Since its release in 2012, ISO 22301 (Societal security – Business continuity management system – Requirements) has made a dramatic impact on how business continuity programs are designed, managed, and improved.
The standard provided a unifying approach to developing business continuity management systems. Using simple, straightforward language, ISO 22301 summarizes minimum requirements for effective business continuity and enables coordinated preparedness among diverse organizations regardless of size, location, or sector.
It is safe to say that ISO 22301 has successfully guided many organizations in developing and improving effective business continuity programs, and it has introduced a common language for organizations to discuss business continuity planning process and capability. Overall, ISO 22301 offers a unique value proposition that will drive higher levels of business continuity performance in years to come.
In 2019, seven years after its initial publication and in compliance with ISO requirements for updating previously issued standards, the ISO technical committee with responsibility for ISO 22301 (ISO/TC 292) issued its second edition.
The revisions to the original standard are generally focused on simplifying the original language to help organizations understand the requirements and enable more effective attestations (for those seeking certification), as well as removing repetitive content.
The most significant changes are:
Organizations with a strong understanding of management systems realize the most value from ISO 22301, but we recognize that not everyone is familiar with management systems and their related processes.
As such, this page is organized into three sections:
Section 1: Introduction to ISO 22301
This section provides an overview of the standard, including its scope, audience, and value proposition.
Section 2: What is a Management System?
This section introduces key management system concepts that all business continuity professionals should understand before moving forward with the implementation of ISO 22301.
Section 3: Understanding ISO 22301’s Structure and Content
This section focuses solely on ISO 22301, introducing practical, pragmatic guidance to successfully implement the standard and take advantage of each element of the business continuity management system.
Download our white paper Implementing ISO 22301 to gain full access to the content in section three.
Avalution has been a longtime proponent of aligning to management systems standards, and, if a business case exists, proceeding toward organizational certification.
If you’re looking for assistance with aligning your program to ISO 22301, please book a meeting with our team. As an ISO 22301 certified firm, we’d love to learn about your goals and discuss how we can help you successfully align to the standard.
As stated in ISO 22301 Clause 1, the intended purpose of the standard is to enable organizations to “protect against, reduce the likelihood of the occurrence of, prepare for, respond to, and recover from a disruption when they arise” by establishing, operating, and continuously improving a business continuity management system (BCMS).
The official title of ISO 22301 reflects that it is a “requirements” document, but what exactly does that mean? Essentially, standards are structured in one of two ways:
Again, ISO 22301 is a requirements standard, written to enable auditability, as well as organizational certification for entities seeking such third-party, independent attestation. Certification, while optional, is a value-adding differentiator for many organizations, particularly those engaged in business-to-business transactions, as it provides third-party validation of the effectiveness of the organization’s business continuity management system. However, first and foremost, ISO 22301 was written to enable higher levels of business continuity performance, and Avalution expects that the vast majority of organizations will continue to align to the spirit and intent of the standard for that reason.
The business continuity community has some fairly high expectations for the second edition of ISO 22301. Avalution believes that the actual reaction will be positive, as organizations will appreciate the organized, straightforward, and clarified language – especially for Clause 8 (Operation). Additionally, this version of ISO 22301 includes ISO’s evolved approach for management system standards. Many business continuity professionals focused on aligning with ISO 22301 will appreciate the clarity and organization.
Overall, as you read ISO 22301, remember it is written in a manner that introduces topics so the wording is applicable to everyone – regardless of geography, size, structure, or purpose – including not-for-profit entities and those in the public and private sectors. In other words, the content is high-level and describes the what, not the how.
ISO 22301 describes business continuity planning concepts using clear, straightforward language that can be used by anyone in any organization to plan for, implement, and continually improve a business continuity management system. Regardless of experience or job title, ISO 22301 enables those charged with leading the business continuity planning effort to understand business continuity concepts with significantly less jargon and using descriptions in lieu of acronyms.
Ultimately, any entity and/or person (including business continuity professionals, program sponsors, and executive management) charged with preparing for disruptions will benefit from ISO 22301 if they intend to:
To be clear, this standard is not just for those new to the business continuity profession, nor is it strictly for the most experienced professionals. This standard is written for everyone with a role in mitigating risk associated with disruptions.
Standards exist to improve organizational performance in a specific discipline. As an extension of performance improvement, ISO designs its standards to offer approaches and solutions to address the most common challenges facing an organization. ISO 22301 is no different.
As the first international standard focused exclusively on business continuity planning, ISO 22301 offers content to address the most common challenges facing the organization as a whole, as well as its business continuity professional(s) and executive sponsors. In addition, the standard provides a framework to build the capability necessary to respond to, recover from, and operate effectively during the most challenging and unexpected circumstances.
Avalution identified seven key challenges that ISO 22301 is well-positioned to address:
Since this standard involved input from over 60 countries, as well as multiple observer organizations over a number of years, it is safe to say that ISO 22301 summarizes best practices applicable to all entities, regardless of location, purpose, or size.
For those struggling with selling certain business continuity planning approaches or techniques, ISO 22301 can serve as a form of benchmarking, summarizing the core planning activities necessary to ensure successful preparedness outcomes. Overall, ISO 22301 describes planning approaches and outcomes that lead to better uniformity and coordination with other interested parties, including government, customers, and suppliers.
This revised standard also focuses on response and recovery solutions performance (e.g., how fast and to what capability an organization can recover its most important activities and resources), not just how good the organization is at performing the business continuity planning lifecycle. If done correctly, organizations will assess risk in terms of an inability to recover the activities and resources that deliver the organization’s most important products and services, which is a powerful presentation for an executive management audience.
As a strong proponent of standards in general, and especially management systems standards, Avalution believes that ISO 22301 offers unprecedented value because of:
Overall, this standard was developed to address some of the most significant, recurring obstacles that often lead to business continuity performance issues, specifically clarity of purpose and management engagement.
Since its adoption in 2012, a number of Technical Specifications have been published to provide additional guidance for implementing ISO 22301. These include:
| Area | Topic | Change |
|---|---|---|
| General | Terminology | Significant improvements were made to terminology, as listed in Clause 3 (Terms and Definitions). Definitions can also be found in ISO 22300. |
| General | Redundant Verbiage | Modifications have been made to improve readability and comprehension, as well as removing redundant verbiage. Additionally, the term risk appetite has been replaced with a new definition clarifying risk tolerance by “the amount and type of risk the organization may or may not take.” |
| General | Align to Risk Standards | ISO 22301 is better aligned to established risk standards (ISO 31000). For example, Clause 8.2.3 states, “an organization shall implement and maintain a risk assessment process,” with direct reference to ISO 31000. |
| Clause 8.1 | Operational Planning and Control | Added the term supply chain to the organizational changes that need to be controlled. |
| Clause 8.2.1 | BIA and Risk Assessment | Requirements for conducting a business impact analysis and risk assessment have been clarified to remove duplication. Simply stated, organizations are required to “implement and maintain systemic processes” for conducting a BIA and risk assessment and review results “at planned intervals” and when there is an organizational change. |
| Clause 8.2.2 | BIA Process | This clause, providing guidance on the business impact analysis process, has added three more requirements, including: (1) defining impact types and criteria relevant to the organization’s context; (2) using impact types and criteria for assessing impacts over time; and (3) using the analysis results to identify prioritized activities. |
|  | Business Continuity Strategies and Solutions | In the past, this clause focused on business continuity strategies, following the BIA and risk assessment. “Solutions” has been added to the requirements. This is significant, as an organization is required to not only identify strategies, but to also define solutions implemented for each strategy. |
| Clause 8.4 | Business Continuity Plans and Procedures | Originally, this clause addressed developing business continuity procedures; the revised section calls for the implementation of plans and procedures. The distinction appropriately notes that there are different types of procedures that comprise a plan. |
| Clause 8.5 | Exercise Program | This clause goes further than the original version in not only requiring that an organization exercise its business continuity procedures, but to also develop an exercise program to ensure ongoing validation and modification of strategies and plans. |
| Clause 8.6 | Evaluation | The requirement for evaluating business continuity documentation and capabilities has moved from Clause 9 into Clause 8 to emphasize the need to regularly evaluate business continuity documentation and capabilities rather than “periodically.” |
Although widely used in other professional disciplines for many years (i.e., quality, environmental, health and safety, and information security management), the term management system remains a relatively new concept to business continuity professionals. First introduced to business continuity professionals through British Standard (BS) 25999-2 as a business continuity management system, the management systems concept continues to gain traction in our profession through the ISO standards development effort, as well as new and updated standards from the National Fire Protection Association (NFPA) and ASIS International.
A management system is defined as the framework of processes and procedures used to ensure that an organization can fulfill all tasks required to achieve a set of related business objectives (see Clause 3.16). Management system standards provide a model for establishing, operating, maintaining, and improving a management system and executing capabilities that align to management’s expectations. The scope of the management system can be the entire organization, or specific identified sections or functions within the organization.
Understanding management system principles is a key success factor in achieving the most value from ISO 22301. Even more importantly, many executive leadership teams may already be familiar with management system concepts and understand their role in operating within a management system. As discussed throughout this web page, a management system is not only a great way to capture leadership support, but it’s also a great way to keep it.
A management system exists to continuously improve key processes and outcomes to meet core business objectives. But, what are some of the key characteristics of a management system, regardless of its focus?
All management systems standards include ten key components. In the case of ISO 22301, each component is designed to provide value to the organization as described in the following list:
Organizations struggling to capture and keep senior leadership’s attention will quickly realize value when implementing management system concepts – positive input and feedback will increase, as will the resources necessary to meet management expectations.
Those familiar with management systems often equate them to something known as a “Plan, Do, Check, Act” systems methodology, or PDCA. This iterative, flexible methodology and its general concepts originated with Total Quality Management (TQM). It was made popular by Dr. W. Edwards Deming, who is considered by many to be the father of modern quality assurance.
PDCA weaves decision making into the fabric of an organization’s overall operational capability and business practices, and often makes the organization more efficient and better positioned to meet important challenges. PDCA provides a problem identification and problem-solving method that can be implemented by an organization, with the implementation approach based on its unique activities and needs. Executing the cycle over time extends knowledge about the PDCA process. As such, repeating the PDCA cycle continuously can bring an organization closer to its goals, usually ideal operational capability and high-quality outputs.
By incorporating PDCA into business continuity management, organizations can assess their unique needs to make informed decisions. As has been demonstrated with environmental and quality management standards, the PDCA approach creates an organizational culture that drives continual improvement through repetitive performance measurement and feedback.
The following graphic maps ISO 22301’s ten clauses to the PDCA model:
Risk management efforts are greatly enhanced with management-oriented models that avoid professional jargon and focus on organizational outcomes. As described above, PDCA is a simple method to apply: a proven, widely accepted means of engaging management and driving continual improvement. Further, it lends itself to multi-disciplinary application and coordination. Management systems offer a series of processes wrapped around a common objective, and, in the case of business continuity, the objective is mitigating business continuity-related risk, which includes protecting the activities and resources that deliver the organization’s most important products and services.
Management systems add value because, by design, they enable an organization to address multiple standards, regulatory requirements, and other obligations using a single management system. In the case of business continuity, organizations often have multiple sources of requirements influencing the execution of planning activities. Because a management systems standard such as ISO 22301 can help implement an “umbrella” management system, it is well-positioned to flexibly serve every organization’s unique business continuity needs, as organizations are free to add planning activities and solutions to the business continuity management system.
Many managers and business continuity professionals see little difference between a business continuity program and management system. In reality, the subtle differences can lead to major performance improvements.
A program is a planned sequence and combination of activities designed to achieve specific goals. A program normally involves organizing resources to perform a finite, recurring set of activities to meet a set of specific objectives (sometimes performed alone and without coordination with other processes, activities, or disciplines). However, this approach often does little to continually evaluate, incorporate, and address the wider organizational obligations, needs, and expectations.
In comparison, a management system refers to what the organization does to define and manage its processes and activities so its products and services meet the objectives it has set for itself, such as:
Management systems offer a proven, discipline-neutral framework for managing and continually improving an organization’s policies, processes, and activities, as well as the outcomes specific to the discipline.
It is a common misconception that an organization must use one or the other – either a program or a management system. Interestingly, what many business continuity professionals view as program approaches for preparedness (risk assessments, business impact analyses, plan documentation, exercises, and maintenance processes), ISO 22301 includes (essentially Clause 8 of the standard); however, these aspects are just part of the overall approach, making up the DO of PDCA. The remaining management system concepts drive management connection, strategic alignment, continuous improvement, and repeatability.
A number of resources are available to further describe management systems. Consider purchasing a copy of ISO Guide 72, which offers considerable information on key management system components and characteristics. Also, review other management systems-oriented standards (ISO 9001, ISO 14001, ISO 27001), or consult with Quality, EHS, or Information Security professionals that have experience developing, implementing, or operating management systems. Lastly, review the numerous management system case studies posted online in order to further understand the value of the concept and how organizations have achieved success.
Overall, management systems are now part of the business continuity profession, and Avalution believes the industry is fortunate that these concepts are now becoming the status quo within industry standards.
The first three clauses of the standard provide background information regarding ISO 22301. Clauses four through ten define the business continuity management system. The following graphic shows how the clauses align to the Plan-Do-Check-Act model in granular detail:
[Graphic: Business Continuity Management System, Clauses 4 through 10 mapped to the Plan-Do-Check-Act model]
Clause 4: Context of the Organization
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance Evaluation
Clause 10: Improvement
This section focuses solely on ISO 22301:2019, introducing practical, pragmatic guidance to successfully implement the standard and take advantage of each element of the business continuity management system. Starting with Clause 4, Avalution structured the summary of each clause by focusing on four topics:
Download our free white paper – Implementing ISO 22301 – to gain full access to the detailed content covered in section three.