+91 9962590571 / +91 8220666148

ISO 22301

ISO 22301 in UAE
27 Sep 2021

ISO 22301

Posted By

ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements, 

This standard provides specifications for a business continuity management system (BCMS) that is part of a wider resilience and risk management process. The BCMS can be used by an organization to support the development and implementation of its strategy, objectives, targets, and plans for managing security risks and incidents. It will also include organizational structures, roles, and responsibilities, as well as relevant procedures that must be implemented to ensure effective management of risks, incidents, and events.

What does ISO 22301 specify?

The standard specifies the process for establishing, implementing, reviewing, maintaining and improving a BCMS within an organization. It is not intended to prescribe solutions or practices but to provide guidelines so that an organization can decide what approach will work best in its situation. The standard also specifies requirements for the management of continuity of operations (COOP) and continuity of support (COS), which are critical elements for improving an organization’s resilience.

ISO 22301 Primary Focus

The primary focus is on defining BCM process outcomes, not methods or specific actions. While this version of the standard does not include tools, guidance is provided on how to select tools that support the BCM process.

ISO 22301 is intended for use by all organizations, regardless of size or complexity. It can be used by small businesses (or even individuals responsible for continuity planning), as well as larger enterprises with multiple lines of business and subsidiaries. The standard provides a common framework for managing continuity risks irrespective of an organization’s structure or its governance model.

ISO 22301 is applicable to all organizations, including the public and private sector, commercial for-profit, and not-for-profit entities. It can be applied by any organization that has an impact across the wider community or supply chain, which it serves.

How does ISO 22301 relate to ISO Guide 73:2009, Risk management — Vocabulary?

ISO 22301 provides specifications for a BCMS. While some definitions are provided, this standard does not attempt to prescribe the use of specific terms or their meaning. The risk management community has adopted an accepted set of definitions for key risk management terms in ISO Guide 73:2009, which is directly related to ISO 22301. The BCMS specified in ISO 22301 is intended to fulfill the process outcomes of Annex A of ISO Guide 73.

ISO 22301 was developed through an open consensus-based multidisciplinary committee with representation from all stakeholders, including national standards institutes (NSI), government regulators, business continuity practitioners, end-users, and consultants. In addition, there were extensive services provided by the project secretariat from SAI Global and a number of international standards development partners.

The publication has been well received by practitioners and industry bodies worldwide with thousands of organizations already using it. In May 2018, BCM practitioner Assoc. Prof. Simon Kearney from the University of Melbourne welcomed ISO 22301 because it “provides a much needed common standard around which organizations… around the world can meaningfully engage by offering an official standard for BCM.”

What is the key benefit of ISO 22301 to organizations?

The benefits of using ISO 22301 depending on the organization. The standard will provide significant advantages for those that have not previously established a BCMS, because it offers a comprehensive and practical guide to developing a process. For those organizations that have a BCMS in place, ISO 22301 will ensure the management system is fit-for-purpose for all business continuity activities.

Main challenges while implementing ISO 22301?

The key challenges are to ensure that the required resources are made available, that BCM objectives are well understood by all stakeholders, and that there is buy-in to the process at all levels. An effective governance structure will help organizations overcome these challenges.

Most organizations have to undertake a gap assessment before they can implement ISO 22301, which needs to be carried out by experienced consultants with specialized knowledge. There are also planning and implementation tools available that will help organizations translate the requirements set out in ISO 22301 into practical action.

Some organizations may need support to develop plans for areas not covered by ISO 22301, such as crisis communication. There are a number of other standards that provide guidance on managing information security incidents and emergencies, which organizations can use to assist with these activities.

Are there any compliance criteria for ISO 22301?

ISO 22301 is self-declared, so the standard does not have any compliance criteria or certification scheme attached to it. However, organizations can achieve certification of the BCMS against ISO 9001:2015 and other standards if they have a quality management system in place.

What ISO 22301 does is to provide a framework for organizations to implement a BCMS that will ensure business continuity is managed effectively within the organization. It also sets out a number of requirements for the BCMS that will enable organizations to prepare for, respond to and recover from disruptive incidents. ISO 22301 ensures consistency in approach with related standards, such as ISO Guide 73, which provides guidance on developing business continuity plans.

ISO 22301 can help organizations manage risk by reducing vulnerabilities through preventative measures, strengthen capabilities required to continue core activities through effective mitigation strategies, and develop a culture of business continuity within the organization.

What is expected from ISO 22301 revision?

ISO 22301:2018 has been developed as a minor update to align with changes in technology, terminology, and industry best practices since the standard was first published in 2012. For example, terms such as cybersecurity have now become mainstream and the standard includes a new clause to cover this area.

The revision provides additional guidance for organizations that need to manage “third party risks” and has revised the requirements for communication within the organization, which will help integrate business continuity with other management systems such as information security or health and safety. Organizations are also now required to plan for testing their BCMS, to demonstrate that it meets the requirements of ISO 22301.

How many countries are involved in ISO 22301 revision?

ISO technical committee (TC) 229 is responsible for the development of the standard. The TC comprises experts from 34 countries including Japan, China, Australia, and South Africa as well as Europe and North America. A number of countries, such as China and Australia, have been involved in the development of the revision.

What benefits do ISO 22301 auditors see?

Auditors will be able to provide assurance to management that their BCMS is fit for its purpose and has been implemented effectively through an objective assessment process. They should also be in a position to detect where improvements are needed. Auditors are generally looking for good practice guidance, which is available within ISO 22301, as well as additional standards such as ISO 31000 on risk management and ISO 10002 on quality management systems.

Is there an increasing awareness of business continuity?

Publication of standards such as ISO 22301 does generate higher levels of awareness among organizations, but there is still a considerable way to go. There are different reasons why organizations do not have effective BCMSs in place. Many continue to view business continuity as an area for risk management, so the budget allocated to BCMS will be viewed as part of this activity rather than as its own project or function. It can also become an expensive task, where there are high levels of disruption within an organization. Organizational cultures can be resistant to change and it takes senior-level commitment to ensure that business continuity is considered as a top priority, with the right resources put in place.

What does ISO 22301 provide?

The standard sets out requirements for BCMSs, based on a number of best practices to ensure that an organization can prepare for, respond to and recover from disruptive incidents. It also sets out requirements for an organization’s business continuity policy, plans, and related organizational aspects in a risk management context.

While ISO 22301 provides a basis or starting point for BCMS development, it does not provide sufficient guidance in all areas to ensure that an organization’s BCMS is fit for purpose. Organizations are advised to seek further guidance from other standards, including ISO 31000 on risk management and ISO 10002 on quality management systems.

For more information contact https://www.iasiso-gulf/uae/ at enquiry@iascertification.com

Leave a Reply