ISO 22301 Societal Security – Business Continuity Management Systems
CAW Consultancy Business Solutions Ltd

Uploaded by: craig-willetts
Posted on 21-Jan-2017

TRANSCRIPT

Page 1: Iso 22301

Copyrighted by CAW Consultancy Business Solutions Ltd

ISO 22301 Societal Security – Business Continuity Management Systems
CAW CONSULTANCY BUSINESS SOLUTIONS LTD

Page 2: Iso 22301

Contents

Introduction
Comparison between ISO 22301 and BS 25999-2
Basic terms used in the standard
Content of ISO 22301
ISO 22301 explained
Mandatory documentation
Related standards
Societal security context
Projects under development
Benefits of ISO 22301 business continuity management

Page 3: Iso 22301

Introduction

The full name of the standard is:

“ISO 22301 Societal security – Business continuity management systems – Requirements”

The standard was developed by leading experts in this area to deliver the best framework for business continuity management in an organisation.

Objective: ISO 22301:2012 specifies requirements to plan, establish, operate, monitor, implement, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise.

Scope: The requirements identified in ISO 22301:2012 are generic and intended to be applicable to all organisations, or parts thereof, regardless of the type, size and nature of the organisation. The extent to which these requirements apply depends on the organisation’s operating environment and complexity.

Who can implement this standard? Any organisation, for-profit or non-profit, big or small, private or public. The standard is formulated in such a way that it is applicable to any size or type of organisation.

Page 4: Iso 22301

Comparison between ISO 22301 and BS 25999-2

ISO 22301 has replaced BS 25999-2. These are quite similar standards, but ISO 22301 is generally regarded as an update.

Comparison table: ISO 22301 vs BS 25999-2

Complete name
  ISO 22301: ISO 22301:2012 Societal security – Business continuity management systems – Requirements
  BS 25999-2: BS 25999-2 Business Continuity Management – Part 2: Specification

Published by
  ISO 22301: International Organisation for Standardisation
  BS 25999-2: British Standards Institution

Published date
  ISO 22301: 15/05/2012
  BS 25999-2: 20/11/2007

Total number of pages (minimum)
  ISO 22301: 24
  BS 25999-2: 28

Official recognition
  ISO 22301: Internationally accepted by standards institutes in 163 countries
  BS 25999-2: Accepted only in the United Kingdom, but implemented worldwide

Page 5: Iso 22301

Comparison between ISO 22301 and BS 25999-2 (continuation)

ISO 22301 is not that different from BS 25999-2 in most business continuity sections, such as business impact analysis, strategy or planning; the greatest changes are in the management areas of the standard.

ISO 22301 places particular emphasis on understanding requirements, setting objectives and measuring performance. It will therefore be more easily accepted by top management. In turn this will contribute to widespread adoption of the standard, as has happened with ISO 27001, ISO 9001 and ISO 14001.

Page 6: Iso 22301

Basic terms used within the standard

Business Continuity Management System (BCMS) – part of an overall management system that ensures business continuity is planned, implemented, maintained, and continually improved

Maximum Acceptable Outage (MAO) – the maximum amount of time an activity can be disrupted without incurring unacceptable damage (also Maximum Tolerable Period of Disruption – MTPD)

Recovery Time Objective (RTO) – the specified time by which an activity must be resumed, or resources must be recovered

Recovery Point Objective (RPO) – the maximum acceptable data loss, i.e., the minimum amount of data that must be restored

Minimum Business Continuity Objective (MBCO) – the minimum level of services or products an organisation needs to produce after resuming its business operations.
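As an added example that is not part of the original slides, the following Python check applies the relationships implied by these definitions to a constructed business impact analysis register: an activity's RTO must not exceed its MAO/MTPD, the worst-case data loss (one backup interval) must not exceed its RPO, and the recovery strategy must restore at least the MBCO. The activity names, the backup-interval and recovered-capacity fields, and every figure are assumptions.

```python
# Consistency checks on a business impact analysis (BIA) register, using the
# MAO/MTPD, RTO, RPO and MBCO terms defined above. Added example, not from the
# slides. Assumed (not in the slides): times are in hours, each activity records
# how often its data is actually backed up, and MBCO / recovered capacity are
# fractions of normal output. All figures below are constructed sample data.
from dataclasses import dataclass


@dataclass
class Activity:
    name: str
    mao_h: float                # Maximum Acceptable Outage (MTPD)
    rto_h: float                # Recovery Time Objective
    rpo_h: float                # Recovery Point Objective (tolerable data loss)
    backup_every_h: float       # actual backup interval for the activity's data
    mbco: float                 # Minimum Business Continuity Objective
    recovered_capacity: float   # output the recovery strategy restores at RTO


def check_activity(a: Activity) -> list[str]:
    """Return findings for one activity; an empty list means it is consistent."""
    findings = []
    # Resumption at the RTO must happen before the outage becomes unacceptable.
    if a.rto_h > a.mao_h:
        findings.append(f"{a.name}: RTO {a.rto_h}h exceeds MAO {a.mao_h}h")
    # Worst-case data loss is one backup interval, which must not exceed the RPO.
    if a.backup_every_h > a.rpo_h:
        findings.append(f"{a.name}: backup interval {a.backup_every_h}h exceeds RPO {a.rpo_h}h")
    # The strategy must restore at least the MBCO when the activity resumes.
    if a.recovered_capacity < a.mbco:
        findings.append(f"{a.name}: recovered capacity {a.recovered_capacity:.0%} below MBCO {a.mbco:.0%}")
    return findings


def check_register(register: list[Activity]) -> dict[str, list[str]]:
    """Map each inconsistent activity's name to its findings."""
    return {a.name: f for a in register if (f := check_activity(a))}


# Constructed sample register: one consistent activity and two with gaps.
SAMPLE_REGISTER = [
    Activity("Order processing", 8, 4, 1, 0.5, 0.6, 0.75),
    Activity("Payroll", 72, 96, 24, 24, 1.0, 1.0),
    Activity("Customer portal", 24, 12, 0.25, 4, 0.5, 0.4),
]

if __name__ == "__main__":
    for findings in check_register(SAMPLE_REGISTER).values():
        print("\n".join(findings))
```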

Page 7: Iso 22301

Content of ISO 22301

Introduction
0.1 General
0.2 The Plan-Do-Check-Act (PDCA) model
0.3 Components of PDCA in this International Standard

1. Scope

2. Normative references

3. Terms and definitions

4. Context of the organisation
4.1 Understanding of the organisation and its context
4.2 Understanding the needs and expectations of the interested parties
4.3 Determining the scope of the management system
4.4 Business continuity management system

5. Leadership
5.1 General
5.2 Management commitment
5.3 Policy
5.4 Organisational roles, responsibilities and authorities

6. Planning
6.1 Actions to address risks and opportunities
6.2 Business continuity objectives and plans to achieve them

7. Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information

8. Operation
8.1 Operational planning and control
8.2 Business impact analysis and risk assessment
8.3 Business continuity strategy
8.4 Establish and implement business continuity procedures
8.5 Exercising and testing

9. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review

10. Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement

Bibliography

Page 8: Iso 22301

ISO 22301 explained

ISO 22301 is the second published management system standard to adopt the new high-level structure and standardised text agreed in ISO.

This will ensure consistency with all future and revised management system standards and make integrated use easier, for example with ISO 9001 (quality), ISO 14001 (environmental) and ISO/IEC 27001 (information security).

The standard is divided into main clauses, starting with scope, normative references, and terms and definitions. Following these are the standard’s requirements.

Page 9: Iso 22301

ISO 22301 explained

Clause 4 – Context of the organisation

The first step involves an understanding of the organisation, both the internal and external needs, and setting clear guidelines for the scope of the management system. In particular, this requires the organisation to understand the obligations of the relevant interested parties, such as regulators, customers and staff. It must in particular understand the appropriate legal and regulatory requirements. This enables it to determine the scope of the business continuity management system (BCMS).

Clause 5 – Leadership

ISO 22301 places specific emphasis on the need for suitable leadership of BCM. This is so that top management ensures appropriate resources are provided, establishes policy and appoints people to implement and maintain the BCMS.

Clause 6 – Planning

This requires the organisation to identify risks to the implementation of the management system and set clear objectives, goals and criteria that can be used to measure its success.

Page 10: Iso 22301

ISO 22301 explained

Clause 7 – Support

Resources are required for implementation, and Clause 7 introduces the important concept of competence. For business continuity to be successful, people with appropriate knowledge, skills and experience must be in place both to support the BCMS and to respond to incidents when they occur. It is also essential that all staff are aware of their own role in reacting to incidents, and this clause deals with all of these areas. The need for communication about the BCMS – for instance in telling customers that the organisation has suitable BCM in place – and preparedness to communicate following an incident (when normal channels may be disrupted) is also covered here.

Clause 8 – Operations

This section contains the main body of business continuity-specific expertise. The organisation must undertake business impact analysis to understand how its business is affected by disruption and how this changes over time. Risk assessment seeks to understand the risks to the business in a structured way, and these two activities inform the development of the business continuity strategy. Steps to avoid or reduce the likelihood of incidents are developed alongside a guideline of steps to be taken when incidents occur. As it is impossible to predict and prevent all incidents completely, the approach of balancing risk reduction with planning for all eventualities is complementary. It might be said: “hope for the best, plan for the worst”.

Page 11: Iso 22301

ISO 22301 explained

Clause 9 – Evaluation

For any management system, it is crucial to evaluate performance against plan. ISO 22301 therefore involves the organisation selecting and measuring itself against appropriate performance metrics. Internal audits must be carried out and there is a requirement that management review the BCMS and act upon these reviews.

Clause 10 – Improvement

No management system is perfect initially, and organisations and their environments are constantly changing. Clause 10 defines the actions to take to improve the BCMS over time and to confirm that corrective actions arising from audits, reviews, exercises and so on are addressed.

Page 12: Iso 22301

Mandatory documentation

If an organisation wants to implement this standard, the following documentation is mandatory:

List of applicable legal, regulatory and other requirements
Scope of the BCMS
Business Continuity Policy
Business continuity objectives
Evidence of personnel competences
Records of communication with interested parties
Business impact analysis
Risk assessment, including risk appetite
Incident response structure
Business continuity plan
Recovery procedures
Results of preventative actions
Results of monitoring and measurement
Results of internal audit
Results of management review
Results of corrective actions

Page 13: Iso 22301

Related standards

Other standards that are helpful in the implementation of business continuity are:

ISO/IEC 27031 – Guidelines for information and communication technology readiness for business continuity
PAS 200 – Crisis management – guidance and good practice
PD 25666 – Guidance on exercising and testing for continuity and contingency programs
PD 25111 – Guidance on human aspects of business continuity
ISO/IEC 24762 – Guidelines for information and communications technology disaster recovery services
ISO/PAS 22399 – Guidelines for incident preparedness and operational continuity management
ISO/IEC 27001 – Information security management systems – Requirements

Page 14: Iso 22301

Societal security context

ISO 22301 has been developed by ISO/TC 223, Societal security.

The committee has previously published the following standards and other documents:

ISO 22300:2012, Societal security – Terminology
ISO 22300:2012, Societal security – Emergency management – Requirements for incident response
ISO/TR 22312:2011, Societal security – Technological capabilities
ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management

Page 15: Iso 22301

Projects under development

ISO 22311, Societal security – Video-surveillance – Export interoperability
ISO 22313, Societal security – Business continuity management systems – Guidance
ISO 22315, Societal security – Mass evacuation
ISO 22322, Societal security – Emergency management – Public warning
ISO 22323, Organisational resilience management systems – Requirements with guidance for use
ISO 22325, Societal security – Guidelines for emergency capability assessment for organisations
ISO 22351, Societal security – Emergency management – Shared situation awareness
ISO 22397, Societal security – Public Private Partnership – Guidelines to set up partnership agreements
ISO 22398, Societal security – Guidelines for exercising and testing
ISO 22324, Societal security – Emergency management – Color-coded alert

Page 16: Iso 22301

The benefits of ISO 22301 business continuity management

What are the benefits of ISO 22301 business continuity management?

Identify and manage current and future threats to your business
Take a proactive approach to minimising the impact of incidents
Keep critical sections of the business up and running during times of crisis
Minimise interruption during incidents and improve recovery time
Demonstrate resilience to customers, suppliers and in tender requests

Page 17: Iso 22301

Do you have any questions?

Thank you for listening

Get in touch now on 07427535662 or email [email protected]