ISO 22301:2019 - NQA

Transcription

ISO 22301:2019 BUSINESS CONTINUITY STANDARD IMPLEMENTATION GUIDE


Contents

- Introduction to the standard (P04)
- Benefits of implementation (P06)
- Key principles and terminology (P08)
- PDCA cycle (P09)
- Risk based thinking / audits (P10)
- Process based thinking / audit (P11)
- Annex SL (P12)
- CLAUSE 1: Scope (P13)
- CLAUSE 2: Normative references (P14)
- CLAUSE 3: Terms and definitions (P15)
- CLAUSE 4: Context of the organization (P16)
- CLAUSE 5: Leadership (P18)
- CLAUSE 6: Planning (P20)
- CLAUSE 7: Support (P22)
- CLAUSE 8: Operation (P24)
- CLAUSE 9: Performance evaluation (P26)
- CLAUSE 10: Improvement (P27)
- Get the most from your management (P28)
- Next steps once implemented (P29)

INTRODUCTION TO THE STANDARD

ISO 22301:2019 is the latest version of the international standard for Business Continuity Management Systems. This standard provides a best practice framework to support organizations to effectively manage the impact of a disruption to their normal operation.

The purpose of the standard is not necessarily to achieve total mitigation of impact from disruption. It is to support an organization to understand the amount and type of impact it is willing to accept following a disruption. Following this, the organization develops a business continuity system sized correctly for the organizational need.

Many organizations will at some point experience a business disruption. The cause and nature of disruptive events is ever-changing. Organizations need to be able to think dynamically about this changing threat landscape and put in place appropriate plans to mitigate impacts.

The ISO 22300 Family

The origin of the ISO 22301 standard heralds back to the ISO technical committee ISO/TC 23, which focussed on addressing concerns related to societal security. The standard is now managed by ISO/TC 292 - Security and Resilience. The first iteration of the ISO 22301 standard was published in 2012. The second edition was published in October 2019 and is the focus of this implementation guide.

There are currently 11 standards in the ISO 22300 series. The other standards in the series provide more detailed guidance and requirements for specific issues related to business continuity. This ranges from emergency response management through to mass evacuations.

Within the series, the most important standards for an organization seeking to implement an effective Business Continuity Management System are:

- ISO 22300:2018 - Security and resilience – Vocabulary
- ISO 22301:2019 - Security and resilience – Business Continuity Management Systems – Requirements
- ISO 22313:2020 - Security and resilience – Business Continuity Management Systems – Guidance. Provides helpful direction in support of the practical implementation and operation of a business continuity system.

Regular Reviews and Updates

ISO standards are subject to review approximately every five years to assess whether an update is required.

The 2019 version of the standard is reflective of the broader movement of ISO standards towards the application of risk based thinking, understanding organizational context and satisfying the needs of interested parties. The 2019 version contains less prescriptive requirements and is more flexible in its approach to documented information. The 2019 version additionally includes the new requirement to effectively plan changes to the Business Continuity Management System (BCMS).

The most recent update to the ISO 22301 standard in 2019 brought about a number of changes. Whilst the previous edition (2012) was one of the forerunner standards in adopting an Annex SL type format, the new edition firmly aligns the standard with Annex SL.


BENEFITS OF IMPLEMENTATION

It has been demonstrated in recent times that a company's ability to manage disruptive events is becoming central to its survival. The variety of threats which can cause business disruption is ever-increasing. From cyber-attacks and global pandemics to natural disasters, an organization needs a toolset to manage itself through uncertain times.

In the past, business continuity planning tended to be reserved for critical national infrastructure and major corporations. Today, business continuity is an issue that affects practically all organizations to some degree. A correctly implemented Business Continuity Management System should be scaled to the size and complexity of the organization – making it suitable for SME and large corporation alike.

The core purpose of a Business Continuity Management System is to enable the mitigation of a disruption. Depending on the organization, the benefits will work in support of its goals; whether that is to save lives in a hospital or to reduce financial impact to a manufacturing company.

VISIBLE RESILIENCE

An effective BCMS provides evidence to current and potential customers of organizational preparedness for disruption. This is particularly important in sectors where disruption can have significant impacts on people's lives as well as financial impacts; including government, healthcare, financial, defence and social services.

PEACE OF MIND

The future is uncertain. An effectively implemented BCMS gives an organization confidence to move forward knowing it can manage a disruption. This peace of mind spans the organization from personnel operations teams to board membership.

COMPETITIVE ADVANTAGE

Being able to continue to operate during or shortly after a disruption gives a company a competitive advantage. In the short term it may be able to win business from competitors which are unable to operate or are doing so in a diminished capacity. In the longer term, a company can generate reputational benefits that will attract customers as well as benefit from stronger financial capabilities. In addition, a Business Continuity Management System supports an organization to bid or tender more effectively.

ENHANCE CYBER SECURITY AND IT FAILURE RESILIENCE

Cyber security and IT disaster planning is high on the agenda of many organizations. A business continuity plan supports a company to manage the impact of IT disruption, whether caused by malicious action or by infrastructure failure. Crypto viruses, DDoS attacks and data centre failures can create deep and long lasting disruption to all functions of an organization.

Cyber security certifications such as ISO 27001 and Cyber Essentials do not fully address continuity challenges in the event of a disruption. ISO 27001 attempts to address continuity within the IT function itself but this does not extend to the rest of the organization. ISO 22301 provides a framework for addressing the wider organizational impact of IT failure. As a result, a Business Continuity Management System (ISO 22301) is well suited to be integrated with an ISO 27001 information security management system.

PROTECT ORGANIZATIONAL VALUE

A BCMS helps to mitigate the negative impact of a disruptive event. Practically speaking, this can save the organization significant amounts of money, time and reputational impact.

High Level View

A Business Continuity Management System operates on similar principles to other management systems. The system is built on the Plan-Do-Check-Act model.

- Determine the organizational needs and understand the rationale for business continuity plans:
  - What is important to continue in the event of a disruption?
  - Why is that important and to whom?
  - What level of disruption is the organization and its stakeholders prepared to accept?
- Put in place a framework for achieving the mitigation of the disruption. This can include:
  - Processes
  - Capabilities
  - Response structures
- Check the performance and effectiveness of the system through monitoring. Practically speaking this will involve testing BC plans through various means.
- Improve the system based on the measures established, and revisit the rationale for the business continuity plans and their alignment to what has been implemented.

One of the practical challenges with a BCMS is that it comes into action infrequently. Whilst quality management systems are implemented into the company's day to day operation, business continuity systems are only fully brought into action when a disruption occurs. This means there needs to be a greater emphasis on:

- Business continuity plan (BCP) testing or drills
- Retaining and refreshing organizational capabilities to support business continuity
- Periodic reviews of the system, its processes and rationale to ensure it remains aligned to a changing organization.

KEY PRINCIPLES OF BUSINESS CONTINUITY

Business continuity is grounded in a number of key principles which need to be consistently applied to a business continuity system for it to be effective.

Clear Objectives

An organization should have in place clear business continuity objectives that reflect the nature of their activities and their impact on stakeholders. This supports the prioritisation and resource allocation to the business continuity process. These objectives should clearly define the expected continuity levels and continuity times.

Responsibility

An organization's senior management and board of directors are responsible for business continuity; this responsibility must be understood and accepted. Business continuity management should be an integral component of overall risk management.

In the event of a disruption, the absence of clearly defined responsibilities, authorities and roles can cause a business continuity plan to become ineffective.

Communication

Organizations should include within their business continuity plans how and when they will communicate within their organizations, with customers and interested parties (such as regulators or suppliers).

Impact and Risk Evaluation

The business continuity standard is different from others in that it focusses on the "what if". The ability to identify and plan for potential business impacts and risks is key to an effective business continuity system.

Testing

The Business Continuity Management System should be periodically tested in order to evaluate its effectiveness and make changes as required.

PDCA CYCLE

ISO 22301 is based on the Plan-Do-Check-Act (PDCA) cycle, also known as the Deming wheel or the Shewhart cycle. The PDCA cycle can be applied not only to the management system as a whole but to each individual element to provide an ongoing focus on continuing improvement. In brief:

Plan: Understand external context and needs of interested parties. Identify risk and opportunity. Establish objectives and resources required.

Do: Implement what has been planned. From a new Business Continuity Management System down to small process changes.

Check: Monitor and measure the effectiveness of the business continuity. Test business continuity plans and monitor outcomes.

Act: Take action where necessary based on monitoring, measuring and other drivers for action.

Figure: PDCA Model ISO 22301. Inputs: needs of interested parties; BCMS requirements and expectations. Plan: establish BCMS. Do: implement and operate BCMS. Check: test, monitor and review BCMS. Act: maintain and improve BCMS. Outputs: needs of interested parties met; business continuity.

Plan-Do-Check-Act is an example of a closed-loop system. This ensures the learning from the 'do' and 'check' stages is used to inform the 'act' and subsequent 'plan' stages. In theory this is cyclical, however it's more of an upward spiral as the learning moves you on each time you go through the process.

RISK BASED THINKING / AUDITS

Audits are a systematic, evidence-based, process approach to evaluation of your Business Continuity Management System. They are undertaken internally and externally to verify the effectiveness of the BCMS. Audits are a brilliant example of how risk-based thinking is adopted within Business Continuity Management.

1st Party Audits – Internal Audits

Internal audits are a great opportunity for learning within your organization. They provide time to focus on a particular process or department in order to truly assess its performance. The purpose of an internal audit is to ensure adherence to policies, procedures and processes as determined by you, the organization, and to confirm compliance with the requirements of ISO 22301.

2nd Party – External Audits

Second party audits are usually carried out by customers or by others on their behalf, or you may carry them out on your external providers. 2nd party audits can also be carried out by regulators or any other external party that has a formal interest in an organization.

You may have little control over the timing and frequency of these audits, however establishing your own BCMS will ensure you are well prepared for their arrival.

Audit Planning

Devising an audit schedule can sound like a complicated exercise. Depending on the scale and complexity of your operations, you may schedule internal audits anywhere from every month to once a year. There's more detail on this in section 9 – performance evaluation.

Risk-Based Thinking

The best way to consider frequency of audits is to look at the risks involved in the process or business area to be audited. Any process which is high risk, either because it has a high potential to go wrong or because the consequences would be severe if it did go wrong, should be audited more frequently than a low risk process.

How you assess risk is entirely up to you. ISO 22301 doesn't dictate any particular method of risk assessment or risk management.

3rd Party – Certification Audits

Third party audits are carried out by external bodies, usually UKAS accredited certification bodies such as NQA.

The certification body will assess conformance to the ISO 22301:2019 standard. This involves a representative of the certification body visiting the organization and assessing the relevant system and its processes. Maintaining certification also involves periodic reassessments.

Certification demonstrates to customers that you have a commitment to quality.

CERTIFICATION ASSURES:

- regular assessment to continually monitor and improve processes
- credibility that the s
