This Q&A Session covers the most frequently asked questions about ISO 22301, a standard that has been developed to protect companies against threats, reduce the likelihood of, and ensure organization’s business recovers from disruptive incidents. It is applicable to any type of organization, regardless of its size, type or nature. ISO 22301 helps organizations to develop and maintain a best practice approach to respond effectively to any disruption, by implementing continuous improvement tools and techniques.
1. How is Business Continuity Management System defined?
A Business Continuity Management System is a set of interrelated or interacting elements of an organization to establish business continuity policies, objectives, and processes to achieve those objectives.
2. What is the purpose of ISO 22301 and why is it so important?
The purpose of ISO 22301 is to set requirements for a Business Continuity Management System as well as to prepare for, provide, and maintain controls and capabilities for managing an organization`s overall ability to continue operating during disruptions. Having a certified Business Continuity Management System demonstrates an organization`s readiness for crisis situations and serves as a signal to customers and partners that the organization is secure and thoughtful.
3. What is the current applicable version of ISO 22301?
ISO 22301:2019, published on 31st October 2019.
4. Which are the most important clauses of ISO 22301?
In my opinion, the most important clauses of ISO 22301 are those that relate to business impact analysis and risk assessment and, of course, those that relate to business continuity strategies, plans, and procedures. Moreover, the testing and exercising of implemented business continuity activities are also very important.
6.1 Actions to address risks and opportunities
6.2 Business continuity objectives and planning to achieve them
8.2 Business impact analysis and risk assessment
8.3 Business continuity strategies and solutions
8.4 Business continuity plans and procedures
8.5 Exercise programme
5. How can ISO 22301 help organizations mitigate risks?
The basics of ISO 22301 are business impact analysis and risk assessment. This means that during the implementation of the Business Continuity Management System based on ISO 22301, business continuity plans, and procedures must be created and tested to be ready for disruptions.
This means that during the Business Continuity Management System implementation process, an organization can identify the most critical risks and prepare its operations and resources for those risks by establishing risk mitigation activities.
Effective maintenance and continual improvement of the Business Continuity Management System helps maintain the organization’s preparedness for crises and enables the timely identification of new potential risks, as well as accelerates the organization’s preparation for these risks.
6. What is Disaster Recovery Management (DRM)?
Disaster Recovery is part of Business Continuity. The main idea of Disaster Recovery is to recover “technology” as soon as possible after any incident. Recovery of the technology part can cost a lot. That is why organizations must understand and be aware of the potential risks. After that, organizations can identify necessary resources and understand how much it will cost “to have in stock” some resources, such as:
- “Hot” or “warm” site.
- Spare servers.
- Any other material or resources that could be used in disaster recovery activities.
Organizations must understand and determine the sequence of activities that must be undertaken during the disruption to recover the technology and document it appropriately.
Organizations should test their Disaster Recovery Plan on a regular basis to see if it is effective and good enough to recover their main technology.
7. What are some of the main critical events that should be taken into consideration by an organization?
It is impossible to identify and focus on all potential critical events that can arise in any type of operation. That is why business impact analysis and risk assessment are the key elements of the Business Continuity Management System.
Business impact analysis and risk assessment will help organizations determine which activities and resources are the most critical ones and what risks may be associated with them. This will allow organizations to focus on the risks that are most likely to occur, as well as those that are most likely to have a significant impact on their operations.
8. How did ISO 22301 help organizations during the COVID-19 pandemic?
The COVID-19 pandemic situation is also considered as a disruptive event with a high likelihood and significant impact on businesses. In the whole world, almost all organizations were and still are affected by the COVID-19 pandemic.
Those organizations who have considered it as a risk and have implemented appropriate risk mitigation activities, such as business continuity plans and procedures, are much more ready for any other COVID-19 pandemic-like situations.
9. Which industries can benefit the most from ISO 22301 and how?
A Business Continuity Management System based on ISO 22301 can be implemented and certified in organizations of any kind and size. There are no limitations.
For now, ISO 22301 is very popular and gives most benefits to technology companies and service providers (for example, telecommunication companies, financial institutions, power grid companies, etc.) that have many customers or those who deliver services to national critical infrastructure service providers (such as power grid companies, etc.).
Implementation and certification of ISO 22301 helps an organization prepare for disruptions, improve employee competence, and build trust with the partners and customers, and this is important in any service field.
10. What is the relationship between ISO 22301 and ISO/IEC 27001?
Business (Information) continuity is part of the Information Security Management System, such as redundancy and backup activities (controls from the ISO/IEC 27001 Annex A).
It is easy to implement and establish an integrated Business Continuity and Information Security Management System because both standards are based on the Annex SL structure. Many companies that have implemented an Information Security Management System (ISO/IEC 27001) decide to implement a Business Continuity Management System (ISO 22301) too, because a large part of the job is already done, and additional certification can help to improve the organization’s readiness for potential crises.
11. What other ISO standards can ISO 22301 be aligned with?
All ISO standards that are built based on the Annex SL structure are easy to integrate, for example:
- ISO/IEC 27001 Information Security Management System (ISMS);
- ISO/IEC 27701 Privacy Information Management System (PIMS);
- ISO 9001 Quality Management System (QMS); and others.
The structure for management systems requirements is mostly the same. The only part that differs is Clause 8 Operation. For example, ISO 22301 Clause 8 is mainly focused on business impact analysis and setting of Business Continuity activities, whereas ISO/IEC 27001 Clause 8 is focused on the organization’s operations and its affect to information security of the organization.
When you are implementing an integrated BCMS and ISMS you must consider all clauses of both standards and pay enough attention and effort to implementation of all requirements.
12. How does the certification audit against ISO 22301 help organizations?
An ISO 22301 certification audit is a third-party audit. It is an independent evaluation of the organization’s Business Continuity Management System by a third-party certification body.
If the organization receives an ISO 22301 conformity certificate, it is a trustable acknowledgment that the implemented Business Continuity Management System is effective. In addition, it helps to understand that the implemented Business Continuity Management System is going in the right direction, effectively.
- It is a sign for the organization`s customers and partners that this organization is reliable;
- It demonstrates the efficiency of the implemented processes and the competence of the employees involved;
- Gives documented Business Continuity plans and procedures that are tested on a regular basis;
- Commitment of the top management and the organization`s shareholders.
13. What are some tips and advice to get ready for a certification audit against ISO 22301?
Business impact analysis and risk assessment are very important for effective BCMS implementation and continual improvement. Please pay attention to that process, and if necessary, please involve qualified internal or external specialists in that.
Talk to your people and involve not only the responsible people, but also their substitutes, because there is a strong possibility that it will be their responsibility at some point of time to recover activities and come back to business as usual. That is why it is important that they are involved in the business continuity activities and have a full understanding of them. If necessary, give them additional training.
About the Responder
Viktors Trifanovs has 20 years of experience in ISO management system implementation and evaluation, and 15 years of auditing for different companies worldwide.
He is a certified Lead Auditor, Lead Implementer, Lead Risk Manager, Lead Disaster Recovery Manager, Business Continuity Manager, and Quality Manager, and also holds a MSc in TQM. Since 2017, Victors has been successfully leading many ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 20000-1, ISO 22301, ISO 9001, and ISO 14001 audits on behalf of MSECB.
MSECB is accredited by IAS to offer audit and certification services for a wide range of ISO Standards. If you are interested to certify your management systems start by getting a Free Quote.