plan to address problems such as root cause identification and a long-term prevention approach. There are many options available to ensure that an organisation is set up with a contingency system that provides the best solution.

For example, an on-site recovery system would ensure that data can be retrieved more easily, through data backups and other means. Your prevention measures should also protect against potential server failure and consider the risk posed by external contractors. You would then build contingency plans and alternative strategies for the absence of supplies that are vital to operations, well before they become a DR issue.

ISMS.online enables the easy preparation of risk management and mitigation actions, holds the necessary disaster response plans, and makes delivering those plans very straightforward in times of crisis.

What Are the Benefits of ISO 22301?

There are many advantages of ISO 22301, including returning the organisation to ‘business as usual’ with minimal disruption from any crisis. Other advantages of ISO 22301 include:

ISO 22301 Will Keep Critical Functions Up and Running During Times of Crisis

Good Business Continuity Management (BCM) can ensure continuity of critical services, preserve the revenue stream and properties, and reduce the risk of potential losses due to an incident or catastrophe. Since its revision, the standard better represents current thinking in the business continuity industry, specifically the analysis of business impact and the creation of recovery strategies.

ISO 22301 makes risk management from events such as cyber-attacks and natural disasters less stressful. It also means that organisations with effective BCM programmes quickly recover from any incident.


ISO 22301 Demonstrates Resilience to Customers, Suppliers and for Tender Requests

ISO 22301 certification shows stakeholders that your business continuity capability is appropriate for the scale and scope of your organisation. Like ISO 27001, it engenders more trust, especially when certified by an independent certification body. It aids your understanding of the business need by identifying potential failures and risks. Businesses can then demonstrate to their stakeholders, consumers, vendors and regulators that they have sound business continuity systems and processes in place.

ISO 22301 will also increase stakeholder trust in the organisation’s ability to respond to incidents and events, and to sustain critical business processes should a catastrophe occur.

ISO 22301 Identifies and Manages Current and Future Threats to Your Business

By its very definition, a continuity planning and management framework such as ISO 22301 ensures that issues can be detected before they escalate. It builds an understanding of effective business process management in an enterprise by offering a systematic approach to its operation and continuous improvement. The business continuity management system allows organisations to identify the potential impacts of functional disruption, to deploy successful BCPs and to reduce the overall impact on the business.

ISO 22301 Takes a Proactive Approach to Minimise the Impact of Incidents

ISO 22301 gives you the ability to respond appropriately in the event of a disruption and avoid waste or unnecessary loss. Through proactively assessing the effect of a disruption, BCM recognises the products and services that are essential to the organisation’s survival and seeks to determine what solutions would be required if an incident were to occur.

Knowing the Difference Between Disaster Recovery and Business Continuity


An often misunderstood area is the difference between disaster recovery and business continuity. ISO 22301 addresses both of these areas. Disaster recovery activities concentrate on returning the company to ‘business as usual’ after a traumatic event and reaching complete recovery. Business continuity management is about ensuring that the enterprise can continue to function during a crisis.


Who Can Implement ISO 22301?

As stated above, the ISO 22301 business continuity management system standard extends to organisations of all sizes, across all markets and all experience levels. ISO 22301 implementation includes reviewing operational structures to identify potential shortfalls, and allowing the organisation to concentrate on its goals and business objectives.

The needs of the implementation project are specific to the company implementing the standard, and ISMS.online makes that straightforward. There is no need to concentrate on ‘how’ you will implement and manage ISO 22301; you can simply concentrate on the activities within the standard and focus on ‘what’ you need to do for prevention and cure.

How to Implement ISO 22301


When you implement ISO 22301, the first simple step is to address the primary requirements of the standard. These encourage you to take a strategic approach (which is why leadership is so important): set the context and the scope, and develop a business continuity policy and objectives for the BCMS.

That will help identify your areas of risk and opportunity; you can then consider the impacts of those risks and what they might mean in terms of consequences, time to failure, recovery and so on. Doing so will help you discover any holes or shortcomings in your current management systems, and you will be able to provide pragmatic suggestions for improving them. ISO describes this as business continuity strategies and solutions.

ISMS.online has partners that can help with your ISO 22301 implementation, from achieving a simple, pragmatic BCMS approach through to a highly sophisticated business continuity management system.

Once you have completed implementation, it is important to undertake regular audits of the business continuity management system. Internal audits are also mandatory for achieving independent certification of the BCMS. Performance reviews complement internal audits to make sure that your management systems are operating as expected at all times.

The ISO auditor would also expect to see a record of improvements your organisation has made over time. Having a method for addressing nonconformities, corrective actions and other improvements is a key requirement.

How to Get Started With ISO 22301 and Business Continuity Management?


We always encourage organisations to buy the ISO standard and digest it to fully understand the requirements. We recommend starting at the beginning (4.1, understanding the organisation and its context) and avoiding jumping into developing response plans until you have considered the scope, risks and impacts.

ISMS.online is also preconfigured with a range of tools that make the process easier to follow and let you retain a focus on the business. It also maps into the more comprehensive tool and feature set for ISO 27001, meaning you can meet many of the ISO 22301 requirements, such as audits, performance reviews, management meetings and staff education, at the same time. This reduces cost, simplifies learning for staff and makes the administration of the broader business management system that much easier too. External auditors also find that much more effective and take great confidence when they see consistent operating practices across the ISO standards.

What Is a Business Continuity Management System (BCMS)?

A business continuity management system, put very simply, is a recognised approach for ensuring an organisation can continue operations and respond effectively to disruptive events.

For a BCMS based on ISO 22301, ISO itself emphasises the importance of:

  • Showing the organisation understands the needs and necessity for business continuity policy and objectives
  • Implementation and execution of processes, response mechanisms and other interventions to ensure the organisation survives a disruption
  • Monitoring and continuous improvement of the business continuity management system

It is, therefore, not surprising that ISO 22301:2019, the internationally recognised specification for the Business Continuity Management System (BCMS), has been revised to ensure that it remains relevant.

ISO 22301 provides a constant and established method of analysis with a framework based on recognised good practice. Anyone implementing and achieving certification for an ISO 22301 based business continuity management system will find instant recognition and understanding from powerful customers, including educated experts, auditors and other interested parties.

Demonstrating Good Practice for Business Continuity Management

Following ISO 22301 as a basis for your BCMS will provide proof that the company has taken the necessary steps to meet regulatory requirements in addition to recognised good practice.

Best practice in business continuity incorporates the full lifecycle of business continuity management. This makes it possible to maximise the efficiency and quality of your BCMS. ISO 22301 provides a framework based on international best practice and the well-understood Plan, Do, Check, Act cycle. This cycle applies to organisations that implement, maintain and improve their BCMS, which seeks to ensure compliance with the stated policy on business continuity.

Business Continuity Policy and Disaster Recovery Planning Means You Run a Better Business

In developing business continuity plans, you will also be well placed to implement practices that reduce and prevent the risk of damage to your organisation. Not only this, but business continuity plans help you better understand your organisation and run it more effectively too.

The ISO guidance is designed to help organisations identify and manage a series of procedures. This guidance helps them plan for and rebound from disruptions to their business activities, although it is always better to avoid disruptions entirely (which is not always possible or financially feasible).

It is also essential to clarify priorities should an incident occur, for example: what is the target recovery time? What is the maximum tolerable downtime? You can use the answers to these questions to prepare your disaster recovery plan. An ISO 22301-aligned BCMS will include disaster recovery and business continuity plans to help your company recover its critical operations as rapidly as possible.

How Does Business Continuity Fit Into Overall Management?

Despite business continuity management becoming more important, many organisations still do not grasp what business continuity management is and how it can work with overall management. Some see it only as a pragmatic solution to major disasters, usually involving substantial damage to assets. However, done well, ISO 22301 and business continuity management can be adopted alongside other standards, such as ISO 27001, and form the foundation of how businesses will be measured in the future.

Powerful customers and other stakeholders want great products and a clear business strategy from their suppliers, but they also want them to be safe, secure, reliable and resilient. These two standards, alongside (or even instead of) much more established ISO standards such as ISO 9001 for quality management, are likely to be mandated by many more organisations in future. Emerging standards such as ISO 27701 for privacy information management systems (PIMS) may also take off and pull through ISO 27001, as that PIMS standard is derived from ISO 27001 itself.

Combining an ISMS and BCMS

ISO 22301 provides a streamlined approach to business continuity that fits very well with the main requirements of ISO 27001. Annex A.17.1 of ISO 27001 addresses information security continuity, and many other Annex A controls touch on it too. This goes to the heart of effective continuity and of preventing disasters before they happen. It is an integral part of the Information Security Management System (ISMS), particularly if you want to achieve ISO 27001 certification.

ISO 27001 is the only information security standard that organisations can obtain through external audit certification to illustrate that their management system is compatible with internationally recognised good practice.

A BCMS compliant with ISO 22301 should ensure that your business continuity policies stay up to date and become ingrained in the organisation’s culture. It will help manage threats efficiently and reinforces a structured way to manage business continuity. With ISMS.online you can incorporate ISO 22301 and ISO 27001 and gain certification in one powerful all-in-one platform.


We Give You the Opportunity to Do All Your Business Continuity, Not Just Your Information Security

ISO 22301:2019 Requirements

ISO 22301:2019 implements the framework, core text and definitions of Annex L (formerly Annex SL). Annex L establishes a high-level structure for ISO management system standards. The Annex was drawn up so that these standards share a common core text, terminology and concepts.

Except for Clause 8, the Annex L requirements address many of the same areas as the core requirements of ISO 27001, covered in its Sections 4.1 through 10.2:

  • Clause 1 – Scope
  • Clause 2 – Normative references
  • Clause 3 – Terms and definitions
  • Clause 4 – Context of the Organization
  • Clause 5 – Leadership
  • Clause 6 – Planning
  • Clause 7 – Support
  • Clause 8 – Operations
  • Clause 9 – Evaluation
  • Clause 10 – Improvement
