The concept of business continuity involves three key elements: resilience (critical business functions and the supporting infrastructure are designed in such a way that they are not easily affected by disruptions); recovery (there are arrangements in place to recover or restore critical business functions following a disruptive event) and contingency (capability and preparedness to cope effectively with incidents).
Business continuity has become increasingly important in recent years as the business world is getting more complicated and interconnected and the environments in which organizations operate are getting more turbulent. The risks that any company faces range from common ones that can be identified and evaluated, to unforeseen risks, referred to as "black swan events": unexpected events of large magnitude and consequence that hit the organization without warning.
ISO 22301 is an international standard published in 2012 that defines the requirements for a business continuity management system.
Certification to ISO 22301 demonstrates that the organization has the arrangements in place to protect its assets and ensure critical business functions will continue to operate at an acceptable level even in case of a crisis situation.
ISO 22301 defines the requirements that must be met in order for an organization to design and implement an effective business continuity management system that can be audited and certified as evidence of conformity. Below we explain the requirements of ISO 22301:2018 with the important mention that the requirements of this standard (like in the case of any management system standard) must be understood and implemented taking into consideration the specifics of each organization, its activities and context.
CONTEXT OF THE ORGANIZATION
An organization implementing ISO 22301 is required to determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of this management system. There is no organization that is operating in isolation or in a vacuum and of course there are many internal and external factors that can affect it. Examples of internal issues include products and services that if disrupted can have a significant impact on the organization; governance and decision-making process; the risk appetite or the culture of the organization; human resources or the equipment and technologies the company is using. External issues to consider can be: environmental conditions; political climate or social aspects.
Interested parties relevant for the business continuity management system along with their requirements must be identified. Customers, partners, employees, authorities, the local community, insurance companies or suppliers are examples of typical interested parties for most organizations. Legal and regulatory requirements related to business continuity that the organization is required to comply with must be identified, kept up to date and of course taken into account in the business continuity management system. The scope of the business continuity management system shall be identified and documented. An organization can choose to include in its business continuity management system all activities and locations operated or only part of them. For a credible management system it is important not to leave outside the scope of the system activities or locations that have a significant impact on the ability of the organization to deliver its key products and services.
The support of top management is vital for the business continuity management system to be taken seriously in the organization. ISO 22301 requires that senior management of the company demonstrates its commitment to the establishment, implementation and improvement of the business continuity management system. A written business continuity policy is required, signed off by top management, communicated in the organization and made available to interested parties as appropriate. Top management shall ensure that responsibilities and authorities for personnel of the organization are assigned and communicated. One or several persons shall be tasked to coordinate the business continuity management system, ensure that it conforms to requirements and report on its performance.
In planning its Business Continuity Management System (BCMS) the organization must determine the risks and opportunities that it needs to address in order to ensure this management system achieves its intended results and to achieve continual improvement. Some examples of risks that can be considered: human resources related risks (e.g. lack of sufficient personnel, key employees leaving the organization); risks related to legal and regulatory requirements (e.g. frequent changes to relevant legislation) or risks related to the economic environment (e.g. difficult access to financing, lack of cashflow). Opportunities can refer to aspects like obtaining the certification to ISO 22301 (which could help the organization gain more corporate clients) or participation in projects or organizations, for example. The organization is required to establish and document business continuity objectives along with who will be responsible for achieving the objectives, what will be done, what resources are needed and when the objectives shall be completed. Obviously the achievement of business continuity objectives shall be monitored.
Resources required for the implementation, maintenance and improvement of the Business Continuity Management System (BCMS) must be available. The organization is required to determine the competence needed for persons doing work under its control and ensure the persons are competent in terms of education, experience and training. As needed the company must act to ensure relevant personnel acquire needed competence. This can include: the provision of training and mentoring, recruiting of competent personnel or changing positions of employees to suit competence requirements. People doing work under the organization’s control should be aware of the provisions in the continuity policy, their contribution to this management system, their role during disruptive incidents and the consequences of not complying with requirements. Communication is key for business continuity and the organization needs to ensure that its communication processes (internal and external) are effective. The BCMS must be supported by documented information (e.g. manuals, procedures, policies, instructions, plans, etc). The documentation must be controlled in terms of its distribution, versioning, retention and disposition, retrieval and use, preservation of legibility and prevention of unintended use of obsolete documents.
ISO 22301 requires the organization to develop a process for business impact analysis. This process shall include: the identification of activities that support the provision of key products and services; evaluating the impact of not being able to perform such activities (here the organization can use metrics like the Maximum Tolerable Period of Disruption and Recovery Time Objectives) and setting timeframes for resuming those activities at a minimum acceptable level (setting MBCOs – Minimum Business Continuity Objectives). A formal risk assessment is required to identify, analyze and evaluate the risk of disruptive events and to act to treat identified risks. Two important aspects to take into consideration in the risk assessment are: Single Points of Failure and possible events or crises outside the boundaries of the organization that can have an influence. Based on the results of the business impact analysis and the risk assessment the organization shall develop its business continuity strategy. This should include an identification of the resources required for business continuity (people, infrastructure, information, transportation, finance, partners, suppliers, etc); proactive measures to address identified risks; business continuity procedures; the appointment of an emergency team (incident response structure); development of warning and communication procedures and business continuity plans (BCPs). To ensure that business continuity arrangements will work when needed the organization must periodically test its procedures and improve them as needed.
ISO 22301 asks that the organization evaluates its business continuity performance and the effectiveness of its BCMS. If and when adverse effects or trends are identified the organization shall act before a nonconformity occurs. At planned intervals the organization shall perform internal audits of its Business Continuity Management System to ensure it is effectively implemented and maintained. Top management is required to review periodically the business continuity management system to ensure it continues to be suitable, adequate and effective.
When nonconformities are identified the organization must act to correct the nonconformities and deal with the consequences. The standard requires the organization to identify the root cause of nonconformities and implement corrective actions so that they won't happen again. Lastly, the standard asks the organization to continually improve the suitability, adequacy and effectiveness of its Business Continuity Management System.
This is a short presentation of the requirements that an organization shall meet to obtain conformity to ISO 22301 and obtain the certification after a successful certification audit.
ISO 22301 can be implemented by small or large organizations, regardless of their activities or specifics. The standard can be integrated with other management system standards like ISO 9001, ISO/IEC 20000-1 or ISO/IEC 27001, for example.
For certification purposes please contact us by e-mail at email@example.com.
If you're looking for an online training that details the requirements of ISO 22301 you can check out our course below.
A management system is a set of elements (policies, processes and procedures) used by an organization to fulfil its objectives and perform its tasks. A management system can address a single discipline (e.g. a quality management system or an information security management system) or several disciplines at the same time, in what is referred to as an integrated management system. It is the choice of the organization what type of management system it implements and certifies.
For every discipline there are specific standards that define the requirements for a management system (e.g. ISO 9001, ISO 14001 or ISO/IEC 27001). An organization wishing to obtain the certification of its management system has to demonstrate during an initial certification audit that it fulfils the requirements of the specific standards used as reference for certification.
Regardless of the discipline all management systems generally require organizations to define roles, responsibilities and authorities for personnel, document policies, establish objectives and actions to achieve them, demonstrate operation in controlled conditions, monitor, measure, analyze and evaluate performance and act to continually improve the system.
A management system can be implemented by the organization using internal resources or with the help of external consultants. The management system needs to be maintained and continually improved.
To be useful, a management system should become an integral part of the organization’s activities and not a set of requirements separated from operational routine.
The support from top management is vital for the success of a management system in the organization.
Certification is an attestation from a third party (usually called registrar or certification body) that the management system implemented by an organization fulfills the requirements of applicable standard(s).
So, in fact, it is the management system, not the organization itself, that is the subject of certification.
The certification process begins with the application sent by the organization looking to obtain certification. It has to be a written application and it is useful to the certification body for understanding what is required and for planning the resources needed to provide the certification services.
A contract for the certification is signed.
The certification audit is done to evaluate how the requirements of the standard(s)/reference documents are implemented. The audit team is made up of one or several members and the audit duration depends on a series of factors like the standards for certification involved, the size of the organization, its activities, locations, etc.
In case the conclusions of the audit are positive and there are no other elements that may affect the certification, the certification body issues the conformity certificate(s).
The document "General rules for the certification of management systems" contains detailed information about how the certification process works and what the requirements are for obtaining and maintaining certifications.
Management system certifications are valid for 3 years, with the condition that successful yearly surveillance audits are performed (in the first and second year after certification). Surveillance audits are meant to evaluate if the management system certified continues to respect applicable requirements.
The certification program is the document that specifies the planning of surveillance audits and it is communicated to the organization at certification date.
In the third year the recertification audit takes place and the organization enters another 3-year certification cycle in similar conditions as the previous.
In case surveillance audits are not performed as scheduled the certification may be suspended. During suspension the certification is temporarily invalid. If the situation is not corrected during suspension the certification is withdrawn.
Appeals refer to decisions of RIGCERT with regard to a certain certification (e.g. not granting, suspending, withdrawal, etc) while complaints may refer to a series of aspects like: the personnel working on behalf of RIGCERT, activities of the organizations certified by RIGCERT, activities of third parties connected to RIGCERT, etc.
Appeals and complaints should be sent to firstname.lastname@example.org and are treated confidentially.
RIGCERT personnel involved in the review and decision regarding a certain appeal or complaint have not been involved in the case being reviewed.
The review can include actions like performing special audits or requesting information from the parties involved, and is concluded with a formal decision communicated to the appellant and/or complainant.
Detailed information on the appeals and complaints handling process is available in the document "General rules for the certification of management systems".