BUSINESS CONTINUITY MANAGEMENT INSTITUTE INTERNATIONAL (BCMII)


 

Links and Resources

  • Business Recovery Managers Association
  • Canadian Centre for Emergency Preparedness
  • Contingency Planning Exchange Inc.
  • Contingency Planning & Management
  • Contingency Planning World
  • Continuity Planner
  • CPM 2003 Expo
  • Critical Infrastructure Protection (Information Warfare Site)
  • Disaster Center
  • Disaster Forum
  • Disaster Recovery Information Exchange
  • Disaster Recovery Institute International
  • Disaster Recovery Journal
  • Disaster Resource Guide
  • DR Planning
  • Emergency Information Infrastructure Partnership
  • Emergency Preparedness Information exchange
  • Emergency Response Planning
  • FEMA
  • Global continuity
  • Homeland Security
  • International Association of Emergency Managers
  • Internet Disaster Information Network
  • IT Continuity New England
  • DR Info Exchange
  • Online High Tech Dictionary
  • Pacific Disaster Center
  • Phoenix Disaster
  • Recovery Strictly Business Expo
  • United Security Group
  • Critical Infrastructure Assurance Office
  • Disaster Avoidance
  • Disaster Recovery Plan Outline
  • Disaster Recovery Dictionary
  • Business Continuity Planning
  • MIT Business Continuity Plan
  • Business Continuity Duties
  • Continuity Plan Guidelines
  • Continuity Planning Guidelines - Texas
  • Disaster Recovery Guide Templates
  • Business Continuity Planning - Nortel
  • Developing a Continuity Plan
  • A Sample Disaster Recovery Plan
  • Continuity Plan Suggested Contents
  • Disaster Information Network
  • Disaster Recovery Journal
  • Disaster Resource Guide
  • Federal Emergency Management Agency
  • Phoenix Disaster Recovery
  • Business Recovery Managers Association
  • Disaster Forum
  • New Zealand Power Disruption Links
  • The Contingency Planner
  • Disaster Recovery Planning Process (Part 1)
  • Disaster Recovery Planning Process (Part 2)
  • Disaster Recovery Planning Process (Part 3)
  • Justifying the Contingency Plan
  • Legal Necessity
  • So You're the Company's New Contingency Planner
  • Business Contingency Planning Is...
  • Business Interruption

 

 


 

 

ISO 22301 explained

ISO 22301 is the second published management systems standard that has adopted the new high-level structure and standardized text agreed in ISO. This will ensure consistency with all future and revised management system standards and make integrated use easier with, for example, ISO 9001 (quality), ISO 14001 (environmental) and ISO/IEC 27001 (information security). The standard is divided into 10 main clauses, starting with scope, normative references, and terms and definitions. Following these are the standard’s requirements:

  • Clause 4 – Context of the organization
    The first step involves getting to know the organization, including both its internal and external needs, and setting clear boundaries for the scope of the management system. In particular, this requires the organization to understand the requirements of relevant interested parties, such as regulators, customers and staff, as well as the applicable legal and regulatory requirements. This enables it to determine the scope of the business continuity management system (BCMS).
  • Clause 5 – Leadership
    ISO 22301 places particular emphasis on the need for appropriate leadership of BCM. This is so that top management ensures appropriate resources are provided, establishes policy and appoints people to implement and maintain the BCMS.
  • Clause 6 – Planning
    This requires the organization to identify risks to the implementation of the management system and set clear objectives and criteria that can be used to measure its success.
  • Clause 7 – Support
    Since resources are required for implementation, Clause 7 introduces the important concept of competence. For business continuity to be successful, people with appropriate knowledge, skills and experience must be in place to both contribute to the BCMS and respond to incidents when they occur. It is also important that all staff are aware of their own role in responding to incidents and this clause deals with all of these areas. The need for communication about the BCMS – for instance in telling customers that the organization has appropriate BCM in place – and preparedness to communicate following an incident (when normal channels may be disrupted) is also covered here.
  • Clause 8 – Operations
    This section contains the main body of business continuity-specific expertise. The organization must undertake business impact analysis to understand how its business is affected by disruption and how this changes over time. Risk assessment seeks to understand the risks to the business in a structured way and these inform the development of business continuity strategy. Steps to avoid or reduce the likelihood of incidents are developed alongside steps to be taken when incidents occur. As it is impossible to completely predict and prevent all incidents, the approach of balancing risk reduction and planning for all eventualities is complementary. It might be said, “hope for the best and plan for the worst”.

ISO 22301 emphasizes the need for a well-defined incident response structure. This ensures that when incidents occur, responses are escalated in a timely manner and people are empowered to take the necessary actions to be effective. Life safety is emphasized and a particular point is made that the organization must communicate with external parties who may be affected, for instance if an incident poses a noxious or explosive risk to surrounding public areas.

The requirements for business continuity plans are laid out in Clause 8, too. Quickly understood, user-focused documents are more suitable than the large, unwieldy documents suited to auditors. Smaller plans are therefore more likely to be needed than one large plan.

A requirement not previously addressed in business continuity standards is the need to plan for a return to normal business. This simple requirement belies considered thought, as organizations must determine what to do once the initial emergency has been addressed.

The final subsection of Clause 8 covers exercises and tests, a key part of BCM. Tests are where some element of the business continuity arrangements is demonstrated to work (a pass) or not (a fail). For instance, it is possible to test if the generator will run by switching it on. An exercise may include tests, but is generally a more nuanced approach that simulates some aspect of responding to an incident. This will usually include elements of training and building awareness of how to handle disruptive incidents with difficult and unusual characteristics, as well as finding out if processes work as expected.

Exercises and tests are fundamental in ISO 22301: it is only through structured exercises – which should stretch the individuals and teams involved – that an organization can achieve objective assurance that its arrangements will work as anticipated and when required.

  • Clause 9 – Evaluation
    For any management system, it is essential to evaluate performance against plan. ISO 22301 therefore requires that the organization select and measure itself against appropriate performance metrics. Internal audits must be conducted and there is a requirement that management review the BCMS and act on these reviews.
  • Clause 10 – Improvement
    No management system is perfect at the outset, and organizations and their environments are constantly changing. Clause 10 defines actions to take to improve the BCMS over time and ensure that corrective actions arising from audits, reviews, exercises and so on are addressed.

Successful implementation

To work well, ISO 22301 will need organizations to have thoroughly understood its requirements. Every line and word has meaning and the relative importance is not necessarily reflected by the number of words devoted to a topic. Rather than being simply about a project or developing “a plan”, BCM is an ongoing management process requiring competent people working with appropriate support and structures that will perform when needed.

 

Resources for ISO 22301 Business Continuity Management

See all the resources available for ISO 22301 Business Continuity Management.

  • ISO 22301 Client manual (PDF)
  • BS 25999-2 to ISO 22301 transition guide (PDF)
  • BSI ISO 22301 Self Assessment checklist


 

 


Send mail to info@bcmii.org with questions or comments about this web site.
Copyright © 2014 Business Continuity Management Institute International
Last modified: 03/21/14