ISO 22301 Background
Since its release in 2012, ISO 22301 (Societal security – Business continuity management system – Requirements) has made a dramatic impact on how business continuity programs are designed, managed, and improved.
The standard provided a unifying approach to developing business continuity management systems. Using simple, straightforward language, ISO 22301 summarizes minimum requirements for effective business continuity and enables coordinated preparedness among diverse organizations regardless of size, location, or sector.
It is safe to say that ISO 22301 has successfully guided many organizations in developing and improving effective business continuity programs, and it has introduced a common language for organizations to discuss business continuity planning process and capability. Overall, ISO 22301 offers a unique value proposition that will drive higher levels of business continuity performance in years to come.
In 2019, seven years after its initial publication and in compliance with ISO requirements for updating previously issued standards, the ISO technical committee with responsibility for ISO 22301 (ISO/TC 292) issued its second edition.
The revisions to the original standard are generally focused on simplifying the original language to help organizations understand the requirements and enable more effective attestations (for those seeking certification), as well as removing repetitive content.
The most significant changes are:
- Evolved ISO requirements for management system standards (which have matured since 2012) have been applied;
- Requirements-related descriptions are clearer, with no additional requirements;
- All discipline-specific business continuity requirements, such as requirements for business impact analysis (BIA), risk assessment, strategy determination, plans, exercises, and continual improvement, are now in one section (Clause 8); the 2012 edition had some “Do” elements in the “Plan”-related clauses;
- Descriptions related to requirements – specifically the BIA and risk assessment, as documented in Clause 8 (“Operation”) – have been rewritten and restructured to provide a clearer understanding; and
- Significant changes to terminology (Clause 3) were made to improve clarity and reflect current thinking.
Before You Begin Reading
Organizations with a strong understanding of management systems realize the most value from ISO 22301, but we recognize that not everyone is familiar with management systems and their related processes.
As such, this page is organized into three sections:
Section 1: Introduction to ISO 22301
This section provides an overview of the standard, including its scope, audience, and value proposition.
Section 2: What is a Management System?
This section introduces key management system concepts that all business continuity professionals should understand before moving forward with the implementation of ISO 22301.
Section 3: Understanding ISO 22301’s Structure and Content
This section focuses solely on ISO 22301, introducing practical, pragmatic guidance to successfully implement the standard and take advantage of each element of the business continuity management system.
Download our white paper Implementing ISO 22301 to gain full access to the content in section three.
Castellan has been a longtime proponent of aligning to management systems standards, and, if a business case exists, proceeding toward organizational certification.
If you’re looking for assistance with aligning your program to ISO 22301, please book a meeting with our team. As an ISO 22301 certified firm, we’d love to learn about your goals and discuss how we can help you successfully align to the standard.
Implementing ISO 22301: The Business Continuity Management System Standard
SECTION 1: An Introduction to ISO 22301
Scope of the Standard
As stated in ISO 22301 Clause 1, the intended purpose of the standard is to enable organizations to “protect against, reduce the likelihood of the occurrence of, prepare for, respond to, and recover from a disruption when they arise” by establishing, operating, and continuously improving a business continuity management system (BCMS).
The official title of ISO 22301 reflects that it is a “requirements” document, but what exactly does that mean? Essentially, standards are structured in one of two ways:
- Requirements Standards: Also known as specifications (and for ISO documents, typically ending with a “01” in their number), these are documents written in a way that captures core elements of a discipline that should be implemented regardless of an organization’s size, location, or purpose (industry). In other words, requirements standards detail what an organization should do, not necessarily how they should do it. Written using the word “shall,” requirements standards enable independent audit and certification (if a business case warrants such a decision).
- Guidance Standards: Designed to complement a requirements standard, or act in a purely independent manner, guidance standards detail more of the how by introducing implementation options based on best practices. In the case of business continuity, ISO 22313 is the guidance standard that supports ISO 22301 by offering implementation and continual improvement guidance.
Again, ISO 22301 is a requirements standard, written to enable auditability, as well as organizational certification for entities seeking such third-party, independent attestation. Certification, while optional, is a value-adding differentiator for many organizations, particularly those engaged in business-to-business transactions, as it provides third-party validation of the effectiveness of the organization’s business continuity management system. However, first and foremost, ISO 22301 was written to enable higher levels of business continuity performance, and Castellan expects that the vast majority of organizations will continue to align to the spirit and intent of the standard for that reason.
The business continuity community has some fairly high expectations for the second edition of ISO 22301. Castellan believes that the actual reaction will be positive, as organizations will appreciate the organized, straightforward, and clarified language – especially for Clause 8 (Operation). Additionally, this version of ISO 22301 includes ISO’s evolved approach for management system standards. Many business continuity professionals focused on aligning with ISO 22301 will appreciate the clarity and organization.
Overall, as you read ISO 22301, remember it is written in a manner that introduces topics so the wording is applicable to everyone – regardless of geography, size, structure, or purpose – including not-for-profit entities and those in the public and private sectors. In other words, the content is high-level and describes the what, not the how.
ISO 22301’s Audience
ISO 22301 describes business continuity planning concepts using clear, straightforward language that can be used by anyone in any organization to plan for, implement, and continually improve a business continuity management system. Regardless of experience or job title, ISO 22301 enables those charged with leading the business continuity planning effort to understand business continuity concepts with significantly less jargon and using descriptions in lieu of acronyms.
Ultimately, any entity and/or person (including business continuity professionals, program sponsors, and executive management) charged with preparing for disruptions will benefit from ISO 22301 if they intend to:
- Improve performance as it pertains to preparedness for a disruption;
- Use approaches consistent with those employed by business partners and customers;
- Prepare for certification to the standard, if a business case exists (which is optional).
To be clear, this standard is not just for those new to the business continuity profession, nor is it strictly for the most experienced professionals. This standard is written for everyone with a role in mitigating risk associated with disruptions.
ISO 22301’s Value Proposition
Standards exist to improve organizational performance in a specific discipline. As an extension of performance improvement, ISO designs its standards to offer approaches and solutions to address the most common challenges facing an organization. ISO 22301 is no different.
As the first international standard focused exclusively on business continuity planning, ISO 22301 offers content to address the most common challenges facing the organization as a whole, as well as its business continuity professional(s) and executive sponsors. In addition, the standard provides a framework to build the capability necessary to respond to, recover from, and operate effectively during the most challenging and unexpected circumstances.
Castellan identified seven key challenges that ISO 22301 is well-positioned to address:
- Clarity Regarding Business Continuity Outcomes
To executive management, the business continuity outcome is not recovery time and recovery point objectives, or even up-to-date plans. These are all necessary, but they are means to an end. Mitigating the risk associated with a disruption and ensuring processes and resources are recoverable to meet interested party expectations specific to product/service delivery is not only the outcome executive sponsors and customers expect, but what they want measured.
- Focus and Strategic Alignment
The standard focuses on an organization’s most important products and services, which forces scoping using the same methods the organization uses to measure and improve organizational performance in general. This approach helps executives connect risk and impact to organizational initiatives, objectives, and obligations.
- Management Engagement
Using management system concepts mapped to the Plan-Do-Check-Act (PDCA) model, this standard appropriately engages management and positions senior leadership to participate in the process of strategically scoping and setting objectives, making strategic resourcing decisions, and prioritizing continual improvement opportunities based on performance compared to objectives and needs.
- Perceived Complexity
Unfortunately, business continuity can often be perceived by many as overly complex and burdensome. The original ISO 22301 advanced business continuity towards a higher degree of pragmatism, and the second edition of ISO 22301 continues the journey, written to advance the concept of removing unnecessary complexity.
The second edition remains focused on the most important methods to connect (and stay connected) with management and perform the activities that lead to higher levels of business continuity performance. In most cases, the standard avoids the use of unnecessary actions and acronyms.
A growing number of organizations are integrating business continuity with other risk management disciplines, which demonstrates that the industry is maturing. As a management system standard, ISO 22301 can help organizations appropriately coordinate risk management efforts, with the end objective of mitigating a broad range of risks in the most efficient manner possible.
- Addressing Multiple Sources of Needs and Obligations
Management systems standards are designed to be “plug and play.” Because ISO standards are written on the international stage using consensus-driven approaches, they cannot possibly meet the unique needs of all organizations (be that legal, contractual, regulatory, or cultural needs). Instead, ISO management systems standards enable organizations to identify and address these influencing factors and obligations without directly calling out what they may be or what their requirements are.
- Project Versus Program Mindset
ISO 22301 is all about long-term continual improvement. With this as the focus, the risk of treating business continuity as a one-time action greatly decreases. It is clear to planning participants and their executive sponsors that recurring action is necessary to enable alignment to key priorities and the expectations of interested parties.
Since this standard involved input from over 60 countries, as well as multiple observer organizations over a number of years, it is safe to say that ISO 22301 summarizes best practices applicable to all entities, regardless of location, purpose, or size.
For those struggling with selling certain business continuity planning approaches or techniques, ISO 22301 can serve as a form of benchmarking, summarizing the core planning activities necessary to ensure successful preparedness outcomes. Overall, ISO 22301 describes planning approaches and outcomes that lead to better uniformity and coordination with other interested parties, including government, customers, and suppliers.
This revised standard also focuses on response and recovery solutions performance (e.g., how fast and to what capability an organization can recover its most important activities and resources), not just how good the organization is at performing the business continuity planning lifecycle. If done correctly, organizations will assess risk in terms of an inability to recover the activities and resources that deliver the organization’s most important products and services, which is a powerful presentation for an executive management audience.
As a strong proponent of standards in general, and especially management systems standards, Castellan believes that ISO 22301 offers unprecedented value because of:
- ISO clout and global acceptance
- Management engagement
- Clarity regarding business continuity scope (products and services)
- Continual improvement
- Performance-based content
Overall, this standard was developed to address some of the most significant, recurring obstacles that often lead to business continuity performance issues, specifically clarity of purpose and management engagement.
ISO 22301 At A Glance
WHAT IS IT?
The first international standard focused exclusively on business continuity.
WHAT IS THE SCOPE?
Implementing, operating, and continuously improving a business continuity management system.
WHAT IS THE FOCUS?
Written for any organization, regardless of industry, size, or location.
WHAT IS THE PURPOSE?
A requirements document; although written to drive business continuity performance, it supports voluntary organization certification.
WHERE CAN I PURCHASE THE STANDARD?
ISO 22301: 2019 can be purchased here.
ISO 22301 Supporting Guidelines
Since its adoption in 2012, a number of Technical Specifications have been published to provide additional guidance for implementing ISO 22301. These include:
ISO 22301 Significant Changes
| Area | Topic | Change |
|---|---|---|
| General | Terminology | Significant improvements were made to terminology, as listed in Clause 3 (Terms and Definitions). Definitions can also be found in ISO 22300. |
| General | Redundant Verbiage | Modifications have been made to improve readability and comprehension, as well as removing redundant verbiage. Additionally, the term risk appetite has been replaced with a new definition clarifying risk tolerance by “the amount and type of risk the organization may or may not take.” |
| General | Align to Risk Standards | ISO 22301 is better aligned to established risk standards (ISO 31000). For example, Clause 8.2.3 states, “an organization shall implement and maintain a risk assessment process,” with direct reference to ISO 31000. |
| Clause 8.1 | Operational Planning and Control | Added the term supply chain to the organizational changes that need to be controlled. |
| Clause 8.2.1 | BIA and Risk Assessment | Requirements for conducting a business impact analysis and risk assessment have been clarified to remove duplication. Simply stated, organizations are required to “implement and maintain systemic processes” for conducting a BIA and risk assessment and review results “at planned intervals” and when there is an organizational change. |
| Clause 8.2.2 | BIA Process | This clause, providing guidance on the business impact analysis process, has added three more requirements, including: (1) defining impact types and criteria relevant to the organization’s context; (2) using impact types and criteria for assessing impacts over time; and (3) using the analysis results to identify prioritized activities. |
| Clause 8.3 | Business Continuity Strategies and Solutions | In the past, this clause focused on business continuity strategies, following the BIA and risk assessment. “Solutions” has been added to the requirements. This is significant, as an organization is required to not only identify strategies, but to also define solutions implemented for each strategy. |
| Clause 8.4 | Business Continuity Plans and Procedures | Originally, this clause addressed developing business continuity procedures; the revised section calls for the implementation of plans and procedures. The distinction appropriately notes that there are different types of procedures that comprise a plan. |
| Clause 8.5 | Exercise Program | This clause goes further than the original version in not only requiring that an organization exercise its business continuity procedures, but to also develop an exercise program to ensure ongoing validation and modification of strategies and plans. |
| Clause 8.6 | Evaluation | The requirement for evaluating business continuity documentation and capabilities has moved from Clause 9 into Clause 8 to emphasize the need to regularly evaluate business continuity documentation and capabilities rather than “periodically.” |
SECTION 2: WHAT IS A MANAGEMENT SYSTEM?
Although widely used in other professional disciplines for many years (e.g., quality, environmental, health and safety, and information security management), the term management system remains a relatively new concept to business continuity professionals. First introduced to business continuity professionals through British Standard (BS) 25999-2 as a business continuity management system, the management systems concept continues to gain traction in our profession through the ISO standards development effort, as well as new and updated standards from the National Fire Protection Association (NFPA) and ASIS International.
A management system is defined as the framework of processes and procedures used to ensure that an organization can fulfill all tasks required to achieve a set of related business objectives (see Clause 3.16). Management system standards provide a model for establishing, operating, maintaining, and improving a management system and executing capabilities that align to management’s expectations. The scope of the management system can be the entire organization, or specific identified sections or functions within the organization.
Why Should Continuity Professionals Care About Management Systems?
Understanding management system principles is a key success factor in achieving the most value from ISO 22301. Even more importantly, many executive leadership teams may already be familiar with management system concepts and understand their role in operating within a management system. As discussed throughout this web page, a management system is not only a great way to capture leadership support, but it’s also a great way to keep it.
Key Characteristics of Management Systems
A management system exists to continuously improve key processes and outcomes to meet core business objectives. But, what are some of the key characteristics of a management system, regardless of its focus?
- Accountability: A management system always outlines roles and responsibilities for its key interested parties, ranging from the most senior managers (referred to as “top management” in ISO standards) to the general employee population, as well as external entities that have a role in planning, response, and recovery.
- Repeatable Processes: Processes are not designed for one-time use; rather, they are designed to be revisited on a periodic basis in order to adapt the management system’s outputs to organizational change.
- Documentation: Management systems enable repeatability through management-approved documentation that outlines expectations and process characteristics. Organizations also develop documentation in the form of standard operating procedures, or SOPs (in some organizations, SOPs are called frameworks), which set specific performance and frequency expectations to ensure repeatability and continual improvement.
- Resources: A management system identifies the resources needed to enable alignment with organizational objectives and expectations.
- Performance Measurement and Review Mechanisms: With a focus on continual improvement, a management system includes methods of assessing performance based on senior leadership’s expectations.
- Competence: A management system defines the role-specific skills and experiences necessary to meet objectives.
- Cultural Change: Building, promoting, and embedding a business continuity management culture within an organization through training and appropriate communications mechanisms ensures that it becomes part of the organization’s core values and, perhaps, even part of its governance structure. In other words, business continuity stops being a series of separate activities and becomes part of day-to-day decision-making and operations instead.
Key Components of Management Systems
All management systems standards include ten key components. In the case of ISO 22301, each component is designed to provide value to the organization as described in the following list:
- Policy and other Documentation: Documentation includes written, management-endorsed expectations and procedures designed to drive repeatable performance and continual improvement.
- Leadership Involvement: In order to drive alignment with strategic needs and imperatives, executive management must be involved with scoping and objectives-setting from the beginning. This involvement enables management to continuously allocate resources and prioritize continual improvement opportunities based on scope change and performance measurement results.
- Context and Obligations: As mentioned earlier, management systems essentially demand that organizations establish a scope based on key products and services rather than facilities or the organizational chart. This approach is not only more strategic, but also enables effective dialogue with executive managers because they think in terms of organizational outputs (products and services). Management systems also involve identifying obligations (legal, regulatory, and contractual) up front as a source of requirements. “Context definition” is a continuous process, reviewing in-scope products, services, and associated obligations, which is key to establishing a constant connection between the organization’s strategic needs and the business continuity management system.
- Resources: This category includes both the time and money necessary to enable the people charged with business continuity planning to meet objectives based on the scope established by executive management.
- Communication: Business continuity planning activities and solutions require coordination and introduction to all interested parties. Communication can take the form of instructing employees regarding planning activities or developing awareness regarding response and recovery strategies, as well as internal and external communication when faced with a disruptive incident.
- Competencies / Training and Awareness: In order to perform based on expectations, personnel assigned to specific business continuity planning activities must have the right skills and experiences to be successful. As such, management systems involve defining roles and competencies (qualifications), as well as the training and awareness content necessary to build and grow competencies.
- Performance Evaluation and Internal Audit: This element involves evaluating performance based on management’s expectations (which may include the use of Internal Audit or independent, objective parties) and creating processes to develop and deliver metrics and communicate feedback.
- Nonconformity and Corrective Actions: This management systems element identifies where business continuity planning activities and solutions fail to meet policy and other obligations, as well as sets performance targets (in this case, business continuity requirements through the BIA and risk assessment).
- Management Review: This activity enables formal methods of communicating management system characteristics and performance in order to capture management feedback and approval.
- Continuous Improvement: This activity enables the program to internalize performance feedback in order to improve key processes and outcomes, thus more closely aligning to the strategic needs of the organization.
Organizations struggling to capture and keep senior leadership’s attention will quickly realize value when implementing management system concepts – positive input and feedback will increase, as will the resources necessary to meet management expectations.
The Relationship of Management Systems to PDCA
Those familiar with management systems often equate them to something known as a “Plan, Do, Check, Act” systems methodology, or PDCA. This iterative, flexible methodology and its general concepts originated with Total Quality Management (TQM). It was made popular by Dr. W. Edwards Deming, who is considered by many to be the father of modern quality assurance.
PDCA weaves decision making into the fabric of an organization’s overall operational capability and business practices, and often makes the organization more efficient and better positioned to meet important challenges. PDCA provides a problem identification and problem-solving method that can be implemented by an organization, with the implementation approach based on its unique activities and needs. Executing the cycle over time extends knowledge about the PDCA process. As such, repeating the PDCA cycle continuously can bring an organization closer to its goals, usually ideal operational capability and high-quality outputs.
By incorporating PDCA into business continuity management, organizations can assess their unique needs to make informed decisions. As has been demonstrated with environmental and quality management standards, the PDCA approach creates an organizational culture that drives continual improvement through repetitive performance measurement and feedback.
The following list maps ISO 22301’s ten clauses to the PDCA model:
- Clause 1: Scope
- Clause 2: Normative References
- Clause 3: Terms and Definitions
- Clause 4: Context of the Organization (PLAN)
- Clause 5: Leadership (PLAN)
- Clause 6: Planning (PLAN)
- Clause 7: Support (PLAN)
- Clause 8: Operations (DO)
- Clause 9: Performance Evaluation (CHECK)
- Clause 10: Improvement (ACT)
Most of what business continuity professionals consider as traditional business continuity methodology resides in DO, whereas the set-up and continual improvement of the management system resides in PLAN, CHECK, and ACT.
How Do Management Systems Apply to Business Continuity?
Risk management efforts are greatly enhanced with management-oriented models that avoid professional jargon and focus on organizational outcomes. As described above, PDCA is a simple method to apply: a proven, widely accepted means of engaging management and driving continual improvement. Further, it lends itself to multi-disciplinary application and coordination. Management systems offer a series of processes wrapped around a common objective, and, in the case of business continuity, the objective is mitigating business continuity-related risk, which includes protecting the activities and resources that deliver the organization’s most important products and services.
Management systems add value because, by design, they enable an organization to address multiple standards, regulatory requirements, and other obligations using a single management system. In the case of business continuity, organizations often have multiple sources of requirements influencing the execution of planning activities. Because management systems standards such as ISO 22301 can help implement an “umbrella” management system, it is well-positioned to flexibly serve every organization’s unique business continuity needs, as they are free to add planning activities and solutions to the business continuity management system.
What’s the Relationship Between a Business Continuity Program and a Business Continuity Management System?
Many managers and business continuity professionals see little difference between a business continuity program and a management system. In reality, the subtle differences can lead to major performance improvements.
A program is a planned sequence and combination of activities designed to achieve specific goals. A program normally involves organizing resources to perform a finite, recurring set of activities to meet a set of specific objectives (sometimes performed alone and without coordination with other processes, activities, or disciplines). However, this approach often does little to continually evaluate, incorporate, and address the wider organizational obligations, needs, and expectations.
In comparison, a management system refers to what the organization does to define and manage its processes and activities so its products and services meet the objectives it has set for itself, such as:
- Satisfying customers’ requirements;
- Capturing market share or offering a competitive differentiator;
- Complying with regulations; and/or
- Meeting other organizational objectives.
Management systems offer a proven, discipline-neutral framework for managing and continually improving an organization’s policies, processes, and activities, as well as the outcomes specific to the discipline.
It is a common misconception that an organization must use one or the other – either a program or a management system. Interestingly, the activities that many business continuity professionals view as program approaches for preparedness (risk assessments, business impact analyses, plan documentation, exercises, and maintenance processes) are included in ISO 22301 (essentially Clause 8 of the standard); however, these aspects are just part of the overall approach, making up the DO of PDCA. The remaining management system concepts drive management connection, strategic alignment, continuous improvement, and repeatability.
Where Can I Go For More Information on Management Systems?
A number of resources are available to further describe management systems. Consider purchasing a copy of ISO Guide 72, which offers considerable information on key management system components and characteristics. Also, review other management systems-oriented standards (ISO 9001, ISO 14001, ISO 27001), or consult with Quality, EHS, or Information Security professionals that have experience developing, implementing, or operating management systems. Lastly, review the numerous management system case studies posted online in order to further understand the value of the concept and how organizations have achieved success.
Overall, management systems are now part of the business continuity profession, and Castellan believes the industry is fortunate that these concepts are now becoming the status quo within industry standards.
Section 3: Understanding ISO 22301’s Structure and Content
The first three clauses of the standard provide background information regarding ISO 22301. Clauses four through ten define the business continuity management system. The following graphic shows how the clauses align to the Plan-Do-Check-Act model in granular detail:
[Graphic: Business Continuity Management System]
- Clause 4: Context of the Organization
- Clause 5: Leadership
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance Evaluation
- Clause 10: Improvement
This section focuses solely on ISO 22301:2019, introducing practical, pragmatic guidance to successfully implement the standard and take advantage of each element of the business continuity management system. Starting with Clause 4, Castellan structured the summary of each clause by focusing on four topics:
- What is it?
- What value can it deliver?
- Tips on getting started
- Things to consider before moving on
Download our free white paper – Implementing ISO 22301 – to gain full access to the detailed content covered in section three.