In this ultimate guide I have packaged my 10+ years of experience with ISO 22301 to provide a simplified, actionable guide to what it is, why you need it, and how to achieve certification.
ISO 22301 is the international standard for the design, implementation, management and continuous improvement of a Business Continuity Management System (BCMS.)
In this ultimate guide, we will explore what ISO 22301 entails, its benefits, implementation steps, common challenges, and much more.
So, let's dive in and demystify the world of ISO 22301 together.
What is ISO 22301 and How Does It Work?
ISO 22301 is the international standard for the design, implementation, management and continuous improvement of a Business Continuity Management System (BCMS).
But, what is a BCMS?
BCMS stands for Business Continuity Management System.
It is a comprehensive framework that encompasses the policies, processes, procedures, people, and technology that you implement to mitigate the threats and risks that impact the continuity of your business.
It encompasses various aspects, including:
Risk management
Asset management
Incident response
Business continuity
Disaster recovery
Crisis management
and much much more...
It's important to understand that a BCMS is not a technology thing.
It's not a piece of software, a platform or a tool.
It is a method for managing the continuity of your business in the face of disruption and adversity.
Why is a BCMS so important?
A BCMS is designed to provide organisations with a structured approach to managing and continuously improving their business continuity.
Your BCMS is meant to consider the context of your organisation and exist as a living system that adapts and evolves in response to the internal and external factors that impact your business. For example:
Legal and regulatory changes
Customer expectations and requirements
Technology changes
Changes in the threat landscape
New vulnerabilities
In the same way that your organisation has a Customer Relationship Management system made up of sales, marketing and service related activities, business continuity needs a management system of its own - a Business Continuity Management System.
Its purpose is to provide a systematic approach to how you identify, protect against, detect, respond to and recover from the threats, risks and vulnerabilities that can disrupt your business.
Where does ISO 22301 come in?
ISO 22301 is the embodiment of what thousands of experts worldwide consider to be industry best practice for designing, implementing, managing and continuously improving a Business Continuity Management System.
It is a globally recognised, international standard that provides a structured framework for managing and improving your business continuity.
The good news is that it doesn't discriminate either.
It is technology agnostic, vendor agnostic and is applicable to any organisation - regardless of size, scale, industry or geography.
Is ISO 22301 relevant to me?
As covered above, ISO 22301 is designed to provide organisations with a structured approach to managing and continuously improving their business continuity, and it is technology agnostic, vendor agnostic and applicable to any organisation - regardless of size, scale, industry or geography.
So the key question you should be asking is:
"If my business was affected by a catastrophe or crisis, would it be able to continue operating?"
If the answer to this question is no, then using ISO 22301 as the basis for establishing a structured approach to responding to a crisis is a good place to start.
ISO 22301:2019 Basics: Understanding the Standard
Before we deep dive into all the details, let's cover some of the basics.
ISO 22301 is based on Annex SL of the ISO/IEC Directives
A Business Continuity Management System (BCMS) is not the only management system that exists within your business right?
You'll have management systems for many aspects of your business - be it HR, finance, IT, data protection, privacy, quality etc.
Some of the biggest challenges organisations face when it comes to management systems and their wider Governance, Risk and Compliance (GRC) journey include:
Complexity - Multiple legal, regulatory and compliance requirements
Cost - Multiple management systems to satisfy requirements, often running in silos
Integration - The ability to bridge multiple management systems in a streamlined way
Annex SL is the framework ISO uses to define the core requirements and characteristics of a generic management system (the "high-level structure"), which is then tailored to specific domains such as quality management, information security management and, of course, business continuity management.
The significance of this is that Annex SL enables organisations to harmonise, streamline and standardise the management systems that follow it, in order to establish a more Integrated Management System.
ISO 22301 is one of these Standards, alongside many others, including:
ISO 9001:2015, Quality management systems
ISO/IEC 19770-1:2017, Information technology - IT asset management systems
ISO/IEC 20000-1:2018, Information technology - Service management systems
ISO/IEC 27001:2022, Information security management systems
ISO 37301:2021, Compliance management systems
Now, I'm not suggesting that you look at these other standards now.
The focus of this article is ISO 22301.
But as you continue your journey of building your cyber resilience, ISO 22301 creates the opportunity to harmonise, streamline and optimise the way your organisation operates through one Integrated Management System.
Let's move on to the ISO 22301 Standard itself.
Understanding the structure of ISO 22301:2019
As I mentioned earlier in this article, ISO 22301 is the international standard for the design, implementation, management and continuous improvement of a Business Continuity Management System (BCMS).
The ISO 22301 Standard is made up of seven mandatory clauses (Clauses 4 to 10) and 26 subclauses that - together - enable organisations to establish a Business Continuity Management System (BCMS) that conforms to the ISO 22301 Standard.
We'll explore this in more depth later in this article.
ISO22301:2019 Basics: Core Principles
Over the years, I have seen a lot of successful ISO 22301 implementations.
I've also seen a lot of not-so-successful ISO 22301 implementations.
Success is dependent on you keeping some core principles in the back of your mind.
#1 Context of your organisation
ISO 22301 is designed to guide you through the process of establishing, maintaining and continuously improving a BCMS that fits the context of your organisation.
Every business is different and there is no one-size-fits-all BCMS that you can cookie cutter from one organisation to another.
Why? Because Context is King!
To be successful, it is vital that you take into consideration the context of the organisation.
Otherwise, you run the risk of implementing a BCMS that might comply with ISO 22301 but is ineffective, costly and incongruent with the objectives and outcomes that the business is trying to drive.
#2 Risk-based
ISO 22301 is grounded in risk. And this is a good thing!
Risk helps us identify, prioritise and focus on what's important to protecting and safeguarding our business, our people, our customers, our systems and our data.
ISO 22301 guides us through the process of establishing a risk management strategy, risk assessment processes and risk treatment processes. In ISO 22301 the risk assessment sits alongside the business impact analysis (Clause 8.2): the BIA tells you which activities matter most and how quickly they must be recovered, and the risk assessment tells you what is most likely to disrupt them.
The result is a foundation that makes risk work for you, helping to drive continuous improvement of your resilience and your risk profile.
#3 Continuous improvement
ISO 22301 is underpinned by the concept of evaluating the performance and driving continuous improvement of your BCMS.
This helps us ensure that our BCMS is effective and delivering against our objectives, whilst enabling us to respond to change in a controlled and managed way.
#4 Integrate, don't isolate
As ISO 22301 is based on Annex SL, it is designed to integrate with other management systems, frameworks, standards and controls.
Creating silos and isolating management systems is the fast track to increasing cost, complexity and friction within your organisation, damaging the effectiveness, efficiency and impact that your BCMS can have.
ISO22301:2019 Basics: The Requirements (aka The Mandatory Clauses)
ISO 22301 is made up of 7 requirements (or mandatory clauses) that organisations must meet in order to establish a BCMS that conforms to the Standard:
Clause 4, Context of the organisation
Clause 5, Leadership
Clause 6, Planning
Clause 7, Support
Clause 8, Operation
Clause 9, Performance evaluation
Clause 10, Improvement
Within these mandatory clauses are a collection of 26 subclauses that detail the requirements for specific characteristics of a BCMS.
Combined, these clauses establish the foundations of a BCMS that applies a risk-based approach, underpinned by the principle of continuous improvement.
To learn more about each of the clauses and subclauses, along with practical guidance on how to establish, maintain, manage and continuously improve them; check out my definitive reference guide to the ISO 22301 requirements.
Benefits of Adopting ISO22301:2019
Implementing ISO 22301 offers organisations numerous benefits, both from a security and business perspective.
The standard helps build resilience into your organisation that ensures continuity of business operations during disruptions or critical events.
By identifying and mitigating risks, organisations can safeguard the delivery of their products and services, whilst protecting assets, turnover, profits and reputation.
Furthermore, ISO 22301 aids in building trust with customers, partners, and stakeholders.
Demonstrating compliance with internationally recognised standards can serve as a competitive differentiator and open doors to new business opportunities.
Moreover, ISO 22301 promotes a culture of risk awareness and responsibility throughout the organisation, fostering a resilient and proactive approach to business continuity.
Ultimately, ISO 22301 helps improve resilience and drive business outcomes.
ISO 22301 is not merely a checkbox exercise; it can be a catalyst for positive change.
By aligning business continuity management with strategic objectives, organisations can leverage ISO 22301 to enhance overall resilience and improve their bottom line.
Implementing ISO22301:2019: The 10 Step Guide
To implement ISO 22301, you will need to develop a management system - in the context of your organisation - that is made up of people, processes and technology.
While ISO 22301 implementation may seem like a daunting task, breaking it down into manageable steps can simplify the process.
Here are my 10 steps to implementing ISO 22301:
Step #1 - Get Management Support
Step #2 - Define the Scope
Step #3 - Establish Your Business Continuity Policy
Step #4 - Identify and Classify Your Assets
Step #5 - Define Your Risk Management Methodology
Step #6 - Assess Your Risks
Step #7 - Treat Your Risks
Step #8 - Evaluate Your Performance
Step #9 - Drive Continuous Improvement
Step #10 - Get Certified
Keep in mind that for a BCMS (as opposed to an ISMS) steps 4 to 7 must also cover what Clause 8 of the Standard specifically requires: a business impact analysis and risk assessment (8.2), business continuity strategies and solutions (8.3), business continuity plans and procedures (8.4) and an exercise programme (8.5), together with the evaluation of that documentation and capability (8.6). An auditor will look for each of these.
By following this 10 step guide, you will save hundreds of hours in effort, whilst implementing a BCMS that is effective, relevant and in the context of your organisation.
ISO22301:2019 Compliance: Common Challenges and Solutions
While ISO22301:2019 offers a robust framework, organisations often face challenges during the compliance journey. Some common hurdles include:
Lack of Awareness - Limited understanding of ISO 22301 and its benefits among key stakeholders can hinder progress. Regular awareness programs and training initiatives can address this challenge.
Resource Constraints - Organisations may struggle to allocate sufficient resources, both financial and human, to effectively implement and maintain a BCMS. Strategic resource planning and proper budgeting can help overcome this obstacle.
Complexity - The breadth and depth of ISO 22301 requirements can be overwhelming. Engaging experienced consultants and leveraging automation tools can simplify compliance efforts.
By proactively addressing these challenges and seeking appropriate solutions, organisations can navigate the path to ISO 22301 compliance more effectively.
ISO22301:2019 Audits: Keys to Success
Audits play a vital role in maintaining ISO 22301 compliance. Conducting regular internal audits helps ensure the effectiveness and efficiency of the organisation's BCMS.
When preparing for internal or external audits, consider these key success factors:
Planning and preparation
Audits - both internal and external - are incredibly valuable activities. Effective planning and preparation enables you to maximise the value and impact of audits.
Proper documentation
Maintain accurate and up-to-date documentation of policies, procedures, and controls to streamline the audit process.
Thorough training
Provide comprehensive training to employees involved in the audit process to enhance their understanding of ISO 22301 requirements and audit techniques.
Clear communication
Ensure all stakeholders have a clear understanding of their roles and responsibilities, the audit process and what documentation they need to provide.
Continual improvement
Treat audit findings as opportunities for improvement, implementing corrective actions, and monitoring their effectiveness.
By adopting a proactive and systematic approach to auditing, organisations can reinforce their commitment to business continuity and strengthen the effectiveness of their BCMS.
Managing Ongoing Compliance with ISO22301:2019
ISO 22301 compliance is not a one-time effort. To maintain its effectiveness and continuously improve the BCMS, organisations must establish a culture of ongoing compliance and vigilance.
This involves regularly monitoring and reviewing the BCMS, conducting internal audits at planned intervals, and addressing any emerging risks or non-conformities promptly.
Additionally, organisations should stay up-to-date with the latest developments in the field of business continuity to adapt their practices as needed.
ISO22301 Frequently Asked Questions
As organisations explore ISO 22301, several commonly asked questions arise. Let's address some of these queries:
Is ISO22301:2019 applicable to all organisations?
ISO 22301 can benefit organisations of all sizes and across industries. Business continuity and maintaining operational effectiveness in the face of adversity is a universal concern, and ISO 22301 provides a flexible framework that can be tailored to an organisation's unique context.
How long does it take to implement ISO22301:2019?
The timeline for ISO 22301 implementation varies depending on the organisation's size, complexity, and existing practices. On average, the implementation process can take several months to a year.
How long does it take to get ISO22301 Certified?
On average, the ISO22301:2019 Certification process takes approximately 3 months.
Can ISO22301:2019 help improve regulatory compliance?
Yes, ISO 22301 provides a comprehensive framework that helps organisations meet regulatory requirements related to business continuity, disaster recovery and operational resilience.
Does ISO22301:2019 cover data protection regulations such as GDPR?
ISO 22301 in itself does not make you GDPR compliant. It is a complementary standard and framework that helps you establish, maintain and continuously improve your Business Continuity Management System (BCMS), which in turn can aid in satisfying aspects of GDPR: the "integrity and confidentiality (security)" principle in Article 5(1)(f), and in particular the Article 32 requirement to be able to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident.