
Societal Security: Business Continuity Management Systems

AN OVERVIEW OF ISO 22301:2012
ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review,
maintain, and continually improve a documented management system to prepare for,
respond to, and recover from disruptive events when they arise. Natural disasters,
environmental accidents, technology mishaps, and man-made crises have demonstrated
that severe incidents can and will happen, impacting the public and private sectors alike.
The challenge goes beyond providing an emergency response plan or reusing the disaster
management strategies that served in the past.
ISO 22301:2012 Societal security—Business continuity management systems—
Requirements is the world's first international business continuity management system
(BCMS) standard. It was developed by ISO Technical Committee 223. ISO published this
standard on June 15, 2012. It cancels and replaces the old BS 25999 business continuity
standard, which is obsolete and has been officially withdrawn.
The purpose of ISO 22301:2012 is to show individuals how to set up and manage a
BCMS. These requirements can be found in seven sections within the standard (Table
35.1). The requirements specified in ISO 22301:2012 are generic and intended to be
applicable to all organizations (or parts thereof), regardless of type, size, and nature of the
organization. The extent of application of these requirements depends on the
organization’s operating environment and complexity.
THE PDCA APPROACH
Like ISO 9001 and ISO 13485, ISO 22301 is organized around the plan–do–check–act
(PDCA) cycle, which maps onto the standard's clauses as follows:
• Plan. Parts 4, 5, 6, and 7 expect you to plan the establishment of your
organization’s BCMS
• Do. Part 8 expects you to establish your BCMS
• Check. Part 9 expects you to evaluate your BCMS
• Act. Part 10 expects you to improve your BCMS
BRIEF OVERVIEW OF KEY CLAUSES OF ISO 22301:2012 BUSINESS CONTINUITY STANDARD
Following the new structure of ISO Guide 83, ISO 22301 is organized into seven main
clauses (Table 35.1); the key activities for each clause are summarized below.
Clause 4: Context of the Organization
Understand your organization, its purpose, objectives, and context, together with the
needs and expectations of interested parties in light of legal and regulatory
requirements. Organizations should also consider how disruptive incidents could impact
the organization.
Clause 5: Leadership
Provide leadership and support for your organization and ensure that managers
demonstrate their commitment and support and encourage employee involvement.
Allocate responsibility and authority for carrying out business continuity roles to
the appropriate people within your organization.
Clause 6: Planning
Identify and determine the risks and opportunities that could influence the effectiveness
of your organization or disrupt its operation, then define actions and prepare plans to
address them.
Clause 7: Support
Identify and provide the resources that your organization needs, including procedures and
communication tools. Determine the competence requirements of the people under your
organization’s control who have an impact on its performance, and ensure that people are
aware of their responsibilities.
Clause 8: Operation
Plan and develop your BCMS processes by studying potential disruptions and analyzing
business risks, and set your priorities. Establish a formal process that your organization
can use to evaluate and set business continuity and recovery priorities, objectives, and
targets; document, implement, and maintain your priority-setting process.
Clause 9: Performance Evaluation
Determine how you will monitor and measure the performance and effectiveness of your
organization. Make sure that your audit program is capable of determining whether your
system conforms to requirements.
Clause 10: Improvement
Identify, react to, and evaluate nonconformities when they occur. Implement corrective
actions to address causes, and review the effectiveness of your corrective actions.
Continuously improve the performance, suitability, adequacy, and effectiveness of your
system.
