ISO 22301 Business Continuity

ISO 22301: Business Continuity Management System

ISO 22301 is an international standard for Business Continuity Management Systems. The standard provides a framework that organisations of all sizes can follow to manage Business Continuity within a work place as well as fulfilling legal compliance obligations, and identify risks and opportunities along with treatment controls.

There are many industries where ISO 22301 certification is a contractual requirement. For some it can be an essential tool for gaining the advantage over competitors and demonstrating enhanced credibility in relation to environmental performance.

ISO 22301 Business Continuity standard outlines the requirements for setting up and managing an effective Business Continuity Management System (BCMS). This is a rapidly emerging standard and the expected take-up of certification within the supply chain will mean; that companies will need to implement ISO 22301 business continuity plans much quicker than expected. Or else face losing business to their competitors.

The business world has become increasingly aware of the need for business continuity, following a number of natural disasters and the ever-present threat of terrorism. Recent flooding incidents have focused minds that the supply chain needs to have disaster planning and plans in place to prevent long term disruption to the supply of goods and services.

ISO22301 provides the framework to undertake a risk assessment and implement contingency plans to reduce or eliminate mass disruption to business. Whether the disaster is caused by fire flood or even terrorism.

Who Is It Relevant To?

ISO 22301 business continuity is suitable for any organisation, from any sector whether large or small. It is particularly relevant for organisations that operate in high risk environments such as finance, telecommunications, transport and the public sector.

ISO 22301 Promotes Some of the Following Key Areas

ISO 22301 Requirements Explained

Addresses the “context” of the organisation. Before proceeding with developing processes or procedures we need to understand the business in regards to how the business is run and what factors can hinder or contribute to the running of the business. In other words what does the business do. In determining the context we will identify internal and external issues, interested parties and the scope of the BCMS.   

Requires the company’s top management to actively lead the Business Continuity Management System and be able to demonstrate this through policies and responsibilities. Leadership has emphasis on prevention specific applications ranging from identifying hazards and risk and any regulatory requirements. The top management’s responsibilities include establishing an Business Continuity policy, communication of the policy and the importance of the BCMS and assigning responsibilities to ensure the effectiveness of the Business Continuity Management System. 

Addresses the process of determining the activities required to achieve a desired goal. Planning also involves thinking about the risks that may occur in future and addressing these through adequate control measures. Clause 6 of ISO 22301 deals with this highly critical activity and requires an organisation to identify its Incidents, events and risk and plan for uncertainties and pro-actively prevent undesired Incidents, events. Another aspect of planning is to identify BCMS objectives which can be used to monitor and track our progress. Additionally, this clause requires an organisation to plan for changes and follow a structured approach for any changes required in the management system.

Requires the organisation to determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the Business Continuity Management System. In doing so the organisation should consider the capabilities of, and constraints on, existing internal resources and what needs to be obtained from external providers. This will include people, infrastructure, the working environment, monitoring and measuring resources, organisational knowledge, competence & awareness, communication, documented information.

Requires the organisation to plan, implement and control the processes needed to meet the requirements of the BCMS and legal requirements. These include controls to ensure Business Continuity performance is maintained and preparing and testing emergency plans..

Requires an organisation assess its own performance in meeting regularity requirements as well as its performance in meeting the requirements of its own BCMS and the requirements of the ISO 22301 standard. These will include activities such as, establishing what needs to be monitored and measured, analysis and evaluation of data, completing internal audits and top management carrying out a formal review on the performance of the BCMS.

Requires and organisation to determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance Business Continuity performance. These activities include improving your systems as well as to address future needs and expectations of interested parties. Correcting, preventing, or reducing undesired effects and improving the performance and effectiveness of the Information Security management system and investigating and correcting BCMS risks, Events and incidents.

GAP Analysis

A Candy Management lead consultant can carry out a no obligation fully detailed GAP analysis on your existing systems to identify what work is needed to meet the requirements of all the ISO 22301 clauses. Or you can give us a call and speak to one of our advisers for free.    

ISO 9001 Gap Analysis

Book an Appointment With One of Our Consultants


Call Us

0161 470 7929