ISO 22301:2019 - NQA


ISO 22301:2019 BUSINESS CONTINUITY STANDARD IMPLEMENTATION GUIDE


Contents

Introduction to the standard P04
Benefits of implementation P06
Key principles and terminology P08
PDCA cycle P09
Risk based thinking / audits P10
Process based thinking / audit P11
Annex SL P12
CLAUSE 1: Scope P13
CLAUSE 2: Normative references P14
CLAUSE 3: Terms and definitions P15
CLAUSE 4: Context of the organization P16
CLAUSE 5: Leadership P18
CLAUSE 6: Planning P20
CLAUSE 7: Support P22
CLAUSE 8: Operation P24
CLAUSE 9: Performance evaluation P26
CLAUSE 10: Improvement P27
Get the most from your management P28
Next steps once implemented P29

INTRODUCTION TO THE STANDARD

ISO 22301:2019 is the latest version of the international standard for Business Continuity Management Systems. This standard provides a best practice framework to support organizations to effectively manage the impact of a disruption to their normal operation.

The purpose of the standard is not necessarily to achieve total mitigation of impact from disruption. It is to support an organization to understand the amount and type of impact it is willing to accept following a disruption, after which the organization develops a business continuity system sized correctly for the organizational need.

Many organizations will at some point experience a business disruption. The cause and nature of disruptive events is ever-changing. Organizations need to be able to think dynamically about this changing threat landscape and put in place appropriate plans to mitigate impacts.

The ISO 22300 Family

The origin of the ISO 22301 standard heralds back to the ISO technical committee ISO/TC 23, which focussed on addressing concerns related to societal security. The standard is now managed by ISO/TC 292 - Security and Resilience. The first iteration of the ISO 22301 standard was published in 2012. The second edition was published in October 2019 and is the focus of this implementation guide.

There are currently 11 standards in the ISO 22300 series. The other standards in the series provide more detailed guidance and requirements for specific issues related to business continuity. This ranges from emergency response management through to mass evacuations.

Within the series, the most important standards for an organization seeking to implement an effective Business Continuity Management System are:

- ISO 22300:2018 - Security and resilience – Vocabulary
- ISO 22301:2019 - Security and resilience – Business Continuity Management Systems – Requirements
- ISO 22313:2020 - Security and resilience – Business Continuity Management Systems – Guidance. Provides helpful direction in support of the practical implementation and operation of a business continuity system.

Regular Reviews and Updates

ISO standards are subject to review approximately every five years to assess whether an update is required. The 2019 version of the standard is reflective of the broader movement of ISO standards towards the application of risk based thinking, understanding organizational context and satisfying the needs of interested parties. The 2019 version contains less prescriptive requirements and is more flexible in its approach to documented information. The 2019 version additionally includes the new requirement to effectively plan changes to the Business Continuity Management System (BCMS).

The most recent update to the ISO 22301 standard in 2019 brought about a number of changes. Whilst the previous edition (2012) was one of the forerunner standards in adopting an Annex SL type format, the new edition firmly aligns the standard with Annex SL.


BENEFITS OF IMPLEMENTATION

It has been demonstrated in recent times that a company’s ability to manage disruptive events is becoming central to its survival. The variety of threats which can cause business disruption is ever-increasing. From cyber-attacks and global pandemics to natural disasters, an organization needs a toolset to manage itself through uncertain times.

In the past, business continuity planning tended to be reserved for critical national infrastructure and major corporations. Today, business continuity is an issue that affects practically all organizations to some degree. A correctly implemented Business Continuity Management System should be scaled to the size and complexity of the organization – making it suitable for SME and large corporation alike.

The core purpose of a Business Continuity Management System is to enable the mitigation of a disruption. Depending on the organization, this will work in support of its goals; whether that is to save lives in a hospital or to reduce financial impact to a manufacturing company.

VISIBLE RESILIENCE

An effective BCMS provides evidence to current and potential customers of organizational preparedness for disruption. This is particularly important in sectors where disruption can have significant impacts on people’s lives as well as financial impacts; including government, healthcare, financial, defence, social services.

PEACE OF MIND

The future is uncertain. An effectively implemented BCMS gives an organization confidence to move forward knowing it can manage a disruption. This peace of mind spans the organization from personnel operations teams to board membership.

COMPETITIVE ADVANTAGE

Being able to continue to operate during or shortly after a disruption gives a company a competitive advantage. In the short term it may be able to win business from competitors which are unable to operate or are doing so in a diminished capacity. In the longer term, a company can generate reputational benefits that will attract customers as well as benefit from stronger financial capabilities. In addition, a Business Continuity Management System supports an organization to bid or tender more effectively.

PROTECT ORGANIZATIONAL VALUE

A BCMS helps to mitigate the negative impact of a disruptive event. Practically speaking, this can save the organization significant amounts of money, time and reputational impact.

ENHANCE CYBER SECURITY AND IT FAILURE RESILIENCE

Cyber security and IT disaster planning is high on the agenda of many organizations. A business continuity plan supports a company to manage the impact of the IT disruption. This can be by malicious action or from infrastructure failure. Crypto viruses, DDoS attacks and data centre failures can create deep and long lasting disruption to all functions of an organization.

Cyber security certifications such as ISO 27001 and Cyber Essentials do not fully address continuity challenges in the event of a disruption. ISO 27001 attempts to address continuity within the IT function itself but this does not extend to the rest of the organization. ISO 22301 provides a framework for addressing the wider organizational impact of IT failure. As a result, a Business Continuity Management System (ISO 22301) is well suited to be integrated with an ISO 27001 information security management system.

High Level View

A Business Continuity Management System operates on similar principles to other management systems. The system is built on the Plan-Do-Check-Act model:

1. Determine the organizational needs and understand the rationale for business continuity plans:
   - What is important to continue in the event of a disruption?
   - Why is that important and to whom?
   - What level of disruption is the organization and its stakeholders prepared to accept?
2. Put in place a framework for achieving the mitigation of the disruption. This can include:
   - Processes
   - Capabilities
   - Response structures
3. Check the performance and effectiveness of the system through monitoring. Practically speaking this will involve testing BC plans through various means.
4. Improve the system based on measures established, revisit the rationale for the business continuity plans and their alignment to what has been implemented.

One of the practical challenges with BCMS is that it comes into action infrequently. Whilst quality management systems are implemented into the company’s day to day operation, business continuity systems are only fully brought into action when a disruption occurs. This means there needs to be a greater emphasis on:

- Business continuity plan (BCP) testing or drills
- Retaining and refreshing organizational capabilities to support business continuity
- Periodic reviews of the system, its processes and rationale to ensure it remains aligned to a changing organization.

KEY PRINCIPLES OF BUSINESS CONTINUITY

Business continuity is grounded in a number of key principles which need to be consistently applied to a business continuity system for it to be effective.

Clear Objectives

An organization should have in place clear business continuity objectives that reflect the nature of their activities and their impact on stakeholders. This supports the prioritisation and resource allocation to the business continuity process. These objectives should clearly define the expected continuity levels and continuity times.

Responsibility

An organization’s senior management and board of directors are responsible for business continuity; this responsibility must be understood and accepted. Business continuity management should be an integral component of overall risk management.

In the event of a disruption, the absence of clearly defined responsibilities, authorities and roles can cause a business continuity plan to become ineffective.

Communication

Organizations should include within their business continuity plans how and when they will communicate within their organizations, with customers and interested parties (such as regulators or suppliers).

Impact and Risk Evaluation

The business continuity standard is different from others in that it focusses on the “what if”. The ability to identify and plan for potential business impacts and risks is key to an effective business continuity system.

Testing

The Business Continuity Management System should be periodically tested in order to evaluate its effectiveness and make changes as required.

PDCA CYCLE

ISO 22301 is based on the Plan-Do-Check-Act (PDCA) cycle, also known as the Deming wheel or the Shewhart cycle. The PDCA cycle can be applied not only to the management system as a whole but to each individual element to provide an ongoing focus on continuing improvement. In brief:

Plan: Understand external context and needs of interested parties. Identify risk and opportunity. Establish objectives and resources required.

Do: Implement what has been planned, from a new Business Continuity Management System down to small process changes.

Check: Monitor and measure the effectiveness of the business continuity. Test business continuity plans and monitor outcomes.

Act: Take action where necessary based on monitoring, measuring and other drivers for action.

[PDCA Model ISO 22301 diagram: the needs of interested parties and the BCMS requirements and expectations feed the cycle of Plan (establish BCMS), Do (implement and operate BCMS), Check (test, monitor and review BCMS) and Act (maintain and improve BCMS); the outputs are business continuity and the needs of interested parties met.]

Plan-Do-Check-Act is an example of a closed-loop system. This ensures the learning from the ‘do’ and ‘check’ stages are used to inform the ‘act’ and subsequent ‘plan’ stages. In theory this is cyclical, however it’s more of an upward spiral as the learning moves you on each time you go through the process.

RISK BASED THINKING / AUDITS

Audits are a systematic, evidence-based, process approach to the evaluation of your Business Continuity Management System. They are undertaken internally and externally to verify the effectiveness of the BCMS. Audits are a brilliant example of how risk-based thinking is adopted within Business Continuity Management.

1st Party Audits – Internal Audits

Internal audits are a great opportunity for learning within your organization. They provide time to focus on a particular process or department in order to truly assess its performance. The purpose of an internal audit is to ensure adherence to policies, procedures and processes as determined by you, the organization, and to confirm compliance with the requirements of ISO 22301.

2nd Party Audits – External Audits

Second party audits are usually carried out by customers or by others on their behalf, or you may carry them out on your external providers. 2nd party audits can also be carried out by regulators or any other external party that has a formal interest in an organization.

You may have little control over the timing and frequency of these audits, however establishing your own BCMS will ensure you are well prepared for their arrival.

Audit Planning

Devising an audit schedule can sound like a complicated exercise. Depending on the scale and complexity of your operations, you may schedule internal audits anywhere from every month to once a year. There’s more detail on this in section 9 – performance evaluation.

Risk-Based Thinking

The best way to consider the frequency of audits is to look at the risks involved in the process or business area to be audited. Any process which is high risk, either because it has a high potential to go wrong or because the consequences would be severe if it did go wrong, should be audited more frequently than a low risk process.

How you assess risk is entirely up to you. ISO 22301 doesn’t dictate any particular method of risk assessment or risk management.

3rd Party Audits – Certification Audits

Third party audits are carried out by external bodies, usually UKAS accredited certification bodies such as NQA.

The certification body will assess conformance to the ISO 22301:2019 standard. This involves a representative of the certification body visiting the organization and assessing the relevant system and its processes. Maintaining certification also involves periodic reassessments.

Certification demonstrates to customers that you have a commitment to quality.

CERTIFICATION ASSURES:

- regular assessment to continually monitor and improve processes
- credibility that the system can achieve its intended outcomes
- reduced risk and uncertainty and increased market opportunities
- consistency in the outputs designed to meet stakeholder expectations.

PROCESS BASED THINKING / AUDITS

A process is the transformation of inputs to outputs, which takes place as a series of steps or activities which result in the planned objective(s). Often the output of one process becomes an input to another subsequent process. Very few processes operate in isolation from any other.

A business continuity system that is applicable to just one department is not likely to achieve valid continuity objectives. Process based thinking is critical to business continuity planning. In order to achieve business continuity objectives, an organization has to create business continuity plans which will be process based, spanning multiple processes and organizational functions.

In practice this means that a business continuity system should consider the end to end process through the organization and incorporate relevant support functions to achieve its objectives.

The diagram below illustrates how an organization could consider prioritising its business continuity objectives through its business continuity strategy. In the example below, an organization providing critical healthcare equipment prioritises its servicing activity and key support functions after a major disruptive event.

[Diagram: business as normal process flow with supporting functions; a catastrophic business disruption event; afterwards, a prioritised business process flow serving prioritised stakeholder needs (e.g. patient critical equipment), with servicing and supporting functions retained.]

ANNEX SL

One of the major changes introduced into the 2019 revision of ISO 22301 was the adoption of Annex SL for the clause structure of the revised standard. Annex SL (previously known as ISO Guide 83) was used within ISO by standards writers to provide a common core structure for management system standards.

ISO 22301 (Business Continuity Management Systems) adopted this structure during its 2019 revision. ISO 27001 (Information Security Management System Standard) also adopted this structure during its 2013 revision, as did ISO 14001 (Environmental Management System Standard), which adopted this structure during its 2015 revision. The newly published ISO 45001 (Health and Safety Management System Standard) also follows this same common structure.

Prior to the adoption of Annex SL there were many differences between the clause structures, requirements and terms and definitions used across the various management system standards. This made it difficult for organizations to integrate the implementation and management of multiple standards; Environment, Quality, Health and Safety and Information Security being among the most common.

High Level Structure

Annex SL consists of 10 core clauses:

1. Scope
2. Normative References
3. Terms and Definitions
4. Context of the Organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement

Of these clauses, the common terms and core definitions cannot be changed. Requirements may not be removed or altered, however discipline-specific requirements and recommendations may be added.

All management systems require a consideration of the context of the organization (more on this in section 4); a set of objectives relevant to the discipline, in this case quality, and aligned with the strategic direction of the organization; a documented policy to support the management system and its aims; internal audits and management review. Where multiple management systems are in place, many of these elements can be combined to address more than one standard.

THE 10 CLAUSES OF ISO 22301:2019

ISO 22301 is made up of 10 sections, known as clauses. As with most other ISO management system standards, the requirements of ISO 22301 that need to be satisfied are specified in Clauses 4.0 – 10.0. Similar to ISO 27001, the organization must comply with all of the requirements in Clauses 4.0 – 10.0; they cannot declare one or more clauses as being not applicable to them.

The accompanying diagram provides an illustrative flow of the concepts in the standard: Organizational context -> Business continuity objectives -> Business impact assessment -> Risk assessment -> Business continuity strategies and solutions -> Business continuity plans (BCP).

CLAUSE 1: SCOPE

The Scope section of ISO 22301 sets out:

- the purpose of the standard
- the types of organizations it is designed to apply to
- the sections of the standard (called Clauses) that contain requirements that an organization needs to comply with in order for the organization to be certified as “conforming” to it (i.e. being compliant).

ISO 22301 is designed to be applicable to any type of organization. Regardless of size, complexity, industry sector, purpose or maturity, any organization can implement and maintain a BCMS that complies with ISO 22301.

CLAUSE 2: NORMATIVE REFERENCES

In ISO standards, the normative references section lists any other standards that contain additional information that is relevant to determining whether or not an organization complies with the standard in question. In ISO 22301 only one document is listed – ISO 22300, Security and Resilience – Vocabulary.

Some of the terms used or requirements detailed in ISO 22301 are explained further in ISO 22300. Reference to ISO 22300 is very useful in helping you to understand a requirement better or identify the best way to comply with it.

TIP – External auditors will expect you to have taken the information contained in ISO 22300 into account in the development and implementation of your BCMS.

CLAUSE 3: TERMS AND DEFINITIONS

There are 31 terms and definitions given in ISO 22301 a
