Developed by national and international standards committees independent of government, ISO 22301 provides a standard for a Business Continuity Management system.
The standard provides a systematic approach for senior leadership to assess Business Continuity and resilience risks and opportunities, monitor and review performance, and set objectives for continual improvement within the ‘context’ of organisational activities.
A business is not required by law to implement ISO 22301 or other comparable management standards, but they can help deliver a structured framework to ensure business continuity and resilience.
ISO 22301 applies to all organisations, regardless of size, industry, or nature of business. The standard is intended to be combined into an organisation’s current management system, with the same processes, and the same high-level structure as other ISO management system standards, such as ISO 9001, ISO 14001 or ISO 45001.
How to implement ISO 22301
If you are thinking about implementing ISO 22301, here are a few guidelines to get you started:
- Complete an analysis of your organization’s framework that is relevant to Business Continuity (such as interested parties) as well as the internal and external factors that might impact your business.
- Determine the scope of the system, considering what you would like the management system to achieve.
- Set your Business Continuity policy and objectives.
- Define the time frame in which you wish to implement your system and plan how to achieve it.
- Determine any competence and/or resource gaps that need addressing before you can implement the standard.
The 10 Clauses of ISO 22301
The ISO 22301 standard uses a structure of ten clauses and follows the Plan, Do, Check, Act, (PDCA) model.
Clause 1 Scope
This section sets the intent and parameters within which the ISO 22301 Business Continuity management standard can be used to attain its intended outcome.
Clause 2 Normative References
Reference to ‘normative references’ is common across all management system standards; however, in the case of ISO 22301 there are no normative references.
Clause 3 Terms and Definitions
Clause 3 of the standard provides prescriptive definitions of terms to prevent misinterpretation.
Clause 4 Context of the Organization
Section 4 requires each organization to analyse and understand the context of its activities, both externally and internally, and understand the needs of interested parties. Among other things, this will include understanding legislation, employee, stakeholder and shareholder requirements. It will also go a long way towards defining the scope of your Business Continuity management system.
Clause 5 Leadership
The Leadership section encourages both management commitment and involvement from employees. For example, sharing tasks and responsibilities across the team can ensure that knowledge is shared and that multiple team members become proficient in running the system. This helps consolidate the culture and reinforces the importance of Business Continuity within the organization.
Clause 6 Planning
Implementing any management system requires planning and the establishment of objectives for the project to ensure these are achieved at every stage.
Clause 7 Support
This clause covers elements such as communication, competence and awareness, documented information, and resources.
Clause 8 Operation
This clause covers the development of the actual business continuity arrangements within the organisation: identifying the activities and operations that need to be protected, carrying out the Risk Assessment and Business Impact Analysis, designing the programme using the appropriate business continuity strategies, and then implementing arrangements such as the incident response structure and communication plans. Clause 8 is also concerned with the ongoing maintenance, testing and monitoring of the business continuity arrangements.
Clause 9 Performance Evaluation
Monitoring and measuring the Business Continuity management system performance, including compliance with legislation and internal audit results, is covered in Clause 9. This section also emphasizes that management must review the performance of the Business Continuity management system to ensure it remains effective.
Clause 10 Improvement
The last clause sets out how an organization must ensure that continual improvement is derived from the Business Continuity management system. This can include dealing effectively with non-conformance and employing a good corrective action process.
Sections 1 to 3 of the ISO standard provide details on the scope of the standard, normative references, and explanations of terminology that help your understanding of the standard, while sections 4 to 10 contain the requirements.
How does ISO 22301 relate to Plan-Do-Check-Act?
PDCA (Plan-Do-Check-Act) is an iterative, four-stage approach for continually improving processes, products or services, and for resolving problems. It involves systematically testing possible solutions, assessing the results, and implementing those shown to work. Its adoption in any management system should ensure that it continues to evolve and improve in its performance.
Diagram of PDCA (Plan-Do-Check-Act).
The diagram below shows how PDCA relates to the sections of ISO 22301.
Day to Day Management of ISO 22301
The design of the Management System needs to allow the organisation to comply with ISO 22301 as easily as possible; otherwise, operating the system could itself lead to not meeting the standard. Systems such as BCarm, which have PDCA at the core of their design, can provide a more effective option than paper-based or electronic management systems.
What are the benefits of ISO 22301?
ISO 22301 ultimately protects the value of the organisation by minimising the likelihood and impact of it being unable to deliver its products and services to its customers and thus generate its income and profit.
- Framework – By its nature Business Continuity can be a complex process when trying to address all of the risks, known and unknown, that could cause disruption; ISO 22301 provides a framework for implementing business continuity.
- Internationally Recognised Standard – This allows you to easily communicate your approach to Business Continuity and Resilience to other parties with which your organisation engages, such as supply chains.
- Ability to meet legal and regulatory requirements – ISO 22301 can help you to establish operational controls which take into account risks and opportunities, as well as legal and other requirements.
- Leadership Commitment to Business Continuity - The standard provides a systematic approach for senior leadership to assess Business Continuity risks and opportunities, monitor and review performance, and set objectives for continual improvement within the ‘context’ of organizational activities. Implementation is a demonstration and commitment from senior leadership to internal and external stakeholders of the intent to protect workers from accidents, including short- and long-term ill health effects. This commitment also provides assurances to the Board of Directors, Trustees or owners that management controls regarding Business Continuity are inherent within the organization.
- Resilient Environment - The standard will help you to determine causes of interruption with your activities; seeking to either eliminate them or put controls in place to minimise their effects and maintain the supply of your products and services to customers.
- Creation of a Business Continuity and resilience culture, whereby employees are encouraged to take an active role - The business continuity management system helps organizations to increase employee awareness of risks, and encourages workers to take an active role in continuity and resilience matters.
- Customer Retention – If customers fail to receive your products and services, this can disrupt the relationship and cause them to seek alternatives elsewhere.
- Supply Chain participation – Supply chain resilience is critical to many organisations, so the ability to demonstrate robust business continuity arrangements can create opportunities for supply chain participation.
- Enhanced reputation - Achieving certification to this standard is a recognition that you have achieved an international benchmark, getting you noticed by customers who are concerned about their social responsibilities.
- Crisis Management – The standard will enable the business to respond to crises better which can enhance both the reputation and value of its brand.
- Opportunity - Business Continuity is not just about managing negative disruptions; it can also deal with positive disruptions, for instance having to rapidly upscale to take on an influx of work resulting from a competitor's outage.
A diagram to show ISO 22301: Your benefits at a glance.
Are there alternatives to ISO 22301?
There are no recognised alternatives to ISO 22301, although there may be initiatives by local authorities.
The Business Continuity Institute provides a structure and methodology for the development of Business Continuity that is aligned with ISO 22301.
More information on ISO 22301
For more advice and help on ISO 22301 please get in touch to arrange a discussion.