ISO 22301:2012 is the first international business continuity management standard. It can be used to ensure that business operations continue, and that products and services are delivered at acceptable levels, following a disruptive incident, and that brands and value-creating activities are protected. This means that the interests of key stakeholders are safeguarded. The standard replaced the earlier British business continuity standard, BS 25999, which has been withdrawn. (Note: the 2012 edition described here has itself since been revised as ISO 22301:2019; the clause structure summarised below is that of the 2012 edition.)
The Clauses of ISO 22301
The requirements of ISO 22301 are found in clauses 4 to 10 of the standard (clauses 1 to 3 cover scope, normative references and terms, and contain no auditable requirements).
These clauses show you how to set up and manage a Business Continuity Management System (BCMS). A BCMS is a set of interrelated policies, procedures, plans and records that you use to govern and maintain your organisation's business continuity capabilities.
The PDCA Cycle
ISO 22301 follows the Plan-Do-Check-Act (PDCA) model, and its clauses are organised around the four phases of that cycle:
1. PLAN. Clauses 4, 5, 6, and 7 expect you to plan the establishment of your organisation’s BCMS.
2. DO. Clause 8 expects you to establish your BCMS.
3. CHECK. Clause 9 expects you to evaluate your BCMS.
4. ACT. Clause 10 expects you to improve your BCMS.
Scope of ISO 22301
ISO 22301 is a generic business continuity management standard. It can be used by an organisation of any size or type, or by any part of an organisation. However, exactly how you apply ISO 22301 is up to you: it will depend on your organisation's particular business continuity needs and priorities, the expectations of interested parties, the complexity of its operating environment, its structure, and its legal and regulatory obligations.
Overview of the Clauses of ISO 22301
Clause 4. Context
Clause 4 asks you to start by understanding your organisation and its context before you develop its BCMS. You need to identify who your organisation's interested parties are and to clarify what their needs and expectations are. The clause also asks you to consider all relevant legal and regulatory requirements and to clearly define the scope of the BCMS, including any exclusions and the reasons for them.
Clause 5. Leadership
Clause 5 asks your top management to provide leadership for the BCMS. They must demonstrate commitment by assigning responsibility and authority for the BCMS, and by establishing and communicating a business continuity policy.
Clause 6. Planning
Clause 6 asks you to plan actions to address the risks and opportunities that could affect the BCMS itself, and to establish measurable business continuity objectives together with plans for achieving them.
Clause 7. Support
Clause 7 asks your organisation to support its BCMS by providing the necessary resources. It asks you to make sure that people are competent and aware of their responsibilities, to establish procedures for internal and external communication, and to control the documented information the BCMS relies on.
Clause 8. Operation
Clause 8 asks you to plan, implement, and control your organisation's BCMS processes. You need to carry out a business impact analysis and a risk assessment: the impact analysis identifies your prioritised activities and sets their recovery priorities, while the risk assessment identifies the threats to those activities and the risk treatment options. From these you develop a business continuity strategy, then establish business continuity plans and procedures, including incident response and communication procedures. Once established, the clause asks you to exercise and test your business continuity plans and procedures so that you know they work before an incident occurs.
Clause 9. Evaluation
Clause 9 asks you to monitor, measure, analyse and evaluate your BCMS, to conduct internal audits, and to have top management review its performance at planned intervals.
Clause 10. Improvement
Clause 10 asks you to identify nonconformities, to take corrective action to address their causes, and to continually improve the suitability, adequacy and effectiveness of your organisation's BCMS.
ISO 22301 Certification
ISO 22301 is designed to be used for certification purposes. Once you have established a BCMS that meets both your organisation's requirements and those of ISO 22301, you can ask a certification body to audit your system. If you pass the audit, the certification body will issue a certificate stating that your BCMS conforms to the requirements of ISO 22301.
While ISO 22301 is designed to be used for certification purposes, you do not have to become certified. You can conform to the standard without being formally certified by an accredited certification body, for example by self-declaration or by having a customer or other interested party confirm your conformity. Many organisations take this approach.