
INTERNATIONAL STANDARD
ISO 22301

First edition
2012-05-15

Societal security - Business continuity management systems - Requirements

Sécurité sociétale - Gestion de la continuité des affaires - Exigences

Reference number
ISO 22301:2012(E)


© ISO 2012

COPYRIGHT PROTECTED DOCUMENT


© ISO 2012

Tel. + 41 22 749 01 11

Web www.iso.org


ii © ISO 2012 All rights reserved



Contents

Foreword ............................................................................................................................................................................ iv
0 Introduction ..................................................................................................................................................................... v
0.1 General .......................................................................................................................................................................... v
0.2 The Plan-Do-Check-Act (PDCA) model ................................................................................................................ v
0.3 Components of PDCA in this International Standard ...................................................................................... vi
1 Scope ...................................................................................................................................................................... 1
2 Normative references ......................................................................................................................................... 1
......................................................................................................................................... 1
4 Context of the organization .............................................................................................................................. 8
4.1 Understanding of the organization and its context.................................................................................... 8
4.2 Understanding the needs and expectations of interested parties ......................................................... 9
4.3 Determining the scope of the business continuity management system ........................................... 9
4.4 Business continuity management system ................................................................................................. 10
5 Leadership........................................................................................................................................................... 10
5.1 Leadership and commitment ......................................................................................................................... 10
5.2 Management commitment............................................................................................................................... 10
5.3 Policy .................................................................................................................................................................... 11
5.4 Organizational roles, responsibilities and authorities ............................................................................ 11
6 Planning ............................................................................................................................................................... 12
6.1 Actions to address risks and opportunities............................................................................................... 12
6.2 Business continuity objectives and plans to achieve them .................................................................. 12
7 Support................................................................................................................................................................. 12
7.1 Resources ........................................................................................................................................................... 12
7.2 Competence ........................................................................................................................................................ 13
7.3 Awareness ........................................................................................................................................................... 13
7.4 Communication .................................................................................................................................................. 13
7.5 Documented information................................................................................................................................. 14
8 Operation ............................................................................................................................................................. 15
8.1 Operational planning and control ................................................................................................................. 15
8.2 Business impact analysis and risk assessment ....................................................................................... 15
8.3 Business continuity strategy ......................................................................................................................... 16
8.4 Establish and implement business continuity procedures ................................................................... 17
8.5 Exercising and testing ..................................................................................................................................... 19
9 Performance evaluation................................................................................................................................... 19
9.1 Monitoring, measurement, analysis and evaluation ................................................................................ 19
9.2 Internal audit ....................................................................................................................................................... 20
9.3 Management review .......................................................................................................................................... 21
10 Improvement ....................................................................................................................................................... 22
10.1 Nonconformity and corrective action .......................................................................................................... 22
10.2 Continual improvement ................................................................................................................................... 23
Bibliography ..................................................................................................................................................................... 24

Foreword

Societal security.

0 Introduction

0.1 General


0.2 The Plan-Do-Check-Act (PDCA) model

Quality management systems; Environmental management systems; Information security management systems; Information technology - Service management


Figure 1 PDCA model applied to BCMS processes (figure not recovered; labels: "Continual improvement of business continuity management system (BCMS)"; stages Establish (Plan), Implement and operate (Do), Monitor and review (Check), Maintain and improve (Act); input side: Interested parties, Requirements for business continuity; output side: Interested parties, Managed business continuity)

Table 1 Explanation of PDCA model (rows: Plan, Do, Check, Act; explanation text not recovered)

0.3 Components of PDCA in this International Standard

cover the following components.

INTERNATIONAL STANDARD ISO 22301:2012(E)

Societal security - Business continuity management systems - Requirements

1 Scope

2 Normative references

3.1
activity


3.2
audit

3.3
business continuity

following disruptive incident

[SOURCE: ISO 22300]

3.4
business continuity management

3.5
business continuity management system
BCMS

3.6
business continuity plan

3.7
business continuity programme

3.8
business impact analysis

[SOURCE: ISO 22300]

3.9
competence

3.10
conformity

[SOURCE: ISO 22300]


3.11
continual improvement

[SOURCE: ISO 22300]

3.12
correction

[SOURCE: ISO 22300]

3.13
corrective action

[SOURCE: ISO 22300]

3.14
document

3.15
documented information

3.16
effectiveness

[SOURCE: ISO 22300]

3.17
event


3.18
exercise

[SOURCE: ISO 22300]

3.19
incident

[SOURCE: ISO 22300]

3.20
infrastructure

3.21
interested party
stakeholder

3.22
internal audit

3.23
invocation

3.24
management system


3.25
maximum acceptable outage
MAO

3.26
maximum tolerable period of disruption
MTPD

3.27
measurement

3.28
minimum business continuity objective
MBCO

3.29
monitoring

3.30
mutual aid agreement

[SOURCE: ISO 22300]

3.31
nonconformity

[SOURCE: ISO 22300]

3.32
objective

3.33
organization

3.34
outsource (verb)

process is within the scope.

3.35
performance

3.36
performance evaluation

3.37
personnel

3.38
policy

3.39
procedure

3.40
process

3.41
products and services

3.42
prioritized activities

[SOURCE: ISO 22300]


3.43
record

3.44
recovery point objective
RPO

3.45
recovery time objective
RTO

resources must be recovered

3.46
requirement

3.47
resources

3.48
risk


3.49
risk appetite

3.50
risk assessment

3.51
risk management

3.52
testing

[SOURCE: ISO 22300]

3.53
top management

3.54

3.55
work environment
set of conditions under which work is performed

[SOURCE: ISO 22300]

4 Context of the organization

4.1 Understanding of the organization and its context



4.2 Understanding the needs and expectations of interested parties

4.2.1 General

4.2.2 Legal and regulatory requirements

4.3 Determining the scope of the business continuity management system

4.3.1 General


4.3.2 Scope of the BCMS

4.4 Business continuity management system

5 Leadership

5.1 Leadership and commitment

5.2 Management commitment


5.3 Policy


5.4 Organizational roles, responsibilities and authorities


6 Planning

6.1 Actions to address risks and opportunities

b) how to

6.2 Business continuity objectives and plans to achieve them

7 Support

7.1 Resources


7.2 Competence

7.3 Awareness

d) their own role during disruptive incidents.

7.4 Communication

7.5 Documented information

7.5.1 General

the competence of persons.

7.5.2 Creating and updating

7.5.3 Control of documented information



8 Operation

8.1 Operational planning and control

8.2 Business impact analysis and risk assessment

8.2.1 General

order in which these will be conducted.

8.2.2 Business impact analysis


8.2.3 Risk assessment



8.3 Business continuity strategy

8.3.1 Determination and selection

8.3.2 Establishing resource requirements


8.3.3 Protection and mitigation

8.4 Establish and implement business continuity procedures

8.4.1 General

8.4.2 Incident response structure


8.4.3 Warning and communication

8.4.4 Business continuity plans


8.4.5 Recovery

8.5 Exercising and testing


9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

9.1.1 General


9.1.2 Evaluation of business continuity procedures


9.2 Internal audit


9.3 Management review


10 Improvement

10.1 Nonconformity and corrective action


10.2 Continual improvement


Bibliography

Quality management systems Requirements

Environmental management systems Requirements with guidance for use

Guidelines for auditing management systems

Information Technology Service Management

Societal security Terminology

Societal security Guideline for incident preparedness and operational continuity management

Information technology Security techniques Guidelines for information and communications technology disaster recovery services

Information Security Management Systems

Information technology Security techniques Guidelines for information and communication technology readiness for business continuity

Risk Management Principles and Guidelines

Risk management Risk assessment techniques

Risk management Vocabulary

Business continuity management Code of practice

Security and continuity management systems Requirements and guidance for use

Standard on disaster/emergency management and business continuity programs

[17] Business Continuity Plan Drafting Guideline

Business Continuity Guideline

Organizational Resilience: Security, Preparedness, and Continuity Management Systems Requirements with Guidance for Use

Singapore Standard for Business Continuity Management

[20] Business Continuity Management Systems: Requirements with Guidance for Use


ICS 03.100.01