Standard Structure

ISO 22301:2019 follows the Annex SL high-level structure common to all modern ISO management system standards. This makes it easier to integrate with ISO 27001, ISO 9001, and other management systems.

The standard contains 10 clauses, with Clauses 1-3 covering scope, normative references, and terms. Clauses 4-10 contain the requirements against which organizations are certified.

Clause 4: Context of the Organization

Clause 4 establishes the foundation for your BCMS by understanding your organization and its environment.

4.1 Understanding the Organization and Its Context

  • Identify external and internal issues relevant to business continuity
  • Consider regulatory, legal, and contractual obligations
  • Understand the business environment and market conditions

4.2 Understanding Needs and Expectations of Interested Parties

  • Identify interested parties (customers, regulators, employees, suppliers)
  • Determine their requirements related to business continuity
  • Document legal, regulatory, and contractual obligations

4.3 Determining the Scope

  • Define BCMS boundaries and applicability
  • Consider internal and external issues (4.1)
  • Consider interested party requirements (4.2)
  • Document the scope as documented information

4.4 Business Continuity Management System

Establish, implement, maintain, and continually improve the BCMS according to ISO 22301 requirements.

Clause 5: Leadership

Leadership commitment is essential for BCMS success.

5.1 Leadership and Commitment

Top management must demonstrate leadership by:

  • Ensuring BC policy and objectives are established
  • Ensuring BCMS integration into business processes
  • Ensuring resources are available
  • Communicating the importance of effective BC management
  • Ensuring the BCMS achieves its intended outcomes
  • Directing and supporting continual improvement

5.2 Policy

The BC policy must:

  • Be appropriate to the organization's purpose
  • Provide a framework for setting BC objectives
  • Include commitment to satisfy applicable requirements
  • Include commitment to continual improvement
  • Be documented, communicated, and available to interested parties

5.3 Organizational Roles, Responsibilities, and Authorities

Top management must assign and communicate responsibilities for:

  • Ensuring BCMS conformity with ISO 22301
  • Reporting on BCMS performance

Clause 6: Planning

6.1 Actions to Address Risks and Opportunities

Plan actions to:

  • Give assurance the BCMS can achieve intended outcomes
  • Prevent or reduce undesired effects
  • Achieve continual improvement

6.2 Business Continuity Objectives and Planning

BC objectives must:

  • Be consistent with the BC policy
  • Be measurable (if practicable)
  • Take into account applicable requirements
  • Be monitored, communicated, and updated as appropriate

Planning must address: what will be done, resources needed, responsibility, deadlines, and evaluation methods.

Clause 7: Support

7.1 Resources

Determine and provide resources needed for the BCMS.

7.2 Competence

  • Determine necessary competence for BC roles
  • Ensure persons are competent through education, training, or experience
  • Take actions to acquire competence and evaluate effectiveness
  • Retain evidence of competence

7.3 Awareness

Persons working under the organization's control must be aware of:

  • The BC policy
  • Their contribution to BCMS effectiveness
  • Implications of not conforming with BCMS requirements
  • Their role during disruptive incidents

7.4 Communication

Determine internal and external communications including what, when, with whom, and how to communicate.

7.5 Documented Information

The BCMS must include documented information required by the standard and determined by the organization as necessary for effectiveness.

Clause 8: Operation (Deep Dive)

Clause 8 is the heart of ISO 22301, containing the BC-specific operational requirements.

8.1 Operational Planning and Control

Plan, implement, and control processes needed to meet requirements by:

  • Establishing criteria for processes
  • Implementing control in accordance with criteria
  • Keeping documented information to demonstrate execution as planned
  • Controlling planned changes and reviewing unintended changes
  • Controlling outsourced processes

8.2 Business Impact Analysis and Risk Assessment

8.2.1 General

Implement and maintain a formal, documented process for BIA and risk assessment.

8.2.2 Business Impact Analysis

The BIA process must:

  • Identify activities supporting products and services
  • Assess impacts over time of not performing activities
  • Set prioritized timeframes for resuming activities (RTO)
  • Identify dependencies and supporting resources
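The BIA steps above produce data that has to be internally consistent: a resumption timeframe (RTO) must sit inside the point at which the impact over time becomes intolerable (the maximum tolerable period of disruption, MTPD), and an activity cannot resume before the activities and resources it depends on. The following Python is an added example, not text or tooling from ISO 22301 or from this page; the activity names, impact ratings, hours and dependency links are constructed sample data, and the ordinal impact scale and the rule "intolerable means severe" are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field

# Ordinal impact scale used for the impact-over-time ratings (constructed).
IMPACT_SCALE = {"negligible": 0, "minor": 1, "moderate": 2, "major": 3, "severe": 4}


@dataclass
class Activity:
    name: str
    # Impact rating at successive points after disruption: hours -> rating.
    impact_over_time: dict
    # Prioritized resumption timeframe (RTO) proposed for the activity, in hours.
    rto_hours: int
    # Activities and resources this one cannot resume without.
    depends_on: list = field(default_factory=list)


def derive_mtpd(impact_over_time, intolerable="severe"):
    """Return the first horizon (hours) at which the impact rating reaches the
    intolerable level, i.e. the MTPD. None if the rating never gets there."""
    for hours in sorted(impact_over_time):
        if IMPACT_SCALE[impact_over_time[hours]] >= IMPACT_SCALE[intolerable]:
            return hours
    return None


def effective_rto(name, activities, _seen=frozenset()):
    """Earliest realistic resumption time: the activity's own RTO or, if later,
    the effective RTO of anything it depends on (dependencies resume first)."""
    if name in _seen:
        raise ValueError(f"dependency cycle through {name!r}")
    act = activities[name]
    deps = [effective_rto(d, activities, _seen | {name}) for d in act.depends_on]
    return max([act.rto_hours] + deps)


def prioritized(activities):
    """Activity names in resumption priority order (shortest RTO first)."""
    return sorted(activities, key=lambda n: (activities[n].rto_hours, n))


def bia_findings(activities):
    """Apply the consistency checks a reviewer would run over a BIA:
    RTO must not exceed MTPD, every dependency must itself be in the BIA,
    and no dependency may have a later RTO than the activity relying on it.
    Returns a list of (activity name, finding text) tuples."""
    findings = []
    for act in activities.values():
        mtpd = derive_mtpd(act.impact_over_time)
        if mtpd is not None and act.rto_hours > mtpd:
            findings.append((act.name, f"RTO {act.rto_hours}h exceeds MTPD {mtpd}h"))
        for dep in act.depends_on:
            if dep not in activities:
                findings.append((act.name, f"dependency {dep!r} not covered by the BIA"))
            elif activities[dep].rto_hours > act.rto_hours:
                findings.append((act.name, f"depends on {dep!r} (RTO {activities[dep].rto_hours}h) "
                                           f"which resumes later than its own RTO {act.rto_hours}h"))
    return findings


# Constructed sample BIA: four activities and their dependencies.
SAMPLE = {a.name: a for a in [
    Activity("customer payments", {1: "minor", 4: "moderate", 8: "major", 24: "severe"},
             rto_hours=4, depends_on=["core banking platform", "network"]),
    Activity("core banking platform", {1: "moderate", 4: "major", 8: "severe"}, rto_hours=2),
    Activity("network", {1: "minor", 8: "moderate", 24: "major", 48: "severe"}, rto_hours=8),
    Activity("payroll", {24: "minor", 72: "moderate", 168: "major", 336: "severe"},
             rto_hours=72, depends_on=["core banking platform"]),
    Activity("regulatory reporting", {8: "minor", 24: "moderate", 48: "severe"},
             rto_hours=72, depends_on=["ledger archive"]),
]}

if __name__ == "__main__":
    for name, finding in bia_findings(SAMPLE):
        print(f"FINDING {name}: {finding}")
    for name in prioritized(SAMPLE):
        act = SAMPLE[name]
        print(f"{name}: stated RTO {act.rto_hours}h, effective {effective_rto(name, SAMPLE)}h")
```

Run as a script, the sample surfaces three findings: "customer payments" claims a 4-hour RTO while resuming only after the network (8 hours), "regulatory reporting" has an RTO beyond its own MTPD, and it depends on a resource nobody analysed. The effective-RTO line then shows what the dependency chain actually allows, which is the number the strategy selection in 8.3 has to work from.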

8.2.3 Risk Assessment

The risk assessment process must:

  • Identify risks of disruption to prioritized activities
  • Systematically analyse risks
  • Evaluate which risks require treatment
  • Identify treatments aligned with BC objectives

8.3 Business Continuity Strategies and Solutions

8.3.1 Determination and Selection

Based on BIA and risk assessment outputs, identify and select BC strategies to:

  • Protect prioritized activities
  • Stabilize, continue, resume, and recover activities
  • Meet prioritized timeframes

8.3.2 Resource Requirements

Determine resource requirements including:

  • People (skills, knowledge, competence)
  • Information and data
  • Buildings and associated utilities
  • Facilities, equipment, and consumables
  • ICT systems
  • Transportation and logistics
  • Finance
  • Partners and suppliers

8.3.3 Protection and Mitigation

Implement measures to reduce likelihood of disruption, shorten disruption period, and limit impact.

8.4 Business Continuity Plans and Procedures

8.4.1 General

Establish, implement, and maintain BC plans and procedures.

8.4.2 Incident Response Structure

Implement an incident response structure that:

  • Identifies activation thresholds
  • Assesses nature and extent of disruptive incidents
  • Activates appropriate BC response
  • Has defined processes and procedures for activation
  • Has authority and resources to implement response
  • Communicates with interested parties

8.4.3 Warning and Communication

Establish warning and communication procedures that:

  • Detect and monitor incidents
  • Facilitate internal and external communication
  • Ensure availability of communication means
  • Facilitate receipt and documentation of information
  • Alert interested parties potentially impacted
  • Communicate with emergency services
  • Record vital information about incidents

8.4.4 Business Continuity Plans

BC plans must have:

  • Defined purpose and scope
  • Objectives
  • Criteria and procedures for activation
  • Implementation procedures
  • Roles, responsibilities, and authorities
  • Communication requirements
  • Internal and external interdependencies
  • Resource requirements
  • Information flow and documentation processes

8.4.5 Recovery

Establish procedures to restore and return business activities from temporary measures.

8.5 Exercise Programme

The organization must:

  • Exercise and test BC procedures to ensure consistency with objectives
  • Conduct exercises based on appropriate scenarios
  • Produce formalized post-exercise reports containing outcomes
  • Review exercise outcomes as part of management review
  • Conduct at planned intervals and when significant changes occur

8.6 Evaluation of BC Documentation and Capabilities

Evaluate the suitability, adequacy, and effectiveness of BIA, risk assessment, strategies, solutions, plans, and procedures through review, exercises, and post-incident analysis.

Clause 9: Performance Evaluation

9.1 Monitoring, Measurement, Analysis, and Evaluation

Determine what to monitor, methods, when to monitor, and when to analyse results. Evaluate BCMS performance and effectiveness.

9.2 Internal Audit

Conduct internal audits at planned intervals to determine if the BCMS conforms to requirements and is effectively implemented. Establish audit programme, select auditors, and report results.

9.3 Management Review

Top management must review the BCMS at planned intervals. Inputs include previous reviews, changes, feedback, audit results, and BC performance. Outputs include decisions on improvement, changes, and resource needs.

Clause 10: Improvement

10.1 Nonconformity and Corrective Action

When nonconformity occurs:

  • React to control and correct it
  • Evaluate need for action to eliminate causes
  • Implement action needed
  • Review effectiveness of corrective action
  • Make changes to BCMS if necessary

10.2 Continual Improvement

Continually improve BCMS suitability, adequacy, and effectiveness.