This course specifies the structure and requirements for implementing and maintaining a business continuity management system (BCMS) that develops business continuity appropriate to the amount and type of impact that the organization may or may not accept following a disruption.
The outcomes of maintaining a BCMS are shaped by the organization’s legal, regulatory, organizational, and industry requirements, products and services provided, processes employed, the size and structure of the organization, and the requirements of its interested parties.
A BCMS emphasizes the importance of:
- understanding the organization’s needs and the necessity for establishing business continuity policies and objectives;
- operating and maintaining processes, capabilities, and response structures for ensuring the organization will survive disruptions;
- monitoring and reviewing the performance and effectiveness of the BCMS;
- continual improvement based on qualitative and quantitative measures.
A BCMS, like any other management system, includes the following components:
- a) a policy;
- b) competent people with defined responsibilities;
- c) management processes relating to:
  - 1) policy;
  - 2) planning;
  - 3) implementation and operation;
  - 4) performance assessment;
  - 5) management review;
  - 6) continual improvement;
- d) documented information supporting operational control and enabling performance evaluation.
0.2 Benefits of a business continuity management system
The purpose of a BCMS is to prepare for, provide and maintain controls and capabilities for managing an organization’s overall ability to continue to operate during disruptions. In achieving this, the organization is:
- a) from a business perspective:
  - 1) supporting its strategic objectives;
  - 2) creating a competitive advantage;
  - 3) protecting and enhancing its reputation and credibility;
  - 4) contributing to organizational resilience;
- b) from a financial perspective:
  - 1) reducing legal and financial exposure;
  - 2) reducing direct and indirect costs of disruptions;
- c) from the perspective of interested parties:
  - 1) protecting life, property, and the environment;
  - 2) considering the expectations of interested parties;
  - 3) providing confidence in the organization’s ability to succeed;
- d) from an internal processes perspective:
  - 1) improving its capability to remain effective during disruptions;
  - 2) demonstrating proactive control of risks effectively and efficiently;
  - 3) addressing operational vulnerabilities.
0.3 Plan-Do-Check-Act (PDCA) cycle
This course applies the Plan (establish), Do (implement and operate), Check (monitor and review) and Act (maintain and improve) (PDCA) cycle to implement, maintain and continually improve the effectiveness of an organization’s BCMS.
This ensures a degree of consistency with other management systems standards, such as ISO 9001, ISO 14001, ISO/IEC 20000-1, ISO/IEC 27001, and ISO 28000, thereby supporting consistent and integrated implementation and operation with related management systems.
In accordance with the PDCA cycle, Clauses 4 to 10 cover the following components.
- Clause 4 introduces the requirements necessary to establish the context of the BCMS applicable to the organization, as well as needs, requirements, and scope.
- Clause 5 summarizes the requirements specific to top management’s role in the BCMS, and how leadership articulates its expectations to the organization via a policy statement.
- Clause 6 describes the requirements for establishing strategic objectives and guiding principles for the BCMS as a whole.
- Clause 7 supports BCMS operations related to establishing competence and communication on a recurring/as-needed basis with interested parties while documenting, controlling, maintaining, and retaining required documented information.
- Clause 8 defines business continuity needs, determines how to address them, and develops procedures to manage the organization during a disruption.
- Clause 9 summarizes the requirements necessary to measure business continuity performance, BCMS conformity with this course, and to conduct a management review.
- Clause 10 identifies and acts on BCMS nonconformity and continual improvement through corrective action.
0.5 Contents of this course
This course conforms to ISO’s requirements for management system standards. These requirements include a high-level structure, identical core text, and common terms with core definitions, designed to benefit users implementing multiple ISO management system standards.
This course does not include requirements specific to other management systems, though its elements can be aligned or integrated with those of other management systems.
This course contains requirements that can be used by an organization to implement a BCMS and to assess conformity. An organization that wishes to demonstrate conformity to this course can do so by:
- making a self-determination and self-declaration; or
- seeking confirmation of its conformity by parties having an interest in the organization, such as customers; or
- seeking confirmation of its self-declaration by a party external to the organization; or
- seeking certification/registration of its BCMS by an external organization.
Clauses 1 to 3 in this course set out the scope, normative references, and terms and definitions that apply to the use of this course. Clauses 4 to 10 contain the requirements to be used to assess conformity to this course.
In this course, the following verbal forms are used:
- a) “shall” indicates a requirement;
- b) “should” indicates a recommendation;
- c) “may” indicates permission;
- d) “can” indicates a possibility or a capability.
Information marked as “NOTE” is for guidance in understanding or clarifying the associated requirement. “Notes to entry” used in Clause 3 provide additional information that supplements the terminological data and can contain provisions relating to the use of a term.