BUSINESS CONTINUITY MANAGEMENT
Links and Resources
ISO 22301 explained
ISO 22301 is the second published management systems standard to adopt the new high-level structure and standardized core text agreed within ISO. This ensures consistency with future and revised management system standards and makes integrated use easier with, for example, ISO 9001 (quality), ISO 14001 (environmental) and ISO/IEC 27001 (information security). The standard is divided into 10 main clauses, starting with scope, normative references, and terms and definitions. Following these are the standard’s requirements,
ISO 22301 emphasizes the need for a well-defined incident response structure. This ensures that when incidents occur, the response is escalated in a timely manner and people are empowered to take the actions needed to be effective. Life safety is emphasized, and a particular point is made that the organization must communicate with external parties who may be affected, for instance when an incident poses a noxious or explosive risk to surrounding public areas.
The requirements for business continuity plans are also laid out in Clause 8. Plans should be quickly understood, user-focused documents rather than the large, unwieldy documents written with auditors in mind. Several smaller plans are therefore more likely to be appropriate than one large plan.
A requirement not previously addressed in business continuity standards is the need to plan for a return to normal business. This simple-sounding requirement calls for considered thought, as the organization must determine what to do once the initial emergency has been dealt with.
The final subsection of Clause 8 covers exercises and tests, a key part of BCM. A test demonstrates that some element of the business continuity arrangements works (a pass) or does not (a fail). For instance, whether the generator will run can be tested by switching it on. An exercise may include tests, but is generally a more nuanced activity that simulates some aspect of responding to an incident. It will usually include elements of training and of building awareness of how to handle disruptive incidents with difficult and unusual characteristics, as well as finding out whether processes work as expected.
Exercises and tests are fundamental in ISO 22301: it is only through structured exercises, which should stretch the individuals and teams involved, that an organization can achieve objective assurance that its arrangements will work as anticipated and when required.
To work well, ISO 22301 requires organizations to have thoroughly understood its requirements. Every line and word has meaning, and the relative importance of a topic is not necessarily reflected in the number of words devoted to it. Rather than being simply a project or the development of “a plan”, BCM is an ongoing management process that requires competent people working with appropriate support and structures that will perform when needed.
Resources for ISO 22301 Business Continuity Management
See all the resources available for ISO 22301 Business Continuity Management.