ISO 22301 – Business Continuity Management
Emergency and disaster recovery plans can be of utmost importance for continuing operations in the event of a disruption. They only help, however, if they cover actual needs, are kept up to date, and are regularly reviewed for effectiveness; a Business Continuity Management System (BCMS) implemented in accordance with ISO 22301 is designed to ensure exactly this.
Awareness among leaders and managers is increasing, and certification of Business Continuity Management is emerging as a trend worldwide. Following the first edition of the international standard ISO 22301, the second edition has been available since 2019.
The current second edition of the BCM standard is more concise: 21 pages compared with the 34 pages of the first edition, which had been published in Austria as an ÖNORM. This consolidated version of the standard specifies the requirements for planning, establishing, implementing, operating, reviewing, maintaining and continually improving a documented Business Continuity Management System.
The authors of ISO 22301 have deliberately kept the requirements generic so that organizations of all sizes and sectors can apply them. The Plan-Do-Check-Act improvement cycle, which has proven itself in both quality management and information security, is also a central element of operating a BCMS.
Benefits of a BCMS
- Preparation for business-interrupting events
- Avoidance of production losses and stoppages
- Demonstrable protective measures for maintaining business processes, as a competitive advantage
Context of the organization
First, the relevant internal and external issues and the needs and expectations of interested parties shall be determined; the scope, objectives and strategies of the BCMS are then derived from these.
Leadership
As with other management systems, it is essential that top management takes responsibility for leadership and establishes an appropriate, suitable and communicated BCM policy, which should also contain the organization's fundamental values and objectives. Roles with their corresponding tasks and authorities must be defined and assigned, and their performance reported to top management.
Planning
When establishing and continually improving the BCMS, the organization shall consider the identified internal and external issues and the requirements of interested parties, and determine the risks and opportunities that need to be addressed to give assurance that the BCMS can achieve its intended outcome(s).
Business continuity objectives shall be established at relevant functions and levels of the organization, and their achievement shall be monitored and the objectives updated as appropriate.
Support
The organization shall determine and provide the resources and competence needed to achieve its business continuity objectives. Employees and relevant external service providers shall be aware of the business continuity policy, of their contribution to the effectiveness of the BCMS, and of the consequences of not conforming to its requirements. The internal and external communication relevant to Business Continuity Management, and the extent and control of the documented information required, shall also be determined.
Operation
The processes needed for the operation of the BCMS shall be planned, implemented and controlled, and documented information shall be retained as evidence. Outsourced processes shall also be controlled. The processes needed for the operation of the BCMS include:
- carrying out the Business Impact Analysis (BIA) and risk assessment;
- identifying and selecting business continuity strategies that consider options for before, during and after a disruption;
- establishing business continuity plans and procedures on the basis of the selected strategies;
- planning and controlling a program of business continuity exercises and tests at regular intervals;
- evaluating and updating the BIA, the risk assessment, the selected strategies and the plans, procedures and BCM solutions.
BCMS Performance evaluation
As with other management systems, the performance of the BCMS is evaluated by:
- monitoring the established key performance indicators for Business Continuity Management;
- internal audits of the established BCMS processes;
- management review of the BCMS by top management.
Improvement of the BCMS
Continual improvement, together with the correction of identified nonconformities, is an essential part of a Business Continuity Management System according to ISO 22301.
With its state accreditation for system certifications according to ISO 22301, CIS is a pioneer in Austria and one of the first certification bodies worldwide able to certify Business Continuity Management Systems. The certification process according to ISO 22301 follows the same structure as certification projects according to ISO/IEC 27001 for information security and ISO/IEC 20000 for service management, so that the systems can be integrated seamlessly and combined certification audits can exploit useful synergies.
Information on the project phases and the certification process can be found here.