What is ISO 22301, and why do you need it?
In a world where cyberattacks, data breaches and natural disasters can interrupt business continuity and quickly damage reputation, organisations and businesses need to implement, maintain and keep refining their business continuity management system (BCMS). ISO 22301 certification of their continuity management demonstrates that they are doing so.
ISO 22301 helps organisations identify and prioritise threats. It allows them to implement their business continuity management system effectively so they are ready to respond to and recover from incidents with the least disruption to business.
Studies have shown that almost 1 in 5 organisations experience significant business disruptions every year. A robust and resilient organisation is therefore one that can change with the times, understands where its vulnerabilities are, and has plans in place to mitigate risk as well as to respond if it needs to. Compliance or certification to ISO 22301 business continuity management allows your organisation to achieve all of the above in a straightforward and structured manner.
The latest version of the standard
On 31 October 2019 the latest version of the ISO 22301 standard was published – ISO 22301:2019. This is a revised version of ISO 22301:2012. It aims to make the standard “more streamlined and practical”, according to the ISO. According to the United Kingdom Accreditation Service (UKAS), companies will be able to transition from ISO 22301:2012 to ISO 22301:2019 up until 30 April 2023. The deadline was, as an exception, extended due to the Covid-19 situation. The 2019 version has been generally well received, and transitions from the old to the new version of the standard are seen as a not overly onerous, value-adding exercise.
You can find the ISO 22301 business continuity management standard documentation on the official ISO website.
ISO 22301:2019 provides businesses with the most up-to-date security and resilience certification to be sure their business continuity management systems meet the international standard, set out by the ISO.
The Relationship With ISO 22301:2012
There’s not a radical difference between ISO 22301:2012 and ISO 22301:2019. Both versions necessitate senior management involvement, and the updated model reflects on what is required to sustain a successful BCMS.
That sustainability becomes much easier with a technology-based business continuity management system such as ISMS.online.
ISO 22301:2012 was published in May 2012 and amended in June of the same year. The management system requirements established in ISO 22301 business continuity management were intended to apply to all organisations. The degree to which the criteria are implemented depends on the operating environment and the scope of the organisation, in the same way one would define the scope for other management system standards such as ISO 27001.
While several concepts and terms of business continuity management have been revised to expand context and reflect established procedures, Clause 8, Operation, is the main area where changes have occurred.
ISMS.online offers ISO 22301 business continuity management frameworks within its packaged services. That means organisations that wish to migrate their existing business continuity management systems can do so, as can those embarking on ISO 22301 for the first time.
What is Business Continuity Management?
If your company was affected by a catastrophe or a crisis, would your business be able to continue? When incidents and natural disasters strike, there is little time to prepare a response structure, particularly when the key people, processes, networks, infrastructure and other essential services get disrupted.
A disaster has no bounds. It could impact your business continuity internally and externally, affecting your customers and the supply chain too. Businesses large and small can be affected. The primary purpose of business continuity management is to reduce the likelihood of threats and to guarantee that the company reacts to significant disturbances that could endanger its future.
Business continuity management is about responsible and effective leadership. It should provide a foundation for developing resilience to incidents as well as the ability to respond successfully, safeguarding the interests of your key stakeholders, reputation, and value-creating operations of your company.
A business continuity strategy with a documented management system should ensure that workers are mindful of their roles and responsibilities. In the case of an unexpected occurrence, it is essential to be able to adapt to established processes and approved procedures.
Business continuity plans within ISMS.online
Many of our customers develop simple yet effective business continuity plans within ISMS.online for meeting ISO 27001 and protecting their valuable information assets. Other customers take that even further with ISO 22301 and introduce more sophisticated resilience planning and prevention, as well as response mechanisms to incidents.
The benefits of Business Continuity Management
Business continuity management helps organisations reduce the likelihood and impact of disruption and downtime, protect assets if something does go wrong, continue operating through the disruption, and recover as quickly as possible from any incidents that do occur. Having business continuity plans in place will help your organisation in the following ways:
Comply with legal requirements
ISO 22301 is used for legal and regulatory certification of continuity management, ensuring all the required elements of a business continuity management system are being met.
Achieve marketing advantage
Brand reputation is precious for any organisation and should be protected at all costs. With a continuity management system, it’s possible to build customer confidence and trust, reducing the likelihood of a PR disaster that could damage relationships with stakeholders including customers, clients and suppliers.
Reduce dependence on individuals
Through planning, training, awareness programmes and testing, everyone in an organisation should understand what is expected of them. This breeds confidence that the business continuity plans will deliver in the event of a disruption.
Prevent large-scale damage
It’s vital to keep your business trading during and after an incident. By recovering business operations quickly after interruptions, it’s possible to reduce the cost of damaging incidents, protect the organisation’s reputation and even save lives, if dangerous events, such as fire or flooding, occur.
Operational resilience
Mishaps and unplanned events vary in scale, speed and impact, possibly only hitting a single department or location. Identifying and planning for possible smaller-scale issues that could escalate into major operational difficulties for the entire organisation will keep the wheels turning.
Business Continuity Risk
Business continuity management using a well-documented management system helps you to identify and reduce the likelihood of disruptive incidents and to address business continuity risks. Business continuity management leads to a more stable environment, while companies without an effective business continuity management system significantly increase their chances of disruption. A well-developed, organised and rehearsed Business Continuity Plan (BCP) can help the business rebound from an incident as quickly as possible.
All of your procedures must be up-to-date, accurate and efficient. Methods include but are not limited to corporate risk assessments, information security risk reviews, and addressing your health and safety policies, as well as your continuity management plan.
Examples of business continuity risks include:
- Cyberattacks and data breaches
- Unplanned IT and telecom outages
- Interruption to utility supply
- Adverse weather and other environmental causes
- Pandemics and epidemics
- Acts of terrorism
- Security incidents
- Fire
- Flood
- Loss of key personnel
- Physical property destruction or material loss
Emergency preparedness
Business continuity management details the steps you need to take in an emergency in the form of a Disaster Recovery Plan (DRP). A Disaster Recovery Plan is a documented, organised business continuity strategy that demonstrates how to respond to disruptive incidents.
The Disaster Recovery Plan begins its formation following a more detailed business impact analysis, which helps demonstrate where the most significant impact and consequences are from an event. ISMS.online gives you the tools you need to manage your business impact analysis, disaster recovery plans, and much more using information technology.
Your DRP should include a short-term arrangement to fix and rebuild critical business systems, together with a plan to address root causes and a long-term prevention approach. There are many options available to ensure that an organisation has a contingency system in place that provides the best solution.
For example, an on-site recovery system would ensure that data can be retrieved more efficiently through data backups and other means. Your prevention measures should also protect against potential server failure and consider the risks arising from external contractors. You would then build contingency plans and alternative business continuity strategies for the absence of supplies that are vital to business operations, long before they become a disaster recovery issue.
What is a BCMS?
A business continuity management system, put very simply, is a recognised approach for ensuring an organisation can continue business operations and respond effectively to disruptive incidents.
ISO 22301 provides a consistent and established method of business impact analysis, with a framework based on recognised good practice. Anyone implementing and achieving certification for an ISO 22301-based business continuity management system will find instant recognition and understanding from influential customers, including informed experts, auditors and other interested parties.
ISO itself emphasises the importance of a business continuity management system based on ISO 22301 in:
- Showing the organisation understands the needs and necessity for a stated business continuity policy and objectives
- Implementation and execution of processes, incident response mechanisms and other interventions to ensure the organisation survives a disruption
- Monitoring and continuous improvement of the business continuity management system
Demonstrating good practice for business continuity management
Following ISO 22301 as a basis for your BCMS will provide proof that the company has taken the necessary steps to meet regulatory requirements in addition to the recognised good practices.
Best practice in business continuity incorporates the whole lifecycle of business continuity management, which makes it possible to maximise the efficiency and quality of your business continuity management system. ISO 22301 provides a framework of international best practice built on the well-understood Plan/Do/Check/Act concept. This concept applies to organisations that implement, maintain and improve their business continuity management systems, and seeks to ensure compliance with the stated policy on business continuity.
With a business continuity management system based on the requirements of ISO 22301, both internal and external interested parties can be made aware that the organisation operates with good practices in business continuity management.
Disaster recovery and BCMS
In developing effective business continuity plans, an organisation will be well-placed to implement practices that reduce the likelihood of incidents and damage to the organisation. Not only this, but effective business continuity plans help you better understand your organisation and run it more effectively.
ISO guidance helps organisations identify and manage compliance, typically using a series of procedures, policies, process diagrams or similar. This guidance helps them plan for and rebound from disruptions in their business activities. However, it’s still better to avoid them entirely, although that is not always possible or feasible financially or technically. It is also essential to clarify priorities if an incident occurs, for example: what is the goal of recovery time? What is the highest endurable downtime? You can use the answer to these questions to prepare your disaster recovery plan. Speed of recovery must be a consideration. An ISO 22301-aligned business continuity management system will include disaster recovery and effective business continuity plans to help your company recover your critical operations as rapidly as possible.
BCMS and cyber-resilience
Implementing a business continuity management system (BCMS) is imperative to developing cyber resilience in today’s cyber security environment. Part of the ISO 27001 Information Security Standard contains a clause about business continuity – ISO 22301 more than satisfies this ISO 27001 requirement.
Cyberattacks have routinely hit the headlines in the last decade. For instance, the infamous global WannaCry ransomware attack in May 2017 left a trail of devastation as organisations were denied access to their own data and forced to halt business operations until large ransoms were paid.
Such incidents demonstrate the importance of ensuring your business can respond to and recover from disruptions, by implementing an effective business continuity management system (BCMS).
The benefits of ISO 22301
There are many advantages of ISO 22301, including returning the organisation to ‘business as usual’ with minimal disruption from any crisis.
Operational resilience
Having the ability to continue business operations regardless of any minor or major incident taking place is becoming increasingly important to businesses in all sectors. A Business Continuity Management System (BCMS) allows a company to plan for these incidents. This leads to greater competitiveness and decreases the amount of operational downtime a business will have, should the unexpected occur.
Emergency preparedness
ISO 22301 gives businesses and organisations the ability to respond appropriately in the event of disruptive incidents and avoid waste or unnecessary loss. Through proactively assessing the effect of the disruption, business continuity management recognises the products and services that are essential to the organisation’s survival. It seeks to determine what solutions and contingency planning will be required if an incident was to occur.
Corporate governance
Compliance with ISO 22301 helps meet the requirements of corporate governance. Essentially, the standard can provide evidence that the organisation has taken the necessary steps to comply with regulatory requirements that call for an effective business continuity management programme.
Crisis management
Crisis Management (CM) refers to the overall coordination of an organisation’s response to a crisis, in an effective, timely manner. For those responsible for handling crisis management, the goal is to avoid or at least minimise damage to the organisation’s profitability, reputation, or ability to operate. Meeting the ISO 22301 standard confirms the appropriate measures are in place for this to happen.
Disaster recovery
Disaster recovery activities concentrate on returning the organisation to “business as usual” after a traumatic event and putting it on track towards complete recovery. It’s important to recognise that this is different from business continuity management, which is about reducing the likelihood of disruption and ensuring that the enterprise can continue to function during a crisis.
Protection of reputation in a crisis
ISO 22301 certification shows stakeholders that your business continuity capability is appropriate for the scale and scope of your organisation. Like ISO 27001, it engenders more trust, especially when certified by an independent certification body. It aids your understanding of business needs by identifying potential failures and risks. Businesses can then demonstrate to stakeholders, consumers, vendors and regulators that they have a robust business continuity management system and processes in place. ISO 22301 will also increase stakeholder trust in the organisation’s ability to respond to disruptive incidents and events, and to sustain critical business processes should a catastrophe occur.
Preparation for technology failures
From telecommunications breakdown to loss of access to stored data, technology failures can be hugely damaging to an organisation’s profitability and reputation. ISO 22301 ensures all measures are in place to mitigate such disruption and that all departments are prepared for the worst-case scenario.
Reduce business interruption insurance costs
With a BCMS in place that conforms with ISO 22301, an organisation has more meaningful insights into the impacts of a potential disaster. This enables the business to better evaluate the type and value of insurance cover it requires, potentially reducing costs in the long term.
Plan for the sudden loss of critical resources
It follows that if the impact of disruption is identified proactively, an organisation will be in a strong position to maintain business continuity. Business continuity management systems help to establish what responses will be needed if a disruption occurs, and ISO 22301 further provides the capability to react adequately to any such disruption.
How does ISO 22301 work?
ISO 22301 works by setting out how to build a management system that helps an organisation to plan for any type of incident that might affect its ability to operate effectively.
This standard provides a framework for an organisation to define responsibilities and makes it possible to assess and review business continuity performance over time. With ISO 22301 you can create the documents necessary to provide auditable evidence of contingency capabilities, as part of ongoing compliance requirements.
Performance assessment, audits and continual improvement are central to the management system standard set out by ISO 22301:2012 and ISO 22301:2019.
Who can implement ISO 22301?
The ISO 22301 BCMS standard extends to organisations of all sizes, across all markets and all experience levels. Implementing ISO 22301 business continuity management includes reviewing operational structures to identify potential shortfalls, allowing the organisation to concentrate on its goals and business continuity objectives.
The business needs of the implementation project are specific to the company implementing the standard and ISMS.online makes that straightforward. There’s no need to concentrate on ‘how’ you’ll implement and manage ISO 22301, you can simply focus on the activities within the standard and focus on ‘what’ you need to do for prevention and cure.
How to Implement ISO 22301?
When you implement ISO 22301 business continuity management, the first simple step is to think about addressing the primary requirements of the standard. This starting point will encourage you to take a strategic approach (which is why leadership is so important), set the context and the scope, and develop a stated business continuity policy and objectives for the business continuity management system.
Developing a business continuity policy will help identify your areas of risk and opportunity. From here, you can consider the impacts of those risks and what they might mean for consequences, time to failure, recovery and so on. Doing so will help you discover any holes or shortcomings in how you currently meet the requirements of ISO management system standards, and identify practical suggestions for improving them. ISO describes this as business continuity strategies and solutions.
Get help with implementation
ISMS.online has partners that can help with your ISO 22301 implementation, from achieving a pragmatic and straightforward business continuity management systems approach to a highly sophisticated BCMS.
Once you’ve completed your implementation, it is essential to undertake regular audits of the business continuity management system. Internal audits are mandatory for achieving independent certification of the BCMS too. Performance reviews also complement internal audits to make sure that your management systems are operating as expected at all times.
The ISO auditor would also expect to see a record of improvements your organisation has made over time. Having a method for addressing nonconformities, corrective actions and other enhancements is a crucial requirement.
Getting started with ISO 22301
We encourage organisations to buy the ISO international standard and digest it to fully understand the ISO management system standard’s requirements. We recommend starting at the beginning (4.1, understanding the organisation and its context) and avoiding jumping into developing incident response plans until you’ve considered the scope, risks and impacts.
ISMS.online is also pre-configured with a range of tools that help you follow the process more easily and keep your focus on the business. It also maps into the more comprehensive tools and feature set for ISO 27001, meaning you can also achieve many of the ISO 22301 management system requirements. You will be able to manage tasks like audits, performance reviews, management meetings, staff education and so on all at the same time.
You will reduce costs, simplify learning for staff and make the administration of the broader business management system that much easier too. External auditors also find that much more effective and take great confidence when they see consistent operating practices across the ISO standards.
The ISO 22301 framework
Here we summarise the framework that is set out in ISO 22301:
Context
The ISO 22301 framework is for all types and sizes of organisations that implement, maintain and improve a BCMS. It should be adopted as a strategic intent by any business that wants to conform with stated business continuity policy and is committed to enhancing resilience through the effective application of the business continuity management systems.
Planning
Fundamentally, business continuity management systems planning begins with assessing and determining the risks and opportunities regarding business continuity management. The organisation must also establish business continuity objectives for the relevant functions and levels. These objectives must be monitored, clearly communicated, and updated as appropriate.
Leadership
In every industry, it’s vital that the management team can demonstrate leadership and commitment to the BCMS. This can be achieved by ‘ensuring the business continuity policy and business continuity objectives are established and are compatible with the strategic direction of the organisation’ says ISO. Leadership should use communication channels to show its people and partners the importance of effective business continuity and of conforming to the business continuity management systems requirements. The leadership strategy must also promote continual improvement and development of a culture of business continuity.
Operation
Business continuity strategy relies on operational processes being in place for incident preparedness and incident response across all functions of the business. That means establishing criteria for the processes and implementing control of the processes in line with agreed criteria. From having in place a media and communication strategy to tightly managing site risk in the aftermath of disruptive incidents, disaster recovery is reliant on continuity plans. A crucial step is keeping documented information for the purpose of proving that processes and BC testing have been carried out as planned and improved where needed.
Performance evaluation
Performance assessment means a great deal can be learnt from incidents taking place. By monitoring successes and limitations, knowledge builds up. Interested parties have a responsibility to keep records, and use the results of audits to help them make the right decisions about how to manage business disruptions going ahead. By establishing an audit programme the organisation can ensure that any necessary corrective actions are taken. The aim is to eliminate detected nonconformities and their causes.
Improvement
Continual improvement is central to the documented management system standard set out by ISO 22301. Any revisions and improvements to the way the BCMS is managed will enhance the business continuity management plan over time.
ISO 22301 policies and procedures
Policies and procedures for an ISO 22301 business continuity management compliance project must be carefully managed.
An organisation must demonstrate compliance with the ISO business continuity standard by providing appropriate documentation. This includes a scope, a detailed business continuity policy, a formal risk assessment procedure and business continuity plans that show how the organisation will respond to and recover from disruption.
Terms and definitions
The standard talks in detail about security and resilience. It uses a wide range of either specialist technical terms, or common terms that have a specific meaning in a security and resilience context.
To help you understand them, it includes definitions of the 31 most important ones. It also points you towards “ISO 22301 Security and Resilience – Vocabulary”, which lists and defines almost 300 security and resilience terms.
There are some associated guideline documents that add more detail to the requirements in ISO 22301. Some of these are listed inside ISO 27001; standout guides include:
- ISO 22313 – Guidance on the use of ISO 22301
- ISO 22317 – Guidelines for Business Impact Analysis (BIA)
If you need to understand a term that isn’t listed here, you should check in ISO 22301 to see what it means.
You can also find terms and definitions online.
ISO and IEC maintain terminological databases for use in standardisation at the following addresses:
Understanding these terms is very important. For those who are not already expert in this field, they can be a little difficult to get to grips with.
If you choose to work with us we’ll make sure you understand them. We explain them in our own support materials, and if you need more targeted help we can either answer your questions ourselves or find the right independent partner to work with you.
Auditing & Compliance
An audit is an evidence gathering process with the purpose of evaluating how well key criteria are being met. Audits must be objective, impartial, and independent, and the audit process must be both systematic and documented.
Internal audits are a mandatory part of a certified BCMS. In addition, the chosen certification body will undertake periodic ‘external’ audits in order to firstly certify the BCMS and then ensure it remains compliant to the standard. It’s also possible to carry out combined audits. This is when two or more documented management systems of different disciplines are audited together at the same time.
An ISO auditor will expect to see a record of improvements your organisation has made over time. Having a method for addressing nonconformities, corrective actions and other enhancements is a crucial requirement.
The importance of testing the BC arrangements
There are various ways to test the documented arrangements and plans contained in the BCMS. Examples include tabletop exercises, full or part-scale exercises, and harnessing learning from real events. ISO 22301 mandates that these processes happen regularly, as appropriate to your organisation’s activities and risk profile.
Compliance
Having achieved certification, you need to put in place a maintenance plan to ensure continued compliance with the ISO 22301 standard. At ISMS.online we have particular expertise in this.
We also understand that continuous improvement is an important part of maintaining an ISO 22301 certification. Clause 10 focuses on this, covering all actions taken within an organisation to:
- Deliver business continuity goals more effectively
- Increase the reliability of security procedures and controls
- Create increased security benefits for the organisation and its stakeholders
ISO 22301 Requirements
ISO 22301:2019 implements the framework, fundamental text and definitions of Annex L, formerly Annex SL. Annex L establishes a high-level framework for ISO management system standards. The Annex was drawn up to incorporate a similar core text and common terminology and concepts.
Except for Clause 8, the Annex L requirements address many of the same areas as the core requirements of ISO 27001, covered in Section 4.1 through to 10.2.
FAQs
What is ISO 22301?
ISO 22301:2012 was the first version of this standard and was revised to ISO 22301:2019 on 31 October 2019. ISO 22301:2019 is also the first ISO standard to implement Annex L, from ISO/IEC Directive 1, which offers a common foundation for all new ISO management system standards.
Why is ISO 22301 Important?
- retaining essential functions in times of crisis
- demonstrating resilience to consumers, suppliers and tender requests
- detecting and handling current and potential risks to your business
- taking a proactive approach to mitigating the effect of disruptive incidents
Done well, it is possible to implement ISO 22301 and business continuity management while adopting other management system standards.
What is a Business Continuity Management System (BCMS)?
- demonstrate the company recognises the importance and requirements of business continuity policies and objectives
- introduce and execute procedures for incident management strategies and other measures to ensure that the organisation effectively manages and recovers from a disruption
- track and continuously improve the business continuity system
Using a BCMS compliant with ISO 22301 communicates to stakeholders that your business continuity capability is acceptable for your organisation’s size and scope.
What are business continuity risks?
Examples of business continuity risks include:
- Cyberattacks and data breaches
- Unplanned IT and telecom outages
- Interruption to utility supply
- Adverse weather and other environmental causes
- Pandemics and epidemics
- Acts of terrorism
- Security incidents
- Fire
- Flood
- Loss of key personnel
- Physical property destruction or material loss
Business continuity management using a well-documented management system helps you to identify and reduce the likelihood of disruptive incidents and to address business continuity risks. Business continuity management leads to a more stable environment, while companies without an effective business continuity system significantly increase their chances of disruption.
A well-developed, organised and regularly-reviewed Business Continuity Plan (BCP) can help the business or organisation rebound from an incident as quickly as possible.
It’s essential for procedures to be up-to-date, accurate and efficient. Methods include but are not limited to corporate risk assessments, information security risk reviews, and addressing your health and safety policies, as well as your continuity management plan.
Are you prepared to respond to and recover from a disruptive incident?
To manage such risks, organisations need effective business continuity management plans to help them quickly recover from any event.
Organisations that invest in business continuity management systems reduce the likelihood of damage to revenues and reputations when emergencies arise.
What is an ISO 22301 certificate?
The ISO 22301 standard has a ‘high-level structure’, shared with other ISO management systems standards. This creates a consistency which can help organisations integrate several management systems to meet their business continuity needs.
What is business continuity management ISO 22301?
How many key clauses are there in ISO 22301?
- Scope
- Normative references
- Terms and definitions
- Context
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
What is the latest version of ISO 22301?
You can find the ISO 22301:2019 standard documentation on the official ISO website here: https://www.iso.org/standard/75106.html
Why Choose ISMS.online?
ISMS.online provides a comprehensive and intuitive range of Business Continuity Management tools to help you plan for the unexpected, and then respond accordingly. Our BCM tools allow you to put all of your work relevant to ISO 22301 and Business Continuity Management System (BCMS) together. Additionally, you can easily combine ISO 22301 and ISO 27001 with ISMS.online, and obtain certification for both in our powerful all-in-one platform.