What is ISO/TS 22332: A Brief Background
In June 2021, ISO, the International Organization for Standardization, published “ISO/TS 22332 Security and resilience – Business continuity management systems – Guidelines for developing business continuity plans and procedures.” This is a long title for a short 27-page standard!
In a nutshell, ISO/TS 22332 is a Technical Specification to help your organization develop effective and consistent business continuity plans and procedures.
Table of Contents
- ISO/TS 22332 At a Glance
- ISO/TS 22332 Structure and Significant Takeaways
ISO/TS 22332 At a Glance
What Is ISO/TS 22332?
Developing business continuity plans and procedures is one of the components of business continuity management. The ISO/TC 292 Security and Resilience Technical Committee developed the ISO/TS 22332 Technical Specification to provide detailed guidance in this area.
Using ISO/TS 22332 provides your organization with:
- Detailed methods to develop business continuity plans and procedures.
- A structured approach to collect and organize information to develop business continuity plans and procedures.
- Advice for maintaining business continuity plans and procedures over time to establish a continual improvement environment.
ISO/TS 22332 is termed a “Technical Specification,” hence the TS in its name. ISO publishes a Technical Specification, rather than a full International Standard, in an area where it expects further feedback in the future, or where a full International Standard may be developed later; a TS provides guidance rather than requirements.
How Is ISO/TS 22332 Connected With ISO 22301?
ISO/TS 22332 is consistent with the existing ISO business continuity International Standards, including the requirements in the related ISO 22301 and the guidance in ISO 22313. The words “requirements” and “guidance” matter here because they mark the difference between the types of standard ISO develops. Some standards, such as ISO 22301, define what organizations must do to comply with that standard; other standards provide guidance related to a compliance standard, as ISO 22313 does for ISO 22301.
ISO/TS 22332 is not itself an International Standard. As a Technical Specification it supports ISO 22301 and ISO 22313, so that anyone using ISO/TS 22332 can develop business continuity plans aligned with both.
Why Does ISO/TS 22332 Matter?
ISO/TS 22332 provides a detailed and clearly structured way to develop business continuity plans and associated procedures.
Who Is ISO/TS 22332 For?
ISO/TS 22332 is for all organizations, according to the standard in its Scope section. It is “applicable to all organizations regardless of type, size, and nature.”
Where Can I Purchase ISO/TS 22332?
Organizations and individuals can purchase ISO/TS 22332 from their regional standards organization or directly from the ISO Store.
ISO/TS 22332 Structure and Significant Takeaways
ISO/TS 22332 starts by defining its terms of reference, stating that a business continuity plan provides guidance and information to assist teams to respond to a disruption in order to meet expectations regarding delivery of products and services. It goes on to state that organizations should have business continuity plans and procedures in place to address the following areas: communications, emergency management, incident response, crisis management, recovery, and restoration.
ISO/TS 22332 is structured in 12 clauses, followed by an annex and a bibliography.
The first three clauses are short, covering the standard’s Scope, Normative References, and Terms and Definitions. After this scene-setting we get into the meat of the document:
Clause 4: Prerequisites
The Prerequisites section of ISO/TS 22332 sets out the requirements needed before starting to develop business continuity plans and procedures. These include:
- Understanding what “interested parties” need and expect when it comes to response and recovery following disruption.
- Determining, selecting, and approving business continuity strategies and solutions.
- Establishing and understanding plan development roles and competencies. “Top Management” should assign a development team leader. The standard sets out a list of competencies the leader and development team should have.
- Resource consideration: Your organization should allocate resources (including personnel time and financial) required to develop, document, and maintain business continuity plans and procedures.
Clause 5: Response
This part of ISO/TS 22332 looks at what is needed to effectively use business continuity plans and procedures during an incident. It covers:
- Response structure: Sets out a hierarchical team structure consisting of strategic, tactical, and operational teams to manage response. The standard also says that in small organizations all these areas may be managed within one team.
- Competence of team members: Provides a list of the main characteristics required of members of each of the three types of response teams.
Clause 6: Types of Business Continuity Team Plans and Procedures
Clause 6 states that business continuity procedures are documented in plans, and that the teams set out in Clause 5 require:
- Information within the plans to understand their scope, objectives, and responsibilities.
- The information to be immediately available.
Clause 6 goes on to describe the development of specific plans for each team type and outlines the purpose, team composition, and owner for each plan type.
Clause 7: Business Continuity Plan and Procedure Content
Clause 7 provides a comprehensive checklist of items needed for the three types of plans set out in Clause 6. Some items may be common to all or most of the plans, while some may be more specific.
Clause 8: Plans for Response to Specific Disruptions
Without using the term, ISO/TS 22332 says organizations may wish to develop specific business continuity playbooks to document the approach to “specific anticipated disruptions.” The standard gives pandemic/epidemic and cyber-attack as two areas where this approach might be taken, but also states these are just examples from many possibilities. Clauses 8.1 and 8.2 give checklists for possible content for pandemic/epidemic plans and cyber-attack plans.
Clause 9: Guidance on Documenting Plans
Business continuity plans and procedures need documentation and this section sets out guidance for doing so. Key points include:
- A business continuity plan is a document intended for use in high pressure, time-limited situations.
- Plans are not manuals or reports and should contain no unnecessary information.
- Plans should be as self-contained as possible.
- Clarity is important and information should be explicit, clear, consistent, and avoid acronyms.
- Plans should be complete, but also should avoid “excessive details.” They should be based on chosen strategies and should suggest options where these exist to enable response flexibility.
Clause 10: Plan Controls, Storage, and Availability
As the title suggests, Clause 10 considers ways to control and manage plan documents; ways to protect them; and storage methods. It points out that all response team members should take responsibility for ensuring they have access to the latest version of the plans “at all times.”
Clause 11: Next Steps After Documenting Plans and Procedures
Clause 11 gives an overview of how to raise organizational awareness about business continuity plans and procedures and how to exercise and test those plans. For further information on business continuity exercising, ISO/TS 22332 points readers to the ISO 22398 guidelines.
Clause 12: Monitoring and Reviewing Business Continuity Plans and Procedures
Closing the continuous development loop, Clause 12 describes methods to ensure business continuity plans and procedures remain current. These include:
- Performance review
- Management review
Annex: Procedures for Maintenance of a Business Continuity Capability
ISO/TS 22332 includes a substantial annex covering various ‘supporting capabilities’ that need to be established and maintained during normal operations in order to ensure the effectiveness of the business continuity plans and procedures during a response.