What is ISO22301? A short guide

This guide provides a quick overview of the ISO22301 standard and what is involved when implementing a Business Continuity Management System.

Our free resources are available to assist your BCMS implementation further, providing you with more detailed information and guidance on the subject. See the list below to download guides, sample documents and blogs from our BCMS resources library.

Free ISO22301 Resources Links:

• ISO22301 Implementation Guide
• ISO22301 Toolkit Sample Document 
• ISO22301 Requirements Checklist
• ISO22301 Blogs 

What is ISO22301?

The ISO22301 international standard for “Societal Security – Business Continuity Management Systems (BCMS) – Requirements” was published by ISO in 2012 and is based upon the earlier British standard BS25999-2.

ISO22301 specifies the requirements that your BCMS will need to meet in order for your organization to become certified to the standard. The requirements in ISO22301 are supplemented by guidance contained in ISO22313 which was also published in 2012. ISO22313 is well worth reading as it fills in some of the gaps in understanding how the requirements in ISO22301 should be met and gives more clues about what the auditor may be looking for. Even if you don’t want to certify to the standard, it is recommended to implement some of the best practise requirements into your business to prepare for unforeseen events, and to minimise the impact it has on your business.

A new version of the ISO22301 standard was released by ISO on 31st October 2019 which, although not introducing any new requirements, has been restructured to better follow ISO’s layout for a management system, and to provide clarification of some of the existing requirements.

How can implementing ISO22301 benefit your business?

Complying to the ISO22301 standard prepares your organization for the unexpected. Most importantly, it can reduce the impact and frequency of disruptions and incidents by identifying potential risks and creating contingency plans.

Other benefits include:

• It can enhance your reputation with current and potential customers showing your business has taken a proactive approach to handle the effects of a potential incident with minimal disruption.
• The process of becoming certified to the ISO22301 standard can increase management and employee engagement across the business.
• It requires regular reviews and audits to ensure continual business improvement.

What is a BCMS?

When looking at business continuity the emphasis is usually on “The Plan”. This is the document (or documents) that will tell everyone what to do in an emergency, how to handle a crisis and keep the business running. And it’s right that this should be the main focus; it is, after all, the main deliverable of the whole business continuity idea.

The function of the BCMS is to wrap itself around the plan and ensure (among other things) that:

1. The plan is based on the right information about the business (business impact analysis).
2. We have a good idea of what we need to plan for (risk assessment).
3. The plan works (exercising and testing).
4. Everybody knows about the plan and how to use it (awareness and training).
5. We update the plan when things change around it (management review).
6. The plan gets better over time (continual improvement).

What does the standard consist of?

The ISO22301 standard consists of a number of major headings which are:

1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

As with many of the standards, sections 1-3 are for reference and are well worth a read to understand the standard in more detail. Section 0 is the introduction to the standard.

Sections 4 to 10 set out the requirements of the standard and are compulsory if an organization is to be compliant. So, the (internal and external) auditing process checks whether the requirements are being met by the organization. Requirements are not optional and if they are not being met then a nonconformity will be raised by the auditor and the organization will need to address it to gain or keep their certification to the standard.

Becoming certified to ISO22301

Not all companies will choose to certify to the Standard, you may just use the requirements within the ISO22301 standard as a guide to help your business prepare for the unforeseen and limit the impact in case of an event. The standard can be used to help create a complete Business Continuity Plan. You can read more about the importance of planning ahead in our article: Planning for a pandemic.

For certification, the steps to are similar of all the ISO standards, and involve:

1. Implementing procedures and methods as requirements of the standard.
2. Perform an internal audit to highlight any nonconformities before the external audit. We advise an internal audit to be completed by an independent third-party auditor or an impartial qualified auditor within your organisation.
3. The final external audit to achieve certification is by an accredited Registered Certification Body (RCB). This is in two stages. Stage one is basically a review of how ready you are for the main event, the stage two certification audit. You may pick up a few pointers for improvement (known as nonconformities) at stage two but, if these aren’t too serious, your organization will become certified and can advertise the fact to anyone with an interest.

Once certified, you will then have an annual surveillance audit to confirm your compliance, and then every three years there will be a re-certification audit, which is when you will be re-issued certification.

ISO22301 is recommended for businesses of any size and industry that want to put a business continuity plan in place. CertiKit’s ISO22301 toolkit is compliant to the 2019 version of the standard, and includes more than 70 template documents and guides, and unlimited email support with a qualified consultant.

We also offer ISO22301 consultancy and internal auditing services to organizations in the UK, EU and +/- five hours of the UK time zone. So if you need a bit of extra help with implementation, or your internal audit requirements need meeting, click the links to see how we can help.