What Will Requirement 5 of ISO 22301 Help Us Achieve?
Any BCMS needs senior buy-in to be truly effective. Clause 5 of ISO 22301 asks your organisation’s senior management to show clear leadership of, and ongoing commitment to, your BCMS.
It lays out how that should work in these three sub-clauses:
- 5.1 Leadership and commitment
- 5.2 Policy
- 5.3 Roles, responsibilities and authorities
Meeting their needs will help your organisation show its customers and key stakeholders that your BCMS has strong support right from the top. That creates certainty that your BCMS will work as it should in times of crisis, safeguarding your organisation’s essential functioning.
5.1 Leadership and Commitment
This section underlines how important the functional and financial support of senior management is for business continuity. It identifies specific areas where senior managers need to show leadership and commitment in clearly defined, practical ways.
If your managers aren’t actively involved, don’t engage in performance evaluations or can’t show the auditor that they’ve taken business continuity management seriously during the audit, you’re unlikely to achieve ISO 22301 certification.
To avoid that, you’ll have to show that your senior leaders are fully supportive of your organisation’s BCMS. If you’re managing the process effectively, that’ll be very easy. You just need to document their guidance and contributions, ready to share with your auditors.
We’ve created a sample strategy to help you do that. It includes a recommended declaration of senior management activity both within and beyond the BCMS, describing all the areas where they’d usually get involved. You can either follow it precisely, or modify it according to your own needs. It’ll help you gather all the documentation your auditors will need to see.
Once completed, it will help you show that your senior management team has been closely involved with the development of your BCMS and are ready to make sure it achieves its stated objectives. It will also help you assess and illustrate how well your BCMS is likely to perform against those objectives.
That last point is very important. Maintaining your BCMS is an ongoing challenge, but you’ll only actually use the business continuity plan it maps out when the worst happens. Until then, the best you can do is test that plan out. Our tools will help you make sure those tests are as convincing and thorough as possible, creating high levels of assurance and certainty for your organisation, your customers and your other key stakeholders.
5.2 Policy
Clause 5.2 specifies that senior management must develop and document a business continuity strategy.
You’ll also need to show that you’ve applied the requirements of that strategy to your BCMS, and are confident that all interested parties know they can trust it.
Your senior managers must make sure that your business continuity strategy:
- Is relevant to your organisation’s goals and objectives
- Meets your organisation’s business continuity needs
- Has been fully reviewed by and coordinated with your organisation and stakeholders
Again, our systems make it easy for you to gather, organise and share all the evidence you need to prove that your organisation’s business continuity policy hits those targets. Our sample framework’s easy to adopt and adapt, and will help you assure both auditors and stakeholders of the precision and thoroughness of your organisation’s planning.
5.3 Roles, Responsibilities and Authorities
Finally, your senior managers will need to guarantee that the roles, responsibilities and authorities of all BCMS actors are clearly defined and well understood. And once again, all relevant documentation must be both in place and seen to be in place.
That will ensure a timely, focussed and consistent response to all business crises. It also has clear practical benefits in non-critical times. Being able to demonstrate high levels of readiness will let your customers or other key stakeholders know that the right people are all ready to take the right actions at the right time, whatever challenges they’re facing.
Of course, ISMS.online makes recording, updating and sharing all the relevant information simple and easy. It lets you define and assign ownership of everything from policy activities, risks and impact assessments to specific critical actions, behaviours and responses.
And we can help you at every stage of the documentation process. Whether you’re working with senior management to define and clarify critical roles, responsibilities and authorities ahead of your audit, or setting up a control team to make sure all their planning stays relevant and ready to go long after you’ve achieved certification, we’ll be there for you.
ISO 22301:2019 Requirements
ISO 22301:2019 implements the framework, fundamental text and definitions of Annex L, formerly Annex SL. Annex L establishes a high-level framework for ISO management system standards. The Annex was drawn up so that all such standards share a common core text, terminology and concepts.
Except for Clause 8, the Annex L requirements address many of the same areas as the core requirements of ISO 27001, covered in Section 4.1 through to 10.2.