What is ISO 22301? A Step-by-Step Guide to Business Continuity Management
ISO 22301:2019, titled Security and resilience – Business continuity management systems – Requirements, is an international standard published by the International Organization for Standardization (ISO). It provides a framework for managing business continuity in an organization, ensuring preparedness for disruptive events. This standard is written by leading business continuity experts and offers the best practices for ensuring resilience.
Key Features of ISO 22301
One of the standout features of ISO 22301 is that organizations can become certified by an accredited certification body. This certification proves compliance to customers, partners, owners, and other stakeholders, demonstrating a commitment to maintaining operations during disruptions.
ISO 22301 integrates business continuity management into overall risk management, overlapping with information security management and IT management. It’s beneficial for proving compliance and attracting new customers by showcasing industry-leading practices.
Relationship with ISO 22301:2012
The latest revision of ISO 22301 was published in October 2019, replacing ISO 22301:2012. Although the 2019 revision doesn’t introduce major changes, it offers more flexibility and less prescriptiveness, adding value to organizations and their customers.
Benefits of ISO 22301
Comply with Legal Requirements: Countries are increasingly defining laws requiring business continuity compliance. ISO 22301 provides a framework to support compliance, reducing administrative and operational effort, and minimizing penalties.
Achieve Marketing Advantage: Being ISO 22301 certified gives you an edge over competitors. It enhances your reputation and helps attract customers who are sensitive to operational continuity, leading to increased market share and higher profits.
Reduce Dependence on Individuals: Critical activities often rely on a few key individuals. ISO 22301 helps reduce this dependency through replacement solutions and task documentation, mitigating risks when key personnel leave.
Prevent Large-Scale Damage: In a world of real-time services, downtime is costly. ISO 22301 helps prevent disruptive incidents and ensures faster recovery, ultimately saving money.
Who Can Implement ISO 22301?
ISO 22301 is applicable to any organization, large or small, for-profit or non-profit, private or public. It is especially important for companies legally required to engage in contingency planning, including those in energy, transport, health, and essential public services.
How Does ISO 22301 Work?
The focus of ISO 22301 is to ensure the continued delivery of products and services after disruptive events. This involves:
Business Impact Analysis: Identifying business continuity priorities.
Risk Assessment: Determining potential disruptive events affecting operations.
Risk Mitigation: Defining prevention and recovery plans to restore operations swiftly.
Implementation involves setting organizational rules, developing plans, and allocating resources to ensure continuity and recovery. ISO 22301 describes how to integrate these elements into a Business Continuity Management System (BCMS).
Business Continuity in Overall Management
Business continuity is part of overall risk management, overlapping with information security and IT management.
Basic Terms in ISO 22301
Business Continuity Management System (BCMS): Ensures business continuity is planned, implemented, maintained, and continually improved.
Maximum Acceptable Outage (MAO): The maximum time an activity can be disrupted without unacceptable damage.
Recovery Time Objective (RTO): The pre-determined time within which a product, service, or activity must be resumed after a disruption.
Recovery Point Objective (RPO): The maximum data loss that is acceptable after a disruption.
Minimum Business Continuity Objective (MBCO): The minimum level of services/products needed to achieve defined objectives after resuming operations.
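The terms above are only useful when they are consistent with each other for every activity in the Business Impact Analysis. The following is an added example, not code from the article or from ISO: a small BIA record with the consistency checks a practitioner applies (an RTO longer than the MAO, or a backup interval that cannot deliver the stated RPO, means the objectives are unachievable) and the resulting recovery order. The activity names, hours and percentages are constructed sample data; the backup interval field is an assumption added to make the RPO check concrete.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the page or from ISO 22301): a minimal Business Impact
# Analysis (BIA) record plus the consistency checks a practitioner applies to it.
# All times are in hours; the sample activities below are constructed.

@dataclass
class Activity:
    name: str
    mao_hours: float   # Maximum Acceptable Outage
    rto_hours: float   # Recovery Time Objective
    rpo_hours: float   # Recovery Point Objective (tolerable data loss, as a time span)
    mbco_pct: float    # Minimum Business Continuity Objective, % of normal service level
    backup_interval_hours: Optional[float] = None  # assumed field: how often data is captured

def check_activity(a: Activity) -> list[str]:
    """Return BIA consistency findings for one activity; an empty list means it is coherent."""
    findings = []
    # The RTO is the resumption target; it must fall inside the outage the business can tolerate.
    if a.rto_hours > a.mao_hours:
        findings.append(f"{a.name}: RTO {a.rto_hours}h exceeds MAO {a.mao_hours}h")
    # An RPO is only achievable if data is captured at least that often.
    if a.backup_interval_hours is not None and a.backup_interval_hours > a.rpo_hours:
        findings.append(f"{a.name}: backup every {a.backup_interval_hours}h cannot meet RPO {a.rpo_hours}h")
    # MBCO is a fraction of normal service; 0% or more than 100% is not a meaningful objective.
    if not 0 < a.mbco_pct <= 100:
        findings.append(f"{a.name}: MBCO {a.mbco_pct}% is out of range")
    return findings

def recovery_order(activities: list[Activity]) -> list[str]:
    """Business continuity priorities: shortest MAO first, then shortest RTO."""
    return [a.name for a in sorted(activities, key=lambda a: (a.mao_hours, a.rto_hours))]

def bia_findings(activities: list[Activity]) -> list[str]:
    """All findings across a BIA, in activity order."""
    return [f for a in activities for f in check_activity(a)]

# Constructed sample BIA for a fictitious organisation.
SAMPLE_BIA = [
    Activity("Customer payments portal", mao_hours=4, rto_hours=2, rpo_hours=0.25, mbco_pct=60, backup_interval_hours=0.25),
    Activity("Order fulfilment", mao_hours=24, rto_hours=8, rpo_hours=4, mbco_pct=50, backup_interval_hours=1),
    Activity("Monthly payroll", mao_hours=72, rto_hours=48, rpo_hours=24, mbco_pct=100, backup_interval_hours=24),
    Activity("HR self-service", mao_hours=8, rto_hours=12, rpo_hours=1, mbco_pct=30, backup_interval_hours=6),
]

if __name__ == "__main__":
    for finding in bia_findings(SAMPLE_BIA):
        print("FINDING:", finding)
    print("Recovery order:", recovery_order(SAMPLE_BIA))
```

Running it flags only the HR self-service record (RTO beyond its MAO, and a backup interval too long for its RPO) and orders recovery by tolerable outage, which is the priority list the BIA is meant to produce.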
Content of ISO 22301
ISO 22301 is divided into 11 sections. Clauses 0 to 3 are introductory, while clauses 4 to 10 are mandatory for compliance. These mandatory clauses cover essential requirements that organizations must implement to be compliant.
ISO 22301 Requirements and Implementation Guide
Implementing ISO 22301 can be transformative for ensuring business continuity in your organization. Let’s break down the essential requirements and steps for implementation.
ISO 22301 Requirements
Clause 4 - Context
Understand who you are, what you do, and what processes you must sustain. Identify stakeholders, their expectations, and legal and regulatory requirements. Establish and document the ISO 22301 scope, considering locations, missions, goals, products, and services.
Clause 5 - Leadership
Top management’s support and leadership are crucial. Develop, document, and communicate a policy. Ensure resources are available, direct and lead employees, and clearly define organizational roles with responsibilities and competencies.
Clause 6 - Planning
Plan for potential disruptions and their impacts. Consider risks, their consequences, and opportunities. Set measurable BCMS objectives, document them, and ensure compliance with legal requirements. Develop action plans with assigned responsibilities and timeframes.
Clause 7 - Support
Provide necessary resources to meet BCMS objectives, including infrastructure, technology, communication, competence, awareness, and documented information. Document evidence of competence for defined roles.
Clause 8 - Operation
Perform activities to meet BCMS objectives and return to normal operations. Key activities include:
Business Impact Analysis (BIA) and Risk Assessment: Identify operational, legal, and financial impacts from disruptions and analyze the likelihood of disruption.
Business Continuity Strategy: Develop options and select the most appropriate actions for mitigation, response, and recovery.
Business Continuity Procedures: Document plans and procedures with clear steps, defined roles, resource needs, and communication.
Exercising and Testing: Periodically test plans and procedures for effectiveness and review test results for improvements.
Clause 9 - Performance Evaluation
Monitor, measure, analyze, and evaluate performance indicators. Conduct internal audits to measure conformance. Document audit programs and results. Top management should review BCMS effectiveness at planned intervals and document review results.
Clause 10 - Improvement
Address non-conformities with root cause analysis and corrective actions. Continuously improve using documented information from evaluations and management reviews.
Implementation Steps
To implement ISO 22301, follow these 17 steps:
Management Support
Identification of Requirements
Business Continuity Policy and Objectives
Support Documents for Management System
Risk Assessment and Treatment
Business Impact Analysis
Business Continuity Strategy
Business Continuity Plan
Training and Awareness
Documentation Maintenance
Exercising and Testing
Post-Incident Reviews
Communication with Interested Parties
Measurement and Evaluation
Internal Audit
Corrective Actions
Management Review
Mandatory Documentation
To comply with ISO 22301, the following documents are mandatory:
List of applicable legal, regulatory, and other requirements
Scope of the BCMS
Business continuity policy
Business continuity objectives
Evidence of personnel competencies
Procedure for communication with interested parties
Records of communication with interested parties
Records of disruption details, actions taken, and decisions made
Incident response structure
Business continuity plans
Recovery procedures
Results of monitoring and measurement
Results of internal audit
Results of management review
Results of corrective actions
ISO 22301 Certification
An ISO 22301 certificate proves that a company has met the standard’s requirements and is committed to business continuity. Certification is voluntary but beneficial, especially in regulated industries like energy, finance, and public transportation.
To get certified:
Select a Certification Body: Choose an accredited certification body.
Submit Information: Provide details about your organization, employees, and core processes.
Receive Offer and Contract: Accept the offer and sign a contract.
Start Audit Program: Begin the certification process with the certification body’s audit program.
Gap Analysis and Certification Audit Stages
Before starting the official audit program for ISO 22301, an optional pre-audit called gap analysis can be conducted. This step allows the certification body to closely examine the existing Business Continuity Management System (BCMS) and compare it to ISO 22301 requirements. It helps identify areas needing more effort, saving time and money before the formal assessment.
Two Stages of the Certification Audit
Stage One: Documentation Review
The audit team checks if you meet ISO 22301 requirements, such as mandatory documents and records.
They review your business continuity management against an ISO 22301 checklist.
Any identified differences must be closed before the official certification readiness audit.
Stage Two: Certification Readiness Audit
Once you pass this audit, you receive an ISO 22301 certificate valid for three years.
For the next two years, you’ll have surveillance audits, which take less time, typically half the duration of the certification audit.
At the end of the third year, a re-certification audit is required before the certification validity ends.
Before every audit, whether it’s certification, surveillance, or re-certification, the lead auditor sends an audit plan detailing which elements of the standard will be audited and when. An audit report is submitted at the end of each audit, including a statement of conformity for the audited areas. If there are findings of nonconformity, you must take corrective actions to maintain your certificate.
Duration of ISO 22301 Certification
The time required for effective implementation varies based on the organization’s scale and complexity. It also depends on the resources and effort put in.
Small or Medium-Sized Companies: Typically, it takes three to six months.
Large Organizations with Many Sites: It can take a year or longer, especially for multinational energy companies or public sector health institutions.
Regardless of the company type, having a clear project plan for establishing ISO 22301 is essential. This timescale also includes the certification audit period before the certificate is issued by a certification body.