ISO 22301 Clause 6: Planning

What will Requirement 6 of ISO 22301 help you achieve?

Requirement 6 shows you how to think through risks and opportunities, plan your response to them and set your business continuity objectives. It also asks you to define how you’ll make any changes to your BCMS itself.

6.1 Actions to address risks and opportunities

This section of the ISO 22301 specification helps you think through the risks or opportunities that might hinder or help you as you make sure that your BCMS:

  • Works as it should
  • Doesn’t create any unexpected outcomes
  • Will continually evolve and improve

To successfully work through this part of the ISO process, you must draw on your earlier thinking in clause 4. You’re now going to clarify the risks and opportunities emerging from the legal and regulatory requirements, interested party issues and BCMS scope you defined there.

You’ll need to plan how you’ll identify, assess and treat these risks and opportunities. Then you’ll have to think through how you’ll integrate any resulting actions into your BCMS. And you must also look ahead, specifying how you’ll evaluate the effectiveness of those actions and monitor them over time.

We advise documenting your risk identification, assessment and treatment processes to show how you’ll manage each new risk as it comes up. You must plan to either tolerate each risk, terminate it or transfer it to another party. You’ll also need to prove that your risk assessments are consistent, valid and produce ‘comparable results,’ which means being clear about your risk methodology.

You must also assign each risk to a risk owner within your organisation. They’ll need to determine its level, estimate a ‘realistic likelihood’ of it happening and assess the possible consequences if it actually becomes a reality. Once that’s done, each risk must be prioritised for risk treatment and managed according to your documented processes.


6.2 Business continuity objectives and planning to achieve them

You probably already know why you want to develop your BCMS and have some top-level strategic objectives that tell you what success looks like.

Now you need to set your organisation’s business continuity objectives and make sure that they align with its business continuity policy. Those objectives must also be measurable (where possible), monitored, communicated and understood, and always kept up to date. And of course you have to fully document them.

Your business continuity goals must also take into account the requirements set out in clauses 4.1 and 4.2. That means:

  • Being clear about your organisation’s definition, structure and business context
  • Defining your stakeholders’ business continuity needs and expectations
  • At least starting to carry out your risk assessment and treatment

Once you’ve finalised your business continuity goals, you’ll need to decide what actions to take and what tools to use to achieve them. You’ll also need to assign responsibility and set timings for, and decide how you’ll evaluate, each objective.

4.4 Your business continuity management system

You need to plan out how you’ll make changes to your BCMS, then be sure to follow that plan whenever your organisation needs to change it. This applies to any and all changes, including those arising from clause 10 of the ISO definitions.

You’ll also have to think through:

  • The purpose and possible consequences of any changes
  • How they could impact the integrity of your BCMS
  • To whom you’ll allocate any new responsibilities / authorities
  • Whether you need to reallocate any existing responsibilities / authorities
  • What resources you’ll need to deploy to support them

ISO 22301:2019 Requirements

ISO 22301:2019 implements the framework, fundamental text and definitions of Annex L, formerly Annex SL. Annex L establishes a high-level framework for ISO management system standards. The Annex was drawn up to incorporate a similar core text and common terminology and concepts.

Except for Clause 8, the Annex L requirements address many of the same areas as the core requirements of ISO 27001, covered in Section 4.1 through to 10.2.