BestPractice
Business Continuity Management System ISO 22301:2012 An Overview
In the past, to deal with a crisis, an organization typically relied on an emergency response plan or a small disaster management committee.
ISO 22301 "Societal security - Business continuity management systems - Requirements", the world's first international standard for Business Continuity Management (BCM), was developed to help organizations minimize the risk of disruptions. It defines a business continuity management system as the "part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity".
The standard was published in May 2012 to give organizations a best-practice framework for business continuity management, and it replaces BS 25999, the British business continuity standard published in 2006.
Recent worldwide events such as revolutions, natural disasters, environmental crises and technology failures have shown that severe incidents do happen and affect the private sector as well as the public sector.
Manager – Risk Management & Compliance Advisory Service, Ventures Middle East
Business Continuity Management History
In 2012, ISO also published ISO 22313 ("ISO 22313:2012 Societal security - Business continuity management systems - Guidance"), which provides guidance on ISO 22301 for setting up and managing an effective business continuity management system (BCMS).
ISO 22301 Objective:
ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually
improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for,
respond to, and recover from disruptive incidents when they arise.
ISO 22301 Scope:
The ISO 22301 scope is generic and the intended requirements are applicable to all organizations or parts thereof,
regardless of type, size and nature of the organization. The extent of application of these requirements depends on
the organization’s operating environment and complexity.
Who can implement the ISO 22301 standard?
Any organization can implement it: large or small, for-profit or not-for-profit, private or public. ISO 22301 is applicable to any size or type of organization.
Business Continuity Definitions
• Business Continuity Management (BCM)
A holistic management process that identifies potential threats to an organization and the impacts on business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
Timeline:
• 1988 – Creation of the Disaster Recovery Institute (DRII), USA
• 1994 – Creation of the Business Continuity Institute (BCI)
• 2006 – Publication of BS 25999-1
• 2007 – Publication of BS 25999-2
• 2012 – ISO publishes the first version of ISO 22301
• Business Continuity Management Systems (BCMS)
That part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity. The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes and resources.
• Business Continuity Plan (BCP)
Documented procedures that guide the organization to respond, recover, resume and restore to a pre-defined level of operation following a disruption.
• Recovery Time Objective (RTO)
The period of time following an incident within which a product or service must be resumed, an activity must be resumed, or resources must be recovered.
• Recovery Point Objective (RPO)
The maximum acceptable data loss: the point in time to which information used by an activity must be restored to enable the activity to operate on resumption.
• Maximum Acceptable Outage (MAO)
The time it would take for the adverse impacts that might arise from not providing a product or service, or not performing an activity, to become unacceptable.
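The three objectives above only make sense together: the RTO must sit inside the MAO, the last recovery exercise must show the RTO is achievable, and data must be backed up at least as often as the RPO demands. The following consistency review is an added example, not part of the original article; the activity names, durations and the `Capability` fields are constructed sample data.

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class Activity:
    """One row of a business impact analysis (BIA); values are constructed."""
    name: str
    mao: timedelta   # Maximum Acceptable Outage: when impacts become unacceptable
    rto: timedelta   # Recovery Time Objective: target time to resume the activity
    rpo: timedelta   # Recovery Point Objective: maximum tolerable data loss


@dataclass(frozen=True)
class Capability:
    """What the current recovery arrangements actually deliver (constructed)."""
    exercised_recovery_time: timedelta  # measured in the last recovery exercise
    backup_interval: timedelta          # how often the activity's data is backed up


def review(activity: Activity, cap: Capability) -> list[str]:
    """Return findings where objectives and capabilities are inconsistent."""
    findings = []
    # A plan whose RTO is longer than the MAO targets an outage the
    # organization has already declared unacceptable.
    if activity.rto > activity.mao:
        findings.append(f"{activity.name}: RTO {activity.rto} exceeds MAO {activity.mao}")
    # The last exercise is the evidence that the RTO is actually achievable.
    if cap.exercised_recovery_time > activity.rto:
        findings.append(f"{activity.name}: exercised recovery {cap.exercised_recovery_time} "
                        f"misses RTO {activity.rto}")
    # Data loss after a disruption is bounded by the backup interval,
    # so that interval must not exceed the RPO.
    if cap.backup_interval > activity.rpo:
        findings.append(f"{activity.name}: backup interval {cap.backup_interval} "
                        f"exceeds RPO {activity.rpo}")
    return findings


def review_bia(rows: list[tuple[Activity, Capability]]) -> dict[str, list[str]]:
    """Map each activity with at least one finding to its list of findings."""
    return {a.name: f for a, c in rows if (f := review(a, c))}


H = timedelta(hours=1)
SAMPLE_BIA = [  # constructed sample data
    (Activity("Order processing", mao=8 * H, rto=4 * H, rpo=1 * H),
     Capability(exercised_recovery_time=3 * H, backup_interval=timedelta(minutes=15))),
    (Activity("Payroll", mao=48 * H, rto=72 * H, rpo=24 * H),
     Capability(exercised_recovery_time=24 * H, backup_interval=24 * H)),
    (Activity("Customer portal", mao=4 * H, rto=2 * H, rpo=timedelta(minutes=15)),
     Capability(exercised_recovery_time=6 * H, backup_interval=1 * H)),
]

if __name__ == "__main__":
    for name, findings in review_bia(SAMPLE_BIA).items():
        print(name, "->", "; ".join(findings))
```

Only "Payroll" (RTO beyond MAO) and "Customer portal" (exercise missed the RTO, backups too infrequent for the RPO) produce findings; "Order processing" passes all three checks.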
Business Continuity Benefits
• Protection of people
• Predictable and effective response to crises
• Cost reduction
• Understanding of the organization
• Legal and regulatory compliance
• Contract compliance
• Maintenance of the vital activities of the organization
• Confidence of clients
• Competitive advantage
• Increased effectiveness - helps to demonstrate to customers and stakeholders that the business is run effectively
• Reduced risk - removes uncertainty; perceived competence, dependability and openness
• Unprecedented improvement in behaviors
• Keeps existing business and gains new business
Business Continuity Management System ISO 22301:2013 Structure
This structure is the new formulation of ISO management system standards, aligned with "Annex SL", which allows an organization to implement several related ISO management standards at the same time.
As mentioned before in the "ISO 27001:2013 An Overview" article and in our "Integrated Implementation Model" that was proposed at CSCAMP 2013 (1), with our Integrated Implementation Model any organization can implement ISO 22301:2012 (Business Continuity Management System) together with ISO/IEC 27001:2013 in the same implementation period of roughly 12-14 months. (2)
Structure Contents
1. Scope
States the applicability of the standard to the types of organization.
2. Normative References
3. Terms and Definitions
A brief, formalized glossary including the common terms and definitions of a BCMS.
Clause 4 – Context of the organization
Understand the context of organization, internal and external needs, and setting clear boundaries for the scope of
the BC management system.
Clause 5 – Leadership
A BCMS requires appropriate leadership. Top management must ensure appropriate resources, establish policy and appoint people to implement and maintain the BCMS.
Clause 6 – Planning
This requires the organization to identify risks to the implementation of the management system and set clear
objectives and criteria that can be used to measure its success.
Clause 7 – Support
Introduces the important concept of competence. For business continuity to be successful, people with appropriate knowledge, skills and experience must be in place both to contribute to the BCMS and to respond to incidents when they occur.
Clause 8 – Operations
The operations clause contains the main body of business continuity management. The organization must undertake business impact analysis, risk assessment and the development of a business continuity strategy.
Clause 9 – Evaluation
For any management system, it is essential to evaluate performance. The BCMS requires that the organization select and measure itself against appropriate performance metrics, conduct internal audits and management reviews of the BCMS, and act on these reviews.
Clause 10 – Improvement
Organizations and their environments are constantly changing. This clause defines the actions to take to improve the BCMS over time and to ensure that corrective actions arising from audits, reviews and exercises are followed through.
The Plan-Do-Check-Act Cycle
The standard applies the ‘Plan-Do-Check-Act’ (PDCA) cycle to plan, establish, implement, operate, monitor, review,
maintain and continually improve the effectiveness of an organization’s BCMS.
Related Best Practices and Standards
UAE AE/HSC/NCEMA 7000:2012
First BCM bilingual Standard (Arabic and English) in the whole region.
This standard identifies the components, mechanisms and activities used to establish, implement, and continually
improve business continuity management for entities in both public and private sectors.
The Good Practice Guidelines (GPG) – Business Continuity Institute (BCI)
An independent body of knowledge for good business continuity practice worldwide; it now includes terminology from ISO 22301:2012, the international standard for business continuity management systems, and consists of six Professional Practices.
Professional Practices – Disaster Recovery Institute International (DRII)
The Professional Practices are a body of knowledge designed to assist an entity in the development and implementation of a BCM program, and consist of ten subject areas.
ISO/IEC 27031:2011
Information technology -- Security techniques -- Guidelines for information and communication technology readiness
for business continuity
ISO/IEC 24762:2008
Information technology — Security techniques — Guidelines for information and communications technology disaster
recovery services
ISO 22301 Mandatory Documentation
For any organization that wants to implement ISO 22301 and get certified, the following documentation is mandatory:
1. List of applicable legal, regulatory and other requirements
Understanding Context of organization
2. Scope of the BCMS
Organization Statement of business continuity
Scope that will be covered under BCMS
3. Business Continuity Policy
Statement of BCM Policy that has to be applied on the Organization
4. Business Continuity objectives
Clear statement of Organization BCMS objectives
5. Business Impact Analysis
Analysis of business functions and the effect that a business disruption might have upon them
6. Risk Assessment, including risk appetite
Overall process of risk identification, risk analysis and risk evaluation
7. Incident response structure
The proper structure of dealing with organization incident including escalation criteria and incident levels
8. Business Continuity Plans
Documented procedures that guide organization to respond, recover, resume and restore to a pre-defined level of
operation following disruption
9. Records of communication with interested parties
Addresses communication among the various levels of the organization and with internal and external interested parties
10. Recovery procedures
A process that attempts to bring an organization back to a normal operating state, i.e. business as usual (BAU)
11. Evidence of personnel competences
Evidence of BCM Team Competencies, training, awareness and Staff skills.
12. Results of preventive actions and corrective actions
Evidence of maintaining and improving the effectiveness and efficiency of the BCMS by taking preventive and
corrective actions
13. Results of monitoring and measurement
Evidence of defining measures of BCMS performance and continual improvement.
14. Results of internal audit
Evidence of establishing an independent system for BCM implementation verification.
15. Results of management review
Evidence that the organization’s top management reviews its BCMS regularly.
Estimated Time needed for Implementation and Certification ISO/IEC 27001:2013
Based on my Experience
Phase I: Estimated time needed for ISO 22301:2012 implementation
The estimated duration of the implementation depends on the organization's characteristics: employees, premises, processes and budget allocation.
• Small organization: 50 - 350 employees
Estimated time for implementation of the standard: 4-6 months
• Medium organization: 350 - 700 employees
Estimated time for implementation of the standard: 7-9 months
• Large organization: 700 to 1500+ employees
Estimated time for implementation of the standard: 10-12 months
Phase II: Estimated time needed for ISO 22301:2012 certification
Case 1: if one or more minor nonconformities are found and the organization corrects them accordingly, the certificate can be issued in around a month.
Case 2: if one or more major nonconformities are found and the organization corrects them accordingly, the certificate can be issued in around 3-5 months.
Conclusion
Organizations must follow a systematic approach that includes protection, preparedness, mitigation, response for business continuity, and recovery.
An organization's ability to recover from a disaster depends on the quality of the business continuity management approach that was put in place before the disaster.
A business continuity management system helps organizations of all types keep operating in case of a disaster.
References
• ISO 22301:2012 Societal security - Business continuity management systems - Requirements
• ISO 22313:2012 Societal security - Business continuity management systems - Guidance
(1) "ISO 27001:2013 An Overview" article: http://www.slideshare.net/AhmedRiad2/isoiec-2
(2) "Integrated Implementation Model can Implement ISO 22301:2012 (Business Continuity Management System) Together with ISO/IEC 27001:2013": http://www.slideshare.net/AhmedRiad2/presentation-final-28559374