What is ISO 22301 Business Continuity Management Systems?
ISO 22301 specifies the structure and requirements for implementing and maintaining a business continuity management system (BCMS) that develops business continuity appropriate to the amount and type of impact that the organization may or may not accept following a disruption.
The outcomes of maintaining a BCMS are shaped by the organization's legal, regulatory, organizational, and industry requirements, products and services provided, processes employed, size and structure of the organization, and its interested parties' requirements.
A BCMS emphasizes the importance of:
understanding the organization's needs and the necessity for establishing business continuity policies and objectives;
operating and maintaining processes, capabilities, and response structures for ensuring the organization will survive disruptions;
monitoring and reviewing the performance and effectiveness of the BCMS;
continual improvement based on qualitative and quantitative measures.
To whom does the ISO 22301 apply?
The document specifies requirements to implement, maintain, and improve a management system to protect against, reduce the likelihood of preparing, respond to, and recover from disruptions when they arise.
The requirements specified in this document are generic and intended to apply to all organizations or parts thereof, regardless of their type, size, and nature. The extent of application of these requirements depends on the organization's operating environment and complexity.
This standard applies to all types and sizes of organizations that:
implement, maintain and improve a BCMS;
seek to ensure conformity with stated business continuity policy;
need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption;
seek to enhance their resilience through the effective application of the BCMS.
How do I get started?
Be aware of your organization's key objectives – this will help you clarify your risk management system's targets and requirements.
Assess your current governance structure – this will ensure you allocate the right roles, responsibilities, and reporting procedures when it comes to risk.
Define your level of commitment – what resources will you allocate to implement or maintain a risk management system