Business Continuity Management System ISO 22301:2012 An Overview
"Recent worldwide situations such as revolutions, natural disasters, environmental crises and technology issues have shown that severe incidents may happen and impact the private sector as well as the public sector."
In the past, organizations dealt with crises using an emergency response plan or a small disaster management committee.
ISO 22301 "Societal security – Business continuity management systems – Requirements", the world's first international standard for Business Continuity Management (BCM), was developed to help organizations minimize the risk of disruptions. It defines a business continuity management system as the "part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity".
This standard was published in May 2012 to provide organizations with a best-practice framework for business continuity management, and it therefore replaces BS 25999, the British business continuity standard published in 2006.
In 2012, ISO also published ISO 22313 "ISO 22313:2012 Societal security – Business continuity management systems – Guidance" to provide guidance on ISO 22301 for setting up and managing an effective business continuity management system (BCMS).
ISO 22301 Objective:
ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.
ISO 22301 Scope:
The ISO 22301 scope is generic and the intended requirements are applicable to all organizations or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization’s operating environment and complexity.
Who can implement ISO 22301 standard?
The implementation can be done by any organization, large or small, for-profit or not-for-profit, private or public.
ISO 22301 is applicable to organizations of any size or type.
Business Continuity Definitions
• Business Continuity Management (BCM)
Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities
• Business Continuity Management Systems (BCMS)
That part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity. The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes and resources.
• Business Continuity Plan (BCP)
Documented procedures that guide the organization to respond, recover, resume and restore to a pre-defined level of operation following a disruption
• Recovery Time Objective (RTO)
Period of time following an incident within which a product or service must be resumed, an activity must be resumed, or resources must be recovered
• Recovery Point Objective (RPO)
Maximum tolerable data loss: the point to which information used by an activity must be restored to enable the activity to operate on resumption
• Maximum Acceptable Outage (MAO)
Time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable
Business Continuity Benefits
Business Continuity Management System ISO 22301:2012 Structure
This structure is the new formulation of ISO management systems, aligned with "Annex SL", which allows an organization to implement several related ISO management standards at the same time.
As mentioned before in the "ISO 27001:2013 An Overview" article and in our "Integrated Implementation Model" proposed at CSCAMP 2013 (1), with the Integrated Implementation Model any organization can implement ISO 22301:2012 (Business Continuity Management System) together with ISO/IEC 27001:2013 in the same implementation period, within about 12 to 14 months. (2)
1. Scope
States the applicability of the standard to the various types of organization
2. Normative References
3. Terms and Definitions
A brief, formalized glossary including the common terms and definitions of a BCMS
Clause 4 – Context of the organization
Understand the context of the organization and its internal and external needs, and set clear boundaries for the scope of the BC management system.
Clause 5 – Leadership
A BCMS requires appropriate leadership. Top management must ensure appropriate resources, establish the policy and appoint the people who implement and maintain the BCMS.
Clause 6 – Planning
This requires the organization to identify risks to the implementation of the management system and set clear objectives and criteria that can be used to measure its success.
Clause 7 – Support
Introduces the important concept of competence. For business continuity to be successful, people with appropriate knowledge, skills and experience must be in place to both contribute to the BCMS and respond to incidents when they occur.
Clause 8 – Operations
The Operation clause contains the main body of business continuity management. The organization must undertake a business impact analysis, a risk assessment and the development of a business continuity strategy.
Clause 9 – Evaluation
For any management system, it is essential to evaluate performance. The BCMS requires that the organization select and measure itself against appropriate performance metrics, conduct internal audits and management reviews of the BCMS, and act on the results of these reviews.
Clause 10 – Improvement
Organizations and their environments are constantly changing. This clause defines the actions to take to improve the BCMS over time and to ensure follow-up on corrective actions arising from audits, reviews and exercises.
The Plan-Do-Check-Act Cycle
The standard applies the 'Plan-Do-Check-Act' (PDCA) cycle to plan, establish, implement, operate, monitor, review, maintain and continually improve the effectiveness of an organization's BCMS.
Related Best Practices and Standards
UAE AE/HSC/NCEMA 7000:2012
The first bilingual BCM standard (Arabic and English) in the whole region. This standard identifies the components, mechanisms and activities used to establish, implement and continually improve business continuity management for entities in both the public and private sectors.
The Good Practice Guidelines (GPG) – Business Continuity Institute BCI
An independent body of knowledge for good business continuity practice worldwide; it now includes terminology from ISO 22301:2012, the international standard for business continuity management systems, and consists of six Professional Practices.
Professional Practices- Disaster Recovery Institute International DRII
The Professional Practices are a body of knowledge designed to assist an entity in the development and implementation of a BCM program, and consist of ten subject areas.
Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity
Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services
ISO 22301 Mandatory documentation
Any organization that wants to implement ISO 22301 and become certified needs the following mandatory documentation:
1. List of applicable legal, regulatory and other requirements
Understanding the context of the organization
2. Scope of the BCMS
The organization's statement of the business continuity scope that will be covered by the BCMS
3. Business Continuity Policy
Statement of the BCM policy that applies to the organization
4. Business Continuity objectives
Clear statement of the organization's BCMS objectives
5. Business Impact Analysis
Analysis of the business functions and the effect that a business disruption might have upon them
6. Risk Assessment, including risk appetite
Overall process of risk identification, risk analysis and risk evaluation
7. Incident response structure
The structure for dealing with organizational incidents, including escalation criteria and incident levels
8. Business Continuity Plans
Documented procedures that guide the organization to respond, recover, resume and restore to a pre-defined level of operation following a disruption
9. Records of communication with interested parties
Records addressing communication among the various levels of the organization and with internal and external interested parties
10. Recovery procedures
A process that brings an organization back to its normal operating state (business as usual, BAU)
11. Evidence of personnel competences
Evidence of BCM team competencies, training, awareness and staff skills.
12. Results of preventive actions and corrective actions
Evidence of maintaining and improving the effectiveness and efficiency of the BCMS by taking preventive and corrective actions
13. Results of monitoring and measurement
Evidence of defining measures of BCMS performance and continual improvement.
14. Results of internal audit
Evidence of establishing an independent system for BCM implementation verification.
15. Results of management review
Evidence that the organization’s top management reviews its BCMS regularly.
Estimated Time needed for Implementation and Certification of ISO 22301:2012
Based on my Experience
Phase I: Estimated time needed for ISO 22301:2012 Implementation
The estimated duration needed for implementation depends on the organization's specifications: "Employees, Premises, Processes and Budget allocation".
• Small Organization: 50 – 350 employees
Estimated time for implementation of the standard: 4 – 6 months
• Medium Organization: 350 – 700 employees
Estimated time for implementation of the standard: 7 – 9 months
• Large Organization: 700 to 1500+ employees
Estimated time for implementation of the standard: 10 – 12 months
Phase II: Estimated time needed for ISO 22301:2012 Certification
Case 1: if one or more minor nonconformities are found and the organization corrects them accordingly, the certificate can be issued in around a month.
Case 2: if one or more major nonconformities are found and the organization corrects them accordingly, the certificate can be issued in around 3 – 5 months.
Organizations must follow a systematic approach to business continuity that includes protection, preparedness, mitigation, response and recovery.
An organization's ability to recover from a disaster is related to the quality of the business continuity management approach that was put in place before the disaster.
A business continuity management system helps organizations of all types achieve continuous operation in case of a disaster.
• ISO 22301:2012 Societal security – Business continuity management systems – Requirements
• ISO 22313:2012 Societal security – Business continuity management systems – Guidance
(1) "ISO 27001:2013 An Overview" article, http://www.slideshare.net/AhmedRiad2/isoiec-2
(2) "Integrated Implementation Model can Implement ISO 22301:2012 (Business Continuity Management System) Together with ISO/IEC 27001:2013", http://www.slideshare.net/AhmedRiad2/presentationfinal-28559374
About The Author
Ahmed Riad, Middle East Business Continuity Leader