Presentation of ISO 22301 Societal Security - Business Continuity Management Systems: main concepts, basic terms, content of the standard, clauses, mandatory documentation, related standards, comparison with BS 25999-2, benefits of ISO 22301 implementation, etc.
1. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
ISO 22301 Societal security - Business continuity management systems
Ramiro Cid | @ramirocid
ISO 22301 Societal Security - Business Continuity Management Systems
Index
1. Introduction
2. Comparison between ISO 22301 and BS 25999-2
3. Basic terms used in the standard
4. Content of ISO 22301
5. ISO 22301 explained
6. Mandatory documentation
7. Related standards
8. Societal security context
9. Projects under development
10. Benefits of ISO 22301 business continuity management
Introduction
The full name of this standard is:
“ISO 22301 Societal security - Business continuity management systems - Requirements”
This standard was created by leading experts in the field to provide a best-practice framework for business continuity management in an organization.
Object:
ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and
continually improve a documented management system to protect against, reduce the likelihood of occurrence,
prepare for, respond to, and recover from disruptive incidents when they arise.
Scope:
The requirements specified in ISO 22301:2012 are generic and intended to be applicable to all organizations, or
parts thereof, regardless of type, size and nature of the organization. The extent of application of these
requirements depends on the organization's operating environment and complexity.
Who can implement this standard?
Any organization, large or small, for-profit or nonprofit, private or public. The standard is conceived in such a way that it is applicable to any size or type of organization.
Comparison between ISO 22301 and BS 25999-2
ISO 22301 has replaced BS 25999-2. The two standards are quite similar, but ISO 22301 can be considered an update of BS 25999-2.

Complete name
  ISO 22301: ISO 22301:2012 Societal security - Business continuity management systems - Requirements
  BS 25999-2: BS 25999-2 Business Continuity Management - Part 2: Specification
Published by
  ISO 22301: International Organization for Standardization
  BS 25999-2: British Standards Institution
Published date
  ISO 22301: 15/05/2012
  BS 25999-2: 20/11/2007
Total number of pages
  ISO 22301: 24
  BS 25999-2: 28
Official recognition
  ISO 22301: Internationally accepted by standards institutes in 163 countries
  BS 25999-2: Officially recognized only in the United Kingdom, but implemented worldwide
Comparison between ISO 22301 and BS 25999-2 (continuation)
ISO 22301 is not that different from BS 25999-2 in most business continuity areas, such as business impact analysis, strategy or planning; the biggest changes are in the management part of the standard.
ISO 22301 places much greater emphasis on understanding requirements, setting objectives and measuring performance. Therefore, it will be more easily accepted by top management, which in turn will contribute to the widespread adoption of this standard, as happened with ISO 27001, ISO 9001 or ISO 14001.
Basic terms used in the standard
Business Continuity Management System (BCMS) – the part of the overall management system that ensures business continuity is planned, implemented, maintained and continually improved
Maximum Acceptable Outage (MAO) – the maximum amount of time an activity can be disrupted without incurring unacceptable damage (also called Maximum Tolerable Period of Disruption – MTPD)
Recovery Time Objective (RTO) – the pre-determined time by which an activity must be resumed, or resources must be recovered
Recovery Point Objective (RPO) – the maximum acceptable data loss, i.e., the minimum amount of data that must be restored
Minimum Business Continuity Objective (MBCO) – the minimum level of services or products an organization needs to produce after resuming its business operations
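The terms above constrain each other: an RTO longer than the MAO means the activity is resumed only after the damage has already become unacceptable, an RPO can only be met if backups run at least that often, and the chosen recovery strategy must be able to deliver at least the MBCO. The following script is an added illustration of those relationships, not code from the presentation; the activity register, its field names and all numbers are constructed for the example.

```python
"""Consistency checks on a business impact analysis (BIA) register.

Added illustration of how MAO/MTPD, RTO, RPO and MBCO relate to each other.
The Activity fields, the activities and every number below are constructed
for this example (assumptions, not values from any real organization).
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Activity:
    name: str
    mao_hours: float               # Maximum Acceptable Outage (= MTPD)
    rto_hours: float               # Recovery Time Objective
    rpo_hours: float               # Recovery Point Objective (max tolerable data loss)
    backup_interval_hours: float   # how often the activity's data is actually backed up
    mbco_pct: float                # Minimum Business Continuity Objective, % of normal output
    strategy_capacity_pct: float   # output the chosen recovery strategy can deliver, %
    depends_on: List[str] = field(default_factory=list)  # activities this one needs first


def check_register(register: List[Activity]) -> List[str]:
    """Return one finding per inconsistency; an empty list means the register is coherent."""
    by_name = {a.name: a for a in register}
    findings: List[str] = []
    for a in register:
        # The activity must be resumed before the outage becomes unacceptable.
        if a.rto_hours > a.mao_hours:
            findings.append(f"{a.name}: RTO {a.rto_hours}h exceeds MAO {a.mao_hours}h")
        # Data loss cannot be bounded by the RPO if backups run less often than it.
        if a.backup_interval_hours > a.rpo_hours:
            findings.append(
                f"{a.name}: backup interval {a.backup_interval_hours}h exceeds RPO {a.rpo_hours}h")
        # The recovery strategy must deliver at least the MBCO.
        if a.strategy_capacity_pct < a.mbco_pct:
            findings.append(
                f"{a.name}: strategy delivers {a.strategy_capacity_pct}% but MBCO is {a.mbco_pct}%")
        # An activity cannot be resumed before the activities it depends on.
        for dep in a.depends_on:
            d = by_name.get(dep)
            if d is None:
                findings.append(f"{a.name}: depends on unknown activity {dep}")
            elif d.rto_hours > a.rto_hours:
                findings.append(
                    f"{a.name}: RTO {a.rto_hours}h is shorter than RTO {d.rto_hours}h of dependency {dep}")
    return findings


# Constructed sample register: two coherent activities and two with defects.
SAMPLE_REGISTER = [
    Activity("payments", mao_hours=8, rto_hours=4, rpo_hours=1, backup_interval_hours=0.25,
             mbco_pct=50, strategy_capacity_pct=60, depends_on=["core-db"]),
    Activity("core-db", mao_hours=8, rto_hours=2, rpo_hours=0.25, backup_interval_hours=0.25,
             mbco_pct=100, strategy_capacity_pct=100),
    Activity("reporting", mao_hours=24, rto_hours=48, rpo_hours=24, backup_interval_hours=24,
             mbco_pct=20, strategy_capacity_pct=10, depends_on=["core-db"]),
    Activity("payroll", mao_hours=72, rto_hours=24, rpo_hours=4, backup_interval_hours=12,
             mbco_pct=100, strategy_capacity_pct=100, depends_on=["hr-system"]),
]


if __name__ == "__main__":
    for finding in check_register(SAMPLE_REGISTER):
        print(finding)
```

Run against the sample register, the script reports four findings: reporting has an RTO longer than its MAO and a strategy that cannot meet its MBCO, and payroll has backups too infrequent for its RPO and a dependency that is missing from the register; payments and core-db pass. A register that passes these checks is not yet a complete BIA, but one that fails them cannot support a credible business continuity plan.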
Content of ISO 22301
Introduction
0.1 General
0.2 The Plan-Do-Check-Act (PDCA) model
0.3 Components of PDCA in this International Standard
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding of the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the management system
4.4 Business continuity management system
5 Leadership
5.1 General
5.2 Management commitment
5.3 Policy
5.4 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Business continuity objectives and plans to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Business impact analysis and risk assessment
8.3 Business continuity strategy
8.4 Establish and implement business continuity procedures
8.5 Exercising and testing
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Bibliography
ISO 22301 explained
ISO 22301 is the second published management system standard to adopt the new high-level structure and standardized core text agreed within ISO.
This will ensure consistency with all future and revised management system standards and make integrated use easier with, for example, ISO 9001 (quality), ISO 14001 (environmental) and ISO/IEC 27001 (information security).
The standard is divided into 10 main clauses, starting with scope, normative references, and terms and definitions. The standard's requirements follow in clauses 4 to 10.
Clause 4 – Context of the organization
The first step involves getting to know the organization, both its internal and external needs, and setting clear boundaries for the scope of the management system. In particular, this requires the organization to understand the requirements of relevant interested parties, such as regulators, customers and staff, and above all the applicable legal and regulatory requirements. This enables it to determine the scope of the business continuity management system (BCMS).
Clause 5 – Leadership
ISO 22301 places particular emphasis on the need for appropriate leadership of BCM, so that top management ensures appropriate resources are provided, establishes policy and appoints people to implement and maintain the BCMS.
Clause 6 – Planning
This requires the organization to identify risks to the implementation of the management system and
set clear objectives and criteria that can be used to measure its success.
Clause 7 – Support
Since resources are required for implementation, Clause 7 introduces the important concept of competence. For business continuity to be successful, people with appropriate knowledge, skills and experience must be in place both to contribute to the BCMS and to respond to incidents when they occur. It is also important that all staff are aware of their own role in responding to incidents; this clause deals with all of these areas. The need for communication about the BCMS – for instance, telling customers that the organization has appropriate BCM in place – and preparedness to communicate following an incident (when normal channels may be disrupted) are also covered here.
Clause 8 – Operations
This section contains the main body of business continuity-specific expertise. The organization must undertake a business impact analysis to understand how its business is affected by disruption and how that impact changes over time. Risk assessment seeks to understand the risks to the business in a structured way, and both inform the development of the business continuity strategy. Steps to avoid or reduce the likelihood of incidents are developed alongside the steps to be taken when incidents occur.
As it is impossible to predict and prevent all incidents, risk reduction and planning for all eventualities are complementary approaches. It might be said, “hope for the best and plan for the worst”.
Clause 9 – Evaluation
For any management system, it is essential to evaluate performance against plan. ISO 22301 therefore requires that the organization select appropriate performance metrics and measure itself against them. Internal audits must be conducted, and there is a requirement that management review the BCMS and act on the outcome of these reviews.
Clause 10 – Improvement
No management system is perfect at the outset, and organizations and their environments are
constantly changing. Clause 10 defines actions to take to improve the BCMS over time and ensure
that corrective actions arising from audits, reviews, exercises and so on are addressed.
Mandatory documentation
If an organization wants to implement this standard, the following documentation is mandatory:
List of applicable legal, regulatory and other requirements
Scope of the BCMS
Business Continuity Policy
Business continuity objectives
Evidence of personnel competences
Records of communication with interested parties
Business impact analysis
Risk assessment, including risk appetite
Incident response structure
Business continuity plans
Recovery procedures
Results of preventive actions
Results of monitoring and measurement
Results of internal audit
Results of management review
Results of corrective actions
Related standards
Other standards that are helpful in the implementation of business continuity are:
ISO/IEC 27031 – Guidelines for information and communication technology readiness for business continuity
PAS 200 – Crisis management – Guidance and good practice
PD 25666 – Guidance on exercising and testing for continuity and contingency programs
PD 25111 – Guidance on human aspects of business continuity
ISO/IEC 24762 – Guidelines for information and communications technology disaster recovery services
ISO/PAS 22399 – Guideline for incident preparedness and operational continuity management
ISO/IEC 27001 – Information security management systems – Requirements
Societal security context
ISO 22301 has been developed by ISO/TC 223, Societal security.
The committee has previously published the following standards and other documents:
ISO 22300:2012, Societal security – Terminology
ISO 22320:2011, Societal security – Emergency management – Requirements for incident response
ISO/TR 22312:2011, Societal security – Technological capabilities
ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management
Projects under development
ISO 22311, Societal security – Video-surveillance – Export interoperability
ISO 22313, Societal security – Business continuity management systems – Guidance
ISO 22315, Societal security – Mass evacuation
ISO 22322, Societal security – Emergency management – Public warning
ISO 22323, Organizational resilience management systems – Requirements with guidance for use
ISO 22325, Societal security – Guidelines for emergency capability assessment for organizations
ISO 22351, Societal security – Emergency management – Shared situation awareness
ISO 22397, Societal security – Public Private Partnership – Guidelines to set up partnership agreements
ISO 22398, Societal security – Guidelines for exercises and testing
ISO 22324, Societal security – Emergency management – Colour-coded alert
Benefits of ISO 22301 business continuity management
What are the benefits of ISO 22301 business continuity management?
Identify and manage current and future threats to your business
Take a proactive approach to minimizing the impact of incidents
Keep critical functions up and running during times of crisis
Minimize downtime during incidents and improve recovery time
Demonstrate resilience to customers and suppliers, and in tender requests
Questions?
Many thanks!
ramiro@ramirocid.com
@ramirocid
http://www.linkedin.com/in/ramirocid
http://ramirocid.com
http://es.slideshare.net/RamiroCid
http://www.youtube.com/user/cidramiro
Ramiro Cid
CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL