Clause 4 Context addresses the “context” of the organisation. Before proceeding with developing processes or procedures we need to understand the business in regards to how the business is run and what factors can hinder or contribute to the running of the business. In other words what does the business do. In determining the context we will identify internal and external issues, interested parties and the scope of the BCMS.   

Clause 5 Leadership requires the company’s top management to actively lead the Business Continuity Management System and be able to demonstrate this through policies and responsibilities. Leadership has emphasis on prevention specific applications ranging from identifying hazards and risk and any regulatory requirements. The top management’s responsibilities include establishing an Business Continuity policy, communication of the policy and the importance of the BCMS and assigning responsibilities to ensure the effectiveness of the Business Continuity Management System. 

Clause 6 Planning addresses the process of determining the activities required to achieve a desired goal. Planning also involves thinking about the risks that may occur in future and addressing these through adequate control measures. Clause 6 of ISO 22301 deals with this highly critical activity and requires an organisation to identify its Incidents, events and risk and plan for uncertainties and pro-actively prevent undesired Incidents, events. Another aspect of planning is to identify BCMS objectives which can be used to monitor and track our progress. Additionally, this clause requires an organisation to plan for changes and follow a structured approach for any changes required in the management system.

Clause 7 Support requires the organisation to determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the Business Continuity Management System. In doing so the organisation should consider the capabilities of, and constraints on, existing internal resources and what needs to be obtained from external providers. This will include people, infrastructure, the working environment, monitoring and measuring resources, organisational knowledge, competence & awareness, communication, documented information.

Clause 8 Operation requires the organisation to plan, implement and control the processes needed to meet the requirements of the BCMS and legal requirements. These include controls to ensure Business Continuity performance is maintained and preparing and testing emergency plans..

Clause 9 Performance Evaluation require an organisation assess its own performance in meeting regularity requirements as well as its performance in meeting the requirements of its own BCMS and the requirements of the ISO 22301 standard. These will include activities such as, establishing what needs to be monitored and measured, analysis and evaluation of data, completing internal audits and top management carrying out a formal review on the performance of the BCMS.

Clause 10 Improvement requires and organisation to determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance Business Continuity performance. These activities include improving your systems as well as to address future needs and expectations of interested parties. Correcting, preventing, or reducing undesired effects and improving the performance and effectiveness of the Information Security management system and investigating and correcting BCMS risks, Events and incidents.