1. ISO 22301 Societal Security –
Business Continuity
Management Systems
CAW CONSULTANCY BUSINESS SOLUTIONS LTD
2. Contents
Introduction
Comparison between ISO 22301 and BS 25999-2
Basic terms used in the standard
Content of ISO 22301
ISO 22301 explained
Mandatory documentation
Related standards
Societal security content
Projects under development
Benefits of ISO 22301 business continuity management
Copyrighted by CAW Consultancy Business Solutions Ltd
3. Introduction
The full name of the standard is:
“ISO 22301 Societal security – Business continuity management systems – Requirements”
The standard was developed by leading experts in this area to deliver the best framework for business
continuity management in an organisation.
Objective: ISO 22301:2012 specifies requirements to plan, establish, operate, monitor, implement, review,
maintain and continually improve a documented management system to protect against, reduce the
likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they
arise.
Scope: The requirements identified in ISO 22301:2012 are generic and intended to be applicable to all
organisations, or parts thereof, regardless of type, size and nature of the organisation. The extent of
application of these requirements depends on the organisation’s operating environment and complexity.
Who can implement this standard? Any organisation, for-profit or non-profit, big or small, private or public.
The standard is formulated in such a way that it is applicable to any size or type of organisation.
4. Comparison between ISO 22301 and BS 25999-2
ISO 22301 has replaced BS 25999-2. These are quite similar standards, but ISO 22301 is
often regarded as an update.

                            ISO 22301                                  BS 25999-2
Complete name               ISO 22301:2012 Societal security –         BS 25999-2 Business Continuity
                            Business continuity management             Management – Part 2: Specification
                            systems – Requirements
Published by                International Organization for             British Standards Institution
                            Standardization
Published date              15/05/2012                                 20/11/2007
Total number of pages       24                                         28
(minimum)
Official recommendations    Internationally accepted by standards      Accepted only in the United Kingdom,
                            institutes in 163 countries                but implemented worldwide
5. Comparison between ISO 22301 and BS 25999-2 (continuation)
ISO 22301 is not that different from BS 25999-2 in most business continuity sections,
such as business impact analysis, strategy or planning; the greatest changes are in the
management areas of the standard.
ISO 22301 places particular emphasis on understanding requirements, setting
objectives and measuring performance. It will therefore be more easily accepted by top
management, which in turn will contribute to the widespread adoption of this standard, as
happened with ISO 27001, ISO 9001 and ISO 14001.
6. Basic terms used within the standard
Business Continuity Management System (BCMS) – the part of an overall management system that
ensures business continuity is planned, implemented, maintained and continually improved
Maximum Acceptable Outage (MAO) – the maximum amount of time an activity can be disrupted
without incurring unacceptable damage (also called Maximum Tolerable Period of Disruption – MTPD)
Recovery Time Objective (RTO) – the specified time by which an activity must be resumed, or
resources must be recovered
Recovery Point Objective (RPO) – the maximum acceptable data loss, i.e. the minimum amount of data
(the point in time) to which information must be restored
Minimum Business Continuity Objective (MBCO) – the minimum level of services or products an
organisation needs to produce after resuming its business operations
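The four figures above are only useful when they are consistent with each other and with the recovery arrangements actually in place. The following script is an added example, not material from the slides or from CAW Consultancy, and it assumes a simple activity record in which the MAO, RTO, RPO and MBCO from the slide are stored alongside two inputs the slide does not mention (the real backup interval and the output the recovery arrangement can sustain). It flags an RTO that leaves no headroom under the MAO, a backup interval that cannot meet the RPO, and a recovery capacity below the MBCO. The activities at the bottom are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Activity:
    """One business activity as it would appear in a business impact analysis.

    The first four figures are the terms defined on the slide; the last two are
    assumed inputs describing what the recovery arrangements actually deliver.
    """
    name: str
    mao_hours: float              # Maximum Acceptable Outage (MAO / MTPD)
    rto_hours: float              # Recovery Time Objective
    rpo_hours: float              # Recovery Point Objective: maximum tolerable data loss
    mbco_pct: float               # Minimum Business Continuity Objective, % of normal output
    backup_interval_hours: float  # assumed input: how often data is actually captured
    recovery_capacity_pct: float  # assumed input: output the recovery arrangement can sustain


def check_activity(a: Activity) -> List[str]:
    """Return findings where the targets are inconsistent with each other or with
    the arrangements in place; an empty list means the activity is consistent."""
    findings: List[str] = []
    # The RTO must leave headroom below the MAO: resuming exactly at the point of
    # unacceptable damage gives no margin for delay during the recovery.
    if a.rto_hours >= a.mao_hours:
        findings.append(
            f"{a.name}: RTO {a.rto_hours}h is not shorter than MAO {a.mao_hours}h")
    # Data loss is bounded by the gap between captures, so the capture interval
    # must not exceed the RPO.
    if a.backup_interval_hours > a.rpo_hours:
        findings.append(
            f"{a.name}: backup interval {a.backup_interval_hours}h exceeds RPO {a.rpo_hours}h")
    # Whatever the recovery arrangement provides must reach at least the MBCO.
    if a.recovery_capacity_pct < a.mbco_pct:
        findings.append(
            f"{a.name}: recovery capacity {a.recovery_capacity_pct}% is below MBCO {a.mbco_pct}%")
    return findings


def check_bia(activities: List[Activity]) -> Dict[str, List[str]]:
    """Run the checks across a whole business impact analysis, keyed by activity name."""
    return {a.name: check_activity(a) for a in activities}


# Constructed sample activities (not taken from the slides).
SAMPLE_ACTIVITIES = [
    Activity("Order processing", mao_hours=8, rto_hours=4, rpo_hours=1, mbco_pct=50,
             backup_interval_hours=0.5, recovery_capacity_pct=60),
    Activity("Payroll", mao_hours=48, rto_hours=72, rpo_hours=24, mbco_pct=100,
             backup_interval_hours=24, recovery_capacity_pct=100),
    Activity("Customer portal", mao_hours=4, rto_hours=2, rpo_hours=0.25, mbco_pct=80,
             backup_interval_hours=1, recovery_capacity_pct=50),
]


if __name__ == "__main__":
    for name, findings in check_bia(SAMPLE_ACTIVITIES).items():
        status = "OK" if not findings else "REVIEW"
        print(f"{status:6} {name}")
        for finding in findings:
            print(f"       - {finding}")
```

Running the script reports "Order processing" as consistent, flags "Payroll" because its RTO of 72 hours is longer than its MAO of 48 hours, and flags "Customer portal" twice: the hourly backup cannot meet a 15-minute RPO, and a recovery site delivering 50% of normal output cannot meet an 80% MBCO.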
7. Content of ISO 22301
Introduction
0.1 General
0.2 The Plan-Do-Check-Act (PDCA) model
0.3 Components of PDCA in this International
Standard
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
4.1 Understanding of the organisation and its
context
4.2 Understanding the needs and expectations
of the interested parties
4.3 Determining the scope of the management
system
4.4 Business continuity management system
5. Leadership
5.1 General
5.2 Management commitment
5.3 Policy
5.4 Organisational roles, responsibility and
authorities
6. Planning
6.1 Actions to address risks and opportunities
6.2 Business continuity objectives and plans to
achieve them
7. Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8. Operation
8.1 Operational planning and control
8.2 Business impact analysis and risk assessment
8.3 Business continuity strategy
8.4 Establish and implement business continuity
procedures
8.5 Exercising and testing
9. Performance evaluation
9.1 Monitoring, measurement, analysis and
evaluation
9.2 Internal audit
9.3 Management review
10. Improvement
10.1 Non conformity and corrective action
10.2 Continual improvement
Bibliography
8. ISO 22301 explained
ISO 22301 is the second published management system standard to adopt the new
high-level structure and standardised text agreed within ISO. This will guarantee
consistency with all future and revised management system standards and make
integrated use easier, for example with ISO 9001 (quality), ISO 14001 (environmental)
and ISO/IEC 27001 (information security).
The standard is separated into main clauses, starting with scope, normative references,
and terms and definitions. Following these are the standard’s requirements.
9. ISO 22301 explained
Clause 4 – Context of the organisation
The first step involves an understanding of the organisation, both the internal and external needs, and setting clear
guidelines for the scope of the management system. In particular, this requires the organisation to understand the
obligations of the relevant interested parties, such as regulators, customers and staff. It must in particular understand
the appropriate legal and regulatory requirements. This enables it to determine the scope of the business continuity
management system (BCMS).
Clause 5 – Leadership
ISO 22301 places specific emphasis on the need for suitable leadership of BCM. This is so that top management
ensures appropriate resources are provided, establishes policy and appoints people to implement and maintain the
BCMS.
Clause 6 – Planning
This requires the organisation to identify risks to the implementation of the management system and set clear
objectives, goals and criteria that can be used to measure its success.
10. ISO 22301 explained
Clause 7 – Support
Resources are compulsory for implementation, and Clause 7 introduces the important concept of competence. For business
continuity to be successful, people with appropriate knowledge, skills and experience must be in place both to support the BCMS
and to respond to incidents when they occur. It is also essential that all staff are aware of their own role in reacting to incidents,
and this clause deals with all of these areas. The need for communication about the BCMS – for instance in telling customers
that the organisation has suitable BCM in place – and preparedness to communicate following an incident (when normal
channels may be disrupted) is also covered here.
Clause 8 – Operations
This section contains the main body of business continuity-specific expertise. The organisation must undertake business impact
analysis to understand how its business is affected by disruption and how this changes over time. Risk assessment seeks to
understand the risks to the business in a structured way, and these two activities inform the development of the business continuity
strategy. Steps to avoid or reduce the likelihood of incidents are developed alongside a guideline of steps to be taken when
incidents occur. As it is impossible to completely predict and prevent all incidents, the approach of balancing risk reduction with
planning for all eventualities is complementary. It might be said: “hope for the best, plan for the worst”.
11. ISO 22301 explained
Clause 9 – Evaluation
For any management system, it is crucial to evaluate performance against plan. ISO 22301
therefore involves the organisation selecting and measuring itself against appropriate performance
metrics. Internal audits must be carried out and there is a requirement that management review
the BCMS and act upon these reviews.
Clause 10 – Improvement
No management system is perfect initially, and organisations and their environments are constantly
changing. Clause 10 defines the actions to take to improve the BCMS over time and to confirm that
corrective actions arising from audits, reviews, exercises and so on are addressed.
12. Mandatory documentation
If an organisation wants to implement this standard, the following documentation is mandatory:
List of applicable legal, regulatory and other requirements
Scope of the BCMS
Business continuity policy
Business continuity objectives
Evidence of personnel competences
Records of communication with interested parties
Business impact analysis
Risk assessment, including risk appetite
Incident response structure
Business continuity plan
Recovery procedures
Results of preventative actions
Results of monitoring and measurement
Results of internal audit
Results of management review
Results of corrective actions
13. Related standards
Other standards that are helpful in implementation of business continuity are:
ISO/IEC 27031 – Guidelines for information and communication technology readiness for
business continuity
PAS 200 – Crisis management – guidance and good practice
PD 25666 – Guidance on exercising and testing for continuity and contingency programs
PD 25111 – Guidance on human aspects of business continuity
ISO/IEC 24762 – Guidelines for information and communications technology disaster recovery
services
ISO/PAS 22399 – Guidelines for incident preparedness and operational continuity
management
ISO/IEC 27001 – Information security management systems – Requirements
14. Societal security context
ISO 22301 has been developed by ISO/TC 223, Societal security.
The committee has previously published the following standards
and other documents:
ISO 22300:2012, Societal security – Terminology
ISO 22300:2012, Societal security – Emergency management –
Requirements for incident response
ISO/TR 22312:2011, Societal security – Technological capabilities
ISO/PAS 22399:2007, Societal security – Guideline for incident
preparedness and operational continuity management
15. Projects under development
ISO 22311, Societal security – Video-surveillance – Export interoperability
ISO 22313, Societal security – Business continuity management systems – Guidance
ISO 22315, Societal security – Mass evacuation
ISO 22322, Societal security – Emergency management – Public warning
ISO 22323, Organisational resilience management systems – Requirements with guidance for use
ISO 22325, Societal security – Guidelines for emergency capability assessment for organisations
ISO 22351, Societal security – Emergency management – Shared situation awareness
ISO 22397, Societal security – Public Private Partnership – Guidelines to set up partnership agreements
ISO 22398, Societal security – Guidelines for exercising and testing
ISO 22324, Societal security – Emergency management – Color-coded alert.
16. The benefits of ISO 22301 business
continuity management
What are the benefits of ISO 22301 business continuity management?
Identify and manage current and future threats to your business
Take a proactive approach to minimizing the impact of incidents
Keep critical sections of the business up and running during times of crisis
Minimise interruption during incidents and improve recovery time
Exhibit resilience to customers, suppliers and for tender requests
17. Do you have any questions?
Thank you for listening
Get in touch now on 07427535662 or email craig@cawconsultancy.co.uk