ISO 22301:2019 Security and resilience - Business continuity management systems - Requirements

ISO 22301:2019 is an international standard that specifies requirements for a business continuity management system (BCMS). It is designed to help organizations prepare for, respond to, and recover from disruptive incidents, ensuring that critical business functions can continue during and after a crisis.

Key Aspects of ISO 22301:2019

  1. Objective:
    • To provide a framework for establishing, implementing, maintaining, and improving a BCMS to protect against, reduce the likelihood of, and ensure recovery from disruptive incidents.
  2. Scope:
    • Applicable to any organization, regardless of size, type, or industry, that wants to demonstrate its ability to continue operating during disruptions.
  3. Benefits:
    • Enhances organizational resilience.
    • Reduces downtime and ensures the continuity of critical business operations.
    • Improves risk management and response capabilities.
    • Builds stakeholder confidence and trust.
    • Ensures compliance with legal and regulatory requirements.

Structure of ISO 22301:2019

The standard follows the high-level structure (HLS) common to other ISO management system standards, making it easier to integrate with other management systems. The main clauses are:

  1. Clause 1: Scope
    • Defines the scope of the standard and the intended outcomes of implementing a BCMS.
  2. Clause 2: Normative References
    • Provides references to other documents that are indispensable for the application of ISO 22301:2019.
  3. Clause 3: Terms and Definitions
    • Defines terms used in the standard to ensure a common understanding.
  4. Clause 4: Context of the Organization
    • Requires the organization to understand its context, including internal and external issues, interested parties, and the scope of the BCMS.
  5. Clause 5: Leadership
    • Emphasizes the role of top management in demonstrating leadership and commitment to the BCMS.
    • Includes requirements for establishing a business continuity policy and defining organizational roles, responsibilities, and authorities.
  6. Clause 6: Planning
    • Covers actions to address risks and opportunities, the setting of business continuity objectives, and the planning of changes to the BCMS.
  7. Clause 7: Support
    • Covers resources needed for the BCMS, including human resources, infrastructure, and environment.
    • Includes requirements for competence, awareness, communication, and documented information.

  8. Clause 8: Operation
    • Deals with operational planning and control, including the processes needed to meet business continuity objectives.
    • Includes requirements for business impact analysis (BIA), risk assessment, business continuity strategies, and response plans.
  9. Clause 9: Performance Evaluation
    • Requires monitoring, measurement, analysis, and evaluation of the BCMS.
    • Includes requirements for internal audit and management review.
  10. Clause 10: Improvement
    • Focuses on continual improvement of the BCMS.
    • Includes requirements for managing nonconformities and taking corrective actions.

Implementation Process

  1. Preparation:
    • Understand the requirements of ISO 22301:2019 and assess the current processes and practices of your organization.
  2. Gap Analysis:
    • Conduct a gap analysis to identify areas that need improvement to meet the standard’s requirements.
  3. Implementation:
    • Develop and implement procedures and practices that align with ISO 22301:2019. Ensure all staff are trained and aware of these procedures.
  4. Documentation:
    • Create and maintain the necessary documentation, including a business continuity policy, plans, procedures, and records.
  5. Internal Audit:
    • Conduct internal audits to verify the effectiveness of the BCMS and identify areas needing improvement.
  6. Management Review:
    • Perform regular management reviews to assess the suitability, adequacy, and effectiveness of the BCMS.
  7. Certification Audit:
    • Engage an accredited certification body to perform an external audit. The audit will be conducted in two stages:
      • Stage 1: Review of documentation to ensure compliance with ISO 22301:2019.
      • Stage 2: On-site audit to verify the implementation of processes and procedures.
  8. Certification Decision:
    • Based on the audit findings, the certification body will decide whether to grant ISO 22301:2019 certification.
  9. Surveillance Audits:
    • Periodic surveillance audits are conducted to ensure ongoing compliance with ISO 22301:2019.
  10. Recertification:
    • The certification is typically valid for three years, after which a recertification audit is required.

Conclusion

ISO 22301:2019 provides a robust framework for establishing, implementing, maintaining, and continually improving a business continuity management system. By adhering to this standard, organizations can enhance their resilience, ensure the continuity of critical operations during disruptions, and build stakeholder confidence. This standard is applicable to any organization seeking to improve its ability to respond to and recover from disruptive incidents, ensuring long-term stability and success.

Need help? Book a meeting at a time to suit your schedule

If you need assistance, we're here to help! You can book a call with us at a time that suits your schedule. Simply let us know your availability. Whether you have questions, need guidance, or require assistance with our services, we're committed to ensuring you receive the help you need. Contact us today to schedule your call!

Certification Milestones

  • Free strategic meeting
  • Your tailored proposal
  • Confirmation
  • Stage 1 Audit date
  • Stage 2 Audit date (Certification)
  • Obtain your Certificate