What is ISO 22301:2019 Business Continuity Management System?
ISO 22301:2019 is the international standard for Business Continuity Management (BCM). Published by the International Organization for Standardization, ISO 22301 is designed to help organizations prevent, prepare for, respond to and recover from unexpected and disruptive incidents. To do so, the standard provides a practical framework for establishing and managing an effective business continuity management system.
- ISO 22301 is designed to protect, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.
- ISO 22301 aims to safeguard an organization from a wide range of potential threats and disruptions.
- ISO 22301 is designed to protect, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.
- It has been developed to protect companies from the risks associated with downtime due to unexpected disruptions or disasters.
- Your business’s disruption can result in revenue loss; data risk breakdowns, and failure to deliver regular client services per service level agreements (SLAs).
ISO 22301 helps you with
- Operational Resilience
- Emergency Preparedness
- Corporate Governance
- Crisis Management
- disaster recovery
- Supply Chain Security
- Protection of Security
All organizations might be subject to disruptions. This may include
- Technology failure
- Fire
- Flooding
- Utility disruption
- Covid-19 Crisis
The standard is available to any organization, regardless of its size, scope, or complexity, that wishes to manage its overall business risk and develop the capability to plan for and respond to incidents and business disruption.
Quick Navigation
Development of ISO 22301
Two leading associations of experts were created in the 80s and 90s:
- The DRI International (Originally Known as Disaster Recovery Institute)
- The Business Continuity Institute (BCI)
A global standard for business continuity management began in the mid-2000s. The ISO Technical Committee 223, referred to as TC 223 or “Societal Security,” examined the existing BCM standards and created a framework for a global BCM standard. To make the new business continuity standard, ISO adapted content from its current standards, such as ISO 9000 and ISO 14000 series of standards.
However, the proliferation of business continuity standards released between 2000 and 2010 made developing a global standard more difficult for officials. Most European Commission members adopted an existing BCM standard, typically the British Standard, BS 25999, while Japan turned existing banking and finance standards into national standards.
What is ISO 22301 Certification?
ISO 22301 Certification is designed to help organizations prevent, prepare for, respond to and recover from unexpected and disruptive incidents. Whether you need to implement the standard to comply with industry regulations, pursuing ISO 22301 certification can help your organization develop resiliency and improve risk management.
ISO 22301 Certification enables you to respond effectively and promptly based on the procedures that apply before, during, and after the event.
Changes made in ISO 22301 Standard for Business Continuity Management
- The relevant references related to risk appetite in business have been eliminated.
- More focus is put on strengthening and continual improvement of the BCMS.
- The documentation requirements are manually prescribed procedures that have been minimized.
- ‘Business Continuity Strategy’ was replaced by ‘Business Continuity Strategy and Solutions.’
- Business Continuity actions should now include the teams of people within the organization responding to the disruption.
Major benefits to businesses due to the updates in ISO 22301
- Increase in their confidence and ability to continue operations throughout any disruptions.
- It provides protection of business reputation and increased marketability.
- Compliance with legislative requirements.
- It also reduced the higher costs and productivity losses due to disruptions.
- Gain a competitive advantage in the industry.
- Increase in organizational resilience.
What are the benefits of ISO 22301?
Business continuity provides a basis for planning to ensure your long-term survivability following a disruptive event. Your plans need to be clear, concise and tailored to the needs of the business. ISO 22301 identifies the fundamentals of business continuity management and provides a basis for understanding, developing, and implementing business continuity management within your organization.
1) Visible Resilience
An effective BCMS provides evidence to current and potential customers of organizational preparedness for disruption.
3) Protect Organizational Value
A BCMS helps mitigate the negative impact of a disruptive event; this can save the organization significant amounts of money and time.
5) Enhance Cyber Security and IT Failure Resilience
ISO 22301 provides a framework for addressing the broader organizational impact of IT failure. As a result, of Business Continuity Management System is well suited to be integrated with an ISO 27001 information security management system.
2) Competitive Advantage
It is being able to continue to operate during or shortly after a disruption that gives a company a competitive advantage.
4) Peace of Mind
An effectively implemented BCMS gives an organization confidence to move forward, knowing it can manage a disruption..
What are the Clauses of ISO 22301?
1. Scope
The scope section of this standard sets out:
- The purpose of the standard.
- The types of organizations it is designed to apply to.
- The sections of the standard (called Clauses) contain requirements that an organization needs to comply with for the organization to be certified as “Conforming” to it (i.e., being compliant).
2. Normative References
- In ISO 22301, only one document is listed – ISO 22301, Security and Resilience – Vocabulary.
- Some of the terms used or requirements detailed in ISO 22301 are explained further in ISO 22300.
3. Terms and Definitions
There are 31 terms and definitions given,
- Business Continuity.
- Business Continuity Plan.
- Business Impact Analysis.
- Crisis Management Team.
- Maximum Tolerable Period of Disruption (MTPD).
- Minimum Business Continuity Objective (MBCO).
- Recovery Point Objective (RPO).
- Recovery Time Objective (RTO).
4. Context of the Organization
It introduces the requirements necessary to establish the context of the BCMS and its needs, conditions, and scope.
- 4.1 Understanding of the organization and its context.
- 4.2 Understanding the needs and expectations of interested parties.
- 4.3 Determining the scope of the management system.
- 4.4 Business Continuity Management System.
5. Leadership
It summarizes the requirements specific to top management’s role in the BCMS and how leadership articulates its expectations via a policy statement.
- 5.1 General
- 5.2 Management Commitment
- 5.3 Policy
- 5.4 Organizational Roles, Responsibilities, and Authorities
6. Planning
It describes requirements related to establishing strategic and guiding principles for the BCMS as a whole.
- 6.1 Actions to address risk and opportunities.
- 6.2 Business Continuity objectives and plans to achieve them.
7. Support
It supports BCMS operations to establish competence and communication on recurring / as-needed parties while documenting, controlling, maintaining, and retaining required documentation.
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Documented Information
8. Operation
Business Impact Analysis and Risk Assessment
Risk Assessments (RA) and Business Impact Analysis (BIA) are two critical elements of a disaster recovery plan. Both involve assessing disruptive events and using the results to strengthen a disaster recovery strategy, but they are not interchangeable.
Risk Assessments analyze potential threats and their likelihood of happening. Business Impact Analysis is a structured and formal process for determining the priorities for the resumption and continuity of services/business activities following a disruption.
Business Impact Analysis
Preparation and Set-Up: Identify the activities undertaken by each unit/business area.
Dependence Assessment: Identify the resources used by each of the activities under normal operations and access the level of dependency that the action has on a given resource.
Impact Assessment: Assesses the potential business impact of a disruption to business activities, determines the max amount of time that may disrupt the activities before the effect becomes intolerable, and prioritizes the activities for recovery.
Business Continuity Strategies and Resources Requirements: Identify the strategies, Independence, and resource requirements for the continuity of priority activities.
9. Performance Evaluation
It summarizes the requirements necessary to measure business continuity management performance, BCMS compliance with this international standard, and management expectations and seeks feedback from management regarding expectations.
- 9.1 Monitoring, Measurement, Analysis, and Evaluation
- 9.2 Internal Audit
- 9.3 Management Review
10. Improvement
It identifies and acts on BCMS non-conformance through corrective action.
- 10.1 Nonconformity and Corrective Action
- 10.2 Continual Improvement
ISO 22301 Certification in Pakistan
ISO 22301 Certification in Pakistan may suit your organization if you need to demonstrate to stakeholders that your organization can rapidly overcome operational disruption to provide continued and effective service. It helps organizations to prepare for the unexpected. It also acknowledges the ability to secure data backups, minimize significant issues, and minimize the recovery time of critical functions. Getting ISO 22301 Certification in Pakistan will benefit your lot to your organization.
Some benefits are:
- Expand your knowledge on how a BCMS will help you meet business objectives.
- Gain a comprehensive understanding of the concepts, approaches, methods, and techniques used to implement a BCMS.
- Learn how to interpret and implement the requirements of ISO 22301 in the specific context of an organization.
- Understand the operation of the BCMS and its processes based on ISO 22301.
- Acquire the necessary knowledge to support an organization in effectively planning, implementing, managing, monitoring, and continually improving a BCMS.
- Gain the necessary knowledge to manage a team in implementing ISO 22301.
- Increase your customer reliability.
- Identify risks and minimize the impact of incidents.
- Improve your recovery time.
- Achieve International recognition.
What is ISO 22301 Certification Cost?
If your organization has decided they are ready to get ISO certified, there may be much thought around this cost. One of the most common questions we get asked is how much ISO 22301 certification costs. This is a great question, and every company that seeks ISO 22301 certification needs to ask themselves. The return on investment needs to be there to justify getting ISO certified. In most cases, this is a no-brainer as nine times out of 10, a customer requires ISO 22301 certification.
Many factors go into calculating the cost of an audit. These factors typically include on-site audit time, off-site time, certification fees, account maintenance fees, etc.
How to get ISO 22301 Certification?
ISO 22301 Certification provides a basis for planning to ensure your long-term survivability following a disruptive event. Your plans need to be clear, concise and tailored to the needs of the business. Implementing this standard within your organization means preparing for the unexpected. ISO 22301 standard assures that your organization will continue operating without significant impacts and losses.
You can get ISO 22301 certification by following the below steps.
Step 1
Complete a Quote Request Form to understand your company and requirements. You can do that by completing either the quick online quote or the online formal quote request form. We will use this information to define your scope of assessment accurately and provide you with a proposal for certification.
Step 2
Once you’ve agreed to your proposal, we will contact you to book your assessment with the TUV Austria Bureau of Inspection & Certification Assessor. This assessment consists of two mandatory visits that form the Initial Certification Audit. Please note that you must be able to demonstrate that your management system has been fully operational for a minimum of three months and has been subject to a management review and an entire cycle of internal audits.
Step 3
Following a successful two-stage audit, a certification decision is made, and if positive, then certification of ISO 22301 is issued by the TUV Austria Bureau of Inspection & Certification. You will receive both hard and soft copies of the certificate. Certification is valid for three years and is maintained through annual surveillance audits and a three-year recertification audit.
Why Choose Us?
This standard may suit your organization if you need to demonstrate to stakeholders that your organization can rapidly overcome operational disruption to provide continued and effective service.
Getting ISO 22301 certified requires an investment of time and resources — you must familiarize yourself with the ISO 22301 standard, implement your Business Continuity Management system and undergo auditing by an accredited certification body like the TUV Austria Bureau of Inspection & Certification. However, the benefits of ISO 22301 certification make the investment worthwhile in most cases.
At TUV Austria Bureau of Inspection & Certification, we work hard to provide value for every investment. We offer competitive and transparent rates and access to world-class technical support. We provide comprehensive services to businesses that need ISO certifications, including:
- ISO 9001 – Quality Management System
- ISO 14001 – Environmental Management System
- ISO 45001 – Occupational Health & Safety Management System
- ISO 55001 – Asset Management — Management Systems Requirements
- ISO 27001 – Information Security Management System
- ISO 20000 – IT Service Management System
- ISO 22000 – Food Safety Management System
- HACCP – Food Safety Management System
- Halal Certification
- ISO 21001 – Educational Organizations Management System
- ISO 29990 – Learning Services Management System
- ISO 20121 – Sustainability Event Management System
- ISO 37001 – Anti-Bribery Management System
- ISO 28000 – Supply Chain Security Management System
- ISO 13485 – Quality Management Systems for Medical Devices
- ISO 39001 – Road Traffic Safety Management System
- ISO 31000 – Risk Management – Guidelines
- ISO 22716 – Good Manufacturing Practices for Cosmetics
FAQS
What is Business Continuity Management?
A Business Continuity Management is a framework for organizations to update, control, and deploy an effective BCM program that helps them prepare for, respond to and recover from disruptive incidents.
Implementing a BCMS includes:
- Developing business continuity plans.
- Taking into account organizational contingencies and capabilities.
- The organization’s individual business needs.
A BCMS helps organizations cope with incidents affecting all business-critical processes and activities, from the failure of a single server to the complete loss of a significant facility. Your organization is prepared to detect and prevent threats with a Business Continuity Management System.