Business continuity and the ISO 22301 standard
19 May 2020
Business continuity management is dealing with the impact of disruptions in order to continue providing services or products. That is, at least to acceptable levels and time frames. A BCMS (or business continuity management system) will integrate arrangements for prevention and recovery to build resilience. The appropriate level of resilience will depend upon the context of your organization> That includes the nature of your services and products, who are your customers and other interested parties. A BCMS can help protect life and limb as well as reducing financial and reputational loss.
In the light of recent events, governments, regulators and business clients will increasingly want to be confident of resilience in their supply chains. More and more, they will seek assurance that key suppliers have implemented an appropriate level of business continuity planning. That resilience may be achieved with a BCMS and may be demonstrated by the BCMS being independently certified. Fortunately, there is an international certification standard that specifies requirements for a BCMS, and that standard is ISO 22301.
The latest (2019) version of ISO 22301 is based on the common high-level clause structure and terminology used in the current generation of ISO management system standards. These have also been applied to various other standards such as ISO 9001 (Quality), ISO 14001 (Environment), ISO 27001 (Information Security), and ISO 45001 (OH&S).
Whilst individual standards may add additional “discipline-specific” requirements, there is clearly scope for business continuity to form part of an IMS (integrated management system).
ISO 22301 and the PDCA cycle
In common with the standards mentioned above, ISO 22301 is based on the PDCA cycle of continuous improvement. The following table illustrates the clause structure of ISO 22301 in the context of the PDCA cycle.
The following is a brief summary of clauses 4-10 and their requirements.
Why do the listed clauses start at 4?
Well, naturally, the ISO 22301 standard clauses do start at 1. However, clauses 1 to 3 refer to the scope of the standard, normative references, and terms and definitions. As they don’t specify any requirements, we haven’t listed them here.
Context of the organization
4.1 Understanding the organization and its context.
4.2 Understanding the needs and expectations of interested parties.
4.3 Determining the scope of the business continuity management system.
4.4 Business continuity management system.
The context of the organization relates to the internal and external factors that can affect the ability to ensure business continuity. Understanding the context of an organization might involve some form of situational awareness or PEST/SWOT analysis.
The relevant needs and expectations of clients and other interested parties need to be understood. That would, of course, include the legal and regulatory environment, and any contractual obligations. At that point, the scope and boundaries of the BCMS may be determined more holistically, and the necessary operational and support processes can be established.
Organizations must explain any intended exclusions from the standard requirements. Typically, that is documented in a scope statement. Current legal and regulatory requirements must also be documented.
5.1 Leadership and commitment.
5.3 Roles, responsibilities and authorities.
For a BCMS to be successful, it needs to be inspired and led from the top. Top management must take accountability for it, express their commitment, give direction, and – critically – ensure that sufficient resources are made available.
Everyone in the organization should be aware of its business continuity policy, and their specific role and responsibilities. Roles and responsibilities are also referenced in section 8.4.2 Response Structure.
In larger organizations, top management may not be able to attend to the day-to-day administration of the system themselves. Of course, other people may perform those roles, but they must be given leadership, support, and adequate resources.
6.1 Actions to address risks and opportunities.
6.2 Business continuity objectives and planning to achieve them.
6.3 Planning changes to the business continuity management system.
This clause is closely linked to clause 4. Having identified factors that affect information security, the organization needs to develop strategies and actions to:
- Maintain and build on its Strengths
- Correct Weaknesses that might be barriers to meeting requirements and achieving objectives
- Grasp or maximise Opportunities
- Mitigate or manage Threats or Risks
There should be a a risk assessment process and some form of Action Plan to address the risks and opportunities identified.
The organization should put a programme in place to set measurable objectives, assign them, and monitor progress on them.
Change management processes should be implemented.
7.5 Documented information.
Determine, plan, and provide the resources and support mechanisms needed for the organization to achieve its business continuity objectives.
People with responsibilities in the BCMS must be competent to the required level. When the required level of competence is not already in place, action must be taken to acquire it e.g. by training, education, recruitment or outsourcing.
People that work for the organization must be aware of the BCMS, how they should contribute to the system, and any consequences of them not conforming to requirements.
The organization needs to determine its communication arrangements – both internally and externally – about matters relating to the BCMS.
The BCMS should be documented to the extent required for conformance to the various clauses in the standard. Documents should be maintained, and records retained.
8.1 Operational planning and control.
8.2 Business impact analysis and risk assessment.
8.3 Business continuity strategies and solutions.
8.4 Business continuity plans and procedures.
8.5 Exercise programme.
8.6 Evaluation of business continuity documentation and capabilities.
In overview, this clause requires the organization to plan, implement and maintain the necessary people, process and resources to ensure that its business activities continue during and after a disruptive event. The plan needs to consider and address the business continuity risks that have been identified.
This is one clause where ISO 22301 has significant divergence from other ISO management system standards. In the equivalent clause, ISO 45001 (OH&S) and ISO 14001 (Environment) have requirements for emergency preparedness and response, and ISO 27001 (Information Security) has requirements for risk assessment and treatment. However, clause 8 in ISO 22301 has more detailed and unique requirements. For example:
- In 8.4, the requirement to document business continuity plans and procedures is quite prescriptive in the need for documents and what must be contained in those documents.
- In 8.5, requirements are specified for an exercise and test programme. Plans should be rehearsed to ensure that their relevance and usefulness is maintained.
9.1 Monitoring, measurement, analysis and evaluation.
9.2 Internal audit.
9.3 Management review.
All systems need to be checked to verify that they are on track. A BCMS is no exception. Having established and implemented a system, organizations need to measure, monitor, analyse and evaluate performance in meeting requirements and achieving objectives. Performance evaluation requirements may broadly be divided into these areas:
- Check relevant components of the BCMS.
- Audit its conformance to requirements and effectiveness.
- Periodically review the system. This must be performed by top management.
10.1 Nonconformity and corrective action.
10.2 Continual improvement.
The organization will need to ensure that it deals with any nonconformities, determining the cause(s) and taking action to eliminate them and or to prevent recurrence in order to strive towards a continuous improvement model for the BCMS.
Continually improve the system to achieve objectives or increase the likelihood of achieving them. Also, seek opportunities to improve business continuity.
Your next step in business continuity?
The above is just a broad outline of ISO 22301 and its requirements. The full standard includes much more detail and is available from your local standards association and other sources.
Whether you are just looking to improve your business continuity management, implement a BCMS based on ISO 22301, and possibly also achieve certification, the first step is to perform a Gap Analysis. That is an examination of how well current arrangements meet the requirements of the standard. It identifies the starting point of the journey and how much needs to be done to get to the desired outcomes.
The gap analysis will at least help you find any 'low-hanging fruit' where steps can be taken to quickly improve your resilience. arrangements. From there, you may choose move on to a full business continuity management system.
So, that’s our quick introduction to the new ISO 22301 standard. We trust that you found it useful.
Contact us now to find out more.