What Are The Requirements of ISO 22301?

ISO 22301 provides the requirements for a business continuity management system which goes beyond just having a plan.  

It can be difficult to understand the requirements of international standards without applying them to some context. ISO Consultants such as Assent can help you navigate the challenge and provide knowledge transfer that can help your team to run the system going forward.

Here is a brief outline of the requirements of ISO 22301, so you know what to expect before starting your ISO Project:

Management System Framework

ISO 22301 aligns to ISO’s Annex SL, which provides a common clause structure making it much easier to integrate standards.

As such, if you have implemented another standard, many of the requirements will be familiar, including:

– Context of the Organisation

– Leadership

– Risks & Opportunities

– Supporting functions, including Awareness and Documented Information

– Performance Evaluation, including Internal Audits and Management Review

– Improvement

There are some key additional subclauses to the main management system requirements such as the need to identify applicable Legal and Regulatory Requirements that could affect the BCMS.

Clause 8, Operation, is where you’ll find many of the discipline-specific requirements, some of which are discussed below.

Business Impact Analysis (BIA)

Conducting a BIA is an explicit requirement of the standard, and this is an exercise that can prove very valuable.

While the standard sets out the broad requirements, it gives little guidance as to the BIA methodology you should use.

At Assent Risk Management, we recommend the guidance of the Business Continuity Institute (BCI) and we can guide you through this process.

Risk Assessment

Clause 6 considers the risks to the management system itself; ISO 22301 also includes a risk assessment clause directly after the BIA (see above). This provides a natural follow-on from considering the impacts to your business activities.

Potential disruptive events should be identified and controls put in place to limit the likelihood of them occurring, or to minimise the disruption should they occur.

Prevention is better than cure, and in this case that means avoiding disruptions rather than activating your business continuity response.

Business Continuity Strategy

There are many ways to approach the continuity of an activity, and the standard requires you to identify the approach you will take.

The format of the strategy is not clearly defined, so there is flexibility here to document this as you require.

However, the BCI’s Good Practice Guide provides a range of options, from ‘Do Nothing’ to full ‘Replication’ and ‘Diversification’.

Create Business Continuity Procedures

There are a number of procedures required for an effective business continuity response, including defining an incident response structure, warning systems and the contents of the plan itself.

The standard is fairly prescriptive as to what should be contained within business continuity plans; however, there is discretion as to whether you have a single company-wide plan or smaller ‘departmental’ plans.

Exercising and Testing

Finally, and perhaps most importantly, ISO 22301 requires the arrangements to be exercised and tested to ensure that they are fit for purpose and continue to meet the needs of the organisation.

This can be challenging to organise, and an exercise itself can introduce risk to the business; however, an effective schedule can be created to test individual elements as well as a full scenario.

Ready to Implement ISO 22301

ISO 22301 provides the core requirements for a business continuity management system; however, many organisations find it useful to buy a copy of ISO 22313, which includes additional advice and guidance on the requirements.

Assent Risk Management has a team of experienced consultants and auditors who help organisations implement ISO 22301 and achieve UKAS Accredited Certification.

Contact us for more information on how we can help.

Kaidee Clark