Business Continuity Management (ISO 22301:2012)
ISO 22301:2012 addresses Business Continuity Management Systems – Requirements. The standard can be used by organizations of all sizes and types. Organizations can obtain accredited certification against it and so demonstrate to legislators, regulators, customers, prospective customers and other interested parties that they adhere to good practice in Business Continuity Management.
While ISO 22301 may be used for certification and therefore contains rather short and concise requirements describing the central elements of BCM, a more extensive guidance standard (ISO 22313) is being developed to provide greater detail on each requirement in ISO 22301.
Business continuity requirements include:
- Business continuity policy
- Business impact analysis
- Risk assessment
- Business continuity strategy
Implementing steps of an ISO 22301 BCMS
- Management support & Identification of requirements
Management must be willing to invest both financial and human resources; the size of that effort will depend on the business's requirements for operational continuity. These requirements can come from clients, regulations and law, investors, etc.
- Business continuity policy & objectives
Top management defines and approves the main responsibilities and rules for business continuity, together with the business continuity policy. The policy has to be supported by measurable objectives.
- Documents for Business continuity management system
Management systems, whether for business continuity, information security, quality management or environmental protection, all have in common a set of documented procedures upon which the system relies.
- Risk assessment & treatment
To be prepared for disruptive incidents, and to prevent some of them to the degree possible, these incidents first need to be identified. One first finds out which incidents can happen, and then defines which controls (i.e., safeguards) can be applied to mitigate them. This is the basis for risk assessment and treatment.
- Business impact analysis
The purpose of business impact analysis is to define the recovery time objective (RTO) and recovery point objective (RPO) from the impacts resulting from different disruption scenarios. It then specifies the contingency plan(s) for these scenarios.
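The following is an added worked example, not part of the original page or of the ISO standard itself, showing how the BIA step above can be made concrete: each process carries a constructed impact-over-time curve per disruption scenario and an impact tolerance, the RTO is derived as the longest outage the process can absorb across all scenarios, and the resulting RTO/RPO requirements are compared against the organization's current recovery capability to list gaps. All process names, figures and thresholds are constructed for illustration.

```python
# Added example (not from the page): deriving RTO/RPO requirements from
# scenario impact curves and checking them against current recovery capability.

# Constructed BIA input. For each process:
#   tolerance: maximum cumulative impact (currency units) the business can accept
#   scenarios: outage-duration-in-hours -> cumulative impact points per scenario
#   acceptable_data_loss_hours: how much data (in hours of transactions) may be lost
CONSTRUCTED_BIA = {
    "order-processing": {
        "tolerance": 50_000,
        "scenarios": {
            "data-centre outage": [(1, 5_000), (4, 20_000), (8, 45_000), (24, 120_000)],
            "ransomware": [(1, 10_000), (4, 40_000), (8, 90_000), (24, 250_000)],
        },
        "acceptable_data_loss_hours": 1,
    },
    "payroll": {
        "tolerance": 20_000,
        "scenarios": {
            "data-centre outage": [(4, 1_000), (24, 5_000), (72, 30_000)],
            "ransomware": [(4, 2_000), (24, 8_000), (72, 60_000)],
        },
        "acceptable_data_loss_hours": 24,
    },
}

# Constructed description of what the organization can currently deliver:
#   recovery_hours: time to restore the process today
#   backup_interval_hours: how often its data is backed up (bounds the data loss)
CONSTRUCTED_CAPABILITY = {
    "order-processing": {"recovery_hours": 6, "backup_interval_hours": 1},
    "payroll": {"recovery_hours": 12, "backup_interval_hours": 24},
}


def derive_rto(impact_curve, tolerance):
    """Longest outage duration (hours) whose cumulative impact stays within tolerance.

    Returns 0 when even the shortest measured outage exceeds the tolerance,
    i.e. the process must be restored essentially immediately.
    """
    rto = 0
    for hours, impact in sorted(impact_curve):
        if impact > tolerance:
            break
        rto = hours
    return rto


def bia_requirements(bia):
    """Per process, the binding RTO (minimum across scenarios) and the RPO."""
    requirements = {}
    for process, entry in bia.items():
        scenario_rtos = {
            name: derive_rto(curve, entry["tolerance"])
            for name, curve in entry["scenarios"].items()
        }
        requirements[process] = {
            "rto_hours": min(scenario_rtos.values()),
            "binding_scenario": min(scenario_rtos, key=scenario_rtos.get),
            "rpo_hours": entry["acceptable_data_loss_hours"],
        }
    return requirements


def capability_gaps(requirements, capability):
    """List processes whose current recovery or backup interval misses RTO/RPO."""
    gaps = []
    for process, req in requirements.items():
        cap = capability.get(process)
        if cap is None:
            gaps.append(f"{process}: no recovery capability recorded")
            continue
        if cap["recovery_hours"] > req["rto_hours"]:
            gaps.append(
                f"{process}: recovery takes {cap['recovery_hours']}h but RTO is "
                f"{req['rto_hours']}h (driven by '{req['binding_scenario']}')"
            )
        if cap["backup_interval_hours"] > req["rpo_hours"]:
            gaps.append(
                f"{process}: backups every {cap['backup_interval_hours']}h but RPO is "
                f"{req['rpo_hours']}h"
            )
    return gaps


if __name__ == "__main__":
    reqs = bia_requirements(CONSTRUCTED_BIA)
    for process, req in reqs.items():
        print(f"{process}: RTO {req['rto_hours']}h, RPO {req['rpo_hours']}h")
    for gap in capability_gaps(reqs, CONSTRUCTED_CAPABILITY):
        print("GAP:", gap)
```

The binding RTO is the minimum across scenarios because a contingency plan must hold for whichever disruption actually occurs; the gap list is what feeds the "risk treatment" and "business continuity plan" steps, since each line is a recovery capability that has to be improved or a tolerance the business has to revisit.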
- Business continuity plan
The business continuity plans and their types will depend on the nature and complexity of the company's operations. They cover incident response plans and recovery plans.
- Training & awareness
Awareness and training of the identified staff are required so that they know how to implement the plans.
- Exercising & testing
Training is not going to be enough unless the plans are also tested. Testing can range from mock drills to a full-scale simulated environment that includes top management, outsourcing partners and suppliers.
Benefits of Business Continuity Management
When implemented properly, business continuity management decreases the likelihood of a disruptive incident by building redundancies, and if such an incident does occur the organization is ready to respond in an appropriate way, drastically reducing the potential damage.