ISO 22301
Business Continuity Management
Your implementation guide
Build a robust and resilient organization
with ISO 22301
It’s never been more important to protect your
business from the unexpected. Whether this is from
power cuts, IT system or equipment failure, industrial
action, or natural disaster, you need to make sure your
business is not vulnerable to disruption and you can
recover as quickly as possible.
Statistics indicate that 80% of organisations that are
faced with a signifcant business discontinuity, and do
not have in place adequate and appropriate plans to
ensure business continuity, do not survive the event.
Don’t let this happen to you.
At BSI we have the experience to help make sure
you get the most from ISO 22301. In fact it was our
experts who helped shape its precursor, BS 25999-2,
in the frst place.
This guide shows you how to implement ISO 22301,
and helps you put in place the measures to protect
your business and help it thrive for the long term. We
also showcase our additional support services, which
help you to not only achieve certifcation, but also help
you to continually improve your business.
“A disaster can strike an organization at any time.
You need to have a process in place that ensures the
operation is able to mitigate the impact and return
to “business as usual” as quickly as possible. For us at
Vauxhall ISO 22301 fulflls this critical business need.”
Phil Millward, GMUK HR Director with overall
responsibility to the Board for the BCMS
Contents
• Benefts
• ISO 22301 clause by clause
• Top tips from our clients
• Your ISO 22301 journey
• BSI Training Academy
• BSI Business Improvement
Software
2
How ISO 22301 works and what it
delivers for you and your company
ISO 22301 is the international standard that helps organizations put business continuity plans in place
to protect them, and help them recover from, disruptive incidents when they happen. It also helps you to
identify potential threats to your business and to build the capacity to deal with unforeseen events.
It helps you to protect your business and your reputation, stay agile and resilient, and to minimize the
impact of unexpected interruptions. Whether your business is large or small, the ability to respond quickly
and effectively to the unexpected is the key to the survival of any organization. This is why having a robust
business continuity management system in place, such as ISO 22301, can be considered as one of the most
comprehensive approaches to organizational resilience.
Benefts of ISO 22301*
72%
82%
helps protect
our business
helps manage
business risk
73%
56%
gives trust in
our business
increases our
competitive edge
“We recognize [ISO 22301] as part of our overall
management of strategic and operational risks, nurturing
and enhancing our resilience capability and culture.”
Sanjay Verma, Head of Information Security & Compliance, D&B (Australia)
*Source: BSI Benefts survey - BSI clients were asked which benefts they obtained from ISO 22301
3
How ISO 22301 works
)
ISO 22301 is based on the high level structure (Annex SL) which is a common framework for all new
management system standards. This helps keep consistency, align different management system standards,
offer matching sub-clauses against the
in u
Organization and
ss Cont ity Manag
top-level structure and apply common
em
sine
its context (4)
Bu
en
t(
language across all standards. It makes
4
Support
&
Operation
it easier for organizations to incorporate
(7,8)
their Business Continuity Management
Plan
Do
System (BCMS), into core business
processes, make effciencies, and get more
Intended
Performance
Planning
Leadership
Outcomes
evaluation
(6)
(5)
involvement from senior management.
(9)
Plan-Do-Check-Act (PDCA) is the operating
principle of ISO 22301. It’s applied to all
processes and the BCMS as a whole for
continuous improvement. This diagram
shows how Clauses 4 to 10 of ISO 22301
can be grouped in relation to PDCA.
Act
Needs and
expectations of relevant
interested parties (4)
Check
Improvement
(10)
Some of the core concepts of ISO 22301 are:
4
Concept
Comment
Context of the
organization
The environment in which the organization operates including internal and external
factors that can have an effect on your business continuity plans.
Interested parties
A person or organization that can affect, be affected by, or perceive themselves
to be affected by a decision or activity. Examples include suppliers, customers or
competitors. You may refer to them as stakeholders.
Leadership
Requirements specifc to top management who are defned as a person or group of
people who directs and controls an organization at the highest level.
Performance evaluation
The measurement of performance and effectiveness of the BCMS, covering the
methods for monitoring, measurement, analysis and evaluation, as applicable, to
ensure valid results.
Maximum Acceptable
Outage (MAO)
The time it would take for adverse impacts to become unacceptable. This is the same
as ‘maximum tolerable period of disruption (MTPD)’.
Minimum Business
Continuity Objective
(MBCO)
The minimum level of services and/or products that is acceptable to the organization
to achieve its business objectives during a disruption.
Prioritized timeframes
Order and timing of recovery for critical activities.
Warning and
communication
Activities undertaken during an incident.
Key requirements
of ISO 22301
Clause 1: Scope
The frst clause details the scope of the standard.
Clause 2: Normative references
This clause provides the normative references
contained in the standard.
Clause 3: Terms and defnitions
Please refer to the terms and defnitions contained in
ISO 22300. This is an important document to read.
Clause 4: Context of the organization
This clause is a good starting point to approach the
standard as you need to decide on the context of your
BCMS and how your organizations’ strategy supports
this. This means that you need to identify how your
organization sits within its environment.
You will need to identify external and internal issues
that are relevant to the purpose of the BCMS and how
they relate to its expected outcomes.
Then you’ll need to identify your relevant internal and
external “interested parties” (or stakeholders) who are
relevant to the BCMS.
You’ll also need to decide what is covered by business
continuity and just as importantly what isn’t. This
means that you will need to consider your appetite
for risk and what the relevant legal and regulatory
requirements for your organization are.
You will be required to communicate this scope
to relevant interested parties both internally and
externally so they are aware of your BCMS and how it
is relevant to them.
Clause 5: Leadership
This clause focuses on the role and requirements of top
management, which is the group of people who direct
and control your organization at the highest level in
relation to the BCMS.
Top management must show their commitment to
the BCMS in a number of different ways. Firstly, by
ensuring the BCMS is compatible with the strategic
direction of the organization. Secondly, they need to
show how your BCMS requirements are integrated into
your business processes. And lastly by communicating
the importance of an effective BCMS and conforming
to the BCMS requirements.
Policy creation and communication is a really
important part of this clause. You will need to ensure
that your business continuity policy is appropriate
for your organization and that it meets relevant legal
and regulatory requirements. It should also be made
available to all interested parties you have identifed.
Top management should assign responsibility for the
establishment, implementation and monitoring of the
BCMS. And fnally, you will also need to show how you
continually improve the BCMS.
5
Clause 6: Planning
Clause 7: Support
This clause relates to establishing the strategic
objectives and guiding principles of the BCMS as a
whole. It requires you to consider the risks from your
BCMS not being successfully implemented.
This clause is all about the resources that are required
to establish, implement and maintain an effective
BCMS. You‘ll need to make sure that people are
competent in terms of education, training, awareness
and experience. You will also need to consider the
communications with interested parties and your
requirements for document management.
This means that you need to make sure you
understand both the internal culture and the
external environment in which your organization
operates and also what the likely barriers may be in
preventing your BCMS from being effective.
You will be required to clearly defne your business
continuity objectives and show that you have
plans to achieve them. Your objectives should be
measureable.
You will also need to decide on the minimum level
of products and services that will be acceptable to
your organization in order to achieve your business
objectives. (This links back to the scope that you
have defned in clause 1).
You’ll need to decide who will be responsible for
delivering the objectives, what will be done in what
timescale, what resources will be required, and how
the results will be evaluated.
6
Taking into consideration the increased use of
subcontractors in today’s business environment
this clause requires you to make sure that everyone
under the control of your BCMS understands their
contribution to its effectiveness and the implications of
not conforming to it. Critically, they must understand
their role at the time of a disruption. You will also need
to show how you respond to communications from
interested parties.
It is crucial that your organization fully documents all
elements of the BCMS and these documents must be
maintained, controlled, and stored appropriately. (How
you do this is up to you, but it must be effective for
your organization).
Clause 8: Operation
Clause 9: Performance evaluation
In this clause you must show how the processes
that you have developed to manage the risks to the
BCMS are being correctly implemented. This includes
any processes that may have been subcontracted or
outsourced.
This clause covers the maintaining and reviewing of the
BCMS so it is kept relevant and up-to-date. This is so
that you have the metrics in place to ensure that you
effectively manage the BCMS and continually improve.
You need to defne the order and timing of recovery
for critical activities that support your organizations
products and services. This includes deciding on what a
minimum acceptable level is.
You need to be aware that there may be certain fnancial
or governmental obligations that require communication
and that there may be a societal need to share certain
information in the event of a disruption. Your process
should focus on minimizing the consequences of a
disruption.
You will also need to have documented procedures
to restore and return business activities from the
temporary measures adopted to support normal
business requirements after an incident.
Although you do not need to have an approved exercise
programme in place to check the effectiveness of your
BCMS, you do need to have exercises based on an
appropriate range of scenarios. Lastly, you will need to
promote continual improvement of the BCMS.
After an internal audit, the management responsible for
the area being audited must ensure that any corrections
or corrective actions that have been identifed are carried
out without delay.
This clause also covers management review. You will
need to provide information for review on the trends in;
nonconformities and corrective actions, monitoring and
measurement evaluation results, and auditing results.
Finally, there is a requirement for your organization to
communicate the results of the management review to
relevant interested parties and take appropriate actions
relating to those results.
Clause 10: Improvement
This clause is all about making your BCMS as effective as
it can be to show how you are proactive in managing it.
You are required to show how you continually improve
and enhance the performance of your BCMS to ensure
it is robust and relevant. This may be, as a result of
identifying potential threats or risks from any internal or
external factors that are relevant to your organization.
You will also need to show how the BCMS has been
updated in response to any non-conformities or
corrective actions.
7
Top tips on making ISO 22301
effective for you
Every year we help tens of thousands of clients. Here are their top tips.
Top management commitment
is key to making this a success
“The earlier that organizations talk to senior
managers, the better it will go for them so
have those discussions early”.
John Scott, Overbury, leading UK ft-out and
refurbishment business
Keep staff informed of what’s going on, create
a team or assign a champion, as this will
increase motivation. This could include a well
communicated plan of activities and timescales.
“When we decided to implement the new
standard, we assigned an internal champion
of the standard inside the organization”.
Think about how different departments
work together to avoid silos. Make sure the
organization works as a team for the beneft of
customers and the organization.
“With ISO 22301 in place, we are all talking
the same language about the business. We all
understand what is meant by best practices and
we are better able to deliver on our customers’
expectations even during an impactful business
event”.
Ronald Tse, Ribose, Hong Kong based cloud services
provider
Dan Nickel, Ciena, US based network solutions provider
Review systems, policies, procedures and
processes you have in place – you may already
do much of what’s in the standard, and make it
work for your business.
“The BCM system is a great reassurance. It has
enabled us to make plans to mitigate problems
quickly if they occur– for example, to identify a
second water supply and provide electricity backup – things we wouldn’t have done otherwise”.
Andy Drummond, Lettergold Plastics Ltd, UK engineering
company
Speak to your customers and suppliers.
They may be able to suggest improvements and
give feedback on your service.
“They [customers] know we have a solid
framework for service continuity and ability to
restore all services to business as usual operation
in the least possible time”.
Sanjay Verma, Dunn & Bradstreet (Australia), global business
information provider
Train your staff to carry our internal audits of the
system. This can help with their understanding, but
it could also provide valuable feedback on potential
problems or opportunities for achievement.
8
And fnally, when you gain certifcation
celebrate your achievement and use the
BSI Assurance Mark on your literature,
website and promotional material.
“Staff awareness training was vital to the
success of ISO 22301 implementation project”.
Jide Orimolade, AIICO Insurance, Nigerian life insurance
provider
Your ISO 22301 Journey
Review and get
certifed
See how
ready you are
Understand
and prepare
Whether you are new to business continuity management or looking to enhance your current system, we
have the right resources and training courses to help you implement ISO 22301. But our support doesn’t
stop there. We can help make sure your system keeps on delivering the best for your business.
You
need to:
We
help you:
• Buy the standard, understand the content, your
requirements and how it will help and protect
your business
• Contact us for a proposal tailored to your
organizations needs
• Buy the standard
• Discover information on our website, including
case studies, whitepapers and webinars
visit bsigroup.com
• Attend a BSI ISO 22301 Requirements training
course
• Ensure your organization understands the
principles of ISO 22301, the roles individuals in
your business will need to play and review your
activities and processes against the standard
• Download the self-assessment checklist
• Attend a BSI Implementing ISO 22301 training
course
• Book a BSI gap assessment to see where you are
• BSI Business Improvement Software can support
your ISO 22301 implementation
• Contact us to book your certifcation assessment
• Attend a BSI ISO 22301 Internal or Lead Auditor
training course
• BSI Business Improvement Software can help
your ISO 22301 implementation
• Your BSI certifcation assessment
• Ensure the right people are available for your
audit visit(s). This is a two-stage process. The
length varies depending on the size of your
organization
Continually improve and make excellence a habit
Your journey doesn’t stop with certifcation. We can help you to fne-tune your organization so it performs at its best.
• Celebrate and promote your success – download
and use the BSI Assurance Mark to show you are
certifed.
• Book any of our additional Business Continuity
training courses which can further your knowledge.
• Your BSI Client Manager will visit you regularly
to make sure you remain compliant and
support your continual improvement.
• Consider integrating other management system
standards to maximize business benefts.
• Use BSI Business Improvement Software to help
you manage systems and drive performance.
9
BSI Training Academy
The BSI Training Academy is a world leader in helping clients develop the knowledge and skills they
need to embed excellence in their organizations. We offer a range of ISO 22301 training solutions that
can be tailored to your needs. Our training courses are developed by experts in their felds who have
been directly involved in the development of ISO 22301, so when you train with us you’ll beneft from
their expertise.
Using the latest research, our accelerated learning approach is proven to fast-track learning and
improve knowledge retention. Our experienced tutors can help you get to grips with the matters that
concern you and your organization directly, whether delivered in-house or as part of an open course
where other delegates can share their experience.
Courses that help you understand ISO 22301 include:
ISO 22301 Requirements
ISO 22301 Internal Auditor
• One-day classroom-based training course
• Two-day classroom-based training course
• Learn about the structure and key requirements
of ISO 22301
• Learn how to initiate an audit, prepare and
conduct audit activities, compile and distribute
audit reports and complete follow-up activities
• Essential for anyone involved in the planning,
implementing, maintaining, supervising or auditing
of an ISO 22301 BCMS
• Ideal for anyone involved in auditing, maintaining
or supervising an ISO 22301 BCMS
ISO 22301 Implementation
ISO 22301 Lead Auditor
• Three-day classroom based training course
• Five-day classroom based training course
• Discover how to apply a typical framework for
implementing ISO 22301 following the PDCA cycle
and using the handy resources contained in the
good practice toolkit
• Gain the skills and understanding required to
lead and successfully undertake a successful
management system audit
• Recommended for anyone involved in the
planning, implementing, maintaining, supervising
or auditing of an ISO 22301 BCMS
10
• Recommended for anyone involved in auditing,
maintaining or supervising an ISO 22301 BCMS.
BSI Business Improvement Software
Accelerate implementation time and
deliver continual improvements
It can help you to:
The decision to implement a new management
system standard is a huge opportunity to drive
business improvement, but initiating, implementing,
and maintaining this can also be a challenge. Ensuring
you get the most from your investment is a key driver
to your future success.
• Manage your document control effectively
BSI business improvement software provides a
solution that can signifcantly reduce the cost and
effort to implement an effective management
system such as ISO 22301. It can be confgured to
the requirements of ISO 22301 and provide your
organization with the tools necessary to manage
essential elements of ISO 22301 across your
organization. The start of your ISO 22301 journey is
an ideal time to implement BSI business improvement
software to support your BCMS.
• Through its customizable dashboards and
reporting tools it gives you early insight into
trends that help you make business decisions
early on and drive improvement
• Accelerate implementation time by up to 50%
• Provide company-wide visibility on
implementation of the standard so you know
exactly where you are at any one time
• You can easily and accurately input actions related
to audits, incidents/events, risk and performance
The savings are the costs you
avoid because you could not see
what was happening at
the facility level.
11
Why BSI?
BSI has been at the forefront of ISO 22301 since the original Business Continuity Standard,
BS 25999-2 was pioneered by us in 2007. And we continue to be at the forefront of
developing and evolving standards to keep organizations resilient and robust. That’s why
we’re best placed to help you understand the standard.
At BSI we create excellence by driving the success of our clients through standards. We help
organizations to embed resilience, helping them to grow sustainably, adapt to change, and
prosper for the long term. We make excellence a habit.
For over a century our experts have been challenging mediocrity and complacency to help
embed excellence into the way people and products work. With 80,000 clients in 182
countries, BSI is an organization whose standards inspire excellence across the globe.
Our products and services
Knowledge
Assurance
Compliance
The core of our business centres
on the knowledge that we
create and impart to our clients.
In the standards arena we
continue to build our reputation
as an expert body, bringing
together experts from industry
to shape standards at local,
regional and international levels.
In fact, BSI originally created
eight of the world’s top 10
management system standards.
Independent assessment of
the conformity of a process
or product to a particular
standard ensures that our clients
perform to a high level of
excellence. We train our clients
in world-class implementation
and auditing techniques to
ensure they maximize the
benefts of standards.
To experience real, long-term
benefts, our clients need to
ensure ongoing compliance to
a regulation, market need or
standard so that it becomes an
embedded habit. We provide
consultancy services and
differentiated management
tools to facilitate this process.
Find out more
Call: +44 (0)345 080 9000
Visit: bsigroup.com
© BSI group BSI/UK/844/SC/0516/EN/BLD
We provide a unique combination of complementary products and services, managed through our three
business streams; Knowledge, Assurance and Compliance.
Purchase answer to see full
attachment