Business Continuity Management
It is critical that businesses plan for the potential disruptions to operations that can be caused by everything from minor accidents to major disasters. Maintaining business continuity has become a vital requirement of all organizations. ISO 22301:2019 Security and Resilience — Business Continuity Management System Requirements was developed to establish the minimum standards for an effective BCM system (BCMS).
By identifying and outlining the elements of an effective BCMS, the standard is designed around keeping a business operating at required levels during any emergency. An effective BCMS will help you safeguard critical resources and staff, protect your reputation and brand value, and keep your critical business functions operating. The outcome is protection of all stakeholders and the bottom line.
Business continuity, risk management, and disaster recovery have existed for a long time. ISO 22301:2019 provides a more comprehensive approach to BCM, supported by enterprise-wide planning and procedures. With ISO 22301:2019, organizations have a framework for continual improvement and for demonstrating to stakeholders that they meet best practice.
Who needs ISO 22301:2019?
ISO 22301:2019 can be applied to small or large organizations, and it is particularly valuable for high-risk industries such as information service providers, banking, telecom, and utilities, where high availability is crucial. For organizations with less risk, ISO 22301:2019 can meet the BCM needs of critical groups, divisions, and support functions. Since risk assessment is a fundamental piece of your BCM strategy, any organization can utilize ISO 22301:2019 to develop a proportionate and effective implementation (of the standard and best practice) and ensure operations are sustainable given an unexpected event.
What are the benefits?
An effective and certified BCMS:
- Outlines a proven framework on which an organization can base its BCM system
- Improves an organization’s resilience when encountering unexpected events
- Provides a measured and planned response organization-wide when an event occurs
- Creates competitive advantage, reputation, and brand value in the marketplace through reliability and high availability
- Identifies opportunities for improvement by developing a clearer understanding of the organization and risk levels
- Demonstrates compliance and commitment to contracts, applicable laws, and government regulations
- Reduces costs by eliminating or minimizing the lost productivity that results from interrupted operations
How does ISO 22301:2019 help?
It specifies the requirements for designing, implementing, and managing a BCMS. It reinforces:
- Understanding the business and risks that underlie an effective BCMS
- Operational controls and measurements that help an organization manage business continuity
- Management, monitoring, and review of performance and effectiveness of an organization’s BCMS
- Continual improvement based on an effective strategy and objective measurement of the system
How is a BCMS like other management systems?
Like other management systems, such as ISO 9001, ISO 27001, and ISO 14001, a BCMS has the following elements:
- Based on the High Level Structure (HLS), it has a strong foundation that now aligns with many other internationally recognized management system standards such as ISO 9001 quality management and ISO/IEC 27001 information security management
- Identification of resources, competency, and responsibilities
- Management processes that address BCM policy, system planning, implementation and operation of the BCMS, performance assessment and measurement, management review, continual improvement, and documentation and auditable evidence of effectiveness
- Business- and organization-specific processes and outcomes such as risk assessment, business impact analysis, contingency planning, response, and overall BCM plan development
- The Plan-Do-Check-Act (PDCA) cycle for establishing, implementing, operating, monitoring, maintaining, and improving the effectiveness of an organization’s BCMS
The Certification Process
Certification can happen once your management system is ready. The typical certification process involves an on-site pre-assessment (gap analysis) if you desire, readiness review of your BCMS documentation, the certification audit itself, closure of any open issues, a review by the registrar, and issuance of your certificate. Certification costs are typically small compared to the cost of implementing the system. Fees are typically driven by the size of your company, complexity, and audit days required. With some basic information about your company, SRI can easily provide a no-obligation, detailed cost proposal.
ISO 22301:2019 replaces ISO 22301:2012 and the older BS 25999-2:2007. If your organization is certified to ISO 22301:2012, there is an anticipated three-year period to upgrade to ISO 22301:2019, and after October 30, 2022 certificates for ISO 22301:2012 will no longer be valid.