BUSINESS CONTINUITY

MANAGEMENT &
ISO22301
Frequently asked questions
January 2015

Protect ● Comply ● Thrive

 IT Governance Green Paper
BUSINESS CONTINUITY
MANAGEMENT &
ISO22301
Business continuity management is often
described as a business-critical activity, but
conversation on the subject is often
confused by the parallel concept of disaster
recovery management. Understanding has
not been improved by the existence of
several different business continuity related
standards. In May 2012, however, the
publication of ISO/IEC 22301 provided a
single standard that replaced the prior
dominant standard, BS25999, while offering
greater clarity on the subject.
So, what exactly is business continuity
management, and how do the current
standards relate to one another?
1. What is business continuity
management (BCM)?
A range of internal or external risks could
negatively impact your organisation. These
include a fuel crisis, pandemic, the loss of
business facilities due to fire, flooding, theft
and vandalism, communications failure,
industrial action, power failures – any event
that interferes with the normal running of
your business.
Business continuity management is the
planning process and activities used to
identify those aspects of your business
activities and resources that are essential
or critical.
Documented and tested plans are essential
if your organisation is to continue with
‘business as usual’ when there is a civil
emergency or business interruption.
The formal definition from ISO/IEC 22301
is: “A holistic management process that
identifies potential threats to an
© IT Governance Ltd 2015
“Statistics indicate that 80% of
organisations that are faced
with a significant business
discontinuity, and do not have
adequate and appropriate plans
to ensure business continuity,
do not survive the event.”
organisation and the impacts to business
operations that those threats, if realised,
might cause, and which provides a
framework for building organisational
resilience with the capability for an effective
response that safeguards the interests of its
key stakeholders, reputation, brand and
value-creating activities.”
2. And what is disaster recovery
management (DRM)?
One definition is: “the ability of an
organisation to respond to a disaster or an
interruption in services by implementing a
disaster recovery plan to stabilise and
restore the organisation’s critical functions.”
On the surface, then, it seems extremely
similar to BCM.
3. So, how do the two concepts relate?
A simple way of approaching these two
concepts is to view business continuity
management as the overall process of
identifying and planning to counteract
business continuity risks; part of that
planning should include recovering the
business from a disaster scenario to get it
back to normal working.
2 BCM-DR-FAQ
 IT Governance Green Paper
In essence, BCM ensures that a business
can continue to function while recovering
from the disaster.
DRM, meanwhile, is a broader process of
returning a business or organisation to a
state of normality after a disastrous event.
This will ordinarily incorporate business
continuity, but the focus is upon total
recovery.
4. Does BCM really matter?
Statistics indicate that 80% of organisations
that are faced with a significant business
discontinuity, and do not have adequate
and appropriate plans to ensure business
continuity, do not survive the event.
Sensible organisations take steps well in
advance of possible disasters to ensure
they will survive them; in today’s climate,
organisations want to be sure their
suppliers and the companies in which they
have invested are going to be able to cope.
An ISO22301-accredited certificate provides
evidence of due diligence where BCM is
concerned.
5. What is ISO22301?
ISO22301 is an international standard that
describes the function of a BCM system. It
follows the work established by BS25999,
which was the first formal national (British)
standard for business continuity
management, published in two parts to
worldwide interest in 2007 and 2008.
6. What if we have BS25999
certification?
BS25999 has been superseded by
ISO22301. From 31 May 2012 to 31 May
2014, the United Kingdom Accreditation
Service (UKAS) required all certification
bodies to reassess organisations that had
been certified for compliance with BS25999.
No new certificates or renewals for
BS25999 have been issued after 31
December 2013.1 This means that any
BS25999 certificate your organisation holds
is no longer valid, so you should seriously
consider certifying to ISO22301.
7. How is ISO22301 related to
ISO22313?
© IT Governance Ltd 2015
 ISO 22301:2012 is a specification for a
BCM system.
 ISO 22313:2012 is guidance for the
implementation of the BCM system
described in ISO22301.
8. What is the difference between the
two and are they both equally
important?
ISO22301 provides a framework for an
effective BCM system. It provides sufficient
clarity that it is the basis for an accredited
certification scheme.
ISO22313 provides guidance in
implementing ISO22301. It recognises that
organisations have differing needs, and so
the information can be followed by
organisations anywhere, in whole or in part.
The framework and guidance are
complementary, but only ISO22301 is
audited for certification.
9. Where can I get copies of the two
standards?
Both are available for purchase from official
ISO distributor, IT Governance:
 ISO/IEC 22301 (specification)
 ISO/IEC 22313 (guidance)
10. What are the benefits of BCM and
ISO22301?
It is vital that organisations are able to
withstand serious incidents such as fire and
flooding, and quickly reopen for business as
normal or, even better, switch to
alternative facilities without missing a
customer.
Even a relatively short interruption to
normal activity can seriously damage
customer relationships and your reputation.
Implementing a best practice BCM
system can help to:
 Safeguard your reputation and
competitive edge.
 Preserve customer loyalty and trust.
 Protect financial income and key
business activities.
 Protect business assets.
3 BCM-DR-FAQ
 IT Governance Green Paper
 Enhance business recovery following
serious discontinuities.
 Support insurance claims.
11. What steps are required to achieve
certification to ISO22301?
There is an ISO22301 certification scheme,
and organisations can have their BCM
systems audited against the specification
contained in the Standard. Please contact
us (servicecentre@itgovernance.co.uk) for
more information about how you can have
your ISO22301 BCM system independently
certified.
12. What other standards exist?
There are two other standards that are
important to the business continuity
professional – with particular reference to
those concerned with IT service continuity
and disaster recovery:
 ISO/IEC 24762 – the international code
of practice for information and
communications technology disaster
recovery services.
 ISO/IEC 27031 – the guidelines for ICT
readiness for business continuity.
© IT Governance Ltd 2015
13. What is the relationship between
ISO/IEC 22301 and ISO/IEC 27001?
ISO 22301 is not part of the framework
established in ISO27001, but there is a
degree of overlap in requirements,
particularly with reference to ISO27001’s
risk management requirements.
ISO27001 and ISO22301 certification are
independent of one another, although many
of the drivers for achieving one form of
certification are likely to be common for the
other.
14. Are there toolkits that can help me
simplify the process of creating a BCM
plan?
Yes, there are. One of the most popular is
also the most comprehensive: the
ISO22301 BCMS Implementation Toolkit. It
contains all the templates and tools that will
enable a business continuity manager to
create a BCM plan and develop a business
continuity management system (BCMS) in
line with ISO22301.
4 BCM-DR-FAQ
 IT Governance Green Paper

Useful resources
IT Governance offers a unique range of products and services, including books, standards, pocket guides,
training courses, staff awareness solutions and professional consultancy services.

Business continuity resources

 ISO22301 BCMS Implementation Toolkit
This toolkit contains all the templates and tools that enable a business continuity manager
to quickly implement an effective BCMS in line with ISO22301.

 Disaster Recovery and Business Continuity, Third Edition

This guide shows you how to safeguard your company from viruses and phishing scams. It
explains how to store data safely, prevent assets and business intelligence from being lost
by accident, and ensure your communication links are secure and functioning when disaster
strikes.

 ISO22301 - A Pocket Guide

ISO22301: A Pocket Guide will help you understand international business continuity best
practice, and provides guidance on the best way to implement a fit-for-purpose business
continuity management system (BCMS).

 A Manager’s Guide to ISO22301

Providing a comprehensive introduction to the topic, the author explains how to develop and
implement a business continuity and disaster recovery plan based on ISO22301, the
international standard for best practice in BCM.

Standards
 ISO/IEC 22301 (Specification)
The standard provides the requirements for a business continuity management system
(BCMS) to enable a company to prepare for a disruptive incident. This standard is
essential for an ISO22301-certified BCMS.

 ISO/IEC 22313 (Guidance)

The international standard for implementing a business continuity management system
(BCMS) that meets the requirements of ISO22301.

Training
 ISO22301 Certified BCMS Foundation Training Course

This one-day Foundation course provides a comprehensive introduction to the

international standard and the requirements of a business continuity management
system.

 ISO22301 Certified BCMS Lead Implementer Training Course

© IT Governance Ltd 2015 5 BCM-DR-FAQ

 IT Governance Green Paper

Gain the knowledge and skills to implement an ISO22301-compliant business continuity

management system (BCMS) in your organisation on this practical three-day course.

 ISO22301 Certified BCMS Lead Auditor Training Course

This course provides delegates with the practical knowledge and skills required to plan
and execute audits of business continuity management systems in line with the
requirements specified by the ISO 22301:2012 standard.

Consultancy
 FastTrack™ Business Continuity Management/ISO22301 Consultancy
This unique consultancy service helps you to implement a robust business continuity
management system (BCMS) and achieve certification to ISO22301, with minimal
business disruption and within a limited budget.

 ISO27001 Implementation Consultancy

This product is part of the ‘We’ll Do It For You’ ISO27001 consultancy service. It can
deliver any mix of hands-on, in-house, or mentor and coach consultancy, or any other
mix of consultancy support and services that you may need anywhere in the world to get
your organisation ready for accredited certification within an agreed time frame.

© IT Governance Ltd 2015 6 BCM-DR-FAQ

 IT Governance Green Paper

IT Governance solutions
IT Governance sources, creates and delivers products and services to meet the evolving IT
governance needs of today's organisations, directors, managers and practitioners.
IT Governance is your one-stop shop for corporate and IT governance information, books,
tools, training and consultancy. Our products and services are unique in that all elements are
designed to work harmoniously together so you can benefit from them individually and also
use different elements to build something bigger and better.
Books
Through our website, www.itgovernance.co.uk, we sell the most sought after publications
covering all areas of corporate and IT governance. We also offer all appropriate standards
documents.
In addition, our publishing team develops a growing collection of titles written to provide
practical advice for staff taking part in IT governance projects, suitable for all levels of staff
knowledge, responsibility and experience.
Toolkits
Our unique documentation toolkits are designed to help small and medium-sized organisations
adapt quickly and adopt best management practice using pre-written policies, forms and
documents.
Visit www.itgovernance.co.uk/product-demos to view and trial all of our available toolkits.
Training
We offer training courses from staff awareness and foundation courses, through to advanced
programmes for IT practitioners and Certified Lead Implementers and Auditors.
Our training team organises and runs in-house and public training courses all year round,
covering a growing number of IT governance topics.
Visit www.itgovernance.co.uk/training for more information.
Through our website, you can also browse and book training courses throughout the UK that
are run by a number of different suppliers.
Consultancy
Our company is an acknowledged world leader in our field. We can use our experienced
consultants, with multi-sector and multi-standard knowledge and experience to help you
accelerate your IT GRC (governance, risk, compliance) projects.
Visit www.itgovernance.co.uk/consulting for more information.
Software
Our industry-leading software tools, developed with your needs and requirements in mind,
make information security risk management straightforward and affordable for all, enabling
organisations worldwide to be ISO27001-compliant.
Visit www.itgovernance.co.uk/software for more information.

1
http://www.ukas.com/services/Technical_Bulletins/BCM_BS25999_to_ISO_22301_Transition.asp

Contact us: + 44 (0) 845 070 1750

www.itgovernance.co.uk servicecentre@itgovernance.co.uk

© IT Governance Ltd 2015 7 BCM-DR-FAQ