ISO 22301 Business Continuity Management

Minimize the impact of disruptive incidents

Understand and prioritize the threats to your business with the international standard for business continuity. ISO 22301 specifies the requirements for a management system to protect against, reduce the likelihood of, and ensure your business recovers from disruptive incidents.

Where are you on your business continuity management journey?

Whether you’re new to ISO 22301 or looking to take your expertise further, we have the resources that can be customized to your business to get you started with business continuity management. An ISO 22301 package can be designed to remove the complexity of getting you where you want to be – whatever your starting point.

Getting started with ISO 22301 Business Continuity Management

Expect the unexpected and plan for it with an ISO 22301 Business Continuity Management System (BCMS). Discover how you can adapt the standard to your organization to manage the risks that threaten the smooth running of your business and ensure its survival in the event of a disruption.

Give your business the advantage.
Put business continuity arrangements in place with ISO 22301.

Maintaining business operations in the event of disruption is of utmost importance to your business’s profitability.

Events such as IT outages, power cuts and industrial action can cause serious problems and the shocking impact of natural disasters has made it ever more important to protect your organization by ensuring it’s not left vulnerable to disruption. We understand that having the knowledge to effectively implement and operate your business continuity management system is key. By taking a company-wide view of business continuity you can protect your organization from unexpected threats and give your business a competitive edge. ISO 22301 is a great framework to help you do just that. ISO 22301 is the international standard which specifies the requirements for a business continuity management system. It helps you to identify potential threats to your business and build the capacity to deal with unforeseen events.

Organizations cannot always avoid disruptions, and if they are not planned for, they can have a major impact on your business’s operations, reputation and profitability. With an ISO 22301 Business Continuity Management System, the rewards can be significant. Not only will your organization minimize the operational impact of disruptive incidents and ensure you recover from them with the least impact on your business performance, you’ll also stand apart from your competitors and protect your brand. Whether you’re new to ISO 22301 and business continuity management or looking to take your expertise further, we have training courses, resources and services to suit your needs. We offer service packages that can be customized to your business to support your business continuity ambitions.

ISO 22301 for small and medium-sized businesses (SMEs)

It is not only large organizations that can be affected by unexpected disruptions. Small companies face similar threats too. No matter the size of your organization, the capability to respond effectively is more critical than ever before. That’s why the ISO 22301 business continuity management system has been designed to help you manage the risks that threaten the smooth running of your business and ensure its survival in the event of a disruption. And we can show you how.

Shaping ISO 22301 for SMEs

Small and medium-sized businesses that implement ISO 22301 can improve their resilience in the same way as larger organizations. We know that you may have tighter budgets and less time and fewer resources to put the necessary business continuity management processes in place. That’s why we provide packages to suit your business. We can customize your package to include only the services you need – removing the unnecessary cost and complexity of implementing ISO 22301.

We can help you identify essential business functions and the ways in which they could be impacted by incidents. Let us show you how to protect critical functions and minimize the impact of disruptions. You’ll see how ISO 22301 can put you in a better position when competing for new business and improve supply chain resilience.

Benefits of ISO 22301

Don’t let your business get knocked off course by the unexpected. Whether this is from power cuts, IT system or equipment failure, industrial action, or natural disaster, you need to make sure your business is not vulnerable to disruption and you can recover as quickly as possible. In today’s fast-moving world where supply chains are often complex, and where the threats from which we need to protect ourselves range from terrorism to cyber-crime, or even extreme weather, the need to have a robust and resilient business that can quickly recover from any kind of disaster is vital. ISO 22301 is the international standard that helps organizations to protect against and recover from disruptive incidents when they happen. It provides a systematic approach to business continuity management, and it’s applicable to any organization, regardless of type, size and sector. Use ISO 22301 to protect your business and your reputation, and to minimize financial loss in the case of an incident. Statistics indicate that 80% of organizations that are faced with a significant business discontinuity, and do not have in place adequate and appropriate plans to ensure business continuity, do not survive the event. Don’t let this happen to you!

Threats to business continuity

  • 85% of Business Continuity Managers fear the possibility of a cyber-attack
  • 80% of organizations had a breach in 2014
  • 77% fear unplanned IT outages

We spend lots of hours each year improving the performance of business in Azerbaijan. This experience allows us to see first-hand how ISO 22301 can help organizations to reduce risks, increase resilience, and deliver real benefits.

Top international tips on making ISO 22301 effective for you.

How ISO 22301 works and what it delivers for you and your company

ISO 22301 is the international standard that helps organizations put business continuity plans in place to protect them from, and help them recover from, disruptive incidents when they happen. It also helps you to identify potential threats to your business and to build the capacity to deal with unforeseen events. It helps you to protect your business and your reputation, stay agile and resilient, and to minimize the impact of unexpected interruptions. Whether your business is large or small, the ability to respond quickly and effectively to the unexpected is the key to the survival of any organization. This is why having a robust business continuity management system in place, such as ISO 22301, can be considered as one of the most comprehensive approaches to organizational resilience.

How ISO 22301 works

ISO 22301 is based on the high-level structure (Annex SL), which is a common framework for all new management system standards. This helps keep consistency, align different management system standards, offer matching sub-clauses against the top-level structure and apply common language across all standards. It makes it easier for organizations to incorporate their Business Continuity Management System (BCMS) into core business processes, make efficiencies, and get more involvement from senior management. Plan-Do-Check-Act (PDCA) is the operating principle of ISO 22301. It’s applied to all processes and the BCMS as a whole for continuous improvement. This diagram shows how Clauses 4 to 10 of ISO 22301 can be grouped in relation to PDCA.

Some of the core concepts of ISO 22301 are:

Key requirements of ISO 22301

Clause 1: Scope

The first clause details the scope of the standard.

Clause 2: Normative references

This clause provides the normative references contained in the standard.

Clause 3: Terms and definitions

Please refer to the terms and definitions contained in ISO 22300. This is an important document to read.

Clause 4: Context of the organization

This clause is a good starting point to approach the standard as you need to decide on the context of your BCMS and how your organization’s strategy supports this. This means that you need to identify how your organization sits within its environment. You will need to identify external and internal issues that are relevant to the purpose of the BCMS and how they relate to its expected outcomes. Then you’ll need to identify your relevant internal and external “interested parties” (or stakeholders) who are relevant to the BCMS. You’ll also need to decide what is covered by business continuity and just as importantly what isn’t. This means that you will need to consider your appetite for risk and what the relevant legal and regulatory requirements for your organization are. You will be required to communicate this scope to relevant interested parties both internally and externally so they are aware of your BCMS and how it is relevant to them.

Clause 5: Leadership

This clause focuses on the role and requirements of top management, which is the group of people who direct and control your organization at the highest level in relation to the BCMS. Top management must show their commitment to the BCMS in a number of different ways. Firstly, by ensuring the BCMS is compatible with the strategic direction of the organization. Secondly, they need to show how your BCMS requirements are integrated into your business processes. And lastly by communicating the importance of an effective BCMS and conforming to the BCMS requirements. Policy creation and communication is a really important part of this clause. You will need to ensure that your business continuity policy is appropriate for your organization and that it meets relevant legal and regulatory requirements. It should also be made available to all interested parties you have identified. Top management should assign responsibility for the establishment, implementation and monitoring of the BCMS. And finally, you will also need to show how you continually improve the BCMS.

Clause 6: Planning

This clause relates to establishing the strategic objectives and guiding principles of the BCMS as a whole. It requires you to consider the risks from your BCMS not being successfully implemented. This means that you need to make sure you understand both the internal culture and the external environment in which your organization operates and also what the likely barriers may be in preventing your BCMS from being effective. You will be required to clearly define your business continuity objectives and show that you have plans to achieve them. Your objectives should be measurable. You will also need to decide on the minimum level of products and services that will be acceptable to your organization in order to achieve your business objectives. (This links back to the scope that you have defined in clause 1.) You’ll need to decide who will be responsible for delivering the objectives, what will be done in what timescale, what resources will be required, and how the results will be evaluated.

Clause 7: Support

This clause is all about the resources that are required to establish, implement and maintain an effective BCMS. You’ll need to make sure that people are competent in terms of education, training, awareness and experience. You will also need to consider the communications with interested parties and your requirements for document management. Taking into consideration the increased use of subcontractors in today’s business environment, this clause requires you to make sure that everyone under the control of your BCMS understands their contribution to its effectiveness and the implications of not conforming to it. Critically, they must understand their role at the time of a disruption. You will also need to show how you respond to communications from interested parties. It is crucial that your organization fully documents all elements of the BCMS and these documents must be maintained, controlled, and stored appropriately. (How you do this is up to you, but it must be effective for your organization.)

Clause 8: Operation

In this clause you must show how the processes that you have developed to manage the risks to the BCMS are being correctly implemented. This includes any processes that may have been subcontracted or outsourced. You need to define the order and timing of recovery for critical activities that support your organization’s products and services. This includes deciding on what a minimum acceptable level is. You need to be aware that there may be certain financial or governmental obligations that require communication and that there may be a societal need to share certain information in the event of a disruption. Your process should focus on minimizing the consequences of a disruption. You will also need to have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident. Although you do not need to have an approved exercise programme in place to check the effectiveness of your BCMS, you do need to have exercises based on an appropriate range of scenarios. Lastly, you will need to promote continual improvement of the BCMS.

Clause 9: Performance evaluation

This clause covers the maintaining and reviewing of the BCMS so it is kept relevant and up-to-date. This is so that you have the metrics in place to ensure that you effectively manage the BCMS and continually improve. After an internal audit, the management responsible for the area being audited must ensure that any corrections or corrective actions that have been identified are carried out without delay. This clause also covers management review. You will need to provide information for review on the trends in nonconformities and corrective actions, monitoring and measurement evaluation results, and auditing results. Finally, there is a requirement for your organization to communicate the results of the management review to relevant interested parties and take appropriate actions relating to those results.

Clause 10: Improvement

This clause is all about making your BCMS as effective as it can be to show how you are proactive in managing it. You are required to show how you continually improve and enhance the performance of your BCMS to ensure it is robust and relevant. This may be as a result of identifying potential threats or risks from any internal or external factors that are relevant to your organization. You will also need to show how the BCMS has been updated in response to any nonconformities or corrective actions.

Why AQS?

AQS is the sole organization in Azerbaijan certified to ISO 10019:2007 “Guidelines for the selection of quality management system consultants and use of their services”. We have the best knowledge of ISO 27001 through our consulting partnership with BSI, which has been at the forefront of ISO 22301 since the original Business Continuity Standard, BS 25999-2, was pioneered by BSI in 2007. That’s why we’re best placed to help you understand the standard. We help organizations to embed resilience, helping them to grow sustainably, adapt to change, and prosper for the long term. We make quality services = quality life.