ISO 22301 Clause 8: Operation

What will Annex L 8 of ISO 22301:2019 help you achieve?

Once you’ve planned out your BCMS, you need to think through how it’ll work in practice. Clause 8 highlights all the practical actions you’ll need to take to make sure that your BCMS functions as it should. It’s one of the most detailed and important sections of the standard.

It asks you to work through potential business threats and hazards in some detail. You’ll have to consider how they might disrupt your organisation and use that thinking to flesh out a wide range of continuity management details. Then it describes how to regularly test your BCMS and evaluate its ongoing effectiveness.

8.1 Operational planning and control

You’ll need to define, execute, track and document the processes that make sure your BCMS:

  • Meets the needs of ISO 22301
  • Achieves all the outcomes it needs to
  • Avoids any negative side effects
  • Is continually improving

You must carefully monitor any planned changes to your ISMS and watch out for any unplanned ones, so you can act fast to prevent any problems they might cause. You need to do so globally, keeping an eye on your supply chain and any outsourced processes as well as your organisation’s internal ones.

See how simple it is with

8.2 Business impact analysis and risk assessment

You’ll need to understand exactly how business disruption could affect and create risks for your organisation. That means setting up and running comprehensive business impact analysis and risk assessment procedures. You’re free to choose which to carry out first. Your business impact analysis will help you establish business continuity priorities and requirements. You must start by defining the impacts that could cause problems for your organisation. Then you’ll need to think through the specific activities they could hit and map out a timescale for the problems they could cause. That timescale will help you assess exactly when those problems become unacceptable.

The period up to that moment is the maximum tolerable period of disruption, or MTPD. That’s the time beyond which no recovery is possible. You might have one MTPD for your whole organisation, or several for different products or services. Once that’s defined you can set a specific recovery time objective (RTO). That’s the point in the future at which you are up and running again. You’ll also need to define your recovery point objective, or RPO. That’s the point in the past to which you want to recover, or (to put it another way) your last confirmed state with integrity. Again, you might have one or several RTOs and RPOs, depending on the nature of your organisation and its products and services.

The standard points you towards ISO 31000 for guidance on risk management. You’ll need to understand the risks that disruption could create for your organisation’s most important activities and resources. Once you’ve analysed and evaluated them, you’ll be able to decide which ones to take action against. Of course, our business continuity management tools can help you analyse and assess the challenges your organisation faces and simplify sharing and justifying your conclusions.

8.3 Business continuity strategies and solutions

You’ve looked at how a crisis could impact and create risks for your organisation. You’ve understood the nature of those impacts and risks, and you’ve mapped out a timeline for dealing with them. Now you need to plan out exactly what to do before the crisis hits, while you’re in the middle of it and after it’s over.

You must explore possible strategies and solutions for dealing with it. They shall:
Protect your organisation

  • Help it continue the activities you’ve prioritised
  • Reduce the likelihood and length of any disruption
  • Limit its impact on your organisation
  • Make sure all the necessary resources are ready for deployment

Then make your choice, looking for one that best helps you continue or restart the key activities you’ve identified within the timeframes you’ve set. It also has to take account of the risk levels your organisation’s happy with, plus any other relevant costs or benefits.

And of course, you’ll need the right resources to implement the solutions you choose. Individual organisations can have very different needs. You must start by defining the people you’ll need to draw on. Once you know that, you can plan out:

  • The information and data they’ll need
  • Any physical infrastructure relevant to their work
  • What kinds of equipment or consumables they’ll need
  • What their ICT, transportation and logistics needs will be
  • How your organisation will finance their operations
  • Which partners and suppliers they’ll need to engage with
Read our free guide to achieving ISO 27001 first time

8.4 Business continuity plans and procedures

You’re now ready to implement and maintain your business continuity solution, ready for immediate deployment in times of crisis.

That means planning out all your organisation’s disruption management processes and setting clear criteria for triggering them. Those processes must match up with the strategic thinking and solution development you’ve already done. They’ll also need a response framework to make sure your organisation shares timely warnings and feedback with all relevant stakeholders.

Your business continuity solution must:

  • Define immediate actions to resolve the situation
  • Adapt quickly to changing internal and external factors
  • Home in on incidents that can lead to disruption
  • Mitigate their impact with effective solutions
  • Delegate specific duties and responsibilities

Your disruption management teams must be ready to go too. They must all be made up of clearly identified personnel, supported by fully documented procedures. That’ll help them assess the nature, size and potential consequences of any crisis, then act accordingly by:

  • Activating existing solutions and plan specific details of their deployment
  • Establishing priorities within them (with preserving life the most important goal)
  • Monitoring both the ongoing situation and the impact of their responses to it
  • Staying in touch with all relevant parties and authorities, and the media

Good communications are a key to effective crisis response. You must think through how you’ll communicate in challenging situations, mapping out both internal and external comms routes, and making sure all the right equipment’s available to support them.

You’ll also need to make sure that all ingoing and outgoing communications are properly logged and – where relevant – responded to. Your broader comms strategy must include everything from engaging with emergency responders to dealing with the media. You might also have to make sure coms between any responding organisations are properly managed.

And of course, you’ll have to include all of this and more in your organisation’s business continuity plans and procedures. The ISO 22301 standard goes into considerable detail about exactly what they must contain, in clauses 8.4.4 and 8.4.5. We’d recommend going through their requirements as carefully as possible to make sure that your plans match up with their very clear and specific expectations.

8.5 Exercise programme

The standard asks you to set up and run a regular evaluation and testing programme to confirm the reliability of your business continuity plans and solutions. That means conducting activities and assessments that align with your business continuity goals and focus on well structured, realistic scenarios with clearly defined priorities and goals.

They need to have a positive impact on your BCMS. They must build the relationships, knowhow and competence of all teams involved with it, and lead to constructive, thorough evaluations and feedback that improve it. Over time, they should both validate your BCMS in its current state and help you improve and evolve it. That last point is crucial – you must make sure you record and act on anything you learn from the exercises you run.

8.6 Evaluation of business continuity documentation and capabilities

This clause builds out from the last one, describing how you should evaluate every aspect of your BCMS and every factor that could possibly affect it.

It gives you a template for a thorough, regular re-evaluation of all the work you’ve done. You’ll need to look at every aspect of your BCMS’ response to your organisation’s needs and issues, its relationship with any external partners and suppliers and its compliance with all relevant policies, regulations and industry norms. As ever, it also advises you to keep a close eye on your documentation and procedures, updating them promptly and efficiently.

You must plan to do that on a regular basis. You should also re-evaluate your BCMS after any incidents or activations, or when significant changes to your organisation or business environment occur.

ISO 22301:2019 Requirements

ISO 22301:2019 implements the framework, fundamental text and definitions of Annex L, formerly Annex SL. Annex L establishes a high-level framework for ISO management system standards. The Annex was drawn up to incorporate a similar core text and common terminology and concepts.

Except for Clause 8, the Annex L requirements address many of the same areas as the core requirements of ISO 27001, covered in Section 4.1 through to 10.2.