ISO 22301 Business Continuity Management


Upload: ramiro-cid

Post on 19-Jan-2015


DESCRIPTION

Presentation of ISO 22301 Societal Security - Business Continuity Management Systems: main concepts, basic terms, content of the standard, clauses, mandatory documentation, related standards, comparison with BS 25999-2, benefits of ISO 22301 implementation, etc.

TRANSCRIPT

Page 1: ISO 22301 Business Continuity Management

ramirocid.com [email protected] Twitter: @ramirocid

ISO 22301 Societal security - Business continuity management systems

Ramiro Cid | @ramirocid

ISO 22301 Societal Security - Business Continuity Management Systems

Page 2: ISO 22301 Business Continuity Management


Index

1. Introduction Page 3

2. Comparison between ISO 22301 and BS 25999-2 Page 4

3. Basic terms used in the standard Page 6

4. Content of ISO 22301 Page 7

5. ISO 22301 explained Page 8

6. Mandatory documentation Page 12

7. Related standards Page 13

8. Societal security context Page 14

9. Projects under development Page 15

10. Benefits of ISO 22301 business continuity management Page 16

Page 3: ISO 22301 Business Continuity Management


Introduction

The full name of this standard is:

“ISO 22301 Societal security - Business continuity management systems - Requirements”

This standard was created by leading experts in this area to provide the best framework for business continuity management in an organization.

Object: ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise.

Scope: The requirements specified in ISO 22301:2012 are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity.

Who can implement this standard? Any organization, large or small, for profit or nonprofit, private or public. The standard is conceived in such a way that it is applicable to any size or type of organization.

Page 4: ISO 22301 Business Continuity Management


Comparison between ISO 22301 and BS 25999-2

ISO 22301 has replaced BS 25999-2. These two standards are quite similar, but ISO 22301 can be considered an update of BS 25999-2.

                         ISO 22301                                   BS 25999-2
Complete name            ISO 22301:2012 Societal security -          BS 25999-2 Business Continuity
                         Business continuity management              Management - Part 2: Specification
                         systems - Requirements
Published by             International Organization for              British Standards Institution
                         Standardization
Published date           15/05/2012                                  20/11/2007
Total number of pages    24                                          28
Official recognition     Internationally accepted by standards       Accepted only in the United Kingdom,
                         institutes in 163 countries                 but implemented worldwide

Page 5: ISO 22301 Business Continuity Management


Comparison between ISO 22301 and BS 25999-2 (continuation)

ISO 22301 is not that different from BS 25999-2 in most business continuity areas like business impact analysis, strategy or planning; the biggest changes are in the management part of the standard.

ISO 22301 places much greater emphasis on understanding requirements, setting objectives and measuring performance. Therefore, it will be more easily accepted by top management, which in turn will contribute to the widespread adoption of this standard, like ISO 27001, ISO 9001 or ISO 14001.

Page 6: ISO 22301 Business Continuity Management


Basic terms used in the standard

• Business Continuity Management System (BCMS) – the part of an overall management system that ensures business continuity is planned, implemented, maintained, and continually improved

• Maximum Acceptable Outage (MAO) – the maximum amount of time an activity can be disrupted without incurring unacceptable damage (also Maximum Tolerable Period of Disruption – MTPD)

• Recovery Time Objective (RTO) – the pre-determined time at which an activity must be resumed, or resources must be recovered

• Recovery Point Objective (RPO) – the maximum acceptable data loss, i.e., the minimum amount of data that needs to be restored

• Minimum Business Continuity Objective (MBCO) – the minimum level of services or products an organization needs to produce after resuming its business operations
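The relationships between these terms are what a business impact analysis review actually checks: an RTO that is not below the MAO leaves no margin before unacceptable damage, and an RPO cannot be met unless data is captured at least that often. The following is an added example (not code from the presentation or from ISO) that runs those two consistency checks over constructed BIA records and orders activities by RTO for recovery priority; the `backup_every_h` attribute is an assumed input, not a term from the standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    """One business activity as recorded in a BIA (sample values are constructed)."""
    name: str
    mao_h: float            # Maximum Acceptable Outage / MTPD, in hours
    rto_h: float            # Recovery Time Objective, in hours
    rpo_h: float            # Recovery Point Objective (max tolerable data loss), in hours
    backup_every_h: float   # assumed attribute: how often the activity's data is captured


def check_activity(a: Activity) -> list:
    """Return human-readable findings; an empty list means the targets are consistent."""
    findings = []
    # RTO is expected to sit below MAO: resuming exactly at the point where
    # damage becomes unacceptable leaves no margin for delay.
    if a.rto_h >= a.mao_h:
        findings.append(f"{a.name}: RTO {a.rto_h}h is not below MAO {a.mao_h}h")
    # RPO is only achievable if data is captured at least as often as the RPO.
    if a.backup_every_h > a.rpo_h:
        findings.append(
            f"{a.name}: data captured every {a.backup_every_h}h cannot meet RPO {a.rpo_h}h"
        )
    return findings


def review(activities) -> list:
    """Run check_activity over every BIA record and collect all findings."""
    return [f for a in activities for f in check_activity(a)]


def recovery_order(activities) -> list:
    """Activity names sorted by RTO: the shortest objectives must be resumed first."""
    return [a.name for a in sorted(activities, key=lambda a: a.rto_h)]


# Constructed sample BIA: one consistent record, one with both problems, one at the limit.
SAMPLE_BIA = [
    Activity("payments", mao_h=4, rto_h=2, rpo_h=0.25, backup_every_h=0.25),
    Activity("crm", mao_h=24, rto_h=48, rpo_h=4, backup_every_h=24),
    Activity("payroll", mao_h=72, rto_h=24, rpo_h=24, backup_every_h=24),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_BIA):
        print(finding)
    print("recovery priority:", recovery_order(SAMPLE_BIA))
```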

Page 7: ISO 22301 Business Continuity Management


Content of ISO 22301

Introduction
0.1 General
0.2 The Plan-Do-Check-Act (PDCA) model
0.3 Components of PDCA in this International Standard

1 Scope

2 Normative references

3 Terms and definitions

4 Context of the organization
4.1 Understanding of the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the management system
4.4 Business continuity management system

5 Leadership
5.1 General
5.2 Management commitment
5.3 Policy
5.4 Organizational roles, responsibilities and authorities

6 Planning
6.1 Actions to address risks and opportunities
6.2 Business continuity objectives and plans to achieve them

7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information

8 Operation
8.1 Operational planning and control
8.2 Business impact analysis and risk assessment
8.3 Business continuity strategy
8.4 Establish and implement business continuity procedures
8.5 Exercising and testing

9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review

10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement

Bibliography

Page 8: ISO 22301 Business Continuity Management


ISO 22301 explained

ISO 22301 is the second published management systems standard that has adopted the new high-level structure and standardized text agreed in ISO.

This will ensure consistency with all future and revised management system standards and make integrated use easier with, for example, ISO 9001 (quality), ISO 14001 (environmental) and ISO/IEC 27001 (information security).

The standard is divided into 10 main clauses, starting with scope, normative references, and terms and definitions. Following these are the standard’s requirements.

Page 9: ISO 22301 Business Continuity Management


ISO 22301 explained

Clause 4 – Context of the organization

The first step involves getting to know the organization, both its internal and external needs, and setting clear boundaries for the scope of the management system. In particular, this requires the organization to understand the requirements of relevant interested parties, such as regulators, customers and staff. It must in particular understand the applicable legal and regulatory requirements. This enables it to determine the scope of the business continuity management system (BCMS).

Clause 5 – Leadership

ISO 22301 places particular emphasis on the need for appropriate leadership of BCM. This is so that top management ensures appropriate resources are provided, establishes policy and appoints people to implement and maintain the BCMS.

Clause 6 – Planning

This requires the organization to identify risks to the implementation of the management system and set clear objectives and criteria that can be used to measure its success.

Page 10: ISO 22301 Business Continuity Management


ISO 22301 explained

Clause 7 – Support

Since resources are required for implementation, Clause 7 introduces the important concept of competence. For business continuity to be successful, people with appropriate knowledge, skills and experience must be in place to both contribute to the BCMS and respond to incidents when they occur. It is also important that all staff are aware of their own role in responding to incidents, and this clause deals with all of these areas. The need for communication about the BCMS – for instance in telling customers that the organization has appropriate BCM in place – and preparedness to communicate following an incident (when normal channels may be disrupted) is also covered here.

Clause 8 – Operations

This section contains the main body of business continuity-specific expertise. The organization must undertake business impact analysis to understand how its business is affected by disruption and how this changes over time. Risk assessment seeks to understand the risks to the business in a structured way, and these inform the development of business continuity strategy. Steps to avoid or reduce the likelihood of incidents are developed alongside steps to be taken when incidents occur.

As it is impossible to completely predict and prevent all incidents, the approach of balancing risk reduction and planning for all eventualities is complementary. It might be said, “hope for the best and plan for the worst”.

Page 11: ISO 22301 Business Continuity Management


ISO 22301 explained

Clause 9 – Evaluation

For any management system, it is essential to evaluate performance against plan. ISO 22301 therefore requires that the organization select appropriate performance metrics and measure itself against them. Internal audits must be conducted, and there is a requirement that management review the BCMS and act on these reviews.

Clause 10 – Improvement

No management system is perfect at the outset, and organizations and their environments are constantly changing. Clause 10 defines actions to take to improve the BCMS over time and ensure that corrective actions arising from audits, reviews, exercises and so on are addressed.

Page 12: ISO 22301 Business Continuity Management


Mandatory documentation

If an organization wants to implement this standard, the following documentation is mandatory:

• List of applicable legal, regulatory and other requirements
• Scope of the BCMS
• Business continuity policy
• Business continuity objectives
• Evidence of personnel competences
• Records of communication with interested parties
• Business impact analysis
• Risk assessment, including risk appetite
• Incident response structure
• Business continuity plans
• Recovery procedures
• Results of preventive actions
• Results of monitoring and measurement
• Results of internal audit
• Results of management review
• Results of corrective actions

Page 13: ISO 22301 Business Continuity Management


Related standards

Other standards that are helpful in the implementation of business continuity are:

• ISO/IEC 27031 – Guidelines for information and communication technology readiness for business continuity
• PAS 200 – Crisis management – Guidance and good practice
• PD 25666 – Guidance on exercising and testing for continuity and contingency programs
• PD 25111 – Guidance on human aspects of business continuity
• ISO/IEC 24762 – Guidelines for information and communications technology disaster recovery services
• ISO/PAS 22399 – Guideline for incident preparedness and operational continuity management
• ISO/IEC 27001 – Information security management systems – Requirements

Page 14: ISO 22301 Business Continuity Management


Societal security context

ISO 22301 has been developed by ISO/TC 223, Societal security.

The committee has previously published the following standards and other documents:

• ISO 22300:2012, Societal security – Terminology
• ISO 22320:2011, Societal security – Emergency management – Requirements for incident response
• ISO/TR 22312:2011, Societal security – Technological capabilities
• ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management

Page 15: ISO 22301 Business Continuity Management


Projects under development

• ISO 22311, Societal security – Video-surveillance – Export interoperability
• ISO 22313, Societal security – Business continuity management systems – Guidance
• ISO 22315, Societal security – Mass evacuation
• ISO 22322, Societal security – Emergency management – Public warning
• ISO 22323, Organizational resilience management systems – Requirements with guidance for use
• ISO 22325, Societal security – Guidelines for emergency capability assessment for organizations
• ISO 22351, Societal security – Emergency management – Shared situation awareness
• ISO 22397, Societal security – Public Private Partnership – Guidelines to set up partnership agreements
• ISO 22398, Societal security – Guidelines for exercises and testing
• ISO 22324, Societal security – Emergency management – Colour-coded alert

Page 16: ISO 22301 Business Continuity Management


Benefits of ISO 22301 business continuity management

What are the benefits of ISO 22301 business continuity management?

• Identify and manage current and future threats to your business
• Take a proactive approach to minimizing the impact of incidents
• Keep critical functions up and running during times of crisis
• Minimize downtime during incidents and improve recovery time
• Demonstrate resilience to customers, suppliers and for tender requests

Page 17: ISO 22301 Business Continuity Management


Questions?

Many thanks!

[email protected]

@ramirocid

http://www.linkedin.com/in/ramirocid

http://ramirocid.com

http://es.slideshare.net/RamiroCid

http://www.youtube.com/user/cidramiro

Ramiro Cid – CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL