Societal Security — Business Continuity Management Systems
AN OVERVIEW OF ISO 22301:2012
ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to prepare for, respond to, and recover from disruptive events when they arise. Natural disasters, environmental accidents, technology mishaps, and man-made crises have demonstrated that severe incidents can and will happen, impacting the public and private sectors alike. The challenge goes beyond providing an emergency response plan or using disaster management strategies that were previously used.
ISO 22301:2012, Societal security — Business continuity management systems — Requirements, is the world’s first international standard for a business continuity management system (BCMS). It was developed by ISO Technical Committee 223 and published by ISO on June 15, 2012. It cancels and replaces the old BS 25999 business continuity standard, which is obsolete and has been officially withdrawn.
The purpose of ISO 22301:2012 is to show individuals how to set up and manage a BCMS. These requirements can be found in seven sections within the standard (Table 35.1). The requirements specified in ISO 22301:2012 are generic and intended to be applicable to all organizations (or parts thereof), regardless of type, size, and nature of the organization. The extent of application of these requirements depends on the organization’s operating environment and complexity.
THE PDCA APPROACH
Similarly to ISO 9001 and ISO 13485, ISO 22301 uses what is called the plan–do–check–act (PDCA) cycle, and this model is used to organize the standard:
• Plan. Parts 4, 5, 6, and 7 expect you to plan the establishment of your organization’s BCMS
• Do. Part 8 expects you to establish your BCMS
• Check. Part 9 expects you to evaluate your BCMS
• Act. Part 10 expects you to improve your BCMS
BRIEF OVERVIEW OF KEY CLAUSES OF ISO 22301:2012 BUSINESS CONTINUITY STANDARD
Following the new structure of ISO Guide 83, ISO 22301 is organized into seven main clauses (Table 35.1), and the key activities for each clause are summarized.
Clause 4: Context of the Organization
Understand your organization, its purpose, its objectives, and its context, while also understanding the needs and expectations of interested parties in light of legal and regulatory requirements. Organizations should consider how disruptive incidents could impact the organization.
Clause 5: Leadership
Provide leadership and support for your organization and ensure that managers demonstrate their commitment and support and encourage employee involvement. Allocate responsibility and authority for carrying out business continuity roles to the appropriate people within your organization.
Clause 6: Planning
Identify and determine the risks and opportunities that could influence the effectiveness of your organization or disrupt its operation. Define actions and prepare plans to address those risks and opportunities.
Clause 7: Support
Identify and provide the resources that your organization needs, including procedures and communication tools. Determine the competence requirements of the people under your organization’s control who have an impact on its performance, and ensure that people are aware of their responsibilities.
Clause 8: Operation
Plan and develop your BCMS processes by studying potential disruptions and analyzing business risks, and set your priorities. Establish a formal process that your organization can use to evaluate and set business continuity and recovery priorities, objectives, and targets; document, implement, and maintain your priority-setting process.
Clause 9: Performance Evaluation
Determine how you will monitor and measure the performance and effectiveness of your organization. Make sure that your audit program is capable of determining whether your system conforms to requirements.
Clause 10: Improvement
Identify, react to, and evaluate nonconformities when they occur. Implement corrective actions to address causes, and review the effectiveness of your corrective actions. Continuously improve the performance, suitability, adequacy, and effectiveness of your system.