No one knows what the future holds, and uncertainty is part of life, especially when it comes to business. However, you can be prepared by identifying potential threats to your business and implementing the ISO 22301 standard for a Business Continuity Management System (BCMS).
A BCMS helps to reduce or eliminate the potential negative effects of a disruptive incident, such as a fire, flood, cyber-attack or even a loss of services. In real terms this could save the business a significant amount of time and money, and protect customer retention and reputation.
In this blog, we are going to look at 10 steps to implement a Business Continuity Management System and prepare for ISO 22301 certification. Don’t worry if you’re not planning on certifying; you can still use these steps to help your implementation.
Step 1 – Project Implementation
Before starting to prepare for ISO 22301 certification, it’s important to do the following for a successful implementation:
Ensure management buy-in – Without the support of senior management, this project to achieve ISO 22301 certification will never gain momentum. They need to give their full support by providing resources and being a visible part of the process.
Buy a copy of the ISO 22301 standard – You can buy this from the ISO website or use a tool such as CertiKit’s ISO 22301 Enhanced Gap Assessment Tool to ensure you are complying with the exact requirements of the standard.
Perform an initial gap assessment – This will allow you to see what is already in place and what is missing, so you can plan the project accordingly.
Communicate to staff – Change can be a difficult thing within a business, especially if it is a mature business. So, an overview programme to introduce all the staff to the BCMS, why it is being implemented, the benefits of it and their potential roles within it, is essential to gain their support.
Step 2 – Scope, context and interested parties
Next, you will need to identify what areas of the business are covered by the BCMS. The scope of the management system covers:
Boundaries of the physical site, or sites that are to be included if situated in different geographical areas.
Internal and external employee groups.
Critical activities, internal and external processes, products, or services.
Key interfaces at the boundaries of the defined scope.
You will also need to identify your interested parties. These are anyone who could be affected by the activation of your Business Continuity Plans (BCPs). Interested parties will be identified as you go through the process of identifying your internal and external issues. In general these would include:
Customers
Shareholders
Employees
Suppliers
General public, etc.
You should also identify any legal and regulatory requirements that apply to your business’s products or services and keep these up to date.
Once this has been done it must be documented. All the information identified during this process must be maintained within a file, or part of the BCMS manual as applicable.
Step 3 – BCMS policy, roles, and responsibilities
An important aspect is to establish and document a Business Continuity Policy. The Policy needs to be aligned to the business’s strategic direction and reflect that the BCMS is integrated into the processes within the business, supported and adequately resourced.
The ISO 22301 standard stipulates several requirements for the content of the policy. The policy must:
Be appropriate for the purpose of the business
Provide a framework for setting business continuity objectives
Include commitments to:
Satisfy applicable requirements
Continually improve the BCMS
Communicate within the business
Make available to those identified interested parties as appropriate
For the BCMS to be effective it must have people who are responsible for it. The business will need to identify staff members and assign responsibilities within their roles. These staff members will be responsible for the following:
Ensure that the BCMS conforms to the requirements of the ISO 22301 standard
Report on the performance of the BCMS to senior management
The BCMS must have a clear organisational structure, and this can be linked to a responsibility matrix.
Within the standard, a strong emphasis is placed upon the responsibility of senior management. An auditor will expect to see an active involvement from the senior management, not just during implementation, but throughout the lifetime of the Business Continuity Management System.
Step 4 – BCMS risks, opportunities, and business continuity objectives
During the planning of the BCMS, the business needs to take into consideration the risks and opportunities identified during the scoping of the BCMS, including those relating to interested parties. The business will need to identify which risks and opportunities need to be addressed to ensure that the BCMS can:
Provide assurance to achieve its intended outcomes
Mitigate or reduce potential undesired effects
Achieve continual improvement
In order to do this, the business must define a risk process. There are many risk processes available, so evaluate some of these to find the one that works for your business model.
This is also the time to look towards identifying and setting business continuity objectives. These objectives need to be established at relevant functions and levels within the business and can be at a senior management or departmental level. These objectives must be:
In line with the Business Continuity Policy
SMART (Specific, Measurable, Attainable, Relevant and Time-bound)
Communicated within the business and to interested parties as required
Monitored and updated or amended as necessary
The planning of objectives must include how they will be achieved. So, before finalising objectives, ensure that there is a clear statement on:
What needs to be done
Resources required
Who is responsible for the objective(s)
Period of time for the completion or achievement of the objective
How it will be measured and evaluated
As new ‘threats’ are identified, there will inevitably be changes required to the BCMS. It is important to identify how changes to the BCMS are to be carried out, implemented, and tested in a planned manner. Things to consider are:
Purpose of the change and potential impact
Integrity of the BCMS
Resources available to implement and maintain the change
Any reallocation of responsibilities and authorities
Step 5 – BCMS support
In order for the BCMS to run effectively and achieve its desired outcomes, there must be the right people with the right skillsets in the right roles. The ISO 22301 standard requires that the business has identified roles, associated responsibilities and competency levels for staff involved in the BCMS.
The business must also ensure that the equipment or infrastructure needed to support the BCMS is capable and in sufficient supply. You may identify staff for roles who do not yet have the skills or competencies required for that role. A training programme should be set up to develop those staff members. This will need to be documented, as an auditor may want to see evidence of it.
There is a requirement to put into place an awareness programme for all staff, not just BCMS staff. As mentioned at the start of this blog, managing change will require staff to be aware of the reasons for and benefits of ISO 22301 certification. However, as the BCMS matures, and for new staff joining, continued awareness training is required, especially if changes are being made that could affect them or their actions during an incident.
To ensure that processes and plans in your BCMS work effectively they will need to be communicated across the business to the relevant areas and people.
A communication plan can be defined which would include:
What needs to be communicated
When it needs to be communicated
To whom it needs to be communicated
What are the processes for communication
Who is responsible for communication
Much of this information may be contained in your processes or BCPs, and this should satisfy an auditor. However, if it is not, then it needs to be documented in the form of a table or procedure.
Step 6 – Documented information
Talking about documenting information brings us nicely onto documented information within the BCMS. You should have a clear procedure for the creation, numbering, review, updating, archiving and eventual destruction of all documented information within the BCMS.
It is a good idea to identify one person or a small team who will be responsible for ensuring that document control is maintained. They would ensure that new or modified documents are maintained as required, reviewed prior to issue, and more importantly stored in the right locations. They would also be responsible for ensuring that superseded documents are removed from circulation and version control.
Documented information pertains to all processes, procedures, plans, forms, and reports that are associated with the BCMS. These can be in almost any form, for example paper, electronic documents, JPEG images, etc. However, they must all follow the numbering system defined in your documented information procedure.
It can be difficult to know where to start with creating documentation for your BCMS, which is where the ISO 22301 toolkit can help, as it is designed to provide you with all of the documents and tools needed to prepare for ISO 22301 certification.
Step 7 – Operational
Now that all the planning, risk and opportunity assessments and documented information required by the ISO 22301 standard have been completed, you can ensure that the processes and actions identified to address the risks and opportunities are implemented and controlled.
To ensure the effectiveness of the BCMS, the processes should include:
Documenting ‘business as usual’ activities
Identifying the business continuity risks that are relevant to each product or service
Communicating the set of activities needed to manage the associated business continuity risks
Defining and assigning responsibilities for staff carrying out related activities
Allocating the identified resources to enable related activities to take place as required
A programme of assessments to check that each process is followed consistently and remains effective in managing the identified business continuity risks
You now need to carry out a Business Impact Assessment (BIA). The ISO 22301 standard requires those who wish to be certified to implement and maintain a process for analysing business impact and assessing the risk of disruption to key activities.
This is a useful exercise as the results will enable the business to determine the appropriate strategy and solutions needed to respond to a disruptive incident.
The outcome of the BIA will allow the business to determine the correct business continuity strategy and identify the resources required to respond and manage disruptive incidents until operations can resume as normal.
Associated documented information to support the strategy is then produced. This includes Business Continuity Plans (BCPs) and procedures. BCPs can be separated into business-wide and departmental plans. The BCPs will have associated procedures referenced from them, all of them created in line with the documented information procedure mentioned in step 6.
Once all the documented BCPs and procedures have been produced, they must be tested. A programme of business continuity exercises must be established. Before certification, at least a few of your BCPs and procedures must be practised. Any changes must be properly documented and the related documented information updated.
This gives the business time to assess the effectiveness of the incident response procedures and amend and update them as necessary. It will also allow the business to check that the response resources are adequate or decide if they need additional resources to ensure the procedure can achieve its expected outcome(s).
Step 8 – Performance review
An important step prior to ISO 22301 certification is to check that the BCMS is effective and can achieve its intended outcomes. This is done through completing some of the programmed exercise events, reviewing the documentation, internal audits, and management review meetings.
Throughout the lifetime of your management system, you will need to carry out internal audits, as this is a requirement of the certification audit. These can be conducted by your own staff or outsourced to an ISO internal auditor. If you decide to have your own auditors, then you will require at least two, because an auditor cannot audit themselves. If conducting audits internally, staff will need to attend a course on how to audit against the required standard; this will give them a good working knowledge of the ISO 22301 standard. They don’t need to be experts in every aspect of your business, but they will be expected to be able to identify, through the evidence provided, whether the requirements of the BCMS are being met.
Internal audits should cover all areas of the BCMS scope over a 12-month period. Results of the internal audits are one of the inputs to the management review meeting.
BCMS objectives are another area that will be reviewed. Doing the management review biannually will allow senior management to assess whether the objectives are on target to achieve their intended outcome. If they aren’t, there is still time before the next review to amend them, change the way they are being implemented or remove them.
An internal audit could bring up nonconformities. These are areas that either partially comply or don’t comply with a requirement of the standard, a business procedure or a regulatory requirement. These need to be reviewed along with any corrective actions that were agreed to be put in place. This can lead to opportunities for improvement to the BCMS. These should be documented and can be implemented either as per the change procedure or as a new objective.
Step 9 – Update gap assessment plans and actions
The end of the beginning is in sight! Having completed the management review meeting you should be well placed to decide if all is ready for certification. To help do this we suggest reviewing your initial gap assessment to check that all the noncompliant and partially compliant areas have been checked off. Any that are still outstanding need to be addressed before certification.
Allocate a person or persons to be responsible for closing all outstanding actions. Don’t forget to set realistic timelines for their closure and allow for assessment of the fix.
Take a final check of the ISO 22301 implementation plan and update it as necessary.
Step 10 – Plan your certification needs
Now it’s time to book in your ISO 22301 certification. If you haven’t already got a certification body in mind, now is the time to do some research to find a suitable Registered Certification Body (RCB). These are the people who will audit you against the requirements of the standard and can award you certification.
During your research, get quotes and timelines from the potential RCBs. Although they all serve the same purpose, they all have different costings, so shop around. The most expensive may not be the best choice. Our blog on choosing a Registered Certification Body will help you decide how to pick the most suitable RCB for your certification.
Leave enough time before the certification audit to do a pre-certification internal audit. This is a final sweep to pick up any overlooked areas and to satisfy yourself that everything is in place.
A final thought
Any management system takes time to implement and embed. Don’t expect to gain ISO 22301 certification within a few months of starting implementation, otherwise you are setting yourself up to have a BCMS that will not fulfil its reason for being implemented. Allow 6-12 months to fully implement and embed the BCMS. At the end of the day a well implemented and embedded BCMS will save you time, money and allow you to recover from an incident quickly and efficiently.