ISO 22301

Business continuity management: be prepared for worst-case scenarios.

Emergency and disaster recovery plans can be of immense importance for operations in the event of disruptive incidents. However, this is only the case if they cover actual requirements, are up-to-date and are regularly reviewed for effectiveness – a practised Business Continuity Management System (BCMS) in accordance with ISO 22301 ensures this.

Awareness among managers is on the rise – certifications for business continuity management are becoming a global trend. Following the publication of the first edition of the international standard ISO 22301 in 2012, the second edition has now been available since 2019.

In terms of content, the BCM standard has become even more compact. Now 21 pages long in the current second edition, the standard sets out the requirements for planning, introducing, implementing, operating, reviewing, maintaining and continuously improving a documented management system for business continuity.

The standard requirements of ISO 22301 are deliberately kept general by the authors so that organizations of all sizes and industries can apply them. The Plan-Do-Check-Act process improvement model, which has proven itself in both quality management and information security, is also a central element for the operation of BCM systems.

Your advantages

  • Preparation for events that interrupt operations
  • Avoidance of production downtime and stoppages
  • Proof of protective measures to maintain business processes as a competitive advantage

Context and scope of application

Firstly, the relevant internal and external topics as well as the interested parties and their requirements must be determined, from which the scope, objectives and strategies of the BCMS can be derived.

Leadership
As with other management systems, it is essential that the top management of the organisation assumes leadership responsibility and establishes a BCM policy that is appropriate for the organisation and communicated within it, and that contains its basic values and objectives. The definition and assignment of roles with corresponding tasks and authorisations must also be addressed, not least for reporting to top management.

Planning
For the introduction and continuous development of the BCMS, the internal and external issues that have already been identified, the requirements of interested parties and the risks and opportunities for the BCMS must be determined and addressed so that the management system can fulfil its intended purpose. Business continuity objectives must be formulated for all relevant functions and levels of the organisation, their achievement monitored and the objectives adjusted if necessary.

Support
In order to achieve the defined BCMS objectives, the organisation must identify and provide sufficient resources and ensure that its personnel have the necessary competencies.

Employees and relevant external service providers must be given an appropriate awareness of the organisation’s business continuity policy and its contribution to achieving the business continuity objectives. The communication required for business continuity management and the scope and control of the necessary documented information must also be ensured.

Operation
The processes required for the operation of the BCMS must be planned, introduced and controlled. Evidence of this must be available as documented information. Outsourced operational processes must be included. The processes for the operation of the BCMS include:

  • Conducting business impact analyses and risk assessments
  • Identification and selection of business continuity strategies that consider options before, during and after disruptive events
  • Development of business continuity plans and measures based on the selected business continuity strategies
  • Creating and managing programmes for regularly planned business continuity exercises
  • Regularly evaluating and updating the business impact analyses and risk assessments, the selected BCM strategies and the BCM plans and BCM solutions developed

Evaluation of the performance of the BCMS
As with other management systems, the performance of the BCMS is assessed using the following criteria:

  • Monitoring of established key figures for business continuity management
  • Internal audits in the area of established processes for the BCMS
  • Review of the BCMS by top management

Improvement of the BCMS
Continuous improvement and the correction of identified deviations are an inherent part of the Business Continuity Management System in accordance with ISO 22301.

Certification

With the state accreditation for system certifications according to ISO 22301, CIS is a pioneer in Austria and is also one of the first global players internationally to be able to carry out certifications for business continuity management systems. The certification process according to ISO 22301 conforms to the structure of certification projects according to ISO/IEC 27001 for information security and ISO/IEC 20000 for service management, so that system integration is seamlessly possible and useful synergies can be utilised through combined certification audits.

Information on the project phases and the certification process can be found here.

Innovations on the climate crisis

The International Organisation for Standardisation (ISO) and the International Accreditation Forum (IAF) have published a joint communiqué due to the climate crisis and its effects. These requirements have been valid since 23 February 2024.

This communiqué sets out changes to ensure that companies and organisations address these issues. These changes are anchored in the following chapters of the standard:

Chapter 4.1: ‘The organisation shall determine whether climate change is a relevant topic.’
Original text: ‘The organization shall determine whether climate change is a relevant issue.’

Chapter 4.2.1: ‘Note: Relevant interested parties may have requirements related to climate change.’
Original text: ‘NOTE: Relevant interested parties can have requirements related to climate change.’
