ISO 22301: 2019 Business Continuity Management System Standard
ISO 22301 is the International Standard for Business Continuity Management (BCM). It provides a practical framework for setting up and managing an effective business continuity management system.
- Specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.
- Specifies the requirements for the planning, establishing, implementation, monitoring, and continual improvement of a business continuity management system
- It applies the PDCA (Plan, Do Check, Act) Cycle.
- Organizations can obtain certification against this standard.
- ISO 22301 is auditable and demonstrates compliance to a standard to key stakeholders, customers, and third parties.
- The primary driver is to increase operational resilience and roadmap recovery during times of stress.
- Internal Staff is aware of their roles when an incident occurs.
Why Do You Need ISO 22301: 2019?
Emergencies and disruptive incidents are often out of an organization’s control. in these situations, the one thing you can control is how you respond.
ISO 22301 Certification will give strength to your organization when it comes to continuity when resilience is required. It gives confidence to customers and stakeholders that you can meet requirements regardless of circumstances.
ISO 22301 Helps You With
- Operational Resilience
- Emergency Preparedness
- Corporate Governance
- Crisis Management
- Disaster Recovery
- Supply Chain Security
- Protection of reputation in a crisis
- Preparation for technology failures
- Plan for the sudden loss of critical resources
- Preparation for other emergency situations
What are the Benefits of ISO 22301 Certification?
Customer Satisfaction – Deliver products that consistently meet customer requirements and a service that is dependable and can be relied on.
Business Resilience – Avoid downtime and financial losses with effective management of risk, emergency preparedness, and contingency planning.
Legal Compliance – Understand how statutory and regulatory requirements impact your organization and its customers
Improved Risk Management – Greater consistency and traceability of products and services means problems are easier to avoid and rectify.
Proven Business Credentials – Independent verification against a globally recognized industry standard speaks volumes.
Ability to Win More Business – Procurement specifications often require certification as a condition to supply, so certification opens doors.
Global Recognition as a Reputable Supplier – Certification is recognized internationally and accepted throughout industry supply chains, setting industry benchmarks for sourcing suppliers.
- ISO 22301 Strengthen your Internal Management System
- Creating New opportunities due to overall improvement
- Prevent Large scale damage
- Improve Financial Performance and reduce Disruptions
- Achieve Marketing Advantage.
ISO 22301 Before and After Covid-19
Pre-Covid BCP had created on sudden, short-term & limited capacity disruption – for e.g., is the business resilient if one location is compromised?
The Business Continuity Management had a plan of data backups, inventories, redundant locations, and distributed supplier base.
The Post-Covid business continuity plans focused majority from an office environment to a virtual environment.
The 10 Clauses of ISO 22301: 2019
The scope section of ISO 22301 sets out:
- The purpose of the standard
- The types of organizations it is designed to apply to
- The sections of the standard (called Clauses) contain requirements that an organization needs to comply with in order for the organization to be certified as “Conforming” to it (i.e. being compliant).
- In ISO 22301 only one document is listed – ISO 22301, Security and Resilience – Vocabulary.
- Some of the terms used or requirements detailed in ISO 22301 are explained further in ISO 22300.
Terms and Definitions
There are 31 terms and definitions given in ISO 22301,
- Business Continuity
- Business Continuity Plan
- Business Impact Analysis
- Crisis Management Team
- Maximum Tolerable Period of Disruption (MTPD)
- Minimum Business Continuity Objective (MBCO)
- Recovery Point Objective (RPO)
- Recovery Time Objective (RTO)
Context of the Organization
- Establish the context of the Business Continuity Management Systems for the organization
- Understand the needs of expectations of the interested parties and their requirements
- Determine the scope of BCMS
- Communicate the scope to relevant interested parties.
- Demonstrate Management Commitment
- Define Roles, Responsibilities, and Authorities.
- Ensure that the business continuity policy is established
- Communicate the importance of effective BCM.
- Ensure business continuity objectives are established.
- Ensure that the resources needed for the BCMS are available
- Ensure that the BCMS achieves its intended outcomes
- Ensure the integration of the BCMS requirements into the organizations business processes
- Promote continual improvement.
Planning to Meet Business Continuity Objectives
- Be consistent with the business continuity policy
- Be measurable
- Take into account applicable requirements
- Be monitored and updated as appropriate
- Be communicated
Planning to Address Risks
- Ensure that the BCMS can achieve its intended outcomes
- Prevent, or reduce undesired effects
- Achieve continual improvement
- Plan actions to address these risks and opportunities
- Plan how to integrate and implement the actions into its BCMS processes
- Plan how to evaluate the effectiveness of these actions.
Planning Changes to the BCMS
The organization should consider
- The purpose of the changes and their potential consequences
- The integrity of the BCMS
- The availability of resources
- The allocation or reallocation of responsibilities and authorities.
- Determine and provide competency resources needed for BCMS
- Provide awareness about BCMS
- Determine the internal and external communications relevant to the BCMS
- Creation, update, and control of documented information.
- Operational Planning and control
- Business impact analysis and risk assessment
- Business Continuity strategies and solutions
- Business Continuity plans and procedures
- Exercise Program
- Evaluation of business continuity documentation and capabilities.
Business Impact Analysis
This activity enables an organization to identify the critical processes that support its key products and services, the interdependencies between processes, and the resources required to operate the processes at a minimally acceptable level.
- Identify the time frame
- Identify prioritized activities
- Determine the resources needed to support prioritized activities.
- Determine the dependencies
- Assess the impacts over time resulting from the disruption
- Identify the activities
- Define the impact types and criteria.
Business Continuity Strategy
Determining the business continuity strategy is about the action needed to address the findings from business impact analysis and risk assessment.
- Monitoring, Measurement. Analysis and Evaluation
- Internal Audit
- Management Review
The Organization will need to continually improve the suitability, adequacy, and effectiveness of the Business Continuity Management System.
What are the Mandatory Documentation of ISO 22301: 2019?
- List of applicable legal, regulatory and other requirements
- Scope of the BCMS
- Business Continuity Policy
- Business Continuity Objectives
- Evidence of personnel Competences
- Procedures for communication with interested parties
- Incident response structure
- Business continuity plans
- Recovery Procedures
- Records of communication with interested parties
- Records of disruption details, actions taken, and decisions made
- Results of monitoring and measurement
- Results of internal audit
- Results of management review
- Results of corrective actions
Why Choose TUV Austria Bureau For Implementing ISO 22301 Requirements
Some of the leading international accreditation bodies have awarded TUV Austria Bureau of Inspection & Certification with the accreditation to offer certification to a vast range of industry sectors. For certification services, TUV Austria BIC is the preferred brand across multiple industry sectors.
Local Regulatory authorities like The Pakistan National Accreditation Council (PNAC), The Pakistan Engineering Council (PEC) also recognizes TUV Austria Bureau of Inspection & Certification as a leading certification and inspection body in Pakistan. TUV Austria BIC has earned global respect instead of its approach and service quality through its highly trained and experienced Consultants. Our professional auditors work with clients to guarantee that the requirements are successfully maintained and continuously improved to be up to customers’ expectations and the law.
In Addition, to ISO 22301: 2019 audits we also offer a range of complimentary services:
- ISO 9001: 2015 Quality Management System
- ISO 20000: 2018 IT Service Management System
- ISO 22000: 2018 Food Safety Management System
- ISO 27001: 2018 Information Security Management System
- Process improvement solutions
What is Business Continuity Management?
A business management system is a management system that bundles interrelated methods, procedures, and rules to ensure that critical business processes keep running in the event of damage or emergencies and continuously develops and improves them.
What is Disruption?
In the Dictionary: Disturbance or problem which interrupts an event, activity, or process.
In Business: The action of completely changing the traditional way that an industry or market operates by using new methods or technology.
Difference Between ISO 27001 and ISO 22301?
ISO 27001 is more information infrastructure focused and requires addressing IT assets and “support” services to business processes.
ISO 22301 requires a more all-encompassing approach and requires the identification of critical business functions.
Critical Functions are resourced accordingly and back to functionality earlier following any disruption.
IS ISO 22301 Certification Right for You?
This standard may be right for your organization can rapidly overcome operational disruption to provide continued and effective service.
“This rigor of a certified management system has spent up the process and ensured that we have been able to deliver what our clients need: an uninterrupted service.” E.L.F.S
Who Can Avail ISO 22301?
Any Organization – Large or Small, Profit or Non-Profit, Private or Public.
What are the focus points to implement ISO 22301?
- Setting up a system for Documentation and Records
- Management Information System
- Risk Assessment and Treatment
- Business Continuity Strategy
- Business Performance and Sustainability
Would you mind sending an Enquiry so we can assist you in getting certified?Send Enquiry