ISO 22301 Business Continuity Management System

ISO 22301:2019, Security and resilience – Business Continuity Management Systems – Requirements, has replaced the previous ISO 22301:2012, Societal Security — Business Continuity Management Systems — Requirements.

ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.

Organizations that implement a Business Continuity Management System (BCMS) based on the requirements of ISO 22301 can undergo a formal assessment process through which they can obtain accredited certification against this standard. A certified BCMS demonstrates to internal and external stakeholders that the organization is adhering to good practices in business continuity management. 

ISO/IEC 22301:2019 is intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization’s operating environment and complexity.

This standard is applicable to all types and sizes of organizations that:

1. Implement, maintain and improve a BCMS;
2. Seek to ensure conformity with stated business continuity policy;
3. Need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption;
4. Seek to enhance their resilience through the effective application of the BCMS.

This document can be used to assess an organization’s ability to meet its own business continuity needs and obligations.

The objectives of ISO/IEC 22301 standard:

• Defines business continuity as a corporate capability and identifies its essential components and processes;
• Identifies the drivers that make business continuity management a vital corporate and management competency in the 21st Century;
• Establishes and defines the roles and responsibilities that corporate managers and boards fulfil in developing effective BCM practices;
• Presents a step-by-step framework for developing and maintaining effective business continuity management processes;
• Provides an overview of the software applications available to support BCM planning and execution processes;
• Presents example of sound business continuity management capabilities in practice.

Our approach has been covered in a 5 phases. These include: 

Phase 1: Understand Business Process
Understanding the environment and management’s expectations along with the policies and procedures.

Phase 2: Identify Risks and Controls
Identify target processes and understand the process flow, risk, information assets and controls pertaining to processes. 

Phase 3: Controls Design Testing
Identify controls based of ISO 22301 and prepare the issue and opportunity registers, test the control design and identify deficiencies. Prepare risk mitigation plan and calculate the residual risks.

Phase 4: Controls Evaluation
Perform internal audit and identify the control weaknesses and impact of deficiencies. 

Phase 5: Certification
Invite certification agency for the certification audit