Guide to ISO 22301 for Business Continuity Management

How prepared would you be if a bomb went off outside your office this weekend? We’re guessing the incident would affect your operations, at the very least, even if your employees escaped unharmed and your property remained intact.

Liberty Mutual Insurance experienced this exact scenario in the wake of the Boston Marathon bombings. “Our team was onsite the next morning, and we set up an emergency command center,” commented Ashley Goosman, Risk Manager of Business Continuity & Crisis Management Specialist at Liberty Mutual. “We couldn’t get into the offices where my team was typically located because it was part of the crime scene. So, we had to improvise, and we were in a conference center on our main campus across the street.”

The ability to adapt quickly takes practice and planning, even when you can’t foresee every possible complication and contingency. Handling the many business continuity challenges can seem daunting, but you don’t need to reinvent the wheel to address them. ISO 22301 provides a framework for security, resilience, and business continuity. So how can you implement this standard at your company?

Read on as we explore what ISO 22301 is, its critical components, and how implementing it can benefit your organization.

What Is ISO 22301?

Developed by the International Organization for Standardization (ISO), ISO 22301 is a standard for establishing business continuity management systems (BCMS). It lays out a framework for planning, implementing, and maintaining a BCMS to deal with disruptive incidents and formalize a company’s resilience management efforts.

First released in 2012, ISO 22301 was the first standard covering business continuity and resilience. They released an update in 2019, but it contained only minor text changes for clarity. Unlike some industry-specific standards, ISO 22301 is generic and flexible enough to cover companies of any size or type. However, there are requirements within the document that apply only to certain businesses.

What is a business continuity management system?

Although the phrase “management system” often brings to mind complex software packages, a business continuity management system is a set of processes combining disparate elements of a company’s business continuity plan.

Some of the key pieces include:

• A business continuity policy describing the scope and objectives for keeping operations running
• Risk assessment and management policies
• A business impact analysis detailing continuity requirements
• Emergency response plans, such as evacuation routes and active shooter policies
• Communication plans, including policies on how to segment employees for mass notifications
• Lists of key stakeholders for handling potential emergencies
• Resources to manage an incident in the event of infrastructure disruptions
• Workforce management plans, including essential roles and backup points of contact
• Plans to reduce recovery time and resume normal operations quickly

Integrating with other ISO standards

Companies complying with ISO 22301 will often want to adhere to other related standards, such as:

• ISO 9001 — Quality management
• ISO 14001 — Environmental management
• ISO 27001 — Information security

Thankfully, ISO 22301 makes these integrations fairly simple. It’s the first ISO standard to conform to Annex SL. This document set a unified structure for any ISO standard related to systems management. Once your company is familiar with the structure, complying with other standards is simply a matter of implementation.

Benefits of ISO 22301 Implementation

Implementing an ISO 22301-compliant business continuity management system is a positive outcome by itself, as your company will be better prepared to deal with threats to operations. But it also provides a range of other benefits.

Minimizing downtime and disruptions

In the fast-paced modern economy, downtime can lead to huge financial losses. Investing in ISO 22301 compliance protects your operations from downtime. It ensures that when there are unavoidable disruptions, you can get back up and running as quickly as possible.

Maintaining legal and regulatory compliance

For many industries, ISO 22301 compliance isn’t just nice to have—it’s a requirement. Specifically, any businesses considered essential to the public good, such as transportation, healthcare, and energy, will be legally required to ensure continuity. Failing to comply could mean heavy fines, suspension of licenses, and lengthy disruptions to company operations.

Improving organizational resilience

Being prepared for things you can’t quite plan for amounts to resilience. Business resilience and business continuity are distinct yet deeply related concepts. Continuity mostly applies to discrete events like earthquakes or hurricanes. But as you develop business continuity plans, you also empower your organization to deal with the unforeseen. These improvements ripple outward, improving your organization’s ability to respond and recover from all kinds of setbacks.

For example, a large finance company preparing for natural disasters would want to include technology redundancy in its continuity plans. They’d set up geographically distant data centers and alternate network routes and develop plans to bring these resources online rapidly. These types of improvements are just as useful for unforeseen circumstances, like if a construction company accidentally severs a network trunk. In both cases, the company’s operations would become more resilient overall.

Enhancing your safety culture

Employees, vendors, clients, and shareholders all depend on your company’s safe and smooth operations. Being prepared for emergencies and organizational disruptions is a key component of safety culture. When your whole company buys in, you can count on your team to protect themselves, each other, and your company’s operations.

Following an international standard sends a strong message that you’re committed to business continuity. And when emergencies do arise, your teams will feel confident following their prescribed roles in restoring or preserving operations.

Key Components of ISO 22301

ISO 22301 contains 10 sections, known as clauses. The first three clauses lay the groundwork for the rest of the standard:

• Clause 1: Scope — This lays out the intent of 22301 and describes how companies can use it to improve business continuity.
• Clause 2: Normative References — Every ISO management system standard lists essential documents to cross-reference. However, there are no normative references for ISO 22301.
• Clause 3: Terms and Definitions — Clause 3 contains a glossary of specialized terms which appear throughout the standard. It also provides specific definitions for commonly used terms to avoid ambiguity.

The next seven sections set forth ISO 22301’s requirements.

Clause 4: Context

For a BCMS to be effective, it needs to address your business’s unique needs. Clause 4 defines the scope of your BCMS based on your organization’s parameters. Ask yourself contextual questions to help explore business aspects, such as:

• Who are the key stakeholders in business continuity, both internally and externally?
• What business functions and outputs do you need to protect?
• What are the expectations for business continuity?
• Do you have legal or regulatory requirements to address?

Clause 5: Leadership

ISO 22301 codifies the concept of company-wide buy-in, which is a foundational component of operational resilience. At this stage, company leadership needs to:

• Establish a business continuity team with a mandate to implement ISO 22301
• Develop roles with clear responsibilities and authority to undertake the implementation
• Provide interested parties with the resources they need on an ongoing basis
• Reinforce the importance of ISO 22301 compliance throughout the organization with coordinated communication and ongoing training

Clause 6: Planning

Clause 6 covers the development plans you’ll need for every aspect of the business continuity process. Key items to understand and document include:

• A thorough risk assessment
• Measurable business continuity objectives
• An accounting of your business operations and what constitutes acceptable downtime
• Any legal or regulatory requirements for continuity
• Reference documents such as a business continuity policy, business impact analysis, business continuity strategy, etc.
• Any prerequisites that need to exist in order for this plan to be effective
• Clear definition of roles and responsibilities for activation of the plans, urgent purchases, communication with media, etc.
• A list of required resources
• Individual recovery plans for disasters, locations and transportation, incident response, and plan activation/deactivation

Clause 7: Support

Business continuity teams will often handle the planning aspect. Once those plans are developed, they’ll need organization-wide resources to implement these procedures. Specific functions will depend on your company, but the following are common:

• IT resources to assess and mitigate specialized risks, such as network outages or damage to critical technology
• Communication teams to develop messaging strategies and train with your company’s two-way communication platform
• Employee education programs to develop documentation and train your workforce in continuity plans

Clause 8: Operation

It’s time to turn plans into action. Clause 8 covers the development and implementation of your BCMS, including:

• Developing business continuity strategies to cover risk mitigation, response, and recovery
• Documenting procedures for business disruptions with well-defined roles, necessary resources, and contingency plans
• Testing business continuity procedures to refine and improve your company’s plans

Clause 9: Performance evaluation

It’s difficult to manage a process if you can’t measure it. Take maximum allowable downtime, for example. If a national restaurant chain is closed for 24 hours, it would be inconvenient. But if an international bank were offline for a full day, it could pose serious risks to the global economy. Understanding the parameters of your continuity plans is critical to measuring their efficacy.

Clause 9 calls for a formal evaluation process, which should include:

• A list of performance indicators and metrics
• Methods for measuring and analyzing your performance metrics
• A schedule of internal audits of your BCMS with documentation processes
• Periodic management reviews of audit results

Clause 10: Improvement

The only way to ensure business continuity is to approach planning as an ongoing cycle rather than a one-time process. So, it’s fitting that the final step directs safety leaders to step back and analyze outcomes. ISO 22301 prescribes a formal process to assess continuity efforts, document the evaluations, and implement improvements as needed.

For example, Liberty Mutual discovered room for improvement in its business continuity communication strategy after the Boston Marathon bombing.

“Many of us had been trained or come from an emergency management background, and our style of messaging is very direct,” Goosman noted. “We got feedback from the organization after that event that employees wanted richer and more information.”

Their initial crisis response focused on managing and supporting their workforce throughout operational disarray. Based on this feedback, Liberty Mutual was able to refine its communication strategy and improve its business continuity management system.

Navigating the ISO 22301 Certification Process

Not all companies implementing ISO 22301 must seek certification. Certain industries, though, such as healthcare, energy, and transportation, have legal requirements for certification. For other organizations, seeking certification can provide internal peace of mind and serve as a selling point for customers.

There are three major steps in the certification process:

Choose a certification body

ISO develops and publishes standards, but they don’t issue certifications for compliance. Instead, private, third-party companies offer certification based on ISO standards.

Many organizations will seek accreditation to prove they’re following the appropriate guidelines. When looking for a certification body, we recommend consulting the International Accreditation Forum to vet the companies’ reputations.

The ISO 22301 audit process

Certification bodies can set their own process. However, many follow the same structure: The process often begins with a pre-certification check, including an optional gap analysis. The certification body will review your company’s documentation and implementation, then make any recommendations for adjustment.

The formal audit process involves two steps:

• A review of your business continuity management system and documentation
• An assessment of the ISO 22301 implementation and organizational controls to ensure it’s working as intended

If your company fails either step, you’ll have to repeat the process and pay for another audit.

Maintaining ISO 22301 certification

ISO 22301 certifications are valid for three years. During the first two years, you’ll have to undergo surveillance audits. These are less rigorous than the initial approval process, but ensure your company is maintaining compliance with all of ISO 22301’s requirements. At the end of the third year, you’ll undergo a re-certification audit. If any of the audits reveal problems, you’ll have an opportunity to remedy them and preserve your certification.

Maximize Business Continuity With Best Practices

Preparing your company to face a wide array of threats can be daunting. One day you might deal with a tornado; the next, you might experience an intruder in a neighboring business. Your organization and all of your stakeholders are counting on your preparedness.

ISO 22301 lifts some of the weight from your shoulders. It lays out a tried-and-true formula for minimizing disruptions to your operations. And by following an international standard for business continuity, you can rest easy knowing you’ve prepared your organization for whatever it faces tomorrow.