Measuring up to the ISO 22301 business continuity management standard is no small feat. This roughly 30-page document, developed by ISO technical committee TC 223 and first published in 2012 (the 2019 revision keeps the same ten-clause structure), is considered the touchstone of business continuity standards for all types of companies, although there are specialized guidelines such as the FFIEC business continuity booklet for financial institutions or NIST SP 800-34 for IT contingency planning. If your business continuity program is performing at this level, first of all, congratulations; it is quite an achievement. More importantly, the strength of your program makes it far more likely that your business will survive a crisis should one ever occur.
The purpose of ISO 22301 is to specify the requirements for setting up and managing a high-performing business continuity management system (BCMS). Note that it is a requirements standard, the one an organization can be certified against; its companion, ISO 22313, is the guidance document. It essentially dictates how all the elements of a program should work together so that your business can continue delivering its products and services at acceptable, predefined levels following a disruption (not necessarily at normal levels; your BIA sets those minimum levels and the timeframes for reaching them), so that you can protect your brand as well as the interests of your key stakeholders, including your customers.
It is one standard among many; in fact, it is smart for companies to use more than one. (The various standards differ in emphasis: NFPA 1600, the National Fire Protection Association's standard, for example, puts forth more nuts-and-bolts directives than ISO 22301, which measures at a more strategic level.) How you apply the standard is up to you: either adopt it in full, or settle on a more moderate approach that still provides an adequate level of protection for your business. That decision will be shaped in part by the nature of your business: if your industry is governed by strict legal or regulatory requirements for business continuity, implement the standard to the fullest extent you can.
But no matter how you choose to implement ISO 22301 as your preferred business continuity management standard, do so by formally adopting it and making it the basis for the operation of your BCMS. Having a clear understanding among all stakeholders ensures a greater level of commitment—and makes it more difficult to veer off course.
Let’s take a closer look at the 10 main sections (clauses) of ISO 22301, in layman’s terms.
The first three sections (Scope, Normative references, and Terms and definitions) mainly serve to provide context about the standard itself and its overall purpose; they contain nothing you have to implement or can be audited against.
Section 4 (Context of the organization): The standard really begins here, with how to start evaluating your program. The purpose of this section is to get you thinking about your business, its interested parties, and its legal and regulatory obligations, and to understand, realistically, what it might need in the event of a disruption.
Section 5 (Leadership): A business continuity program is only as good as the level of management support it receives. This section calls your attention to the elements that govern a program (policy, roles, and accountability) and ensures it has the support it needs to succeed.
Section 6 (Planning): This section requires you to revisit the issues identified in section four and turn them into objectives and plans to reach them. Understanding your company as a whole is necessary for planning the appropriate strategies and actions.
Section 7 (Support): This section outlines the building blocks a plan needs in order to work: resources, competence, awareness, communication, and documented information. Something as simple as making sure people know about the plan could make or break its success.
Section 8 (Operation): Section 8 is where much of the “meat” of ISO 22301 lies. It tells you what you need to do to create a working program: the business impact analysis and risk assessment, the continuity strategies, the plans and procedures, and the exercising and testing.
Section 9 (Performance evaluation): Evaluating your business continuity program is the only way to truly know if it will work. Are you doing what is required to measure its performance, audit it internally, and review it at management level?
Section 10 (Improvement): You must demonstrate a commitment to continually improving your plan over time, both in resolving nonconformities and outstanding issues and in keeping it up to date as your business changes.
Meeting the ISO 22301 business continuity management standard takes discipline, time, and resources—as well as the ability to accurately develop and evaluate effective strategies. The BCMMetrics™ suite of business continuity software can help.
The BIA On-Demand (BIAOD) tool gives you everything you need to conduct a complete business impact analysis at the company, division, or department level. Compliance Confidence (C2) measures your business continuity program with a series of comprehensive questions and a clear, FICO-like scoring system. And the Residual Risk (R2) tool can help you quantify your residual risk and evaluate it. Each of these tools is aligned with multiple major industry standards, including ISO 22301. They are easy to use and give you the opportunity to perform unlimited self-assessments of your enterprise BCM program. To find out more about how they work, schedule a demo today.
To ensure consistency and completeness as you develop your program, we’ve designed an ISO 22301 checklist. If you can verify that your program has each of the following elements associated with Sections 5-10 of the standard, your company has the organized and thorough continuity program outlined in ISO 22301. You can also use it as an ISO 22301 audit checklist if your company is preparing to undergo an official certification process; keep in mind that a self-check is preparation, not a substitute for the accredited registrar's audit that certification requires. *The starred items are where most companies fall short, in our experience, so pay special attention to your efforts in those areas.
You have a management oversight committee in place, along with a process that dictates how the committee will oversee the program from the time of creation all the way through implementation, maintenance, and the actual carrying out of plans.
Your policies and objectives align with the requirements of your organization. If you have more stringent legal or regulatory requirements, or customer and stakeholder requirements, then your policies must match those obligations.
You have documentation showing that you understand your company’s requirements for a business continuity plan. It should define the following and note how each contributes to the development of your business continuity management system:
You have a document management system that includes all the supporting documents related to every stage of your business continuity management system, from training to practice exercises. The system you use manages and organizes relevant documents, makes it easy to refer to them, and makes them accessible to the right people.
You have a good documentation maintenance program that provides a schedule for updating key components of the program, such as the Business Impact Analysis, recovery plans, and policies and objectives.
*You have a training program in place as well as global awareness of the program and its recovery processes. (Global awareness includes employees at all levels of your company—not just senior-level personnel or those who are actively involved in implementing the processes.)
You have a communication system in place that ensures ongoing communication with interested parties and stakeholders, before, during, and after an event. This process should also include communication as your program is developing (not just when an event occurs), for instance, interaction or consultation with regulatory bodies.
*You have performed and documented a risk and threat assessment to determine the risks to your business and the controls that mitigate them.
You have performed a complete Business Impact Analysis (BIA) to determine the criticality of your business operations based on the processes they perform, to set how quickly and to what level each must be recovered, and to identify the dependencies that must be in place for those processes to run. (Use our comprehensive Business Impact Analysis (BIAOD) tool for a simple yet thorough way to identify your critical business processes and their system/resource requirements.)
*You have designed appropriate business continuity strategies and the requirements for each based on what you need to recover and when you need to recover it, and you have documented them (e.g., outsourcing, alternate sites, splitting up call centers). Each strategy is based on your BIA and your risk/threat assessment.
You have created the following business recovery plans depending on the requirements of your company, the strategy requirements, and the BIA:
You have a program of regularly scheduled exercises and tests that is appropriate based on the requirements of the company and the findings of the BIA. You also have a process to document test results and the issues they uncover.
You have documented management reviews to confirm ongoing management review and appraisal of the program.
You have documented results of regularly scheduled internal or external audits of your program. (Internal audits tend to be less effective because of a lack of objectivity; an external third-party review of your program every two years is recommended. Note that the standard itself still requires internal audits at planned intervals, so an external review supplements them rather than replacing them.)
You have processes in place to measure and evaluate the performance of the program, including specific metrics for compliance and residual risk. You know the ROI of your program and whether it’s getting the intended results. (To easily assess your program compliance against industry standards, try the cloud-based self-assessment tool Compliance Confidence (C2). To assess residual risk try our Residual Risk (R2) tool.)
*You have a process designed to identify weaknesses in your program (either through testing or measuring) and take corrective action to address them; you also have those processes and actions documented.
You have a post-incident review process in place. You add your findings to a knowledge base and use them to improve your future plans.
All of our BCMMetrics™ tools were designed with standards like ISO 22301 in mind. Because they are intuitive self-assessment tools, you can use each of them (Business Impact Analysis (BIAOD), Residual Risk (R2), and Compliance Confidence (C2)) to do your own due diligence so you know where you stand in preparation for an ISO 22301 or related audit of your BCM program. All of our tools are regularly reviewed and updated in response to changes in the industry and regulatory landscape.
Schedule a free demo to see the tools in action, and find out where your program stands today.