Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

Ten Steps to ISO 22301 Certification

No one knows what the future holds, and uncertainty is part of life, especially when it comes to business. However, you can be prepared by identifying potential threats to your business by implementing the ISO 22301 standard for a Business Continuity Management System (BCMS).

A BCMS helps to reduce or eliminate the potential negative effects of a disruptive incident, such as a fire, flood, cyber-attack or even a loss of services. In real terms this could save the business a significant amount of time, money, customer retention and reputational impact.

In this blog, we are going to look at 10 steps to implement a Business Continuity Management System and prepare for ISO 22301 certification. Don’t worry if you’re not planning on certifying you can still use these steps to help your implementation.

10 steps to ISO 22301 Certification blog graphic

Step 1 – Project Implementation

Before starting to prepare for ISO 22301 certification, it’s important to do the following for a successful implementation:

  • Ensure management buy-in – Without the support of senior management, this project to achieve ISO 22301 certification will never gain momentum. They need to fully support by providing resources and be a visible part of the process.
  • Buy a copy of the ISO 22301 standard – You can buy this from the ISO website or use a tool such as CertiKit’s ISO22301 Enhanced Gap Assessment Tool to ensure you are complying to the exact requirements of the standard.
  • Perform an initial gap assessment – This will allow you see what is already in place and what is missing, so you can plan the project accordingly.
  • Communicate to staff – Change can be a difficult thing within a business, especially if it is a mature business. So, an overview programme to introduce all the staff to the BCMS, why it is being implemented, the benefits of it and their potential roles within it, is essential to gain their support.

Step 2 - Scope, context and interested parties

Next, you will need to identify what areas of the business are covered by the BCMS. The scope of the management system covers:

  • Boundaries of the physical site, or sites that are to be included if situated in different geographical areas.
  • Internal and external employee groups.
  • Critical activities, internal and external processes, products, or services.
  • Key interfaces at the boundaries of the defined scope.

You will also need to identify your interested parties. These are anyone who could be affected by the activation of your Business Continuity Plans (BCP). Interested parties will be identified as you go through your process of identifying your internal and external issues.  In general these would include:

  • Customers
  • Shareholders
  • Employees
  • Suppliers
  • General public, etc

You should also identify any legal and regulatory requirements required to your business’s products or services and keep these up to date.

Once this has been done it must be documented. All the information identified during this process must be maintained within a file, or part of the BCMS manual as applicable.

Step 3 - BCMS policy, roles, and responsibilities

An important aspect is to establish and document a Business Continuity Policy.  The Policy needs to be aligned to the business’s strategic direction and reflect that the BCMS is integrated into the processes within the business, supported and adequately resourced.

There are several stipulations within the ISO 22301 standard that are required for the content of the policy. These are:

  • Be appropriate for the purpose of the business
  • Provide a framework for setting business continuity objectives
  • Include commitments to:
    • Satisfy applicable requirements
    • Continually improve the BCMS
    • Communicate within the business
    • Make available to those identified interested parties as appropriate

For the BCMS to be effective it must have people who will be responsible for it. The business will need to identify and assign responsibilities to those staff members within their roles.  These staff members will be responsible to:

  • Ensure that the BCMS conforms to the requirements of the ISO 22301 standard
  • Report on the performance of the BCMS to senior management

The BCMS must have a clear organizational structure, and this can be linked to a responsibility matrix.

Within the standard, a strong emphasis is placed upon the responsibility of senior management.  An auditor will expect to see an active involvement from the senior management, not just during implementation, but throughout the lifetime of the Business Continuity Management System.

Step 4 - BCMS Risk, opportunities, and business continuity objectives

During the planning of the BCMS the business needs to take into consideration risks and opportunities that were identified during the scoping of the BCMS. These include interested parties.  The business will need to identify which risks and opportunities need to be addressed to ensure that the BCMS can:

  • Provide assurance to achieve its intended outcomes
  • Mitigate or reduce potential undesired effects
  • Achieve continual improvement

In order to do this, the business must define a risk process. There are many risk processes out there, so evaluate some of these to find the one that works for your business model.

This is also the time to look towards identifying and setting business continuity objectives.  These objectives need to be established at relevant functions and levels within the business and can be at a senior management or departmental level.  These objectives must be:

  • In line with the Business Continuity Policy
  • SMART (Specific, Measurable, Attainable, Relevant and Time bound)
  • Communicated within the business and to interested parties as required
  • Monitored and updated or amended as necessary

The planning of objectives must include how they will be achieved. So before finalising objectives ensure that there is a clear statement on:

  • What needs to be done
  • Resources required
  • Who is responsible for the objective(s)
  • Period of time for the completion or achievement of the objective
  • How it will be measured and evaluated

As new ‘threats’ are identified, there will inevitably be changes required to the BCMS. It is important to identify how changes to the BCMS are to be carried out, implemented, and tested in a planned manner. Things to consider are:

  • Purpose of the change and potential impact
  • Integrity of the BCMS
  • Resources available to implement and maintain the change
  • Any reallocation of responsibilities and authorities

Step 5 – BCMS support

In order for the BCMS to run effectively and achieve its desired outcomes, there must be the right people with the right skillsets in the right roles.  The ISO22301 standard requires that the business has identified roles, associated responsibilities and competency levels for staff involved within the BCMS. The business must also ensure that the equipment or infrastructure needed to support the BCMS is capable and in sufficient supply. You may identify staff for roles, but don’t have the necessary skills or competencies identified for that role. A training programme should be setup to develop those staff members.  This will need to be documented as an auditor may want to see evidence of this.

There is a requirement to put into place an awareness programme for all staff, not just BCMS staff. As mentioned at the start of this blog, managing change will require staff being aware of the reasons and benefits of ISO 22301 Certification. However, as the BCMS matures, and for new staff joining, continued awareness training is required, especially if there are changes being made that could affect them, or their actions during an incident.

To ensure that processes and plans in your BCMS work effectively they will need to be communicated across the business to the relevant areas and people.

A communication plan can be defined which would include:

  • What needs to be communicated
  • When it needs to be communicated
  • To whom it needs to be communicated
  • What are the processes for communication
  • Who is responsible for communication

Much of this information may be contained in your processes or BCPs and this should satisfy an auditor. However, if they are not, then these need to be documented in the form of a table or procedure.

Step 6 - Documented information

Talking about documenting information brings us nicely onto documented information within the BCMS.  You should have a clear procedure for the creation, numbering, reviewing, updating, archiving and eventual destruction of all documented information within the BCMS.

It is a good idea to identify one person or a small team who will be responsible for ensuring that document control is maintained. They would ensure that new or modified documents are maintained as required, reviewed prior to issue, and more importantly stored in the right locations.  They would also be responsible for ensuring that superseded documents are removed from circulation and version control.

Documented information pertains to all processes, procedures, plans, forms, and reports that are associated to the BCMS. These can be in pretty much any form, for example, paper, electronic, jpeg etc. However, they must all follow the numbering system as defined in your documented information procedure.

It can be difficult to know where to start with creating documentation for your BCMS, which is where the ISO22301 toolkit can help as it is designed to provide you with all of the documents and tools needed to prepare for ISO 22301 certification.

Step 7 – Operational

Now that all the planning, risk and opportunity assessments and documented information required by the ISO22301 standard has been completed, you can now ensure the processes and actions identified to address the risks and opportunities are implemented and controlled.

The processes to ensure the effectiveness of the BCMS should be:

  • Created by documenting ‘business as usual’ activities
  • Identified business continuity risks that are relevant for each product or service
  • Communication of the set of activities that are needed to manage the associated business continuity risks
  • Defined assigned responsibilities for staff carrying out related activities
  • Allocated identified resources to enable related activities to take place as required
  • A programme of assessments to ensure consistency that each process is followed and its continued effectiveness to managing identified business continuity risks

You now need to carry out a Business Impact Assessment (BIA). The ISO22301 standard requires those who wish to be certified to implement and maintain a process for analysing business impact and assess the risk of disruption to its key activities.

This is a useful exercise as the results will enable the business to determine the appropriate strategy and solutions needed to respond to a disruptive incident.

The outcome of the BIA will allow the business to determine the correct business continuity strategy and identify the resources required to respond and manage disruptive incidents until operations can resume as normal.

Associated documented information to support the strategy are then produced. These include Business Continuity Plans (BCPs) and Procedures. BCPs can be separated out to business wide and departmental. The BCPs will have associated procedures referenced from them, all of them being created in line with the Documented Information procedure as mentioned in step 6.

Once all the documented BCPs and procedures have been produced they must be tested. A programme of business continuity exercises must be established. Before certification at least a few of your BCPs and procedures must be practiced. Any changes properly documented, and related documented information updated.

This gives the business time to assess the effectiveness of the incident response procedures and amend and update them as necessary. It will also allow the business to check that the response resources are adequate or decide if they need additional resources to ensure the procedure can achieve its expected outcome(s).

Step 8 - Performance Review

An important step prior to ISO 22301 certification is to check that the BCMS is effective and can achieve its intended outcomes.  This is done through completing some of the programmed exercise events, reviewing the documentation, internal audits, and management review meetings.

Throughout the lifetime of your management system, you will need to carry out internal audits as this is a requirement of the certification audit. This can be conducted by your own staff or outsourced to an ISO Internal Auditor. If you decide to have your own auditors, then you will require at least two. This is because an auditor cannot audit themselves. If conducting internally, staff will need to attend a course on how to conduct an audit on the required standard, this will give them a good working knowledge of the ISO22301 standard.  They don’t need to be experts in every aspect of your business, but will be expected to be able to identify, through provided evidence, if the requirements of the BCMS are being met.

Internal audits should cover all areas of the BCMS scope over a 12-month period. Results of the internal audits are one of the inputs to the management review meeting.

For a business that has just been certified, the management review meeting should be conducted at least twice a year. Within the standard itself there is a list of the required areas to be reviewed, internal audit results being one of them. Minutes of the management review must be kept as this is part of the evidence an auditor will review to ensure that you are compliant in that area of the standard.

Any nonconformities must be followed up to check that corrective actions agreed have been implemented and whether they have achieved their intended solutions.

BCMS objectives is another area that will be reviewed.  Doing the management review biannually will allow senior management to assess if the objectives are on target to achieve their intended outcome. If they aren’t there is still time before the next review to amend, change the way they are being implemented or remove them.

An internal audit could bring up nonconformities. These are areas that either partially comply or don’t comply with a requirement of the standard, business procedure or regulatory requirement.  These need to be reviewed along with any corrective actions that were agreed to put in place. This can lead to opportunities for improvements to the BCMS. These should be documented and can be either implemented as per the change procedure or as a new objective.

Step 9 - Update Gap assessment plans and actions

The end of the beginning is in sight! Having completed the management review meeting you should be well placed to decide if all is ready for certification.  To help do this we suggest reviewing your initial gap assessment to check that all the noncompliant and partially compliant areas have been checked off.  Any that are still outstanding need to be addressed before certification.

Allocate a person or persons to be responsible for closing all outstanding actions. Don’t forget to set realistic timelines for their closure and allow for assessment of the fix.

Take a final check of the ISO22301 implementation plan and update as necessary.

Step 10 - Plan your certification needs

Now it’s time to book in your ISO 22301 certification. If you haven’t already got a certification body in mind, now is the time to do some research to find a suitable Registered Certification Body (RCB). These are the people who will audit you against the requirements of the standard and can award you certification.

During your research get quotes and timelines from the potential RCB. Although they all serve the same purpose, they all have different costings, so shop around. The most expensive may not be the best choice. Our blog on choosing a Registered Certification Body will help you decide how to pick the most suitable RCB for your certification.

Leave enough time before the certification audit to do a pre-certification internal audit.  This is a final sweep to pick-up any overlooked areas and to also satisfy yourself that everything is in place.

A final thought

Any management system takes time to implement and embed. Don’t expect to gain ISO 22301 certification within 3 or 4 months of starting implementation, otherwise you are setting yourself up to have a BCMS that will not fulfil its reason for being implemented.  Allow 6-12 months to fully implement and embed the BCMS. At the end of the day a well implemented and embedded BCMS will save you time, money and allow you to recover from an incident quickly and efficiently.

Written by Ted SpillerCertiKit’s Compliance Consultant, and an expert in many ISO management systems; he is a Lead Auditor for ISO27001, ISO9001 and ISO14001 and Auditor for ISO45001 and ISO22301.

Published in September 2022 and updated in September 2024.


More ISO22301 Resources

CertiKit is a provider of ISO Toolkits, Consultancy and Internal Auditing services, and has helped more than 7000 organizations worldwide with their compliance.

For more guidance on implementing the ISO22301:2019 standard, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.

Free ISO22301 Resources

We’ve helped more than 7000 businesses with their compliance

Testimonials

The sample documents are very rich in their scope. Our attorneys have reviewed our edits and can find no fault with what is presented.

Institute for Supply Management
USA

View all Testimonials