Guide to Understanding ISO 22301: Management system requirements for Business Continuity

  • 06 Apr 2021

As business continuity management practitioners know well, the business continuity plan (BCP), so essential to the task of identifying, quantifying, and minimizing potential business interruptions and risks, is the cornerstone of any best-practice business continuity program. To quantify its importance: three in every four organizations without a business continuity plan fail within three years of a disaster.

As dispositive as those numbers are, there is still an element missing. Companies that have developed BCPs and disaster recovery plans are not out of the woods. Having a BCP during the prevention and preparedness phases is one thing; but it is executing on that plan promptly once a disaster has taken place that is the key business survival factor.

To that end, developing an overall management system that establishes, implements, operates, monitors, reviews, maintains, and improves business continuity provides better resilience outcomes, by reinforcing the importance of implementing and operating controls and measures for managing an organization’s overall capability to handle disruptive incidents. The question the guide asks is how to build a best-practice business continuity management system?

The answer comes courtesy of the business continuity management standards available on the market today. Foremost among those standards is International Standard Organization (ISO) 22301. ISO 22301 is the sole, high-level, international business continuity management standard.

The guide gives readers a deep dive into the standard, revealing its genesis in British standard BS 25999 and before that, Publicly Available Specification 56 (PAS56). From there, the guide lays out the relevant sections and clauses of the standard, including the following:

  • Context of the organization
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement

Besides an explication of what is included in ISO 22301, the guide also offers comment on the business impact analysis process. For businesses implementing ISO 22301, the guide counsels business process owners to engage with the risk analysis part of the business impact analysis, rather than having it shunted to the side

Download the full guide below. 


More on