Societal Security— Business Continuity Management Systems


ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to prepare for, respond to, and recover from disruptive events when they arise. Natural disasters, environmental accidents, technology mishaps, and man-made crises have demonstrated that severe incidents can and will happen, impacting the public and private sectors alike. The challenge goes beyond providing an emergency response plan or using disaster management strategies that were previously used.

ISO 22301:2012 Societal security—Business continuity management systems— Requirements is the world’s first international business continuity management standard (BCMS). It was developed by ISO Technical Committee 223. ISO published this standard on June 15, 2012. It cancels and replaces the old BS 25999 business continuity standard, which is obsolete and has been officially withdrawn.

The purpose of ISO 22301:2012 is to show individuals how to set up and manage a BCMS. These requirements can be found in seven sections within the standard (Table 35.1). The requirements specified in ISO 22301:2012 are generic and intended to be applicable to all organizations (or parts thereof), regardless of type, size, and nature of the organization. The extent of application of these requirements depends on the organization’s operating environment and complexity.



Similarly to ISO 9001 and ISO 13485, ISO 22301 uses what is called the plan–do– check–act (PDCA) cycle, which uses this model to organize the standard:

Plan. Parts 4, 5, 6, and 7 expect you to plan the establishment of your organization’s BCMS

Do. Part 8 expects you to establish your BCMS

Check. Part 9 expects you to evaluate your BCMS

Act. Part 10 expects you to improve your BCMS


Following the new structure of ISO Guide 83, ISO 22301 is organized into seven main clauses (Table 35.1), and the key activities for each clause are summarized.

Clause 4: Context of the Organization

Understand your organization, its purpose, and objectives context while understanding the needs and expectations of interested parties in light of legal and regulatory requirements. Organizations should consider how disruptive incidents could impact the organization.

Clause 5: Leadership

Provide leadership and support for your organization and ensure that managers demonstrate their commitment and support and encourage employee involvement. Allocate responsibility and authority for carrying out business continuity roles to the appropriate people within your organization.

Clause 6: Planning

Identify and determine the risks and opportunities that could influence the effectiveness of your organization or disrupt its operation. Define actions and prepare plans to address the risks and opportunities that could influence the effectiveness of your organization or disrupt its operation.

Clause 7: Support

Identify and provide the resources that your organization needs, including procedures and communication tools. Determine the competence requirements of the people under your organization’s control who have an impact on its performance, and ensure that people are aware of their responsibilities.

Clause 8: Operation

Plan and develop your BCMS processes by studying potential disruptions and analyzing business risks, and set your priorities. Establish a formal process that your organization can use to evaluate and set business continuity and recovery priorities, objectives, and targets; document, implement, and maintain your priority-setting process.

Clause 9: Performance Evaluation

Determine how you will monitor and measure the performance and effectiveness of your organization. Make sure that your audit program is capable of determining whether your system conforms to requirements.

Clause 10: Improvement

Identify, react to, and evaluate nonconformities when they occur. Implement corrective actions to address causes, and review the effectiveness of your corrective actions. Continuously improve the performance, suitability, adequacy, and effectiveness of your system.