
What is ISO 22301 and how can it help organizations in preparing for disruptive events?

For organizations conforming to ISO management system standards, some have questioned whether their
certification (or conformity) to the requirements could have helped them prepare for the pandemic and
the huge economic aftereffects we are still expecting. After all, the latest versions of the most popular
standards, ISO 9001, ISO 14001, and ISO 45001, did include a risk-based approach as a key element. It is
important to note, though, that the intended outcomes of management systems for these three
standards do not directly address the management of risks related to the continuity and the resilience
of the business. ISO 9001, for example, helps organizations address risks related to its intended
outcomes, which are customer satisfaction and conformity of products and services with the
requirements of customers and other interested parties. It can be argued that ensuring continuity of
product and service delivery during the pandemic could be part of the requirements of customers.
However, these issues are better addressed within a business continuity management system (BCMS)
which follows another ISO standard, ISO 22301 [1].

Most organizations would make it their goal to get certified under the famous triad of standards – ISO
9001, ISO 14001, and ISO 45001 for quality, environmental, and occupational health and safety
management systems respectively. However, with the COVID-19 pandemic disrupting normal business
operations, the BCMS standard deserves to be given another look.

The International Organization for Standardization saw the need for many organizations to be informed
of, or to revisit, a number of standards that help individuals and organizations in their fight against the
coronavirus, or at least reduce the impact of the pandemic. On April 16, ISO decided to make some of its
standards freely available on its website [2]. Rather than making these standards free outright, ISO made
them available for access during the COVID-19 pandemic in read-only format and with copyright
restrictions still in place. Most of the standards were about medical devices and PPE, such as standards
for protective gloves, lung ventilators, and protective clothing. However, alongside these standards for
the medical devices industry are other standards that are relevant to strengthening BCMS and risk
management processes, namely ISO 22301 and ISO 31000 [3].

So, what is ISO 22301 and what elements does it have that we can add to our arsenal against the effects
of disruptive events?

ISO 22301 is the international standard for business continuity management systems and provides the
requirements for an organization to establish, implement, and maintain a world-class BCMS. Ideally,
organizations conforming to the requirements of ISO 22301 have a better understanding of the different
threats to their business and are able to continue delivering products and services at predefined levels
even during disruptions. When a disruptive event occurs, the intention of the BCMS is to keep the
organization operating at an acceptable level and to recover to normal levels within a specified
timeframe.

The following are some of the key elements in ISO 22301 [4]:

Strategic and operational approaches in addressing risk

Following the risk management framework, the standard requires organizations to develop an
understanding of their context and of the needs and expectations of their relevant interested parties, and
to have access to applicable legal and regulatory requirements. This becomes the jumping-off point for
establishing and implementing policies, objectives, and action plans to better manage risks and reduce
the impact of disruptive events.

Leadership and deployment of business continuity policies and objectives

As with other popular ISO management system standards, the organization's leadership is given
ultimate responsibility for the performance of the BCMS. Hence, top management has to demonstrate
its commitment to the successful implementation of the management system. A business continuity
policy needs to be established and communicated first. This becomes the basis for business continuity
objectives, which are established at relevant functions and levels.

Resource requirements

The International Standard is not very specific about the resources the organization requires for the
BCMS, leaving the organization much leeway in how to plan and implement its management system.
The resources it does name, however, are similar to those required by ISO 9001: people, facilities,
information and communications technology (ICT), communication with interested parties, documented
information, and finance and funding. Specific to human resources are also competency and awareness
requirements.

Business impact analysis and risk assessment (BIA & RA)

The BIA and RA are essential processes in the BCMS. The first process, the BIA, is necessary to determine
the impact of different threats on the organization. Performing the BIA gives the organization a view of
its prioritized activities as well as its dependencies on resources and third-party providers. The BIA also
allows the organization to identify its maximum tolerable period of disruption (MTPD), beyond which the
effects are deemed unacceptable to the organization. The recovery time objective (RTO) may then be set
within the MTPD. The second process, the RA, serves to identify, analyze, and evaluate risks in order to
determine which of these require further treatment (i.e. controls and actions).

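
The BIA and RA logic described above, worked through in code as an added example; this is not code from the post or from ISO 22301, which prescribes no particular scoring formula. The activities, the dependency chain, the loss-per-hour figures, the 1 to 5 likelihood and impact scales, and the risk appetite threshold are all constructed assumptions for illustration. The example goes one step beyond the text by adjusting each activity's RTO for its dependencies: an activity cannot be back before the resources it depends on are back, and that adjusted RTO is what must fit within the MTPD.

```python
"""BIA / RA helper (added example; sample data and scales are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Activity:
    name: str
    mtpd_hours: int                 # maximum tolerable period of disruption
    rto_hours: int                  # recovery time objective chosen for this activity
    impact_per_hour: float          # constructed: estimated loss per hour of outage
    depends_on: List[str] = field(default_factory=list)  # resources / third-party providers


@dataclass
class Risk:
    description: str
    likelihood: int                 # constructed scale: 1 (rare) .. 5 (almost certain)
    impact: int                     # constructed scale: 1 (minor) .. 5 (severe)


def effective_rto(activities: Dict[str, Activity], name: str,
                  _seen: Optional[Set[str]] = None) -> int:
    """Dependency-adjusted RTO: an activity recovers no earlier than the slowest
    thing it depends on. Raises on circular dependencies."""
    seen = set() if _seen is None else _seen
    if name in seen:
        raise ValueError(f"circular dependency at {name}")
    seen.add(name)
    act = activities[name]
    dep_rtos = [effective_rto(activities, dep, seen.copy()) for dep in act.depends_on]
    return max([act.rto_hours] + dep_rtos)


def bia_findings(activities: Dict[str, Activity]) -> Dict[str, List[str]]:
    """Rank activities by impact (the prioritized activities) and flag those whose
    dependency-adjusted RTO does not fit within their MTPD."""
    prioritized = sorted(activities.values(), key=lambda a: a.impact_per_hour, reverse=True)
    breaches = [a.name for a in activities.values()
                if effective_rto(activities, a.name) > a.mtpd_hours]
    return {"prioritized": [a.name for a in prioritized], "rto_breaches": breaches}


def risks_needing_treatment(risks: List[Risk], appetite: int = 9) -> List[str]:
    """RA step: score = likelihood x impact; anything above the (assumed) appetite
    threshold is returned as needing treatment (controls and actions)."""
    return [r.description for r in risks if r.likelihood * r.impact > appetite]


# Constructed sample data: order processing depends on the ERP system, which in
# turn depends on data-centre power. Payroll also depends on the ERP system.
SAMPLE_ACTIVITIES = {
    "order_processing": Activity("order_processing", 24, 8, 5000.0, ["erp_system"]),
    "erp_system": Activity("erp_system", 48, 36, 3000.0, ["datacentre_power"]),
    "datacentre_power": Activity("datacentre_power", 72, 4, 1000.0),
    "payroll": Activity("payroll", 168, 72, 500.0, ["erp_system"]),
}

SAMPLE_RISKS = [
    Risk("pandemic forces site closure", likelihood=4, impact=5),
    Risk("single ERP hosting provider outage", likelihood=3, impact=4),
    Risk("short power interruption", likelihood=4, impact=2),
]

if __name__ == "__main__":
    findings = bia_findings(SAMPLE_ACTIVITIES)
    print("prioritized activities:", findings["prioritized"])
    for name in SAMPLE_ACTIVITIES:
        print(f"{name}: own RTO {SAMPLE_ACTIVITIES[name].rto_hours}h, "
              f"effective RTO {effective_rto(SAMPLE_ACTIVITIES, name)}h, "
              f"MTPD {SAMPLE_ACTIVITIES[name].mtpd_hours}h")
    print("RTO breaches MTPD:", findings["rto_breaches"])
    print("risks needing treatment:", risks_needing_treatment(SAMPLE_RISKS))
```

In the sample, order processing has an 8-hour RTO of its own, but because the ERP system it depends on is planned to take 36 hours to recover, its effective RTO is 36 hours, which exceeds its 24-hour MTPD. That is exactly the kind of dependency the BIA is meant to surface: either the ERP recovery has to be brought within 24 hours, or order processing needs a continuity strategy that does not rely on the ERP system.
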
Business continuity plans (BCP) and business continuity strategies (BCS)

The BCP is an indispensable tool in managing business disruptions, which is partly why, for some
organizations, it becomes synonymous with the BCMS. In the context of ISO 22301, it is still an essential
part of the BCMS and provides specific procedures on how to manage a disruption. In addition, it defines
a response structure, warning and communication procedures, and recovery plans. As with the
emergency preparedness and response processes in ISO 14001 and ISO 45001, BCPs also need a
programme for exercising and testing (e.g. drills).

Complementing the BCPs, BCSs provide strategies for continuing prioritized activities within acceptable
levels and time frames. Solutions provided by BCSs may include protection of prioritized activities (such
as through outsourcing or the use of less risky alternatives); transfer to alternate locations and creation
of spare capacity; and reputation management.

Performance evaluation and improvement

Completing the PDCA [5] model used by ISO management systems are the last two clauses of the
standard: performance evaluation and improvement. In order to ensure that the management system is
being implemented as planned and is achieving its intended outcomes, it becomes necessary to monitor
and measure performance. The results are then analyzed and evaluated against the management system
objectives and stakeholder requirements, with the intention of correcting and further improving
effectiveness. Internal audits and management reviews are instrumental in evaluating the performance of
management systems and are likewise important requirements of ISO 22301. Finally, improvement can
be further effected by acting on detected nonconformities in order to prevent recurrence, as well as
through the adoption of processes that continually improve the suitability, adequacy, and effectiveness
of the BCMS.

Visit courses.eddams.com for elearning courses on ISO management system standards.

Get in touch with the author at info@eddams.com.

Notes

[1] ISO 22301:2019 Security and resilience – Business continuity management systems – Requirements

[2] International Organization for Standardization (April 16, 2020). COVID-19 response: Freely available ISO
standards. Retrieved from https://www.iso.org/covid19

[3] ISO 31000:2018 Risk management – Guidelines

[4] For this post, I also referred to ISO 22313:2020 Security and resilience – Business continuity
management systems – Guidance on the use of ISO 22301

[5] Plan-Do-Check-Act
