Does Your Business Continuity Management System Have “Issues”?

Brian Zawada, FBCI Brian Zawada, FBCI | May 28, 2013

Part of Avalution’s Conforming to ISO 22301 Series

ISO 22301 is the first standard to employ the new ISO format for management systems standards, which involves a considerable amount of “templatized” management system content across ten clauses.  Because this format, language, and many of the requirements are new to most business continuity professionals, it’s important to review and consider the intent associated with some of the content and concepts.

This perspective is the first in a series to discuss key elements of the ISO 22301 business continuity management system, including value-adding elements of the standard or requirements that could “trip up” an organization during the certification process.

Today we’re going to take a look at one element of Clause 4, primarily because of a recent discussion we had during our internal certification audit.

Avalution recently completed its ISO 22301 certification successfully, and during the course of the audit, we had an interesting discussion regarding one of the requirements in Clause 4:

Clause 4 – Context of the organization
Section 4.1:  The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intend outcome(s) of its BCMS.  These issues shall be taken into account when establishing, implementing and maintaining the organization’s BCMS.

But, what does the phrase “internal and external issues” mean as it relates to a business continuity management system?  In exploring the concept during the audit, as well as afterwards with a number of business continuity professionals, here’s what we came up with.

The short answer is simple – in the context of ISO 22301 and a business continuity management system, “issues” is analogous to “Why invest in business continuity?” or “What are the sources of requirements for the business continuity management system?” As such, the following table summarizes many of the common internal and external “issues” that drive investment in business continuity.

So internal issues are basically internal requirements, procedures, standards, and reference models adopted by the organization as part of, or related to, the business continuity management system.

Avalution Quick Tip: A third-party auditor will inquire as to how the organization identified internal issues and how they are applied to the business continuity management system design and outcomes. Be prepared to answer these questions.

Evaluating the organization’s external issues should include, where relevant:

  • Legal and regulatory requirements whether international, national, regional, or local
  • Supply chain commitments and relationships
  • Key drivers and trends (metrics) having an impact on the objectives and operation of the organization and relationships with, and perceptions and values of, interested parties outside the organization

Avalution Quick Tip: A third-party auditor will also look at how the organization identifies and considers regulatory and/or contractual requirements plus any external data that the organization’s relies upon to make decisions or impacts the organizations business continuity management system. Be prepared to provide and discuss this information as well.

Continue to visit our business continuity and IT disaster recovery blog for more posts in Avalution’s Conforming to ISO 22301 series.

In the meantime, don’t hesitate to reach out to us to discuss aligning to the standard or pursuing certification. We look forward to hearing from you!

Additional Resource:
Implementing ISO 22301: The Business Continuity Management Systems Standard


Brian Zawada
Avalution Consulting: Business Continuity Consulting