Implementing ISO 22301 Business Continuity Management System (BCMS)

We take a closer look at the fastest-growing ISO standard, ISO 22301:2012, and explain how you can use the standard effectively.

Irrespective of what your organisation exists to do, there will be times when an unforeseen event occurs and brings normal operations to a halt. This could be the result of a natural disaster or a man-made occurrence, a deliberate act or an accident. Irrespective of the cause, what matters to your stakeholders is that ‘business as usual’ is resumed as quickly as possible.

ISO 22301 is a management systems standard for business continuity management. It is a ‘generic standard’ in that it is designed to be used by organisations regardless of size, type or nature. It specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptive incidents.

ISO 22301 was developed and is owned by ISO Technical Committee 223. ISO/TC223 oversees a range of standards designed to protect society from incidents, emergencies and disasters caused by intentional and unintentional human acts, natural hazards and technical failures.

When it was introduced in 2012, ISO 22301 was the first international standard to adopt Guide 83, the precursor to Annex SL, which provides a common framework to which all management system standards must conform. As such, it contains 10 clauses plus an introduction and bibliography. The terms and definitions used are drawn from either Annex SL (as it was at that time) or ISO 22300:2012 – Societal security – Terminology.

Those familiar with the latest Annex SL standards will see clear similarities between the requirements of today’s standards and ISO 22301:2012. Clause 4 relates to Context of the Organization, requiring determination of internal and external issues which affect the ability of the business continuity management system (BCMS) to deliver its intended outcomes, as well as the determination of the needs and expectations of interested parties. Requirements are added to this, relating to maintaining legal and regulatory compliance.

Clause 5, Leadership, is a little less familiar, containing a sub-clause, 5.2 ‘Management Commitment’, which is absent from today’s standards. Clause 6, Planning, adheres to Annex SL, as does Clause 7, Support.

It is in Clause 8, Operation, however, that the body of the BCMS-specific requirements is contained. There are sub-clauses relating to business impact analysis and risk assessment, the development of a business continuity strategy, establishing and implementing business continuity procedures and developing and testing business continuity plans.

Clause 9, Performance evaluation, addresses monitoring, measurement, analysis and evaluation (including the evaluation of business continuity procedures), plus internal audit and management review. Finally, Clause 10, Improvement, sets out requirements in respect of non-conformity, corrective action and continual improvement.

Organisations can obtain accredited certification against this standard and so demonstrate to legislators, regulators, customers, prospective customers and other interested parties that they are adhering to good practice in BCM.

At present there are relatively few certificates issued, some 3,133 (ISO Survey 2015), compared to ISO 9001:2015 at 1,033,000. But this number is growing quickly, up 78 per cent over the previous year, making it the fastest growing of all ISO standards at present.

Although it contains no normative references, ISO 22301 is supported by ISO 22313, which was created to provide implementation guidance. This is well worth acquiring if you are inexperienced in BCM matters. It provides suggested content for a number of the mandatory procedures, processes, strategies and plans that ISO 22301 requires as well as examples of BCM goals, objectives and metrics for evaluating the effectiveness of the BCMS.

If your organisation does not currently have BCM arrangements in place but now recognises the need to introduce these, please contact the CQI who will be happy to assist you with progressing a solution. Remember that the worst possible time to introduce a BCMS is in the middle of a crisis situation. Ensure that you are properly prepared before the event, for your own sake and for the sake of your stakeholders.

Attribute to original publisher/ publishing organization: Richard Green, CQP MCQI, CQI representative for ISO 17021-2, ISO 19011 and ISO 45001, and managing director of Kingsford Consultancy Services,