Overview of ISO 22301
ISO 22301:2019, Security and resilience – Business continuity management systems – Requirements (BCMS)
ISO 22301 is a management system standard published by the International Organization for Standardization (ISO).
It describes the business continuity requirements for you to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented business continuity management system in order to:
- protect against;
- reduce the likelihood of the occurrence of;
- prepare for;
- respond to; and
- recover from
disruptive incidents when they arise.
ISO 22301 is all about disaster recovery preparedness to ensure business continuity and sustainability.
The latest revision of ISO 22301 was published in October 2019. ISO 22301:2019 has replaced ISO 22301:2012, which was developed based on the British standard BS 25999-2.
The ISO 22301:2019 version is far more flexible and less prescriptive, adding more value to organizations and their customers as compared with the ISO 22301:2012 version.
Who Should Use ISO 22301?
- Organizations of all types, sizes and natures can implement an ISO 22301 BCMS.
It does not matter what size your organization is:
- Any organisation, from as few as 2 persons to as many as a million persons, can benefit from an ISO 22301 BCMS.
It does not matter what industry you are in:
- Any organisation, whether in service or manufacturing, for-profit or non-profit, private, public or government, can implement an ISO 22301 BCMS.
- Any organization that wants to avoid and prevent large-scale damage arising from disruptive incidents.
- Any organization that wants to save money on disruptive incidents. Whether by preventing disruptive incidents from happening or by becoming capable of faster recovery, you will save money.
- Any organisation that wants to prove its business continuity compliance to its customers, partners, owners and other stakeholders.
- Without ISO 22301 you may face risks and lost opportunities:
  - ISO 22301 may be a legal or contractual requirement; and
  - organisations holding ISO 22301 are eligible for larger and more lucrative government and private sector contracts that are offered only to certified organisations.
ISO 22301:2019 Requirements
Clause 4 Context Of The Organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.2.1 General
4.2.2 Legal and regulatory requirements
4.3 Determining the scope of the business continuity management system
4.3.1 General
4.3.2 Scope of the business continuity management system
4.4 Business continuity management system
Clause 5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.2.1 Establishing the business continuity policy
5.2.2 Communicating the business continuity policy
5.3 Roles, responsibilities and authorities
Clause 6 Planning
6.1 Actions to address risks and opportunities
6.1.1 Determining risks and opportunities
6.1.2 Addressing risks and opportunities
6.2 Business continuity objectives and planning to achieve them
6.2.1 Establishing business continuity objectives
6.2.2 Determining business continuity objectives
6.3 Planning changes to the business continuity management system
Clause 7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
Clause 8 Operation
8.1 Operational planning and control
8.2 Business impact analysis and risk assessment
8.2.1 General
8.2.2 Business impact analysis
8.2.3 Risk assessment
8.3 Business continuity strategies and solutions
8.3.1 General
8.3.2 Identification of strategies and solutions
8.3.3 Selection of strategies and solutions
8.3.4 Resource requirements
8.3.5 Implementation of solutions
8.4 Business continuity plans and procedures
8.4.1 General
8.4.2 Response structure
8.4.3 Warning and communication
8.4.4 Business continuity plans
8.4.5 Recovery
8.5 Exercise programme
8.6 Evaluation of business continuity documentation and capabilities
Clause 9 Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.2.1 General
9.2.2 Audit programme(s)
9.3 Management review
9.3.1 General
9.3.2 Management review input
9.3.3 Management review outputs
Clause 10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
MLOK’s methodology and approach to making your company ISO 22301 compliant for certification
We adopt a practical, methodical four-stage process to help you become certified to ISO 22301.
Stage 1: Planning
Conduct a kick-off meeting to:
- establish implementation schedule and plan;
- appoint BCMS Committee;
- establish an ISO 22301 BCMS documentation framework; and
- build a fundamental understanding of the requirements of ISO 22301.
Stage 2: Documentation
Drafting and writing documents to comply with ISO 22301 requirements:
- BCMS Manual;
- Job Description;
- BCMS Procedures:
  - business impact analysis (BIA) and risk assessment;
  - procedure for identification of applicable legal and regulatory requirements;
  - business continuity strategy;
  - business continuity plans and procedures;
  - recovery procedure;
  - procedure for communication with interested parties;
  - exercising and testing the business continuity procedures; and
  - others as applicable.
- BCMS Supporting Process Procedures;
- BCMS System Procedures; and
- BCMS Forms, Work Instructions and others.
Stage 3: Implementation
- Provide guidance and advice on the implementation of the documented BCMS.
- Conduct ISO 22301 BCMS internal audit training.
- Conduct an ISO 22301 BCMS internal audit.
- Conduct an ISO 22301 BCMS management review meeting.
Stage 4: External Audit
- Stage 1 documentation audit by the Certification Body.
- Rectification of the Stage 1 audit findings issued by the Certification Body.
- Stage 2 compliance audit by the Certification Body.
- Rectification of the Stage 2 nonconformity reports (NCRs) issued by the Certification Body.
You will then receive your ISO 22301 certificate.