What will Requirement 4 of ISO 22301 help you achieve?
Before you create and implement your business continuity management system (BCMS), you need to understand exactly what it should do for you and your stakeholders.
That means being clear about what your organisation does, how it does it, what kind of regulatory environment surrounds it, what its stakeholders need from it and a range of other relevant factors.
Clause 4.1 of ISO 22301 will help you with that process. It lays down clear criteria defining what to consider and what to ignore as you scope out, create, implement and maintain your BCMS. Once you’ve defined your organisation’s unique features and needs, you’ll be able to create a unique BCMS that responds to them efficiently, constructively and securely.
4.1 Understanding your organisation and its business context
You and your team should start by identifying the key internal and external factors that define how your organisation operates. That’ll help you understand what you need to protect to maintain continuity during critical situations, and so plan and be ready for them.
External factors to look at include your operating environment, contractual requirements, and any relevant regulations and legal requirements. Internal factors include your business strategy, policies and standards. And you’ll need to take account of your products, services, overall business objectives and general attitude to risk.
Understanding how critical situations could hinder the smooth running of your organisation by impacting some or all of these will help you make sure your BCMS protects them.
4.2 Defining the needs and expectations of interested parties
4.2.1 General
You’ll identify all parties who might have an interest in or be relevant to your organisation’s BCMS. Then you should define exactly what they need from your organisation, which usually means keeping your products and services available to them. That’ll help you make sure your organisation continues to deliver what they need in times of crisis.
4.2.2. Legal and regulatory requirements
To achieve ISO 22301 certification, your organisation will need to develop, carry out and maintain a legal and regulatory assessment process.
It should help you identify, access, evaluate and share all relevant legal and regulatory requirements. They’re the ones relating to the continuity of all the products, services, activities and resources you cover in your BCMS.
You’ll need to make sure that you take those requirements into account as your organisation adopts and manages your BCMS. And you should keep up-to-date documentation to help it both comply with them and prove that it’s complying with them.
4.3 Deciding the scope of your BCMS
Clause 4.3.1 asks your organisation to define the broad scope of your BCMS by thinking through what it includes and when it should be applied. As you do that, you should consider:
- The external and internal challenges identified in 4.1
- Any relevant stakeholder-related, legal or regulatory criteria identified in 4.2
- Your BCMS’ purpose, objectives and external and internal goals
You should document and be ready to share your conclusions.
4.3.2 Scope of the business continuity management system
You’ve defined your organisation. You’ve thought through all the different contexts that influence it. You’ve understood the needs and requirements of interested parties. That’s given you a broad sense of when and how your BCMS should be applied.
Now you need to decide which parts of your organisation, and which of its products or services, to include in it. That means looking at your organisation’s location or locations, size, nature and complexity. You should also carry out a business impact analysis and/or any relevant risk assessments.
Then you’ll need to document and explain your decisions. That means making clear what’s within your BCMS’ scope, what you’ve decided to exclude and why you’ve excluded it. And you’ll have to show that any exclusions won’t create any continuity challenges in times of crisis.
4.4 Your business continuity management system
This clause notes that your organisation should now be ready to develop, adopt, manage and continuously improve a BCMS. You’ll need to think through the processes you’ll need to put in place to do that, and you should make sure they interact with each other in constructive ways.
And we’ll end with a final reminder that your BCMS should both:
- Meet the needs of your organisation
- Comply with the requirements of ISO 22301
ISO 22301:2019 Requirements
ISO 22301:2019 implements the framework, fundamental text and definitions of Annex L, formerly Annex SL. Annex L establishes a high-level framework for ISO management system standards. The Annex was drawn up so that these standards share a common core text, terminology and concepts.
Except for Clause 8, the Annex L requirements address many of the same areas as the core requirements of ISO 27001, covered in Sections 4.1 through 10.2.