The full name of this standard is ISO 22301:2019 Security and resilience – Business continuity management systems – Requirements. It is an international standard published by the International Organization for Standardization (ISO), and it specifies the requirements for managing business continuity in an organisation. The standard was written by leading business continuity practitioners and provides a widely adopted framework for managing business continuity in an organisation.
One of the features that differentiates this standard from other business continuity frameworks/standards is that an organisation can become certified by an accredited certification body, and will therefore be able to prove its compliance to its customers, partners, owners, and other stakeholders.
There are four essential business benefits that a company can achieve with the implementation of this business continuity standard:
Comply with legal requirements. A growing number of countries are defining laws and regulations that require business continuity measures. Beyond government interests, private businesses (e.g., financial institutions) are also requiring their suppliers and partners to implement business continuity arrangements. ISO 22301 provides a structured framework and methodology to support compliance with these requirements, reducing the administrative and operational effort of demonstrating compliance and lowering the risk of regulatory penalties. Note that certification does not by itself satisfy any particular law; the applicable legal requirements still have to be identified and mapped to the BCMS. Read the article Laws and regulations on information security and business continuity to see a list of business continuity legislation worldwide.
Achieve marketing advantage. If your company is ISO 22301 certified and your competitors aren’t, you will have an advantage over them when it comes to customers who are sensitive about keeping the continuity of their operations, and the delivery of their products and services. Additionally, such certification can help you get new customers, by making it easier to demonstrate that you are among the best in the industry, leading to increased market share and higher profits.
Reduce dependence on individuals. More often than not, a company’s critical activities rely on just a few people who are hard to replace – a situation painfully demonstrated when these people leave the organisation. Executives who are aware of this can make use of business continuity practices to become far less dependent on those individuals (either because of implemented replacement solutions or by documenting related tasks), meaning you can prevent a lot of headache when someone leaves the organisation.
Prevent large-scale damage. In a world of real-time services and transactions, every minute of downtime costs money – often a lot of money. And, even if your business is not very sensitive to short periods of unavailability, disruptive incidents will still cost you. By implementing business continuity practices compliant with ISO 22301, you will have a kind of insurance policy: whether by preventing disruptive incidents from happening, or by becoming capable of faster recovery, your company will save money. In most cases, the investment in ISO 22301 is considerably smaller than the losses avoided.
Any kind of organisation – large or small, for profit or non-profit, private or public – can benefit from ISO 22301. The standard is conceived in such a way that it is applicable to any size or type of organisation.
The focus of ISO 22301 is to ensure continuity of the delivery of products and services after disruptive events occur (e.g., natural disasters, man-made disasters, etc.). This is done by finding out the business continuity priorities (through business impact analysis, which establishes which activities are most time-critical and how quickly they must be resumed), which potential disruptive events can affect business operations (through risk assessment), defining what needs to be done to prevent such events from happening, and then defining how to recover first a minimum acceptable level of operation and then normal operations in the shortest time possible (i.e., risk mitigation or risk treatment). Therefore, the main philosophy of ISO 22301 is based on analysing impacts and managing risks: find out which activities are most important and which risks can affect them, and then systematically treat those risks.
The strategies and solutions that are to be implemented are usually in the form of policies, procedures, and technical/physical implementation (e.g., facilities, software, and equipment). In most cases, organisations do not have all the facilities, hardware, and software in place – therefore, ISO 22301 implementation will involve not only setting organisational rules (i.e., writing documents) that are needed in order to prevent disruptive incidents, but also developing plans and allocating technical and other resources to make the continuity and recovery of business activities possible. Because such implementation will require a number of policies, procedures, people, assets, etc. to be managed, ISO 22301 has described how to fit all these elements together in the Business Continuity Management System (BCMS).
As stated, managing business continuity through a well-documented management system helps you to better identify business continuity risks and reduce the likelihood and impact of disruptive incidents. Business continuity management leads to a more stable operating environment, whereas companies without an effective business continuity management system significantly increase their exposure to disruption. A well-developed, organised and rehearsed Business Continuity Plan (BCP) can help the business rebound from an incident as quickly as possible.
All of your procedures must be kept up to date, accurate and effective, and they must be exercised rather than merely written. The inputs that feed them include, but are not limited to, corporate risk assessments, information security risk reviews, health and safety policies, and the continuity management plan itself.
There are many benefits to holding an ISO 22301 certification. Some of those benefits are:
- Protect assets, turnover and profits: Effective business continuity management (BCM) enables organisations to protect their income stream following an incident or disaster, while reducing the risk of further losses.
- Ensure continuity of business operations: A BCMS helps maintain an organisation’s service levels to its customers. It also helps business leaders to assess the potential impacts of an operational disruption, make the right decisions quickly, deploy an effective response and minimise the overall impact.
- Increase competitive advantage and enhance corporate reputation: Organisations with an ISO 22301-compliant BCMS can improve customer confidence in the organisation’s ability to respond to incidents.
- Meet legal and regulatory requirements: We recommend ISO 22301 compliance as a useful tool for implementing a well-defined incident response and reporting structure, so organisations can demonstrate they are taking steps to comply with regulatory requirements, such as the EU General Data Protection Regulation (GDPR), which requires the ability to restore the availability of and access to personal data in a timely manner after an incident, and the NIS Directive, which requires operators of essential services to manage security risks and report significant incidents.
- Obtain an independent assessment of your resilience posture: Accredited certification involves regular surveillance audits by the certification body, in addition to the internal audits the standard itself requires, providing an independent expert opinion on whether the BCMS is functioning properly and delivers the level of resilience needed to protect the organisation’s products and services.