What is ISO 22301?
The full name of this standard is ISO 22301:2012 Societal security – Business continuity management systems. This standard is written by leading business continuity experts and provides the best framework for managing business continuity in an organization.
One of the features that differentiates this standard from other business continuity frameworks and standards is that an organization can become certified by an accredited certification body, and can therefore prove its compliance to its customers, partners, owners and other stakeholders.
ISO 22301 is a management systems standard for BCM which can be used by organizations of all sizes and types. These organizations will be able to obtain accredited certification against this standard and so demonstrate to legislators, regulators, customers, prospective customers and other interested parties that they are adhering to good practice in BCM. ISO 22301 also enables the business continuity manager to show top management that a recognized standard has been achieved.
While ISO 22301 may be used for certification and therefore includes rather short and concise requirements describing the central elements of BCM, a more extensive guidance standard (ISO 22313) is being developed to provide greater detail on each requirement in ISO 22301.
ISO 22301 may also be used within an organization to measure itself against good practice, and by auditors wishing to report to management. The influence of the standard will therefore extend well beyond those organizations that choose to be certified against it.
ISO 22301:2012 is the world’s first international business continuity management standard. It was developed by ISO Technical Committee 223 (ISO/TC 223), which is responsible for the development of societal security standards. ISO published this standard on June 15, 2012. It cancels and replaces the old BS 25999 business continuity standard.
The official name of this new standard is ISO 22301:2012 Societal security – Business continuity management systems – Requirements. Its requirements are set out in seven sections, clauses 4 to 10, which are introduced in the overview below.
The purpose of ISO 22301:2012 is to show people how to set up and manage a Business Continuity Management System (BCMS). A BCMS is a set of interrelated elements that organizations use to establish, implement, operate, monitor, review, maintain, and improve their business continuity capabilities. These elements include people, policies, plans, procedures, processes, structures, and resources.
All of these elements are used to ensure that operations continue and that products and services are delivered at predefined levels, that brands and value-creating activities are protected, and that the reputations and interests of key stakeholders are safeguarded whenever disruptive incidents occur.
SCOPE OF ISO 22301
ISO 22301 is a generic business continuity management standard. It can be used by any organization, or any part of an organization, no matter what size it is or what it does. However, exactly how you apply ISO 22301 is up to you: it will depend on your organization’s unique business continuity needs and obligations, on the particular expectations and requirements of interested parties, on the organization’s inherent complexity and operating environment, on its unique structure and its legal and regulatory obligations, and on the processes it uses to support and deliver its products and services.
OVERVIEW OF ISO 22301
As previously indicated, the standard’s business continuity requirements are described in ISO 22301 clauses 4 to 10. The following material briefly introduces these seven sections.
Part 4. Context
Asks you to start by understanding your organization and its context before you develop your organization’s business continuity management system (BCMS). It asks you to identify who your organization’s interested parties are and to clarify what their needs and expectations are; and it asks you to consider all relevant legal and regulatory requirements. It then asks you to figure out what your BCMS should apply to and to formally define its scope.
Part 5. Leadership
Asks your top management to provide leadership for its BCMS by showing they support it, by assigning responsibility and authority for it, and by establishing a business continuity policy.
Part 6. Planning
Asks you to prepare plans to address the risks and opportunities that could affect your BCMS and to establish business continuity objectives and plans to achieve them.
Part 7. Support
Asks your organization to support its BCMS by providing resources. It asks you to make sure that people are competent and that they are aware of their responsibilities. And it asks you to manage information and to establish communication procedures.
Part 8. Operation
Asks you to plan, implement, and control your organization’s BCMS processes. It then asks you to study disruptions and assess risks, to set recovery priorities, and to identify risk treatment options. It then asks you to carry out an impact analysis, to develop a business continuity strategy, and to establish business continuity plans and procedures. And, finally, it asks you to conduct exercises and to test your business continuity plans and procedures.
Part 9. Evaluation
Asks you to monitor, measure, audit, and evaluate your BCMS and to review its performance at planned intervals.
Part 10. Improvement
Asks you to identify nonconformities, to take corrective actions, and to enhance the overall performance of your organization’s BCMS.