White Paper: ISO 22301 Business Continuity Management: An Overview

ISO 22301 Business Continuity Management
An Overview

Introduction
As incidents such as malicious activism, terrorist attacks and environmental disasters, among others, garner
increased attention, so does the need for appropriate business continuity planning within organisations. Aside from
outright business closure, further motivation comes from considering the consequences of business continuity
disasters. These include decreased employee productivity, data loss, reductions in revenues and profits, and
overall damage to corporate reputation and customer relationships.
This paper provides an introduction to the Business Continuity Management (BCM) discipline and the critical
process steps involved in developing a continuity initiative throughout your organisation. This includes defining
what BCM is, discussing historical and emerging standards (particularly the key changes in the new ISO 22301
standard versus its predecessors) and the steps in planning and executing BCM initiatives. The impacts of emerging
technologies on business continuity planning are also highlighted.
The key guardians of BCM initiatives are also identified in this paper, giving a high-level overview of typical
requirements for CEOs and other board-level executives, IT and Risk professionals, as well as project managers,
consultants, or other line managers potentially involved in endorsing and driving BCM initiatives.

So what is Business Continuity Management?

Officially known as Societal Security, Business Continuity Management Systems - Requirements, ISO 22301 is a
standard for implementing a business continuity management system and continuously improving business
continuity capabilities based on management priorities and feedback. ISO 22301 was officially approved for
publication as an international standard on 2 April 2012, and ISO published the final version of the standard on
15 May 2012.

BCM is often considered as part of overlapping disciplines such as security management, emergency management
and risk management, but while overlapping concerns exist there are also significant differences. For example,
risk management focuses on identifying the probabilities and causes of adverse events, whereas business
continuity focuses on the impact of a potential event, and on what can be done should that event happen.

Also, BCM has a more holistic and cross-functional focus, involving personnel within the disciplines of IT,
security, HR and individual business lines, meaning that ownership of BCM should ultimately sit at CEO level. In
contrast, management of the other disciplines mentioned tends to exist at department level, for example within
Compliance or IT Department management roles.

BCM Key Business Failure Outcomes By Numbers
40% of businesses experiencing a major failure or disaster event will go out of business within five years.
Source: Gartner
30% of businesses experiencing a disaster event never reopen, while 29% go out of business within two years.
Source: Meta Insurance
80% of businesses without pre-emptive Business Continuity Plans will go out of business within 13 months of a
major incident. Source: Business Continuity Institute

Why BCM?
1) Proactively improves an organisation's resilience against the disruption of its ability to achieve its key
objectives.
2) Provides a rehearsed method of restoring an organisation's ability to supply its business critical products
and services after a disruption.
3) Delivers a proven capability to manage a business disruption and protects the organisation's reputation and
brand.

Implementing an organisational BCM strategy has many advantages, supporting improvements such as:
A predictable and effective response to future crises
Protection of individuals
Maintenance of vital activities of the organisation
A better overall understanding of the organisation
Cost reduction
Respect for interested parties
Protection of the company's reputation and brand
Ensuring client confidence in the organisation
Increased competitive advantage
Better support for legal and regulatory compliance
Better assurance that various contractual obligations are met

Business Continuity Standards: History and Context

Development of the BCM global standard began in the mid-2000s, when ISO Technical Committee No. 223
examined existing BCM standards and created a framework for a global BCM standard. ISO adapted content
from many existing standards such as ISO 9000 and ISO 14000 into the new BCM standard. An important
standard which heavily influenced ISO 22301 was the British Standards Association's BS 25999 standard, which
was first released in December 2006 and updated in November 2007. Prior to ISO 22301, this standard also
influenced a number of BCM standards for other EU member states.

(Source: PECB, www.pecb.org)
There are a number of key differences between the present ISO 22301 and its predecessors. ISO 22301 places
greater emphasis on setting objectives, developing metrics and measuring performance, thereby placing further
emphasis on making top management accountable for Business Continuity processes. It also places
emphasis on defining the resources necessary for ensuring business continuity, and as it is an international
standard, certification bodies are more likely to buy in and push the standard, which should lead to greater
popularity and certification among implementers. Other overlapping standards in the BCM arena include ISO
22399, ISO 24762 (ICT disaster recovery focus), ISO 27031, NIST 800-34 and NFPA 1600.

ISO 22301 versus its Predecessors: Key Changes

Much greater emphasis on setting objectives and monitoring performance via metrics
Clearer expectations and responsibilities placed on top management
Increased focus placed on planning and preparing necessary resources
As ISO 22301 is a global standard, certification against the standard will be pushed more strongly by
certification bodies.
There is also significant overlap between the ISO 27001 Information Security standard and ISO 22301. Firstly, ISO
27001's section A.14.1 already covers the information security aspects of business continuity management, so
compliance with ISO 22301 will already ensure coverage of this. Also, both imply use of the same Plan, Do,
Check, Act (PDCA) management framework, so certification in either standard will immediately place the other on
the right track.

Implementing BCM
The first stage towards implementing Business Continuity processes in an organisation is to set up an appropriate
management system. Like other management systems, a Business Continuity policy needs to be defined alongside
identification of key people and their relevant responsibilities, and definition of appropriate management processes
for planning, implementing, assessing, reviewing and improving Business Continuity efforts. Provision for relevant
documentation to support auditing is also necessary, as well as identification of the business continuity
management processes that are relevant to the organisation.
As with other ISO standards, the ISO 22301 standard adopts the Plan-Do-Check-Act (PDCA) approach that is
applied to the structure of all processes in a management system. Stakeholder requirements and expectations are
fed to the cycle as input, leading to the necessary BCM actions and processes as output. Key elements of the
PDCA cycle in relation to BCM include:

Plan: Establish and agree the scope, identify within scope the information assets, roles and
responsibilities of staff members and conduct a Business Impact Analysis for the agreed scope.
Do: Implement and operate the policy, controls, processes and procedures of the management system.
Check: Assess and measure (where applicable) the process performances and report findings to
management for review.
Act: Undertake corrective and preventive actions on the basis of the overall process review, driving
continual improvement of the Business Continuity System.


ISO 22301 BCP Implementation Methodology

Plan
Set up the BCMS and agree/update the scope
Identify key roles and responsibilities
Identify all information assets in scope
Conduct a business impact analysis/risk assessment exercise for the scope agreed
Analyse and evaluate the risks to determine unacceptable risks
Identify appropriate controls to mitigate these risks and obtain management approval
Define the BCP framework, objectives and methodology
Ensure the BCP is signed off by senior management/board before proceeding

Do
Develop the BC and DR strategy, policies, procedures and plan, and other administrative controls
Implement physical controls*
Implement technical controls*
Implement BCP training and awareness for the ISMS
Implement BCP testing

Check
Review and monitor the BCP: conduct internal audit, management reviews, measurements and metrics

Act
Feed improvements and changes back into the BCP
External certification audit (Stage 1 and Stage 2) is required for ISO 22301 certification

* Completed in parallel
PDCA diagram: author Karn G. Bulsuk

Planning for Business Continuity


As part of the planning stage, initial steps need to be taken to understand the organisation and its context, obtain
leadership and management buy-in, and establish the business continuity scope.
Firstly, an organisation needs to itemise the various facets that might be affected by a disruptive incident, both
internal and external. This could include facets such as activities, services, products, partnerships, supply chains,
and existing and potential relationships with interested parties. This might include crucial information assets, goods
and services produced, critical business processes, and identification of infrastructure elements such as hardware,
software, networks or sites. It should also include a definition of the links between the BCM policy and other
organisation objectives such as any existing risk management strategies, general business vision, as well as
consideration of the organisations appetite for risk.
The next important step is to establish leadership buy-in. As already mentioned the raising of responsibility for BCM
to the board level is necessary for the success of the plan. Steps towards achieving this buy-in include:
Presenting a rational business case
Establishing a project team
Establishing a steering committee
Assembling the necessary resource requirements
By achieving buy-in, management commit to:
Ensuring that adequate policies and objectives are established
Making policy compatible with business objectives
Integrating effectively with existing processes
Making the necessary resources available
Communicating the importance of BCM strongly across the organisation
From here, the business continuity scope needs to be established, determining what needs to be included in the
plan. Key areas to be scoped include establishing the parts of the organisation to be included in the initiative,
the products and services within scope, and the external stakeholders to be included and prioritised, aligning with
their importance, expectations and interest in relation to the organisation. As part of this scoping exercise it is also
important to explain and justify any scope exclusions.
At a minimum, the Business Continuity Management System (BCMS) should contain the following documentation:
1. Scope and objectives of the BCMS
2. Business Continuity Policy
3. Description of roles and responsibilities
4. Risk assessment and Business Impact Analysis (BIA) report
5. Business Continuity Plan
6. Communication, Training and Awareness Plan
7. Exercise and test procedure
8. Evaluation, management review and audit procedures
9. Preventative and corrective actions

Business Impact Analysis and Risk Assessment


Following the initial planning steps above, a Business Impact Analysis (BIA) should be carried out. In line with ISO
22301 Section 8.2.2, the organisation should establish, implement and maintain a formal documented evaluation
process for determining continuity and recovery priorities, objectives and targets. More specifically, the aim of the
BIA is to identify the key activities that need to be performed in order to deliver business critical products and
services, so that the most important, time-critical objectives are met. By extension, the resources supporting those
key activities also need to be identified, be they people, premises, technology, information, supplies or stakeholders.
The criticality of some activities can fluctuate depending on timing; for example, a company offering an online tax
return service would have its most critical uptime requirement in the period immediately prior to tax return dates,
compared to other time periods.
Examples of resources examined and recorded in a BIA include:
Process Stages - e.g. R&D, Sales, Design, Production, Accounting
Information - e.g. patents, customer data, market research reports, financial statements, and source code
Hardware - e.g. servers, laptops, external drives, networks, printers
Software - CRM, word processing, Excel, accounting packages, production simulation tools
Personnel - defined company roles relevant to the organisation's structure
Identification of critical points of failure in critical business processes or other activities is another crucial part of a
BIA - particularly single points that will prevent an entire system or subsystem from working if they fail. Outside
services such as electricity, water, gas, transport and communications supply are the most common examples. A
summary output of this stage would be a business impact matrix indicating impact thresholds (limited, important,
serious, critical) in relation to different impact categories, such as financial risk, functionality impact, impact on
public image, engagement of responsibility, and economic, human or social impacts.
Another key step in the continuity planning stage is to identify, analyse and evaluate the risk of disruptive incidents
occurring to the organisation. This process ties heavily with the standard for risk management (ISO 31000) and a
wide range of techniques can apply depending on the specific context. Risk scenarios might include a building
being made unavailable due to a disaster such as a fire, flood, bomb alert, worker strike or other incident. Once
individual scenarios are defined, potential consequences of such events in relation to that scenario can be defined,
and an overall risk level rating applied (i.e. impact x probability = risk level).
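The BIA and risk assessment steps above produce a register: each scenario is rated as impact x probability, the result is mapped onto the impact thresholds the paper names (limited, important, serious, critical), and the ratings are ordered into recovery priorities. The following is an added worked example, not code from the white paper or from ISO 22301; the 1-5 scoring scale, the threshold bands, the activities, resources, maximum tolerable disruption figures and scenarios are all constructed for illustration. It also shows two points the text makes in passing: criticality that rises in a peak period (the tax-return example), and a resource on which every in-scope activity depends, which is a shared single point of failure.

```python
"""Worked BIA / risk-assessment register.

Added example, not part of the white paper or of ISO 22301. The 1-5 scoring
scale, the threshold bands, the activities, resources and scenarios are all
constructed for illustration; the standard itself does not prescribe them.
"""
from dataclasses import dataclass, field
from datetime import date

# Risk level = impact x probability (as in the paper). With both scored 1-5 the
# product lies in 1..25; these bands are a constructed mapping onto the paper's
# four thresholds.
THRESHOLDS = [(5, "limited"), (10, "important"), (15, "serious"), (25, "critical")]


def classify(risk_level: int) -> str:
    """Map a 1..25 risk level onto the paper's impact threshold labels."""
    for upper, label in THRESHOLDS:
        if risk_level <= upper:
            return label
    raise ValueError(f"risk level out of range: {risk_level}")


@dataclass
class Activity:
    """A key activity from the BIA, with the resources it depends on."""
    name: str
    resources: dict          # category -> resources (people, premises, technology, ...)
    mtpd_hours: int          # maximum tolerable period of disruption (constructed figure)
    base_impact: int = 1     # 1-5 impact of losing the activity outside peak periods
    peak_windows: list = field(default_factory=list)  # (start, end) dates of raised criticality

    def impact_on(self, day: date) -> int:
        """Criticality fluctuates with timing, e.g. a tax-return service before the filing date."""
        for start, end in self.peak_windows:
            if start <= day <= end:
                return min(5, self.base_impact + 2)
        return self.base_impact


@dataclass
class Scenario:
    """A disruptive-incident scenario assessed against one activity."""
    name: str
    activity: str
    probability: int         # 1-5 likelihood score


# Constructed sample data.
ACTIVITIES = [
    Activity("Online tax return filing",
             {"technology": ["web cluster", "mains electricity"], "people": ["ops on-call"]},
             mtpd_hours=4, base_impact=3,
             peak_windows=[(date(2024, 10, 15), date(2024, 10, 31))]),
    Activity("Payroll run",
             {"technology": ["payroll application", "mains electricity"], "people": ["finance team"]},
             mtpd_hours=72, base_impact=2),
]
SCENARIOS = [
    Scenario("Primary site flood", "Online tax return filing", probability=2),
    Scenario("Regional power outage", "Payroll run", probability=3),
    Scenario("Malware outbreak on web cluster", "Online tax return filing", probability=3),
]


def risk_register(activities, scenarios, day) -> list:
    """Rate every scenario for a given day (date or ISO string) and order by recovery priority.

    Highest risk level first; ties are broken by the shorter tolerable disruption,
    because that activity must be recovered sooner.
    """
    if isinstance(day, str):
        day = date.fromisoformat(day)
    by_name = {a.name: a for a in activities}
    rows = []
    for s in scenarios:
        act = by_name[s.activity]
        impact = act.impact_on(day)
        level = impact * s.probability
        rows.append({"scenario": s.name, "activity": act.name, "impact": impact,
                     "probability": s.probability, "risk_level": level,
                     "rating": classify(level), "mtpd_hours": act.mtpd_hours})
    rows.sort(key=lambda r: (-r["risk_level"], r["mtpd_hours"]))
    return rows


def shared_single_points(activities) -> set:
    """Resources every in-scope activity depends on: one failure stops all of them."""
    per_activity = [{r for rs in a.resources.values() for r in rs} for a in activities]
    return set.intersection(*per_activity) if per_activity else set()


if __name__ == "__main__":
    for r in risk_register(ACTIVITIES, SCENARIOS, "2024-10-20"):
        print(f'{r["risk_level"]:>2} {r["rating"]:<9} {r["scenario"]} ({r["activity"]})')
    print("shared single points of failure:", shared_single_points(ACTIVITIES))
```

Running the register for a date inside the peak window lifts the tax-filing scenarios above payroll; running it for a quiet month leaves two scenarios tied on risk level, and the shorter tolerable disruption decides which is recovered first. The intersection of resource sets is a deliberately blunt single-point-of-failure check: it finds only resources shared by every activity (mains electricity here), which matches the paper's examples of outside services.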

Key Steps in Implementing BCM


Once the planning and organisational understanding stage is completed, next steps can be taken towards
implementing the continuity process, or executing the Do step in the PDCA process. The first step towards
implementation is to determine the correct BCM strategy, based on prior assessment of maximum tolerable
disruption periods, costs involved, and consequences of inaction. Depending on the scenario, strategies may be
required for people, premises, technology, information, supplies and stakeholders - for example:
People - how do we maintain core skills and knowledge?
Premises - how do we reduce the impact of a normal worksite not being available?
Technology - how do we maintain availability and uptime of key technology assets when disasters occur?
Information - how do we protect and recover vital information?
Supplies - how do we maintain key supplies and inventory to minimise supply chain impact upon an
unexpected event?


Cost-benefit analysis is a crucial component of developing this strategy, in particular weighing the cost of being
without a given service at various points in time versus the cost of the continuity solution. Various ways of
introducing backup redundancy support for business critical operations should be considered, and appropriate
approaches identified. This can include having dedicated backup sites that become active when primary sites are
compromised, or having two active sites that can failover onto each other if needed. Several hybrid variants of
these two options are also possible depending on scenario and business needs.
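The cost-benefit weighing described above, the cost of being without a service at various points in time against the cost of each continuity solution, can be made concrete with a small model. This is an added example, not from the white paper: the banded downtime-cost curve, the three options (offsite restore, dedicated standby site, two active sites with failover), their annual costs and recovery times, and the incident frequencies are all constructed figures. The selection also applies the maximum tolerable disruption period as a hard constraint, so an option that is cheap but recovers too slowly is never chosen.

```python
"""Worked cost-benefit comparison of continuity options.

Added example, not taken from the white paper. The downtime-cost bands, the
options, their annual costs and recovery times, and the incident frequencies
are all constructed figures.
"""
from dataclasses import dataclass

# Cost of being without the service rises the longer the outage lasts:
# (outage hours up to, cost per hour within that band). Constructed curve.
COST_BANDS = [(4, 1_000), (24, 5_000), (float("inf"), 20_000)]


def downtime_cost(hours: float) -> float:
    """Cumulative cost of an outage lasting `hours`, integrating the banded rate."""
    total, band_start = 0.0, 0.0
    for band_end, rate in COST_BANDS:
        if hours <= band_start:
            break
        total += (min(hours, band_end) - band_start) * rate
        band_start = band_end
    return total


@dataclass
class Option:
    """A continuity solution: what it costs to run and how fast it restores service."""
    name: str
    annual_cost: float
    recovery_hours: float


# Constructed options, from a cold restore up to two active sites with failover.
OPTIONS = [
    Option("Restore from offsite backup", annual_cost=20_000, recovery_hours=48),
    Option("Dedicated standby site", annual_cost=150_000, recovery_hours=10),
    Option("Active-active sites", annual_cost=400_000, recovery_hours=0.5),
]


def annual_exposure(option: Option, incidents_per_year: float) -> float:
    """Running cost plus the expected annual loss from outages of this option's recovery time."""
    return option.annual_cost + incidents_per_year * downtime_cost(option.recovery_hours)


def select_option(options, incidents_per_year: float, mtpd_hours: float):
    """Cheapest option whose recovery time fits inside the maximum tolerable disruption.

    Returns None when no option meets the MTPD, which is itself a finding: the
    strategy must change, or the MTPD figure needs revisiting.
    """
    viable = [o for o in options if o.recovery_hours <= mtpd_hours]
    if not viable:
        return None
    return min(viable, key=lambda o: annual_exposure(o, incidents_per_year))


if __name__ == "__main__":
    for freq, mtpd in [(0.5, 24), (0.05, 72)]:
        chosen = select_option(OPTIONS, freq, mtpd)
        print(f"{freq} incidents/yr, MTPD {mtpd}h -> {chosen.name}: "
              f"{annual_exposure(chosen, freq):,.0f} per year")
```

With the constructed figures the answer flips with the inputs: at one incident every two years and a 24-hour MTPD the standby site wins, while at one incident every twenty years and a 72-hour MTPD the cheap offsite restore is the better trade, and with an MTPD shorter than any option's recovery time nothing qualifies. That sensitivity is the reason the paper ties the strategy choice to the prior assessment of tolerable disruption periods rather than to solution cost alone.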
Developing a continuity strategy around the organisations business-critical technology elements is a crucial part of
any plan, and for most organisations, there will be both internal and external technology-based assets and services
that need consideration. Strategies for handling continuity might involve spreading technology geographically so
that a disaster event is less likely to affect entire infrastructures, holding older equipment as emergency
replacement or spares, or adding particular risk mitigation for sensitive, unique or long-lead-time equipment. By
extension, chosen technology continuity strategies need to consider elements such as:
The required recovery time for key systems and applications
Location and distance between technology sites
Remote access requirements and required telecoms connectivity
Failover requirements - are system downtime and manual intervention required? Does the continuity
switchover need to be instantaneous?

Influence of Key Macro Technology Trends on Business Continuity


IT business continuity strategies are also being influenced by key macro-trends such as virtualisation, cloud
computing, mobile devices and social networking, among others. Many of these developments are positive and can
facilitate continuity planning, but they can also introduce new IT challenges.

Virtualisation
A key benefit that virtualisation allows in relation to BCM is that it can greatly reduce the number of
physical servers or other hardware that an organisation needs to manage and worry about. Virtual
machines and applications can be replicated more easily, and switched more easily between physical
resource pools such as processors, memory and storage. In addition, desktop virtualisation technologies
such as Citrix and VDI, combined with secure tunnelling, can facilitate employees working remotely away
from core premises in the case of a disaster event.

Cloud Computing
Developments in cloud computing can bring significant benefits to continuity planning. For
example, organisations are now able to combine external SaaS options with private cloud infrastructures,
switching seamlessly between different internal and external cloud scenarios as needed for continuity. For
example, baseline operating scenarios might run on a private cloud infrastructure, but a downtime
event or a need to scale up may automatically transition the infrastructure to an external
cloud provided by service providers. While this creates new possibilities, it also creates new IT
management challenges, and appropriate SLAs with external service providers should be arranged. It is
important to note that gaining insight into the site recovery capabilities of external providers may be a
challenge.


Mobile Computing
Business Continuity thought leaders increasingly see mobile devices as a key medium for supporting
workforce recovery during a business recovery event. Mobile devices can alert employees to information
such as the current status of recovery, the locations to which employees should report in response to the event,
and the applications and services they can access. Mobile sales personnel can also be supported in
continuing remote work with minimal disruption. Aside from these communication aspects, mobile devices
are increasingly subsuming much of the functionality traditionally associated with PCs, allowing them to
support actual work tasks when PC-based sites are unavailable.

Social Networks
The role that social networking platforms such as Twitter, Facebook, LinkedIn, Skype and others can play
in BCM is still emerging. Their potential as a mass communications channel for supporting incident
management and disaster recovery is self-evident, particularly in relation to mobilising employees and other
key stakeholders. However, they can also be harmful from a PR perspective if misleading, inappropriate or
untimely information about a disaster event is made available to the public.

Drafting Business Continuity Plans (BCPs)


Clause 8.4.4 of ISO 22301 requires documented procedures for responding to a disruptive incident and for how the
organisation will continue and recover its activities within a predetermined timeframe. The primary goal is to
address the business disruption or loss from the initial response to the point at which normal business operations
are resumed. Crucial plan elements to be covered include defining incident response roles for people and teams,
processes for activating the necessary incident responses, identifying the necessary notifications and
communications (both to internal and external parties), and the key activities that need to be taken and the
allowable timeframes involved.
Ultimately, the overarching BCP will contain various categories of sub-plan depending on the organisation's
specific context, with overlapping plans covering areas such as incident response, emergency response, crisis
management, recovery and restoration, communication, and training and awareness.

Training, Awareness and Testing


As part of the planning stage, it is important to consider the skills requirements of those who will be required to
manage and execute BC efforts, whether existing personnel can manage the efforts, and/or whether new
personnel are needed. Once personnel requirements are identified, a plan needs to be put in place to make the
relevant people aware of the business continuity initiative, and details of their role within that effort. If skill gaps
exist, appropriate training measures should also be put in place.
Once the continuity plans are in place and the necessary procedures identified, they should be practiced and
tested to ensure consistency with the business continuity objectives. Different levels of testing can be employed
depending on the scenario, ranging from less invasive methods such as distributing business plans for review, to
practice simulations, to parallel tests that replicate a core process without interrupting it, to full invasive tests that
fully replicate the disaster event and actually require day-to-day operations to be interrupted. The goal of such tests
and exercises is to ensure that personnel are capable of executing the defined continuity plan, and to ensure that
defined procedures are consistent with the necessary steps in question.

Monitoring, Reviewing and Improving BCM Efforts


The Check and Act elements of the PDCA wheel involve an iterative analysis of the continuity planning and
execution stages. Taking the outputs of the business continuity planning, exercise and test stages as input, the
overall performance and effectiveness of the initiative needs to be evaluated. An important part of this evaluation is
to identify key metrics against which the process can be measured. Such metrics can be defined both for
operational aspects of the continuity planning (e.g. rating the quality of the defined procedures and associated
documentation) and as KPI-type metrics to support management understanding at a high level (e.g. monitoring
the average cost of a disruptive incident over time).
The self-validation stage should also include provision for self-auditing and ensuring that what has been outlined
and defined in the BCP is in fact delivered upon and executed. For added assurance, external auditing by a
suitably qualified third party can also be considered. This auditing process forms the basis for management review,
ensuring the continuing suitability, adequacy and effectiveness of the BCMS, and highlighting opportunities for
improvement.

Business Continuity Planning - What Espion Can Provide


Espion can provide your organisation with end-to-end support towards developing improved Business Continuity
Management processes, ranging across consultancy services, training and auditing. More
specific service offerings include:
Scoping exercise to identify requirements
BCM Workshops
Gap Analysis between current status and full compliance
Business Impact Analysis (BIA)
Risk Assessment
Roadmap to compliance
Plan Documentation
Certified Training & Awareness
BCP and DR Exercise Facilitation
Internal Audit
Certification Preparation

Need To Know More?


For more information on this research, contact Seamus Galvin, Espion Research at +353 (1) 210 1711, or
seamus.galvin@espiongroup.com


About Espion
Espion are Corporate Information specialists. We work with organisations across all industries and business
functions to provide advice and assistance relating to the holistic compliance, protection and management
requirements of their most valuable asset: information. This allows our clients to focus on their core business and
ultimately achieve greater success.

Espion Headquarters
Corrig Court, Corrig Road,
Sandyford Industrial Estate,
Dublin 18, Ireland
+353 (01) 2101711
www.espiongroup.com