ISO 22301 Clause 7: Support
What will Requirement 7 of ISO 22301 help us achieve?
Managing an extensive, effective BCMS creates some very practical challenges. To overcome them, you need to make sure that your organisation’s made the right resources available.
They include a competent business continuity team, equipped with the right training and support, and effective communications that drive awareness of your business continuity policies and controls. Of course, you also need to document your policies and actions, and be ready to share that documentation as and when needed.
This clause asks you to make sure you’ve assigned the right resources to the development, implementation, maintenance and continuous improvement of your BCMS. That’s a very wide-ranging challenge, because those resources can include people, premises, technologies, information, suppliers and partners.
If you run into any capacity or capability problems as you do that, we’ll be very happy to help. We can draw on a wide network of specialist support partners. Just let us know what sort of issue you’re facing and we’ll match you up with the right person to help you deal with it.
To achieve ISO 22301 certification, you’ll need to carefully evaluate the competence of the employees who play a part in maintaining your BCMS and carrying out your business continuity plan. If they already have the right skills or experience, then you just have to document that. If they don’t, you’ll need to either train them up, or refocus their responsibilities to match their capabilities and find someone else to fill the gap.
You must record all that with a general statement about your people and their competencies. It should describe each one’s role within your BCMS and show their suitability for it, noting any relevant experience, training or education.
We recommend laying this information out in table form, summarising the right details in a clear, simple way. That makes it easy to show that you have the right teams in place to deal with challenging times.
It’s also worth noting that the competence evaluation process can be very challenging. It can cover a very wide spectrum of skills and experience, and create a need for you to train existing employees or even recruit new ones. As ever, if you need help with that, we can recommend a partner who’ll be an excellent match for your organisation.
If your organisation’s people don’t know about or understand your BCMS, they can’t act on it. So you must make sure that each of them has clear, specific knowledge of their business continuity roles and responsibilities.
They must also have a good sense of the bigger picture, understanding:
- Your business continuity policy
- How they contribute to its effectiveness and why that’s good for your organisation
- What not conforming with it means for them and for the organisation
Effective communication’s a big part of a successful BCMS. You’ll need to have all communications relevant to your BCMS clearly planned out. That means defining what you’re going to say, who you’re talking to and how you plan to reach them.
You’ll probably be looking to reach a wide range of internal and external audiences in a variety of different ways. You must also be very clear about exactly who’s responsible for which communications.
Our platform can help you and your people effortlessly share the right information with the right people at the right time. Its Groups function lets you organise your comms audiences and instantly share the right data or content with them. With Notes you can host and manage clear and transparent discussions, so individuals or teams can come together to review, understand, improve and even execute your business continuity plans.
7.5 Documented information
Documentation is a key aspect of ISO 22301 compliance. To achieve certification for your organisation you need to document the details that are both:
- Required by the standard itself
- Defined as essential for your organisation’s BCMS effectiveness
That second requirement means that different organisations can have very different BCMS documentation needs. Your own organisation’s needs will be a function of its general scope, activities and relationships, and its specific business practices, policies, services, products and assets.
7.5.2 Creating and updating
Effective document control is a very important part of achieving and maintaining your ISO 22301 certification.
You have to make sure that all of your documents are clearly titled and described. They must be stored in a format that makes accessing, reading and updating them easy. Each document will need to be reviewed and approved to make sure it holds the right information and shares it in the right way.
7.5.3 Control of documented information
When the right information’s in the right place it can have a very powerful impact. But if nobody can find it, or the wrong people read it, or it just gets deleted, it can create big problems.
ISO 22301 asks you to bear that in mind as you create your BCMS. You’ll need to make sure that the documented information it requires is securely stored in the right place, ready to be read by the right people and nobody else.
That’s a simple set of outcomes, but achieving them needs careful thought. You’ll have to carefully plan document distribution, access and use. You’ll need to securely store and preserve documents using the appropriate media, and control any changes made to them. You’ll need to be clear about when you retain or dispose of individual documents.
You’ll also have to identify and – where necessary – control access to any external documents needed to operate your BCMS.
We, of course, want to make all of that as easy as possible. So we offer an easy-to-use documentation system. It:
- Follows the format of the ISO 22301 specification, so you, your auditor and any other interested parties can quickly and easily access whatever data’s needed
- Has clearly established roles and permissions, so you’re always in full control of how people can access, update, approve or share information
- Automates version control and revision reminders, removing complexity and potential confusion from the document creation process
- Includes comprehensive, easily customisable policy and control documents you can start using from the moment you log on
ISO 22301:2019 Requirements
ISO 22301:2019 implements the framework, fundamental text and definitions of Annex L, formerly Annex SL. Annex L establishes a high-level framework for ISO management system standards. The Annex was drawn up to incorporate a similar core text and common terminology and concepts.
Except for Clause 8, the Annex L requirements address many of the same areas as the core requirements of ISO 27001, covered in Sections 4.1 through to 10.2.