What is ISO 22301:2019 Business Continuity Management System?

ISO 22301:2019 is the International Standard for Business Continuity Management (BCM). It provides a practical framework for establishing and managing an effective business continuity management system.

ISO 22301 Business Continuity Management System

  • Specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of, prepare for, respond to and recover from disruptions when they arise.
  • Specifies the requirements for a business continuity management system’s planning, establishing, monitoring, and continual improvement.
  • It applies the PDCA (Plan, Do Check, Act) Cycle.
  • Organizations can obtain certification against this standard.
  • This Standard is auditable and demonstrates compliance to a standard to key stakeholders, customers, and third parties.
  • The primary driver is to increase operational resilience and roadmap recovery during times of stress.
  • Internal Staff is aware of their roles when an incident occurs.

ISO 22301 Helps You With

  • Operational Resilience.
  • Emergency Preparedness.
  • Corporate Governance.
  • Crisis Management.
  • Disaster Recovery.
  • Supply Chain Security.
  • Protection of reputation in a crisis.
  • Preparation for technology failures.
  • Plan for the sudden loss of critical resources.
  • Preparation for other emergency situations.

What are the Benefits of ISO 22301 Certification?

Emergencies and disruptive incidents are often out of an organization’s control. In these situations, the one thing you can control is how you respond.

ISO 22301 Certification will strengthen your organization regarding continuity when resilience is required. In addition, it gives confidence to customers and stakeholders that you can meet requirements regardless of circumstances.

Benefits of ISO 22301 Certification

Customer Satisfaction – Deliver products that consistently meet customer requirements and dependable service, and can be relied on.

Business Resilience – Avoid downtime and financial losses with effective risk management, emergency preparedness, and contingency planning.

Legal Compliance – Understand how statutory and regulatory requirements impact your organization and its customers.

Improved Risk Management – Greater consistency and traceability of products and services means problems are easier to avoid and rectify.

Proven Business Credentials – Independent verification against a globally recognized industry standard speaks volumes.

Ability to Win More Business – Procurement specifications often require certification as a condition to supply, so certification opens doors.

Global Recognition as a Reputable Supplier – Certification is recognized internationally and accepted throughout industry supply chains, setting industry benchmarks for sourcing suppliers.

  • Strengthen your Internal Management System.
  • Creating New opportunities due to overall improvement.
  • Prevent Large scale damage.
  • Improve Financial Performance and reduce Disruptions.
  • Achieve Marketing Advantage.

ISO 22301 Before and After Covid-19

Pre-Covid BCP had created sudden, short-term & limited capacity disruption – e.g., is the business resilient if one location is compromised?

The Business Continuity Management had a plan of data backups, inventories, redundant locations, and distributed supplier base.

Post-Covid business continuity plans focused the majority from an office environment to a virtual environment.

What are the 10 Clauses of ISO 22301:2019?

1). Scope

The scope section of this standard sets out:

  • The purpose of the standard.
  • The types of organizations it is designed to apply to.
  • The sections of the standard (called Clauses) contain requirements that an organization needs to comply with for the organization to be certified as “Conforming” to it (i.e., being compliant).

2). Normative References

  • In ISO 22301, only one document is listed – ISO 22301, Security and Resilience – Vocabulary.
  • Some of the terms used or requirements detailed in ISO 22301 are explained further in ISO 22300.

3). Terms and Definitions

There are 31 terms and definitions given,

  • Business Continuity.
  • Business Continuity Plan.
  • Business Impact Analysis.
  • Crisis Management Team.
  • Disruption.
  • Maximum Tolerable Period of Disruption (MTPD).
  • Minimum Business Continuity Objective (MBCO).
  • Recovery Point Objective (RPO).
  • Recovery Time Objective (RTO).

4). Context of the Organization

  • Establish the context of the Business Continuity Management Systems for the organization.
  • Understand the needs of expectations of the interested parties and their requirements.
  • Determine the scope of ISO 22301.
  • Communicate the scope to relevant interested parties.

5). Leadership

  • Demonstrate Management Commitment.
  • Policy.
  • Define Roles, Responsibilities, and Authorities.
  • Ensure that the business continuity policy is established.
  • Communicate the importance of effective BCM.
  • Ensure business continuity objectives are established.
  • Ensure that the resources needed for the ISO 22301 are available.
  • Ensure that the BCMS achieves its intended outcomes.
  • Ensure the integration of the BCMS requirements into the organization’s business processes.
  • Promote continual improvement.

6). Planning

6.1 Planning to Meet Business Continuity Objectives

  • Be consistent with the business continuity policy.
  • Be measurable.
  • Take into account applicable requirements.
  • Be monitored and updated as appropriate.
  • Be communicated.

6.2 Planning to Address Risks

  • Ensure that ISO 22301 can achieve its intended outcomes.
  • Prevent, or reduce undesired effects.
  • Achieve continual improvement.
  • Plan actions to address these risks and opportunities.
  • Plan how to integrate and implement the actions into its ISO 22301 processes.
  • Plan how to evaluate the effectiveness of these actions.

6.3 Planning Changes to the BCMS

The organization should consider

  • The purpose of the changes and their potential consequences.
  • The integrity of the BCMS.
  • The availability of resources.
  • The allocation or reallocation of responsibilities and authorities.

7). Support

  • Determine and provide competency resources needed for BCMS.
  • Provide awareness about ISO 22301.
  • Determine the internal and external communications relevant to the BCMS.
  • Creation, update, and control of documented information.

8). Operation

  • Operational Planning and control.
  • Business impact analysis and risk assessment.
  • Business Continuity strategies and solutions.
  • Business Continuity plans and procedures.
  • Exercise Program.
  • Evaluation of business continuity documentation and capabilities.

8.1 Business Impact Analysis

This activity enables an organization to identify the critical processes that support its key products and services, the interdependencies between processes, and the resources required to operate the processes at a minimally acceptable level.

  • Identify the time frame.
  • Identify prioritized activities.
  • Determine the resources needed to support prioritized activities.
  • Determine the dependencies.
  • Assess the impacts over time resulting from the disruption.
  • Identify the activities.
  • Define the impact types and criteria.

8.2 Business Continuity Strategy

Determining the business continuity strategy is about addressing the findings from business impact analysis and risk assessment.

9). Performance Evaluation

  • Monitoring, Measurement. Analysis and Evaluation.
  • Internal Audit.
  • Management Review.

10). Improvement

The Organization will need to continually improve the suitability, adequacy, and effectiveness of the Business Continuity Management System.

What is the Mandatory Documentation of ISO 22301:2019?

  • List of applicable legal, regulatory, and other requirements.
  • Scope of the ISO 22301.
  • Business Continuity Policy.
  • Business Continuity Objectives.
  • Evidence of personnel Competencies.
  • Procedures for communication with interested parties.
  • Incident response structure.
  • Business continuity plans.
  • Recovery Procedures.
  • Records of communication with interested parties.
  • Records of disruption details, actions taken, and decisions made.
  • Results of monitoring and measurement.
  • Results of internal audit.
  • Results of management review.
  • Results of corrective actions.

In Addition, to ISO 22301:2019 audits also offer a range of complimentary services:

  • ISO Certifications
  • ISO 9001 – Quality Management System
  • ISO 14001 – Environmental Management System
  • ISO 45001 – Occupational Health & Safety Management System
  • ISO 50001 – Energy Management System
  • ISO 27001 – Information Security Management System
  • ISO 20000 – IT Service Management System
  • ISO 22000 – Food Safety Management System
  • FSSC 22000 – Food Safety System Certification
  • HACCP – Food Safety Management System
  • ISO 21001 – Educational Organizations Management System
  • ISO 29990 – Learning Services Management System
  • ISO 20121 – Sustainability Event Management System
  • ISO 37001 – Anti-Bribery Management System
  • ISO 28000 – Supply Chain Security Management System
  • ISO 13485 – Quality Management Systems for Medical Devices
  • ISO 39001 – Road Traffic Safety Management System
  • ISO 31000 – Risk Management – Guidelines
  • ISO 22716 – Good Manufacturing Practices for Cosmetics
  • ISO 3834 – Quality Requirements for Fusion Welding of Metallic Materials
  • Halal Certification
  • “Covid-Shield” Certification
  • GlobalG.A.P. Certification
  • IFS Certification Services

FAQ’s

What is Business Continuity Management?

It is a management system that bundles interrelated methods, procedures, and rules to ensure that critical business processes keep running in the event of damage or emergencies and continuously develop and improves them.

What is Disruption?

In the Dictionary: Disturbance or problem interrupting an event, activity, or process.

In Business: The action of completely changing the traditional way an industry or market operates using new methods or technology.

What is the difference Between ISO 27001 and ISO 22301?

ISO 27001 is more information infrastructure-focused and requires addressing IT assets and “support” services to business processes.

ISO 22301 requires a more all-encompassing approach and requires the identification of critical business functions.

Critical Functions are resourced accordingly and back to functionality earlier following any disruption.

IS ISO 22301 Certification Right for You?

This standard may be right for your organization to overcome operational disruption and provide continued and effective service rapidly.

“This rigor of a certified management system has spent up the process and ensured that we have been able to deliver what our clients need: an uninterrupted service.” E.L.F.S

Who Can Avail ISO 22301?       

Any Organization – Large or Small, Profit or Non-Profit, Private or Public.

What are the focus points for implementing ISO 22301?

  • Setting up a system for Documentation and Records.
  • Management Information System.
  • Risk Assessment and Treatment.
  • Business Continuity Strategy.
  • Business Performance and Sustainability.