ISO 22301:2019

ISO 22301

ISO 22301 is the international standard for a Business Continuity Management System (BCMS). It is designed to help an organization protect against disruptive incidents, reduce the likelihood of their occurrence, and prepare for, respond to, and recover from them when they arise. With a Business Continuity Management System in place, your organization is prepared to detect and prevent threats.

ISO 22301 enables you to respond effectively and promptly, based on procedures that apply before, during, and after an event. Implementing a business continuity plan within your organization means that you are prepared for the unexpected: it gives assurance that your organization will continue to operate without major impacts and losses.

ISO 22301 REQUIREMENTS

Let’s take a look at the requirements of ISO 22301, which are given in clauses 4 to 10.

Clause 4 - Context: Organizations must understand who they are, what they are doing, and which processes and outputs they must sustain. They must also determine who has a stake in the continuity of operations – interested parties – and what their expectations are. Also, legal and regulatory requirements must be identified and documented. With this information, the organization establishes and documents its ISO 22301 scope. When determining the scope, the organization’s locations, missions, goals, products, and services must be considered.

Clause 5 - Leadership: For successful implementation of ISO 22301, organizations need the continuous support and leadership of top management. To show their commitment, the top management of the organization should develop, document, and communicate a policy within the organization and with interested parties while making resources available, directing and leading employees to contribute to the effectiveness of ISO 22301. For this purpose, organizational roles must be clearly defined with responsibilities, authorities, and competencies for each role.

Clause 6 - Planning: To plan for business continuity, organizations must understand what disruptions could potentially occur and how these incidents would affect the business. Organizations must consider the consequences of risks, their impact, and the benefits of opportunities in light of their context, and plan actions to address them. The standard also requires organizations to set measurable BCMS objectives that guarantee the minimum viable products or services, as well as compliance with any legal or regulatory requirements. These objectives must be documented and communicated. To achieve them, organizations must have action plans with a timeframe and assigned responsibilities.

Clause 7 - Support: No organization can advance without resources and support. Organizations must consider resource needs and provide them to meet their BCMS objectives. These resources may include infrastructure, technology, communication, competence, awareness, and documented information. The standard requires documented evidence of competence for the defined roles, such as training records, education, and professional background.

Clause 8 - Operation: This section of the standard describes the activities that should be performed to meet BCMS objectives and return to the normal way the organization operates. Key activities include:

  • Conducting and documenting a business impact analysis (BIA) and risk assessment. The BIA should identify the operational, legal, and financial impacts resulting from a disruption. While conducting the BIA, the duration of the disruption is an important input for determining impacts and, later, the recovery time. The risk assessment enables the organization to analyze the likelihood of disruption to its activities and resources.
  • Developing a business continuity strategy. Organizations are required to develop a continuity strategy using the information gathered from the risk assessment and business impact analysis. A business continuity strategy essentially means developing options and selecting the most appropriate actions, including mitigation, response, and recovery.
  • Establishing and implementing business continuity procedures. Organizations are required to document business continuity plans and procedures based on the outputs of their strategy. The plans and procedures should have clear and specific steps for handling disruptions, well-defined roles and resource needs, and organized communication.
  • Exercising and testing the business continuity procedures. ISO 22301 requires periodic testing of plans and procedures to confirm that they are appropriate and effective. Test results must be reviewed and reported, with recommendations for improvement.

Clause 9 - Performance evaluation: Organizations need to consider performance indicators and metrics; monitor, measure, analyze, and evaluate them; and then document the results. Planned internal audits should be conducted to measure the level of conformance to the standard and the organization’s own requirements. The audit program and results must be documented. Lastly, top management should review the effectiveness of the BCMS at planned intervals and document the results of these reviews.

Clause 10 - Improvement: Organizations shall have a methodology to address nonconformities, identifying root causes and taking corrective actions, as well as strategies for continual improvement. The standard mandates documented information on the evaluation of corrective actions. The organization needs to consider the results of analysis and evaluation, and the outputs of the management review, to determine whether there are needs or opportunities for improvement.

HOW TO IMPLEMENT ISO 22301

To implement ISO 22301 in your company, you have to follow these 17 steps:

      1) Management support
      2) Identification of requirements
      3) Business continuity policy and objectives
      4) Support documents for management system
      5) Risk assessment and treatment
      6) Business impact analysis
      7) Business continuity strategy
      8) Business continuity plan
      9) Training and awareness
     10) Documentation maintenance
     11) Exercising & testing
     12) Post-incident reviews
     13) Communication with interested parties
     14) Measurement and evaluation
     15) Internal audit
     16) Corrective actions
     17) Management review

MANDATORY DOCUMENTATION

If an organization wants to implement this standard, the following documentation is mandatory:

  • List of applicable legal, regulatory and other requirements
  • Scope of the BCMS
  • Business continuity policy
  • Business continuity objectives
  • Evidence of personnel competences
  • Procedure for communication with interested parties
  • Records of communication with interested parties
  • Records of disruption details, actions taken, and decisions made
  • Incident response structure
  • Business continuity plans
  • Recovery procedures
  • Results of monitoring and measurement
  • Results of internal audit
  • Results of management review
  • Results of corrective actions

FAQ

The full name of this standard is ISO 22301:2019 Security and resilience – Business continuity management systems – Requirements. It is an international standard published by the International Organization for Standardization (ISO), and it describes how to manage business continuity in an organization.
ISO 22301 is used for certification of business continuity management against legal and regulatory expectations, confirming that all the required elements of a business continuity management system are in place.
An ISO 22301 certificate is valid for three years from the date of issue. However, to maintain the certificate, you must undergo annual surveillance audits.
There is no predefined cost for ISO 22301 certification. It depends on several factors, such as the complexity of your business, total workforce, number of office branches, branch locations, etc. Once you have decided to pursue the certificate, contact Ralcare Certification Pvt Ltd by e-mail at realcertgroup@gmail.com or by phone on 9667269214.
ISO 22301 can be applied to any type of organization, regardless of its size or sector. Any organization that aims to build its business for the long haul should implement the requirements of ISO 22301.
Gaining an ISO 22301 certification allows your organization to rest easy knowing that plans are in place to secure critical business functions in times of need.
The standard was conceived in such a way that it is applicable to any size or type of organization. ISO 22301 implementation and certification can be considered essential to any company legally required to engage in contingency planning, including energy, transport, health, and essential public services.
  • Meet strategic business objectives
  • Gain competitive advantage
  • Increase reputation and credibility
  • Improve operations, supply chain and information resilience
  • Ensure the ability to continue business with maximum output/results despite disruptions
  • Eliminate operational glitches and vulnerabilities
  • Establish robust response and recovery procedures
  • Reduce dependence on individuals
  • Enhance corporate reputation
  • Abide by legal and regulatory requirements
  • Improve process and organizational focus

  • List of legal, regulatory and other requirements (clause 4.2.2)
  • Scope of the BCMS and explanation of exclusions (clause 4.3)
  • Business continuity policy (clause 5.2)
  • Business continuity objectives (clause 6.2)
  • Competencies of personnel (clause 7.2)